Re: [pfSense] Diagnosing DNS Resolver SERVFAIL issues

2018-05-25 Thread Steve Yates
Is the pfSense set to forward DNS requests?  Maybe the ISP on the VPN 
side is blocking DNS requests that leave their network to a third-party DNS 
server?  I have seen that before, over the years.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio
Sent: Thursday, May 24, 2018 11:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Diagnosing DNS Resolver SERVFAIL issues

Hi,

I've been happily using the "Outgoing Network Interfaces" set to my VPN
interface to prevent DNS leaks and it's been working pretty well until
today when all of a sudden it stopped resolving DNS requests. In fact:


[fri may25, 03:04 ][user@1:~]nslookup www.google.com
Server: 192.168.2.1
Address:    192.168.2.1#53

** server can't find www.google.com: SERVFAIL


192.168.2.1 is my pfSense box hooked to a DSL modem. As soon as I set
"Outgoing Network Interfaces" to my WAN, then it all works again.
However, this means that although my traffic is carried through the VPN, the
DNS Resolver is routing requests via the ISP instead of the VPN. I don't
understand how all of a sudden the VPN server stopped allowing DNS
requests to be passed from my pfSense machine. Does this seem plausible,
and how do you think I can diagnose this? There is no way I can get unbound
to work unless I set "Outgoing Network Interfaces" to WAN. This was not
the case until yesterday.

Any clues?

Thanks

-- 


Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

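An added diagnostic for the question above (this is example code, not from the original post and not part of pfSense or unbound): a small Python probe that sends one DNS query while bound to a chosen source address, which is what unbound's "Outgoing Network Interfaces" does to its own upstream queries, and reports the RCODE. Run it on the firewall once with the VPN tunnel address and once with the WAN address as the source (the addresses and the upstream server you point it at are assumptions for your setup). A TIMEOUT on the tunnel path says the VPN side never delivers or returns the query, REFUSED says the upstream answers but will not recurse for you, and SERVFAIL with answers arriving on the WAN path points back at unbound's own resolution through the tunnel.

```python
"""Send one DNS query bound to a chosen source address and classify the reply.

Added example; not pfSense or unbound code. Run it from the firewall shell
with the VPN tunnel address and then the WAN address as the source to see
which path reaches the upstream server.
"""
import random
import socket
import struct
import sys

# RCODE values from RFC 1035 / RFC 2136.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a single-question recursive query (QTYPE default A, QCLASS IN)."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Return (rcode_name, answer_count) for a raw reply, checking ID and QR bit."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an


def probe(server, name="www.google.com", source_ip=None, timeout=3.0):
    """Query `server` for `name`; bind to `source_ip` to force the egress interface."""
    txid = random.randrange(0, 1 << 16)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if source_ip:
            sock.bind((source_ip, 0))  # same effect as unbound's outgoing-interface
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", 0       # nothing came back on this path at all
    return parse_response(data, txid)


if __name__ == "__main__":
    # usage: dnsprobe.py <server> [source_ip]  (defaults are assumptions for this setup)
    srv = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.1"
    src = sys.argv[2] if len(sys.argv) > 2 else None
    print(srv, "via", src or "default route", "->", probe(srv, source_ip=src))
```

Point it at a root server or a public resolver rather than at pfSense itself to test the tunnel path directly; querying 192.168.2.1 only repeats what nslookup already showed.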

[pfSense] Custom pass entries for Suricata for all rules, for inline mode

2018-05-24 Thread Steve Yates
I know Bill (bmeeks) hangs out in the web forums but since they're 
offline, does anyone know if it is possible to allow an IP for Suricata when 
it's in Inline mode?  I see lots of examples like:

pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; 
sid:10;)

...but I gather that is tied to the specific rule/sid?

The use case is it seems to be triggering on our Nagios monitoring of 
our web servers and I'd like to just whitelist our office IPs rather than 
trying to manage bunch of rules.

(for those unaware, Pass Lists will be removed from Inline mode:
 
https://webcache.googleusercontent.com/search?q=cache:VUgCeE4j3yQJ:https://forum.pfsense.org/index.php%3Ftopic%3D135331.0+=1=en=clnk=us=firefox-b-1-ab
 
https://webcache.googleusercontent.com/search?q=cache:6eT7PljragcJ:https://forum.pfsense.org/index.php%3Ftopic%3D145257.0+=4=en=clnk=us=firefox-b-1
)

Thanks,

Steve Yates
ITS, Inc.



Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

2018-05-24 Thread Steve Yates
Finally found https://redmine.pfsense.org/issues/8518 which is this bug (the 
extra incomplete gateway line).  Fix seems to be to delete/comment out three 
lines in /etc/inc/filter.inc:

https://redmine.pfsense.org/projects/pfsense/repository/revisions/c9159949e06cc91f6931bf2326672df7cad706f4/diff/src/etc/inc/filter.inc?utf8=%E2%9C%93=inline

A poster on that report says "When I try and add an IPv6 IP Alias VIP the error 
seems to appear" which would explain why we didn't see it on other 2.4.3_1 
updates that have only IPv4 VIPs.

I did try changing off the LAGG to just the one interface on WAN and that had 
the same symptom with the interface in the message.

--

Steve Yates
ITS, Inc.


-Original Message-----
From: Steve Yates 
Sent: Wednesday, May 23, 2018 10:34 PM
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they 
are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The 
line in question reads [242]: pass out  route-to ( lagg0 64.79.96.145 ) from  
to !/ tracker 105913 keep state allow-opts label "let out anything from 
firewall host itself"

64.79.96.145 is our WAN gateway.  We have the WAN configured to use a 
one-interface LAGG to allow sharing CARP states if we ever use a different 
router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the 
output:

pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 
tracker 105911 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 
tracker 105912 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from  to !/ tracker 105913 keep 
state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP.  Given the first two are there, 
I'm not sure what the third is supposed to be?

Re-applying the firewall rules does not clear it, though does appear to trigger 
it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.


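An added check for the ruleset problem in this thread (example code, not pfSense's own and not from the redmine fix): a linter that scans a generated pf ruleset such as /tmp/rules.debug for a `from` or `to` that is followed by nothing usable, which is exactly the shape of the third route-to line quoted above (`from  to !/`). The sample ruleset inside the script is constructed from the three lines in the thread; the keyword list is an assumption covering the pf words that can follow an address. Running it before `pfctl -nf` turns a periodic "syntax error" log entry into a line number and a tracker id you can look up.

```python
"""Lint a generated pf ruleset for empty address tokens before pfctl loads it.

Added example; not pfSense code. Run as:  python3 rules_lint.py /tmp/rules.debug
"""
import sys

# Words that can legally follow 'from'/'to' other than an address are listed
# here as non-addresses; 'any' is a valid address and is deliberately absent.
PF_KEYWORDS = {
    "from", "to", "port", "os", "tracker", "keep", "modulate", "synproxy",
    "flags", "label", "allow-opts", "queue", "tag", "tagged", "probability",
    "rdr-to", "nat-to", "route-to", "reply-to", "dup-to", "group", "user",
}

# Constructed sample: the three lines quoted in the thread, the third malformed.
SAMPLE_RULES = """\
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 tracker 105911 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 tracker 105912 keep state allow-opts label "let out anything from firewall host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from  to !/ tracker 105913 keep state allow-opts label "let out anything from firewall host itself"
"""


def is_address(token):
    """True for 'any', a host, a network, a table/macro or a set opener."""
    bare = token.lstrip("!")
    if not bare or bare.startswith("/"):
        return False          # '!/' is exactly what the broken line carries
    return bare not in PF_KEYWORDS


def find_bad_addresses(text):
    """Return (line_no, keyword, next_token) for every from/to with no usable address."""
    problems = []
    for line_no, line in enumerate(text.splitlines(), 1):
        body = line.split(" label ", 1)[0]   # the label string may itself contain 'from'
        tokens = body.split()
        for i, tok in enumerate(tokens):
            if tok not in ("from", "to"):
                continue
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if not is_address(nxt):
                problems.append((line_no, tok, nxt))
    return problems


def tracker_ids(text, problems):
    """Map each flagged line to its pfSense tracker id so it can be found in the config."""
    lines = text.splitlines()
    ids = {}
    for line_no, _kw, _tok in problems:
        tokens = lines[line_no - 1].split()
        if "tracker" in tokens:
            ids[line_no] = tokens[tokens.index("tracker") + 1]
    return ids


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    found = find_bad_addresses(text)
    ids = tracker_ids(text, found)
    for line_no, kw, tok in found:
        print("line %d: '%s' followed by %r (tracker %s)"
              % (line_no, kw, tok, ids.get(line_no, "?")))
    sys.exit(1 if found else 0)
```

The linter only recognises the empty-address pattern; it is a pre-check, not a replacement for `pfctl -nf /tmp/rules.debug`, which is what reports the full syntax error.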

Re: [pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

2018-05-23 Thread Steve Yates
I found Suricata won't start, and I'm guessing the error Suricata is 
logging when it terminates (leaving its .pid file behind), "23/5/2018 -- 
22:42:18 -  -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - alert-pf: Could 
not validate pf table: snort2c, module init failed." ...is related to this...?

--

Steve Yates
ITS, Inc.

-Original Message-----
From: Steve Yates 
Sent: Wednesday, May 23, 2018 10:34 PM
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they 
are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The 
line in question reads [242]: pass out  route-to ( lagg0 64.79.96.145 ) from  
to !/ tracker 105913 keep state allow-opts label "let out anything from 
firewall host itself"

64.79.96.145 is our WAN gateway.  We have the WAN configured to use a 
one-interface LAGG to allow sharing CARP states if we ever use a different 
router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the 
output:

pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 
tracker 105911 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 
tracker 105912 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from  to !/ tracker 105913 keep 
state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP.  Given the first two are there, 
I'm not sure what the third is supposed to be?

Re-applying the firewall rules does not clear it, though does appear to trigger 
it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.



[pfSense] Syntax error in rules.debug for lagg0 (WAN) after upgrade to 2.4.3_1

2018-05-23 Thread Steve Yates
After upgrading our HA routers from 2.4.2_1 to 2.4.3_1, every few minutes they 
are logging:

There were error(s) loading the rules: /tmp/rules.debug:242: syntax error - The 
line in question reads [242]: pass out  route-to ( lagg0 64.79.96.145 ) from  
to !/ tracker 105913 keep state allow-opts label "let out anything from 
firewall host itself"

64.79.96.145 is our WAN gateway.  We have the WAN configured to use a 
one-interface LAGG to allow sharing CARP states if we ever use a different 
router with a different interface name.

Searching /tmp/rules.debug for "lagg0" I see three lines at the top of the 
output:

pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.149 to !64.79.96.144/29 
tracker 105911 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from 64.79.96.150 to !64.79.96.144/29 
tracker 105912 keep state allow-opts label "let out anything from firewall 
host itself"
pass out  route-to ( lagg0 64.79.96.145 ) from  to !/ tracker 105913 keep 
state allow-opts label "let out anything from firewall host itself"

.149 is the WAN IP, .150 the CARP shared IP.  Given the first two are there, 
I'm not sure what the third is supposed to be?

Re-applying the firewall rules does not clear it, though does appear to trigger 
it (presumably due to the rules reload).

Suggestions?

Steve Yates
ITS, Inc.



Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-23 Thread Steve Yates
FWIW I upgraded our SG-4860 pair and saw the same behavior, fails after 
the metadata update.  I waited 5 minutes and it did not restart and saw no 
indication in system log it was going to, or upgrading.

--

Steve Yates
ITS, Inc.

-Original Message-
From: Steve Yates 
Sent: Wednesday, May 16, 2018 9:14 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: RE: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

Huh, I should remember to look there first.  So used to this list. 

The "sort of scary" part is comments like "Same thing here.  The page reported 
the upgrade had failed.  We waited about two minutes and the page refreshed and 
we logged in.  The upgrade had worked after all."  Like it's running in the 
background despite the failure?  And I ran it a second time during this?  
That's what "KPA" posted last night: "The WebGUI upgrade still seems to suffer 
from the same problem as it did a while ago which is that it gets disconnected 
from the real upgrade run and reports a failure when the upgrade is actually 
running successfully in the background."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of John Kline
Sent: Tuesday, May 15, 2018 10:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

Many of us are seeing this.
See: https://forum.pfsense.org/index.php?topic=147853.0 




On Tuesday, May 15, 2018, 7:53 PM, Steve Yates <st...@teamits.com> wrote:

I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1.  One is an 
SG-3100 and one is a PC.  On both, both times, the upgrade almost immediately 
fails, but if I try again it works.  I click the pending-update icon on the 
dashboard to go to System Update and it detects the update.  I start and I get:

">>> Updating repositories metadata... done.
2.4.3_1 version of pfSense is available"

Then a red bar at the top of the page, "System update failed!"

If I click the already-highlighted System Update tab again, confirm the update, 
it then immediately installs.

Is anyone else seeing this?

--

Steve Yates
ITS, Inc.





Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

2018-05-23 Thread Steve Yates
I don't have a straight answer for you, but are you sure the DC is counting all 
traffic and not just HTTP/SMTP/etc?  I would think they are, but...

Something that may help...the firewall/rules page tracks data usage in the 
States column.  I'm assuming from when it was last booted.  Perhaps make an 
allow rule for each server and/or service and see what is tracked?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Chuck Mariotti
Sent: Wednesday, May 23, 2018 12:57 PM
To: list@lists.pfsense.org
Subject: [pfSense] Bandwidth Mismatch between pfSense and Data Center 
Provider...

We've run into a data overage situation at a datacenter... We get charged a 
premium per GB over 500GB (yes I know, stupid). Their reporting system seems to 
indicate significantly less data usage vs pfSense's RRD reporting... their 
billing system seems to be indicating overage similar to their reporting... 
Uploads seem to be growing significantly. Any idea why the pfSense box seems to 
be counting differently than the datacenter's metrics? We need to track down 
where this usage is happening, but I know users have only grown ~5% over that 
same period of time.

Here are stats for each month:

Month           Datacenter (Upload/Download)   pfSense RRD (Upload/Download)
January         618.95GB/76.01GB               1372.41GiB/148.91GiB
February        365.25GB/47.15GB               1388.65GiB/149.60GiB
March           799.92GB/79.81GB               1697.71GiB/152.24GiB
April           801.67GB/105.01GB              1706.53GiB/200.86GiB
May (to 23rd)   581.57GB/76.26GB               1177.95GiB/139.55GiB


Any suggestions how or why there is a mismatch?

Regards,

Chuck


Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Steve Yates
The "EHLO 190.6.79.98" greeting is not looked at by the firewall so that can be 
ignored.

Can you enable logging on the rule allowing port 25, and verify where the 
packets are actually coming from?

In most cases we set our clients up with our spam filter and the inbound port 
25 rule allows connections only from the spam filter server IP ranges...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Alberto José García 
Fumero
Sent: Friday, May 18, 2018 11:52 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] How could I block messages trying to pass as from my net?

On Fri, 2018-05-18 at 16:24 +0000, Steve Yates wrote:
>   I think your rule should work.  Are you sure there is not
> another rule above that one in the list of rules, that allows the
> inbound connection?  In other words the block rule has to be above
> the rule allowing traffic on port 25 to your mail server.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
That rule is the third in the WAN section, after the one blocking RFC
1918 networks and the one blocking bogon networks.

Could I create a rule saying, for instance, "reject packets originating
(apparently!) from the WAN address and directed to my WAN address" (as
they are trying to forge identity)?

Should that work?
-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.





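An added illustration of the ordering point made in this thread (example code, not from the list or from pfSense): a first-match evaluator over a pfSense-style WAN ruleset. It models only what the firewall actually sees, the packet's source address, destination and port, which is also why the forged "EHLO 190.6.79.98" greeting plays no part. The `rechaza` alias holds the spammer address from the thread; the `spamfilter` range and the other test addresses are constructed documentation addresses standing in for the filtering service's ranges Steve describes.

```python
"""First-match evaluation of a pfSense-style WAN ruleset.

Added example; not pfSense code. It models only what the firewall sees, the
packet's source/destination/port, which is why the forged 'EHLO 190.6.79.98'
greeting never enters into it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed aliases: 'rechaza' is the alias from the thread with one of the
# spammer addresses in it; 'spamfilter' is a made-up documentation range
# standing in for the filtering service's ranges the reply describes.
ALIASES = {
    "rechaza": ["185.234.217.232/32"],
    "spamfilter": ["203.0.113.0/24"],
}


@dataclass
class Rule:
    action: str            # "block" or "pass"
    src: str               # "any", an alias name, or a host/CIDR
    dst: str
    dport: Optional[int]   # None matches any port
    proto: str = "tcp"


def _matches(addr, spec):
    """Does address `addr` fall inside `spec` (any, alias, host or CIDR)?"""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in ALIASES.get(spec, [spec]))


def evaluate(rules, src, dst, dport, proto="tcp"):
    """pfSense interface rules are 'quick': the first matching rule decides.
    Returns (action, rule_index); ("block", None) is the implicit default deny."""
    for idx, r in enumerate(rules):
        if r.proto != proto:
            continue
        if not _matches(src, r.src) or not _matches(dst, r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, idx
    return "block", None


MAIL = "190.6.79.98"

# Block rule below the allow: the allow matches first and the block never runs.
WRONG_ORDER = [
    Rule("pass", "any", MAIL, 25),
    Rule("block", "rechaza", MAIL, None),
]

# Block rule above the allow, as the reply recommends.
RIGHT_ORDER = [
    Rule("block", "rechaza", MAIL, None),
    Rule("pass", "any", MAIL, 25),
]

# Allow-list approach: only the spam filter's ranges may reach port 25 at all,
# so new spammer addresses need no rule changes.
ALLOWLIST = [
    Rule("pass", "spamfilter", MAIL, 25),
]

if __name__ == "__main__":
    spammer, unknown, filt = "185.234.217.232", "198.51.100.7", "203.0.113.5"
    for name, rs in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER),
                     ("allowlist", ALLOWLIST)):
        print(name, [evaluate(rs, s, MAIL, 25) for s in (spammer, unknown, filt)])
```

The evaluator ignores interface, direction and state, which is enough for the ordering question; on the real box, enabling logging on the port 25 rule, as the reply suggests, is what tells you which source address is actually hitting it.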
Re: [pfSense] How could I block messages trying to pass as from my net?

2018-05-18 Thread Steve Yates
I think your rule should work.  Are you sure there is not another rule 
above that one in the list of rules, that allows the inbound connection?  In 
other words the block rule has to be above the rule allowing traffic on port 25 
to your mail server.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Alberto José García 
Fumero
Sent: Friday, May 18, 2018 9:42 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] How could I block messages trying to pass as from my net?

Hi all.

I use pfSense 2.2.1. Of course I know it would be very convenient to
upgrade, but right now it isn't possible.

I'm trying to block spam (for instance, from 185.234.217.232).
As far as I know, it's trying to pass as a message from my very own net:

Transcript of session follows.
From:    Mail Delivery System <mailer-dae...@partagas.ettpartagas.co.
cu>
To:      Postmaster <postmas...@ettpartagas.co.cu>
Subject: Postfix SMTP server: errors from
unknown[185.234.217.232]
Date:    Fri, 18 May 2018 10:10:39 -0400 (CDT)
 Out: 220 partagas.ettpartagas.co.cu ESMTP Partagas
 In:  EHLO 190.6.79.98
 Out: 250-partagas.ettpartagas.co.cu
 Out: 250-PIPELINING
 Out: 250-SIZE 1524
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  AUTH LOGIN
 Out: 503 5.5.1 Error: authentication not enabled

Session aborted, reason: lost connection

For other details, see the local mail logfile

but the MTA correctly rejects it as a fake.

I have created an alias list (rechaza) in the menu Firewall/Aliases,
where I put all the addresses known to be spammers, and tried to reject
them with the rule in Firewall/Rules/WAN

Action: Block
Interface: WAN
TCP/IP version: IPV4
Protocol: TCP
Source: (single host or alias) rechaza
Destination: 190.6.79.98
Destination port range: any

but I can not stop the spam right in the WAN interface.

How could I create a convenient rule?

TIA,

Fumero  

-- 
M.Sc. Alberto García Fumero
Linux user 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work
you put into those hours.





Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread Steve Yates
I've used the console in the recent past...there was something around the 2.3.3 
upgrade where you had to switch it to the development branch and back again to 
get it to work: 
https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

Overall seems like the GUI should work...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of WebDawg
Sent: Wednesday, May 16, 2018 9:50 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

I upgrade via the console now.  Not to say that the GUI is broken, but
I must have been a victim of when it was.  I have seen what kpa is
talking about in that forum thread too.  It is why I always ssh in and
update from console.

On Wed, May 16, 2018 at 10:13 AM, Steve Yates <st...@teamits.com> wrote:
> Huh, I should remember to look there first.  So used to this list. 
>
> The "sort of scary" part is comments like "Same thing here.  The page 
> reported the upgrade had failed.  We waited about two minutes and the page 
> refreshed and we logged in.  The upgrade had worked after all."  Like it's 
> running in the background despite the failure?  And I ran it a second time 
> during this?  That's what "KPA" posted last night: "The WebGUI upgrade still 
> seems to suffer from the same problem as it did a while ago which is that it 
> gets disconnected from the real upgrade run and reports a failure when the 
> upgrade is actually running successfully in the background."
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List <list-boun...@lists.pfsense.org> On Behalf Of John Kline
> Sent: Tuesday, May 15, 2018 10:29 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
>
> Many of us are seeing this.
> See: https://forum.pfsense.org/index.php?topic=147853.0
>
>
>
>
> On Tuesday, May 15, 2018, 7:53 PM, Steve Yates <st...@teamits.com> wrote:
>
> I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1.  One is an 
> SG-3100 and one is a PC.  On both, both times, the upgrade almost immediately 
> fails, but if I try again it works.  I click the pending-update icon on the 
> dashboard to go to System Update and it detects the update.  I start and I 
> get:
>
> ">>> Updating repositories metadata... done.
> 2.4.3_1 version of pfSense is available"
>
> Then a red bar at the top of the page, "System update failed!"
>
> If I click the already-highlighted System Update tab again, confirm the 
> update, it then immediately installs.
>
> Is anyone else seeing this?
>
> --
>
> Steve Yates
> ITS, Inc.
>

Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread Steve Yates
Huh, I should remember to look there first.  So used to this list. 

The "sort of scary" part is comments like "Same thing here.  The page reported 
the upgrade had failed.  We waited about two minutes and the page refreshed and 
we logged in.  The upgrade had worked after all."  Like it's running in the 
background despite the failure?  And I ran it a second time during this?  
That's what "KPA" posted last night: "The WebGUI upgrade still seems to suffer 
from the same problem as it did a while ago which is that it gets disconnected 
from the real upgrade run and reports a failure when the upgrade is actually 
running successfully in the background."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of John Kline
Sent: Tuesday, May 15, 2018 10:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

Many of us are seeing this.
See: https://forum.pfsense.org/index.php?topic=147853.0 




On Tuesday, May 15, 2018, 7:53 PM, Steve Yates <st...@teamits.com> wrote:

I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1.  One is an 
SG-3100 and one is a PC.  On both, both times, the upgrade almost immediately 
fails, but if I try again it works.  I click the pending-update icon on the 
dashboard to go to System Update and it detects the update.  I start and I get:

">>> Updating repositories metadata... done.
2.4.3_1 version of pfSense is available"

Then a red bar at the top of the page, "System update failed!"

If I click the already-highlighted System Update tab again, confirm the update, 
it then immediately installs.

Is anyone else seeing this?

--

Steve Yates
ITS, Inc.


[pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-15 Thread Steve Yates
I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1.  One is an 
SG-3100 and one is a PC.  On both, both times, the upgrade almost immediately 
fails, but if I try again it works.  I click the pending-update icon on the 
dashboard to go to System Update and it detects the update.  I start and I get:

">>> Updating repositories metadata... done.
2.4.3_1 version of pfSense is available"

Then a red bar at the top of the page, "System update failed!"

If I click the already-highlighted System Update tab again, confirm the update, 
it then immediately installs.

Is anyone else seeing this?

--

Steve Yates
ITS, Inc.



Re: [pfSense] Firewall rules on OpenVPN interface

2018-05-07 Thread Steve Yates
What is the purpose of the VPN?  For instance if you are only accessing 
one remote network you could set up a rule to allow only the remote subnet.  
Blocking private subnets would block 10.x.x.x, 192.168.x.x, etc.  Blocking 
bogons blocks unassigned IP ranges that shouldn't have traffic yet.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio
Sent: Sunday, May 6, 2018 4:34 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Firewall rules on OpenVPN interface

Hi,

I was wondering if the "*Block private networks and loopback addresses*"
and "*Block bogon networks*" should be ticked for the interface I have
created for my OpenVPN client?

Do I need to allow incoming requests on that interface? I copied the
configuration from the internet to connect to my VPN provider but it
gave no detail around these options. You would expect the link to be
secure and I guess the only risk is if the VPN provider sends requests
to my internal network?

Thanks

-- 


Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.



Re: [pfSense] DNS configuration under VPN

2018-05-04 Thread Steve Yates
I'm not sure I understand how a web page can tell where DNS responses 
to the OS are coming from, but I suspect what you may want is the DNS Resolver 
checkbox for "Enable Forwarding Mode" which will force pfSense to forward the 
query on, rather than try to resolve the query against the root servers.  Then 
it would use your OpenDNS servers, and where those servers are is up to 
OpenDNS.  I assume they're big enough to have them worldwide...?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio
Sent: Thursday, May 3, 2018 2:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DNS configuration under VPN

Hi folks,

I'm trying to understand why I get DNS leaks. I am connecting to an
Italian VPN server from the UK and when I go to www.dnsleaktest.com, the main
page says I'm connecting from Italy but then, when I do the advanced or
standard tests, these say I'm located in the UK.

I have:

2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7

Installed on a mini PC that is connected via WAN to a DSL modem (set up
in pass-through mode, not router mode). pfSense is acting as a DNS
Resolver even though I have OpenDNS set in the GENERAL tab (I
believe these are not being used because I'm connected via the DNS
Resolver). Would it be best to configure pfSense as a DNS Forwarder?
Although I'm not sure that this is going to resolve my DNS leak problem.
All clients are configured with a DNS set to the IP of the pfSense
machine. Any suggestions on what is the best way to configure DNS on
pfSense where occasionally I fire up my OpenVPN connection?

Many thanks

-- 


Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.


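An added config fragment (not from the thread and not pfSense's generated file) showing the unbound settings behind the two GUI options discussed in this thread and in the SERVFAIL thread earlier on this page. The tunnel address 10.8.0.6 is an assumption; the OpenDNS addresses are the ones that service publishes. In resolver mode unbound walks the tree from the root servers itself, so pinning `outgoing-interface` to the tunnel means every one of those queries has to be allowed out through the VPN, or clients get SERVFAIL. Forwarding mode sends a single query to a forwarder instead, and a leak test then reports wherever that forwarder egresses, not where the client sits.

```conf
server:
    # pfSense "Outgoing Network Interfaces": bind unbound's upstream queries
    # to the VPN tunnel address so none of them leave via the ISP.
    # 10.8.0.6 is an assumed OpenVPN client address; use your own.
    outgoing-interface: 10.8.0.6

    # Resolver mode is the default (no forward-zone below): unbound queries
    # the root servers and every authoritative server itself, so the VPN
    # egress must permit UDP and TCP 53 to arbitrary hosts.

# pfSense "Enable Forwarding Mode": hand every query to a forwarder that is
# reachable through the tunnel instead of recursing from the roots.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222   # OpenDNS, as entered in the General tab
    forward-addr: 208.67.220.220
```

On pfSense 2.4.x the generated file is /var/unbound/unbound.conf; comparing it against this fragment shows which mode the box is really in, and `unbound-host -C /var/unbound/unbound.conf www.google.com` exercises that exact configuration from the shell.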

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread Steve Yates
Wild guess, but did you try it in 2.4.x?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
Sent: Wednesday, April 4, 2018 8:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DNS over TLS config for pfSense 2.2.6

Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
---
Applying the suggested "Custom Options" to the Unbound/DNS Resolver 
configuration in pfSense 2.2.6 does not work, with logs indicating that 
"forward-ssl-upstream" is invalid.

I tried various incantations using "server:ssl-upstream: yes" with and 
without "ssl-port: 853" and, although the unbound service would then run, a 
DNS/host query always indicated that no hosts were found.

Does anyone know a configuration that will work with pfSense 2.2.6?



Re: [pfSense] Nat between vlans

2018-03-30 Thread Steve Yates
Wouldn't it be easier to just create a firewall rule to allow the Guest VLAN to 
the printer IP:port?  It would be the same thing...they can only access that 
IP:port?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Yilmaz Bilgili
Sent: Friday, March 30, 2018 10:33 AM
To: list@lists.pfsense.org
Subject: [pfSense] Nat between vlans

Dear all,

I have a multi vlan setup and I want to give access to my printer on 
corp vlan from guest vlan. There is no access from guest vlan to corp 
vlan at the moment (and will never be). Can I use an IP address from 
guest vlan and nat it to printer's IP address on the corp network? My 
box is an up to date 2.4.2.

Thanks in advance.

Best regards.



Re: [pfSense] Failed to Configure OpenVPN to Work With LAN Clients.

2018-03-23 Thread Steve Yates
It looks like you are obfuscating/hiding the IP addresses.  The two networks 
need two different subnets, and the OpenVPN network between them needs a third 
subnet.  Did you add firewall rules to and from the OpenVPN interface?

Overall, we followed the steps in the pfSense/Netgate "book" 
(https://portal.pfsense.org/docs/book/, you get access if you bought from 
Netgate as I recall) and didn't have any issues setting up OpenVPN on IPv4.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Fadhili Ngalawa
Sent: Friday, March 23, 2018 9:30 AM
To: list@lists.pfsense.org
Subject: [pfSense] Failed to Configure OpenVPN to Work With LAN Clients.

Hello fellow Pfsense Users,

I have tried and failed many times to configure OpenVPN using Pfsense to
work in this situation I will explain below.

In my office we have a financial information system that should be accessed
only from IP addresses in the 192.168.200.0 network, which is used only by
the Finance Department.

Based on this condition, I reserved a subnet 192.168.200.32/27 and configured the
VPN server using pfSense to use this local address range in CIDR notation as required.
The local address of the whole LAN is 192.168.192.0/20.

When a user connects to the pfSense server using the public IP, it gives VPN
users IP addresses as required. But the problem is that users cannot
connect to the Financial Information System server 192.168.200.10 or access
any server that is in the LAN. It works when I put any other full
address range, let's say 192.168.0.1/24, as the VPN server's client IP
addresses.

I tried to add firewall rules, but it still failed, and based on the time
allocated for this task I could not experiment more, so I chose Endian
Firewall to finalize the work. I really need to use the pfSense server because
it is our gateway server, and it will spare the IP address used by Endian
VPN for now.

Based on the explanations above, I kindly request for your help on this.

Thanks in advance.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

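Steve's point about the subnets, as an added example that is not from the thread: a check with Python's ipaddress module that flags any overlap between the OpenVPN tunnel network and the LANs it is supposed to route between. The networks in the main block are the ones from the post; the 10.8.0.0/24 replacement is a placeholder choice of mine, not a recommendation from the list.

```python
"""Added example (not from the thread): check an OpenVPN addressing plan
for overlapping prefixes. The post's networks are used as sample input."""
from ipaddress import ip_network
from typing import Dict, Iterable, List, Tuple


def overlapping_pairs(named_nets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return every pair of networks in the plan that share addresses.

    A routed VPN needs the tunnel network and each site's LAN to be
    disjoint. If the tunnel is carved out of a LAN, the client (and the
    firewall) hold two routes for the same addresses, and packets for the
    LAN go into the tunnel or replies for the tunnel go onto the LAN.
    """
    nets = [(name, ip_network(cidr, strict=False)) for name, cidr in named_nets]
    clashes = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            # overlaps() is only defined within one address family.
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes


def check_plan(tunnel: str, lans: Dict[str, str]) -> List[str]:
    """Human-readable findings for a tunnel network plus a dict of site LANs."""
    plan = [("tunnel", tunnel)] + list(lans.items())
    return [f"{a} overlaps {b}: pick a prefix outside both"
            for a, b in overlapping_pairs(plan)]


if __name__ == "__main__":
    # The plan from the post: the tunnel /27 sits inside the office /20.
    for finding in check_plan("192.168.200.32/27", {"office LAN": "192.168.192.0/20"}):
        print("FAIL:", finding)
    # A plan with a tunnel prefix from an unused block (placeholder choice).
    ok = check_plan("10.8.0.0/24", {"office LAN": "192.168.192.0/20"})
    print("OK" if not ok else ok)
```

The same check covers a site-to-site setup: pass both sites' LANs in the dict and it reports a clash between them as well as with the tunnel, which is the "two different subnets plus a third for the tunnel" rule in Steve's reply.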

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steve Yates
I would think "exposed host" is what I am calling DMZ, from your 
description.

If you have a firewall rule you can set it to log traffic (pass or 
block I believe).  Under status/system logs/settings there is a checkbox to log 
packets blocked by the default block rule.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Monday, February 12, 2018 3:10 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

On Mon, 12 Feb 2018 20:45:55 +0000
Steve Yates <st...@teamits.com> wrote:

> Just to double check the config, so the pfSense router is set as the
> DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configured it as
“Exposed Host”, so all communication is actually forwarded to the
pfSense box. I've set up numerous such devices in different
locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP
devices' config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the
logging features. What's the best way to check if that packet is
blocked by pfSense somehow? I tried

Status → System Logs → Firewall → Normal View → Advanced Log Filter

I checked “Block”, then entered Port: 8000 and “Apply Filter” and it
shows “No logs to display”. That means that the packet is not blocked
by an implicit or explicit firewall rule, right?

Marco
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steve Yates
Just to double check the config, so the pfSense router is set as the DMZ of the 
ISP router?  Have you tried deleting the rule and re-adding?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 1:13 PM
To: list@lists.pfsense.org
Subject: [pfSense] Port forwards don't work on one machine

Hi,

I have set up port forwarding multiple times in the past and it has always
worked. But I now have a machine that fails to forward a port. No clue why.
Maybe I'm missing the obvious here.

My network:

  Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up.

https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well:

https://i.imgur.com/N7ulwha.png

  On another machine this already is enough to get it working. But not on this
  one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21:

https://i.imgur.com/KcaSP6T.png

  Yes, it is.

4) Now testing from the external IP:

https://i.imgur.com/QnWQuIO.png

  Nope!

  Again using an external service:

https://i.imgur.com/v4KaivE.png

  No, James!

5) States:

https://i.imgur.com/Rf1kjbf.png

6) Packet capture:

https://i.imgur.com/xT3qFXW.png


I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

> Common Problems
> 
> 1. NAT and firewall rules not correctly added (see How can I forward ports 
> with pfSense?)

I guess it's all correct, works on another machine.

> Hint: Do NOT set a source port

not set

> 2. Firewall enabled on client machine

nope

> 3. Client machine is not using pfSense as its default gateway

pfSense is the default gateway

> 4. Client machine not actually listening on the port being forwarded

It is, see

  https://i.imgur.com/KcaSP6T.png

> 5. ISP or something upstream of pfSense is blocking the port being forwarded

I guess the states table and packet capture should be empty if that's the
case, right?

> 6. Trying to test from inside the local network, need to test from an outside 
> machine

Tested both, see

  https://i.imgur.com/QnWQuIO.png
  https://i.imgur.com/v4KaivE.png

> 7. Incorrect or missing Virtual IP configuration for additional public IP 
> addresses

No clue, haven't configured anything virtual.

> 8. The pfSense router is not the border router. If there is something else 
> between pfSense and the ISP, the port forwards and associated rules must be 
> replicated there.

True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
is configured to forward everything to the pfSense box, though.

> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be 
> added both to and from the server's IP in order for a port forward to work 
> behind a Captive Portal.

nope

> 10. If this is on a WAN that is not the default gateway, make sure there is a 
> gateway chosen on this WAN interface, or the firewall rules for the port 
> forward would not reply back via the correct gateway.

WAN is default gateway

> 11. If this is on a WAN that is not the default gateway, ensure the traffic 
> for the port forward is NOT passed in via Floating Rules or an Interface 
> Group. Only rules present on the WAN's interface tab under Firewall Rules 
> will have the reply-to keyword to ensure the traffic responds properly via 
> the expected gateway.

didn't configure floating rules

> 12. If this is on a WAN that is not the default gateway, make sure the 
> firewall rule(s) allowing the traffic in do not have the box checked to 
> disable reply-to.

not the case

> 13. If this is on a WAN that is not the default gateway, make sure the master 
> reply-to disable switch is not checked under System > Advanced, on the 
> Firewall/NAT tab.

not the case

> 14. WAN rules should NOT have a gateway set, so make sure that the rules for 
> the port forward do NOT have a gateway configured on the actual rule.

see

https://i.imgur.com/N7ulwha.png

> 15. If the traffic appears to be forwarding in to an unexpected device, it 
> may be happening due to UPnP. Check Status > UPnP to see if an internal 
> service has configured a port forward unexpectedly. If so, disable UPnP on 
> either that device or on the firewall. 

UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather
straightforward in pfSense and have never given me troubles in the past. A
nudge in the right direction is appreciated.

Marco
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

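The check Steve describes (turn on logging for the default block rule, then filter the firewall log for the port) can also be run over a saved copy of the log. The following is an added example, not from the thread and not a pfSense tool: a parser for pfSense's filterlog CSV lines that pulls out block entries for a given destination port. The field order is my reading of pfSense's documented filterlog format for IPv4 and IPv6 TCP/UDP entries, so treat it as an assumption and compare it with a real line from /var/log/filter.log before relying on it; the sample lines are constructed.

```python
"""Added example (not from the thread): find "block" entries for a
destination port in pfSense filterlog lines. Field layout is an assumption
based on the documented CSV format; the log lines below are constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample lines, not captured from a real system.
SAMPLE_LOG = """\
Feb 11 19:01:02 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,12345,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51234,8000,0,S,1122334455,,65535,,mss;sackOK;TS;nop;wscale
Feb 11 19:01:03 pfSense filterlog: 61,,,1518367281,igb0,match,pass,in,4,0x0,,54,12346,0,DF,6,tcp,60,203.0.113.9,10.0.30.21,51235,8000,0,S,1122334456,,65535,,mss;sackOK;TS;nop;wscale
Feb 11 19:01:04 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,12347,0,DF,17,udp,78,203.0.113.9,198.51.100.2,51236,53,58
Feb 11 19:01:05 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,udp,17,48,2001:db8::9,2001:db8::2,51237,8000,48
"""

# Fields shared by IPv4 and IPv6 entries (assumed order).
COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "dir", "ipver"]
# Address-family specific section; length, src and dst follow it.
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto"]
IPV6 = ["class", "flowlabel", "hlim", "proto", "protoid"]

_FILTERLOG = re.compile(r"filterlog: (.*)$")


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line into a dict, or None if it is not a filterlog line."""
    m = _FILTERLOG.search(line)
    if not m:
        return None
    fields = m.group(1).split(",")
    rec = dict(zip(COMMON, fields[:len(COMMON)]))
    rest = fields[len(COMMON):]
    layout = IPV4 if rec.get("ipver") == "4" else IPV6
    rec.update(zip(layout, rest[:len(layout)]))
    rest = rest[len(layout):]
    rec.update(zip(["length", "src", "dst"], rest[:3]))
    rest = rest[3:]
    # Only TCP and UDP carry ports; ICMP and others stop at the addresses.
    if rec.get("proto") in ("tcp", "udp"):
        rec.update(zip(["sport", "dport"], rest[:2]))
    return rec


def blocked_to_port(log_text: str, dport: int) -> List[Dict[str, str]]:
    """Return block entries whose destination port is dport, any protocol."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec.get("dport") == str(dport):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in blocked_to_port(SAMPLE_LOG, 8000):
        # The tracker is what the GUI resolves to a rule description; the
        # built-in default-deny rules have fixed 1000000xxx-style trackers.
        print(f"{rec['iface']} {rec['proto']} {rec['src']} -> "
              f"{rec['dst']}:{rec['dport']} tracker {rec['tracker']}")
```

The caveat behind Marco's question is in Steve's reply: the implicit deny is not written to the log unless the "log packets blocked by the default rule" box under Status > System Logs > Settings is ticked, so an empty result from this filter, or from the GUI one, proves nothing until that is on.
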
Re: [pfSense] Bug found: Remote Logging Options and IPv6

2018-02-06 Thread Steve Yates
There is a bug tracker at https://redmine.pfsense.org/projects/pfsense

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Christoph Haas
Sent: Tuesday, February 6, 2018 8:11 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Bug found: Remote Logging Options and IPv6

Dear list,

I dare say that I have found a bug in version 2.4.2-RELEASE (amd64).

When setting up syslog forwarding in the "Remote Logging Options" I can
choose IPv6 as "IP Protocol" but when I save the field switches back to
IPv4 and logging fails to the given IPv6 address.

Should I report that somewhere?

Kind regards
 Christoph


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Error in NAT --> Port Forward --> Edit

2018-01-11 Thread Steve Yates
This came up on this list in October with 2.4 and 2.4.1, but with Outbound NAT 
rules.  I don't have a saved email with a posted solution...?

If you export/save your config file does it have odd characters in it?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of David Kleiner
Sent: Thursday, January 11, 2018 10:57 AM
To: list@lists.pfsense.org
Subject: [pfSense] Error in NAT --> Port Forward --> Edit

Folks,

I am all of a sudden unable to edit or add new port forwards in my
firewall.

The exact error message is:

   - Invalid characters detected "00". Please
   remove invalid characters and save again.

This comes up when I try to either edit an existing rule or add a new port
forward rule.

I am running 2.4.2_1.

Any thoughts or recommendations?

--
David Kleiner
Apogee Research
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

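Steve's suggestion to look at the exported config for odd characters, as an added example that is not from the thread: the "00" in the error message is the hex value of a NUL byte, and XML 1.0 permits no C0 control character other than tab, LF and CR anywhere in a document, so a byte-level scan of the exported config.xml for those values points straight at the offending field. The sample config is a constructed fragment, not a real export.

```python
"""Added example (not from the thread): locate and strip forbidden control
bytes such as NUL in an exported pfSense config.xml. Sample is constructed."""
from typing import List, Tuple

# Constructed fragment with a NUL byte inside a port-forward description,
# the kind of field the Port Forward edit page re-validates on save.
SAMPLE_CONFIG = (
    b'<?xml version="1.0"?>\n'
    b"<pfsense>\n"
    b"  <nat>\n"
    b"    <rule>\n"
    b"      <descr><![CDATA[Web\x00 server]]></descr>\n"
    b"      <target>10.0.30.21</target>\n"
    b"    </rule>\n"
    b"  </nat>\n"
    b"</pfsense>\n"
)

# XML 1.0 forbids every C0 control character except tab, LF and CR, in any
# encoding. Scanning bytes is enough: no multi-byte UTF-8 sequence contains
# a byte below 0x80, so the check cannot misfire on legitimate text.
ALLOWED_CONTROLS = {0x09, 0x0A, 0x0D}


def is_bad_byte(b: int) -> bool:
    return b < 0x20 and b not in ALLOWED_CONTROLS


def find_control_bytes(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (line, column, byte value) for every forbidden control byte."""
    hits = []
    line, col = 1, 1
    for b in data:
        if is_bad_byte(b):
            hits.append((line, col, b))
        if b == 0x0A:
            line, col = line + 1, 1
        else:
            col += 1
    return hits


def strip_control_bytes(data: bytes) -> bytes:
    """Remove the forbidden bytes and nothing else, so encoding is untouched."""
    return bytes(b for b in data if not is_bad_byte(b))


if __name__ == "__main__":
    # Real use: data = open("config-pfSense-20180111.xml", "rb").read()
    for line, col, b in find_control_bytes(SAMPLE_CONFIG):
        print(f"line {line}, column {col}: byte 0x{b:02x}")
    cleaned = strip_control_bytes(SAMPLE_CONFIG)
    print("clean" if not find_control_bytes(cleaned) else "still dirty")
```

If the scan lands on one field, editing that field in the GUI is the smaller change; when the GUI refuses to save at all, cleaning the exported file and restoring it through Diagnostics > Backup & Restore is the alternative.
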

Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

2018-01-03 Thread Steve Yates
I'm not a developer but I would think it's dependent on FreeBSD releasing the 
update, plus testing by pfSense/Netgate.  However, I would think there's not 
much concern with PCs running pfSense, since raw code would not normally be 
running on the pfSense box...?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, January 3, 2018 10:47 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces 
Linux, Windows redesign • The Register - patch to pfsense?

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

Is there a patch available soon for the pfSense kernel?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Slow/impossible updates to 2.4?

2017-12-30 Thread Steve Yates
Check to see if your DNS is running properly.  If it isn't the DNS timeouts 
will take forever.  I had that happen once after an update.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of David C. Jenner
Sent: Tuesday, December 26, 2017 10:10 PM
To: list@lists.pfsense.org
Subject: [pfSense] Slow/impossible updates to 2.4?

I updated successfully to 2.4.

Then I tried to update to 2.4.2.  It took many minutes for 
System/Update/System Update to get to the point of asking me to confirm 
the update.  Then the update was excruciatingly slow, it took 1/2 hour 
or more.  It finally succeeded.

Now I am trying to update to 2.4.2_p1.  Again it takes many minutes to 
get to the request for confirming the update.  After confirming, it 
takes many minutes for an error "System update failed!" to appear, and 
Updating System says:

done.
2.4.2_1 version of pfSense is available.

All this is on an SG-2440:

Version 2.4.2-RELEASE (amd64)
built on Mon Nov 20 09:10:42 CST 2017
FreeBSD 11.1-RELEASE-p4

CPU Type: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)

The current installation of 2.4.2 appears to be running OK.  What is the 
problem with updating?

Thanks, Dave
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] SSH Bruteforce

2017-12-20 Thread Steve Yates
I think you're looking for the Suricata or Snort packages for detecting 
malicious traffic at pfSense.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Wednesday, December 20, 2017 4:53 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] SSH Bruteforce

Hi there,

Does anyone know how to prevent SSH brute-force attacks in my network?

I wanted to have a firewall which counts SSH connections from the same IP and,
when it reaches the defined limit, the IP will be blocked.

I know I can change the SSH port, but I also want to know if there is an option
to limit such kinds of attacks.

Cheers

Daniel

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

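The per-source connection counting Daniel asks for is built into pf itself, independent of Snort or Suricata. The following is an added example in raw pf syntax, not from the thread and not a pfSense-generated rule set; pfSense exposes the same options per rule under Advanced Options ("Max. src. conn. rate" and friends), and hosts that trip them land in its `virusprot` table, visible under Diagnostics > Tables. The interface name and the listening port are assumptions.

```conf
# Added example: rate-limit new SSH connections per source and ban offenders.
# $ext_if and port 22 are placeholders for the real setup.
ext_if = "igb0"

# Sources that tripped the limit. "persist" keeps the table across rule
# reloads even while no rule references it.
table <bruteforce> persist

# First match wins: a banned source gets nothing at all.
block in quick on $ext_if from <bruteforce> to any

# Allow SSH, but one source may hold at most 10 open connections and start
# at most 5 new ones per 30 seconds. Exceeding either puts the source into
# <bruteforce>, and "flush global" tears down every state it already has.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Two things to know before relying on it. The table grows forever unless something expires entries, the usual idiom being `pfctl -t bruteforce -T expire 86400` from cron (on pfSense the equivalent table is `virusprot`, and `pfctl -t virusprot -T show` lists current offenders). And it counts TCP connections, not failed logins: an attacker pacing itself under 5 connections per 30 seconds is never caught, so the rule is a complement to key-only authentication and log-based blocking, not a replacement for them.
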

Re: [pfSense] pfsense crashing

2017-12-18 Thread Steve Yates
I had been following that one since we had been using limiters and had 
the "pfsync_undefer_state" issue, though thankfully no crashes.

Post #44 on that page has a workaround.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Monday, December 18, 2017 6:03 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense crashing

This long-standing issue: https://redmine.pfsense.org/issues/4310

:(

Eero

2017-12-18 10:07 GMT+02:00 Eero Volotinen <eero.voloti...@iki.fi>:

> looks like turning pfsync from on to off resolved this issue.
>
> --
> Eero
>
> 2017-12-17 20:11 GMT+02:00 Joseph L. Casale <jcas...@activenetwerx.com>:
>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
>> Volotinen
>> Sent: Sunday, December 17, 2017 11:02 AM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: Re: [pfSense] pfsense crashing
>>
>> > Need to test that tomorrow. Just wondering how to attach remote debugger
>> > or
>> > similar to get root cause of crash.
>>
>> Page 13 in the SG-8860 manual.
>> ___
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>>
>
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] DHCPv6 working but no gateway

2017-12-14 Thread Steve Yates
Apparently pfSense 2.4.2 fixed a bug with RA not working on the SG-3100 router 
model:
https://forum.pfsense.org/index.php?topic=139953.0

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, December 8, 2017 12:13 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DHCPv6 working but no gateway

I set up a couple of 3100s at a client and their branch office, with OpenVPN 
connecting them together.  With the LAN set to "track interface" IPv6 addresses 
are acquired and DHCPv6 is working.  RA doesn't seem to be working since 
Windows PCs don't get a gateway.  I know I picked modes Managed or Assisted.  
If I set a static IP in that range with a gateway I can get out, so IPv6 is 
routing.  If I configure the VPN for IPv6 I can even ping across the VPN to the 
other router.

My understanding was if RA was enabled and everything at defaults/blank it 
should "just work"...am I missing something that needs configuring?  I did try 
putting in a subnet, even though the RA page says that's not necessary.

Thanks,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense ha issues

2017-12-12 Thread Steve Yates
I get the actual LAN IP back from a traceroute also so that's normal.  In the 
sense of "that's the router handling the packet" that makes sense.

Do you get packet loss if you ping out from the pfSense?

Steve

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, December 12, 2017 2:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense ha issues

Well,

I did a traceroute to 8.8.8.8 and that shows traffic via 192.168.1.7, which is
the primary firewall's LAN address.

DHCP gives 192.168.1.1, which is the CARP VIP, as the default route. I only get
continuous packet loss to the Internet, not to the .1 (VIP) or .7 addresses, and
CARP status is stable (i.e. the primary firewall is master on all CARP addresses).
Eero

2017-12-12 21:55 GMT+02:00 Steve Yates <st...@teamits.com>:

> They aren't swapping master/backup are they?  If you turn off one of the
> two what happens?
>
> Not sure how you're determining traffic going to the .7 IP...?  The
> gateway on a device on the LAN should be .1 (the "CARP" LAN IP).
>
> Are you getting packet loss if you ping the .1 address?  The .7 address?
> Or just out to the Internet?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero
> Volotinen
> Sent: Tuesday, December 12, 2017 1:03 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] pfsense ha issues
>
> Hi,
>
> Installed a pfSense HA system at the office. It works, but I'm experiencing about 25%
> packet loss. Any idea why? Switch issue? Failover works fine.
>
> The VIP LAN gateway IP is .1, but it looks like traffic is going to the .7 IP (the normal
> IP of the firewall) even though DHCP offers .1 as the gateway. Is this normal?
>
> Eero
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense ha issues

2017-12-12 Thread Steve Yates
They aren't swapping master/backup are they?  If you turn off one of the two 
what happens?

Not sure how you're determining traffic going to the .7 IP...?  The gateway on 
a device on the LAN should be .1 (the "CARP" LAN IP).

Are you getting packet loss if you ping the .1 address?  The .7 address?  Or 
just out to the Internet?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, December 12, 2017 1:03 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense ha issues

Hi,

Installed a pfSense HA system at the office. It works, but I'm experiencing about 25%
packet loss. Any idea why? Switch issue? Failover works fine.

The VIP LAN gateway IP is .1, but it looks like traffic is going to the .7 IP (the normal
IP of the firewall) even though DHCP offers .1 as the gateway. Is this normal?

Eero
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] DHCPv6 working but no gateway

2017-12-08 Thread Steve Yates
I set up a couple of 3100s at a client and their branch office, with OpenVPN 
connecting them together.  With the LAN set to "track interface" IPv6 addresses 
are acquired and DHCPv6 is working.  RA doesn't seem to be working since 
Windows PCs don't get a gateway.  I know I picked modes Managed or Assisted.  
If I set a static IP in that range with a gateway I can get out, so IPv6 is 
routing.  If I configure the VPN for IPv6 I can even ping across the VPN to the 
other router.

My understanding was if RA was enabled and everything at defaults/blank it 
should "just work"...am I missing something that needs configuring?  I did try 
putting in a subnet, even though the RA page says that's not necessary.

Thanks,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Steve Yates
Ah, I misread your message, sorry.

Per the other posters, check to see if your DNS resolver or forwarder service 
is running.  At one point I had DNS stop working during an upgrade and it 
caused problems.  I want to say it was when updating the second (primary) 
router, because the DNS on the other took its 2 seconds to time out after every 
request.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pete Boyd
Sent: Monday, December 4, 2017 2:29 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

On 04/12/2017 20:11, Steve Yates wrote:
> If you ssh to the device and pick the option to update from its console menu, 
> does it update there?

No, those package repository errors are what I'm seeing when doing that.

I tried the swapping to different repositories in the GUI, trying update
from console, back and forth, as described in the page you linked to,
but that hasn't helped, each time it has the same repository errors.



-- 
Pete Boyd

Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Steve Yates
That sounds like what I saw a couple of times now.  If you ssh to the 
device and pick the option to update from its console menu, does it update 
there?

Also see:
https://forum.pfsense.org/index.php?topic=135078.msg739919#msg739919
...in which I linked to:
https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Pete Boyd
Sent: Monday, December 4, 2017 1:19 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

Hi. I upgraded a production SG-2440 running pfSense 64-bit 2.3.5 to
2.4.2 using the web GUI. There were no packages installed. It appeared
to update OK, and rebooted afterwards. However it came back as version
2.3.5 and now says it's on the latest version, despite going to the
update page and re-saving.

Choosing "Update from console" gives the following:

"Updating pfSense-core repository catalogue...

pkg-static: Repository pfSense-core load error: access repo
file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory

pkg-static:
https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-core/meta.txz:
No address record
repository pfSense-core has no meta file, using default settings

pkg-static:
https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-core/packagesite.txz:
No address record

Unable to update repository pfSense-core

Updating pfSense repository catalogue...

pkg-static: Repository pfSense load error: access repo
file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory

pkg-static:
https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-pfSense_factory-v2_4_2/meta.txz:
No address record
repository pfSense has no meta file, using default settings

pkg-static:
https://firmware.netgate.com/pkg/pfSense_factory-v2_4_2_amd64-pfSense_factory-v2_4_2/packagesite.txz:
No address record

Unable to update repository pfSense

Error updating repositories!

If I run "pkg update -f" I get this error:
Shared object "libssl.so.8" not found, required by "pkg"

These commands give the same repository error messages as above:
pkg-static update -f
pkg-static upgrade -f

I don't have physical access to the device.
So far, ostensibly, it appears to be running OK; I'm VPNd in.

Has anyone any ideas that might help please?
Thanks


-- 
Pete Boyd

Open Plan IT - http://openplanit.co.uk
The Golden Ear - http://thegoldenear.org
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] single pfsense to ha conversion

2017-12-04 Thread Steve Yates
I don't think it would qualify as "simple" since it involves setting up an 
additional interface on each as well as the CARP virtual IPs.

If you're asking about linking your old router to a new router, the routers 
have to use the same hardware interface (NIC) names in order to sync firewall 
states (em0 to igb0 won't sync).

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Saturday, December 2, 2017 11:04 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] single pfsense to ha conversion

Hi List,

I just bought two SG-8860 Netgate devices and am planning to convert the
old unit to an HA solution.

Is there a simple way to convert the units to HA with a bit of editing of the XML backup?

--
Eero
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-12-01 Thread Steve Yates
In System/Update/Update Settings I think you can choose a 2.3 branch...?

I haven't had any issues with installing the upgrade, but in two cases after 
the GUI updated the repository for 2.4 it wouldn't proceed with the upgrade, 
and I had to connect via SSH and run the update at the console/shell, where it 
installed fine.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Friday, December 1, 2017 2:08 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

The in-place upgrade from 2.3 to 2.4 looks fragile. Is there a way to upgrade the
system to the latest 2.3.* release without reinstalling? The online upgrade wants to
update to 2.4.2..

Eero

1.12.2017 16.27 "Alberto Moreno" <ports...@gmail.com> kirjoitti:

> The last version of 2.3.x is 2.3.5; you can stick with the latter, or you can test
> the 2.4.2 upgrade.
>
>
> On Sun, Nov 26, 2017 at 4:04 AM, Eero Volotinen <eero.voloti...@iki.fi>
> wrote:
>
> > Just planning to upgrade my SG-8860 from pfSense 2.3 to 2.4. Are there any
> > known issues?
> >
> > it's not so complex setup, but running as our hq main firewall. so, some
> > ipsec and openvpn connections are running against it.
> >
> >
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

2017-12-01 Thread Steve Yates
Thanks for the assist/validation.  It is a bit awkward to set 
up because one can’t put an active NIC into a LAGG so there’s a bit of round 
robin to get igb0 into a LAGG and assigned to WAN again.  But it does work as 
long as one has a spare interface.  I think it’d be difficult if not impossible 
to configure remotely but we can config a replacement router and take it to the 
data center.

Once I did it here and could export the config, it was much 
easier to just edit the to-be-replaced router’s config file and paste in the 
LAGG section and update the interface names, and it gets set up all at once 
upon restore.

--

Steve Yates
ITS, Inc.

From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Wednesday, November 29, 2017 3:03 PM
To: Steve Yates <st...@teamits.com>
Subject: RE: [pfSense] Using LAGG interfaces with CARP to allow future router 
replacements

Yeah, in theory that should work. I've never needed to care *that* much about 
downtime, so haven't tested it.
-Adam
On November 29, 2017 1:42:29 PM CST, Steve Yates 
<st...@teamits.com<mailto:st...@teamits.com>> wrote:
OK thanks for the observations.  Fortunately the 4860 has a bunch of ports but 
dedicating one to a management port would seem to require 4 in our case, 
instead of 3.  My thought would be that in the future we could edit a saved 
config file to change interface names and just restore it to the new hardware, 
and have it sync states with the LAGGs.  Hopefully that’s not going to happen 
for many years, but…


--


Steve Yates
ITS, Inc.


From: Adam Thompson [mailto:athom...@athompso.net]
Sent: Tuesday, November 28, 2017 5:29 PM
To: pfSense Support and Discussion Mailing List 
<list@lists.pfsense.org<mailto:list@lists.pfsense.org>>; Steve Yates 
<st...@teamits.com<mailto:st...@teamits.com>>
Subject: Re: [pfSense] Using LAGG interfaces with CARP to allow future router 
replacements


Yes, there's downtime to set up LAGs. So this won't help avoid all downtime.
Since the SG-2440 just went EOL, I would expect the SG-4860 will also go EOL 
soon, perhaps next quarter (Q1’18).
There is a small performance hit. It's not large - certainly not large enough 
that I ever cared to measure it. Unless you are pinning the CPU regularly, I 
expect it would be undetectable.
There is a much bigger hit in complexity, since you still can't set up LAGs 
during initial setup, necessitating a dedicated mgmt interface to avoid certain 
types of "oops, oh shit" problems.
-Adam
On November 28, 2017 5:08:48 PM CST, Steve Yates 
<st...@teamits.com<mailto:st...@teamits.com>> wrote:

We had two routers set up using CARP and unfortunately had some issues with 
them, and currently have a temporary router in place.  We will be replacing the 
temp router with an SG-4860 1U HA; however, that unfortunately has different 
interface names, so state sync won't work, and the cutover won't be transparent.

I understand from 
https://doc.pfsense.org/index.php/Redundant_Firewalls_Upgrade_Guide#pfSense_2.2.x_and_pfsync
that using LAGGs can work around this.  My question is, is it worth setting up 
LAGGs just for future proofing, to have the state sync working on 
disparate devices if we ever replace a router down the road?  Is there any sort 
of performance penalty or significant complexity?

Note we have five CARP interfaces: IPv4 and IPv6 for WAN and LAN, and a LAN 
IPv4 on a second subnet.  So as a first run-through on LAGGs, it seems like we 
would need at least four LAGGs for the WAN and LAN interfaces (we can ignore 
the secondary LAN for this purpose)?  So we would set up four LAGG interfaces 
using Failover (?) with one interface each, and have WAN and LAN use those?

Avoiding downtime would be really nice, but I don't think we can get around 
that at this point (for this router replacement) since LAGGs apparently can't 
be set on an interface that is in use already and thus there would be downtime 
to set up LAGGs on our temp router anyway.

--

Steve Yates
ITS, Inc.




Re: [pfSense] pfSense can get to Internet but LAN cannot

2017-11-30 Thread Steve Yates
1) we're not using NAT
2) ...which means this is the answer because the router on the WAN side doesn't 
know to route that subnet back to the pfSense.  D'oh!

Adding a manual NAT rule lets it work.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Holger Bauer
Sent: Thursday, November 30, 2017 4:19 PM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense can get to Internet but LAN cannot

Hi Steve,

Any chance outbound NAT got messed up when setting up CARP? Check the
settings there and check Diag > States to see if NAT works.

Holger

On 30.11.2017 10:43 PM, "Steve Yates" <st...@teamits.com> wrote:

Short version: a PC on the LAN cannot ping the router's gateway,
though the router can ping it and get to the Internet.  Routing table looks
OK, default firewall rule isn't blocking packets (rule to allow LAN to any
is in place), and it's not a private IP address.  Looking for suggestions?

We are replacing two routers using CARP with two 4860s.  I edited
the saved configuration files to add two LAGGs, and changed the interfaces
to match the new hardware.  As I said ping/traceroute/nslookup from the
pfSense to the Internet works fine.  Route table shows the proper gateway
IP as the default.  We have tried changing off the LAGGs, no difference.  A
traceroute from the PC shows the pfSense router LAN IP as expected but not
the gateway which is the next hop.  It's as if the routing isn't sending
packets out the WAN?  I have rebooted the routers, and disabled CARP and
disconnected the second router (and changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the
gateway router works fine to get past the gateway.

--

Steve Yates
ITS, Inc.



Re: [pfSense] pfSense can get to Internet but LAN cannot

2017-11-30 Thread Steve Yates
A couple clarifications...the ping from LAN to the WAN gateway is timing out, 
not saying "unreachable" or something like that.  I can ping the router's WAN 
IP (and CARP WAN IP) from the LAN, as allowed by firewall rule.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Thursday, November 30, 2017 3:44 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfSense can get to Internet but LAN cannot

Short version: a PC on the LAN cannot ping the router's gateway, though 
the router can ping it and get to the Internet.  Routing table looks OK, 
default firewall rule isn't blocking packets (rule to allow LAN to any is in 
place), and it's not a private IP address.  Looking for suggestions?

We are replacing two routers using CARP with two 4860s.  I edited the 
saved configuration files to add two LAGGs, and changed the interfaces to match 
the new hardware.  As I said ping/traceroute/nslookup from the pfSense to the 
Internet works fine.  Route table shows the proper gateway IP as the default.  
We have tried changing off the LAGGs, no difference.  A traceroute from the PC 
shows the pfSense router LAN IP as expected but not the gateway which is the 
next hop.  It's as if the routing isn't sending packets out the WAN?  I have 
rebooted the routers, and disabled CARP and disconnected the second router (and 
changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the 
gateway router works fine to get past the gateway.

--

Steve Yates
ITS, Inc.



[pfSense] pfSense can get to Internet but LAN cannot

2017-11-30 Thread Steve Yates
Short version: a PC on the LAN cannot ping the router's gateway, though 
the router can ping it and get to the Internet.  Routing table looks OK, 
default firewall rule isn't blocking packets (rule to allow LAN to any is in 
place), and it's not a private IP address.  Looking for suggestions?

We are replacing two routers using CARP with two 4860s.  I edited the 
saved configuration files to add two LAGGs, and changed the interfaces to match 
the new hardware.  As I said ping/traceroute/nslookup from the pfSense to the 
Internet works fine.  Route table shows the proper gateway IP as the default.  
We have tried changing off the LAGGs, no difference.  A traceroute from the PC 
shows the pfSense router LAN IP as expected but not the gateway which is the 
next hop.  It's as if the routing isn't sending packets out the WAN?  I have 
rebooted the routers, and disabled CARP and disconnected the second router (and 
changed the PC gateway accordingly).

Changing the PC to an IP on the WAN side and plugging it into the 
gateway router works fine to get past the gateway.

--

Steve Yates
ITS, Inc.



Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-30 Thread Steve Yates
It would help if someone updated the pfSense doc page to clarify that, then, 
since I asked that question on this list in July and got a different answer 
than yours.
https://doc.pfsense.org/index.php/Upgrade_Guide#Packages

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Wednesday, November 29, 2017 1:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

Anything that isn’t a maintenance release (2.x.y … the “y” here) should be 
considered a major release.

macOS 10.11 is a major release. 10.11.1 is not.

—
Ryan

> On Nov 29, 2017, at 1:37 PM, Steve Yates <st...@teamits.com> wrote:
> 
> Does it work if you uninstall haproxy first?  I know pfSense recommends 
> uninstalling packages for "major" version upgrades but (per my past thread 
> here ) I would think point versions are minor upgrades.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
> Sent: Wednesday, November 29, 2017 12:02 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
> 
> Yes, looks like a very similar problem :)
> 
> Eero
> 
> 2017-11-29 18:59 GMT+02:00 Tom Müller-Kortkamp <tmu...@kommunity.net>:
> 
>> Did you have any packages installed?
>> I filed this bug 2 days ago:
>> https://redmine.pfsense.org/issues/8135
>> 
>>> On 29.11.2017 at 00:11, Steve Yates <st...@teamits.com> wrote:
>>> 
>>> https://redmine.pfsense.org/ is the bug tracker.
>>> https://www.netgate.com/support/contact-support.html for tech support.
>>> 
>>> --
>>> 
>>> Steve Yates
>>> ITS, Inc.
>>> 
>>> -Original Message-
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
>>> Sent: Monday, November 27, 2017 12:37 AM
>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; j...@netgate.com
>>> Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
>>> 
>>> Hi,
>>> 
>>> Looks like the "online" upgrade (2.3.5 -> 2.4.2) trashes the sg-8860 unit into a
>>> "non-working state" (i.e. SSL libraries missing and so on).
>>> 
>>> Where can I file a critical bug ticket? :D
>>> 
>>> --
>>> Eero
>>> 
>>> 2017-11-26 19:53 GMT+02:00 Daniel <dan...@linux-nerd.de>:
>>> 
>>>> I updated 3 firewalls, all without any problems.
>>>> 
>>>> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
>>>> 
>>>>   Just planning to upgrade my sg-8860 from pfSense 2.3 to 2.4. Are there any
>>>>   known issues?
>>>> 
>>>>   It's not such a complex setup, but it's running as our HQ main firewall, so
>>>>   some IPsec and OpenVPN connections are running against it.
>>>> 

Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-29 Thread Steve Yates
Does it work if you uninstall haproxy first?  I know pfSense recommends 
uninstalling packages for "major" version upgrades but (per my past thread here 
) I would think point versions are minor upgrades.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, November 29, 2017 12:02 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

Yes, looks like a very similar problem :)

Eero

2017-11-29 18:59 GMT+02:00 Tom Müller-Kortkamp <tmu...@kommunity.net>:

> Did you have any packages installed?
> I filed this bug 2 days ago:
> https://redmine.pfsense.org/issues/8135
>
> > On 29.11.2017 at 00:11, Steve Yates <st...@teamits.com> wrote:
> >
> > https://redmine.pfsense.org/ is the bug tracker.
> > https://www.netgate.com/support/contact-support.html for tech support.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
> > Sent: Monday, November 27, 2017 12:37 AM
> > To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; j...@netgate.com
> > Subject: Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
> >
> > Hi,
> >
> > Looks like the "online" upgrade (2.3.5 -> 2.4.2) trashes the sg-8860 unit into a
> > "non-working state" (i.e. SSL libraries missing and so on).
> >
> > Where can I file a critical bug ticket? :D
> >
> > --
> > Eero
> >
> > 2017-11-26 19:53 GMT+02:00 Daniel <dan...@linux-nerd.de>:
> >
> >> I updated 3 firewalls, all without any problems.
> >>
> >> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
> >>
> >>    Just planning to upgrade my sg-8860 from pfSense 2.3 to 2.4. Are there any
> >>    known issues?
> >>
> >>    It's not such a complex setup, but it's running as our HQ main firewall, so
> >>    some IPsec and OpenVPN connections are running against it.
> >>

Re: [pfSense] pfSense 2.4.2 release

2017-11-22 Thread Steve Yates
They emailed partners, since we got an email yesterday afternoon.  It just came 
out since I upgraded a router to 2.4.1 overnight Monday night.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Wednesday, November 22, 2017 10:50 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense 2.4.2 release

Tis. And it works. I’m surprised I didn’t get a notification.

> On Nov 22, 2017, at 3:30 AM, Doug Lytle <supp...@drdos.info> wrote:
> 
> I just noted that it's out.
> 
> pfSense 2.4.2 
> <https://www.netgate.com/blog/pfsense-2-4-2-release-now-available.html>
> 
> Doug
> 
> 

Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-22 Thread Steve Yates
Any chance it had a 32 bit install and you manually upgraded to 64?  I believe 
pfSense recommends a wipe and reinstall in that case.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Liwei
Sent: Wednesday, November 22, 2017 8:08 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfSense 2.4 consistently crashes daily

On Tue, 21 Nov 2017 at 01:08 WebDawg <webd...@gmail.com> wrote:

> It should work though.  A great many people virtualize pfSense:
>
> https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi
>
> Here is some more information:
>
> https://doc.pfsense.org/index.php/VirtIO_Driver_Support
> https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear
> https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox
>
> I know what it is like to ask for support and see people stop helping
> because something is virtualized.  I have seen bad code fail in
> virtualization situations only to hear 'do not virtualize'.
>
> From what I know, BSD has trouble with NIC interfaces and such.  Do
> you have any limiters or QOS installed?  I would take a look at the
> nic interfaces first.  Can you actively monitor the log to look for
> errors once the VM is booted?
>
> I virtualized pfSense on proxmox about a year ago and BSD hated the
> cpu timers and such.  I would get so many issues from it until I
> figured it out but everything was plain as day in the kernel messages
> that were outputted.
>
> There is an ova file available via the gold subscription:
>
> https://doc.pfsense.org/index.php/VMware_Appliance
>
> You need to get more information for me to help further.  It would be
> great to get a copy of some logs.
>
> Here is a XenServer thread:
> https://forum.pfsense.org/index.php?topic=88467
>
> Last time I virtualized the big deal was hvm nic vs pvhvm NIC.  You
> could do limiters on one (I think hvm) but the NIC's become CPU bound
> because of how HVM works.  I could only push like 10-30 mbits out of
> an i3 processor.
>
> I do not know if this has been solved, or if it is solvable.  pfSense
> follows FreeBSD so most of the fixes for this come from FreeBSD,
> though pfSense had/has some of its own kernel hacks.
>
>
>
Hi Vick, thanks for the assistance, nonetheless!

Hi WebDawg,
Yeah, I guessed as much that the problem should be on my side, because
something this fatal should already be widely reported.

I don't have any limiters or QoS set. I've set up logging of the serial
port so at least I know what the events leading up to the crash are.
Nothing interesting though, it just... happens. How do I set up log
monitoring? My guess is I'll probably have to turn on remote syslog and log
over. Will set up when I get the chance.

The odd thing is this is a 7+ years old setup (but we did do a fresh
install of 2.3 when we upgraded hardware 1+ years ago), and we never had
any serious issues. In fact it was purring along nicely on 2.3 since it was
first installed, until we upgraded to 2.4.

I'm pretty confident of the hardware since it is only a year old, the
other VMs are not having any issues, and reverting to 2.3 works fine. Thus
based on a hunch I decided to remove a couple of bridge interfaces
(bridging our oVPN tap interfaces to the main and private LANs) when I sent
my first email to the list.

The crashes haven't occurred since then for 2 days. I'm not sure if it
is a coincidence or not, but it does seem like my configuration may be
triggering some bug. Or I may have mis-configured something.

I'll continue to iterate things around to narrow down the problem, but
given that I have to wait a few days after each change to be sure on
whether it crashes or not, any suggestion is very welcome!

Warm regards,
Liwei
-- 
Clear Skies,
Liwei
Co-Founder, CTO
TinyMOS <http://tinymos.com/>
21 Heng Mui Keng Terrace, Level 1 The Hangar, Singapore 119613


Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Steve Yates
Ah yes, System/Advanced/Networking, Allow IPv6.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Tuesday, November 21, 2017 12:42 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense ipv6 not working

You also need to enable it in the Settings... tick the IPv6 box.

On 21.11.17, 19:38, "List on behalf of Steve Yates" 
<list-boun...@lists.pfsense.org on behalf of st...@teamits.com> wrote:

Starting at the top level, do you have a firewall rule allowing ICMP for 
IPv6?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Monday, November 20, 2017 1:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense ipv6 not working

Hi List,

Running IPv6 with DHCPv6 from the ISP, and it works on my laptop without pfSense,
but in the pfSense shell I cannot even ping other network addresses than the gw:

ping6 fe80::208:20ff:fe4e:1c1b
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms

and when trying to ping google:

ping6 2a00:1450:4001:820::200e
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
^C
--- 2a00:1450:4001:820::200e ping6 statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss

WAN configuration is using DHCPv6



Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Steve Yates
Starting at the top level, do you have a firewall rule allowing ICMP for IPv6?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Monday, November 20, 2017 1:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense ipv6 not working

Hi List,

Running IPv6 with DHCPv6 from the ISP, and it works on my laptop without pfSense,
but in the pfSense shell I cannot even ping other network addresses than the gw:

ping6 fe80::208:20ff:fe4e:1c1b
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms

and when trying to ping google:

ping6 2a00:1450:4001:820::200e
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
^C
--- 2a00:1450:4001:820::200e ping6 statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss

WAN configuration is using DHCPv6

--
Eero


Re: [pfSense] Packetloss

2017-11-16 Thread Steve Yates
I don't have a specific answer but if you know the setting you can try the 
System > Advanced, System Tunables page.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Thursday, November 16, 2017 6:36 AM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: [pfSense] Packetloss

Hi there,

as some of you guys know I had a lot of packet loss. It is/was because the WAN 
interface runs full of traffic.

Normally the behaviour is that no packets get dropped. They get queued, as I 
understand it, and the ping RTT increases extremely.

It seems I need to increase the TCP buffer size.

Is there any way in pfSense to increase the buffer size?

Cheers

Daniel



Re: [pfSense] FreeNAS Jail Connection

2017-11-13 Thread Steve Yates
Try turning on logging of the default block rules to see if it is in fact being 
blocked.  Alternatively, if you add firewall rules allowing all traffic to/from 
the NAS does it work?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Travis Hansen
Sent: Saturday, November 11, 2017 11:09 AM
To: PfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] FreeNAS Jail Connection

I cannot get pfSense to 'talk' to a jail running on a FreeNAS machine.  If I 
recall correctly a while back I did some tcpdumps in the jail and saw both 
incoming and outgoing icmp traffic but pfSense seems to ignore/throw it away or 
something.  I know I'm not the only one who's seen this because someone on the 
#freenas mentioned they had the same thing.
Anyone have any ideas on how it might be resolved?
Travis Hansen
travisghan...@yahoo.com

Re: [pfSense] CARP Demotion Not Working

2017-11-03 Thread Steve Yates
Are you using the "enter persistent maintenance mode" here?  I'm trying 
to remember when I looked at this a couple years ago but overall if we shut 
down node A, node B takes over, and when A boots up it becomes Master again.  
However if I enter maintenance mode first (forcing B to Master) then B stays as 
Master after A comes up again.

I have seen the occasional situation where we exit maintenance mode and 
the IPv6 CARP WAN IP ends up with *both* routers showing as Master, but at that 
point I restart node B and it clears out (we have CARP IPs for two LANs and a 
WAN, and both IPv4 and IPv6, on two virtualized routers).

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Andrew Kester
Sent: Friday, November 3, 2017 10:49 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] CARP Demotion Not Working

An update on this, if the master node is rebooted during a failure, the 
secondary node takes over correctly and remains the master as would be 
expected.

This makes me think that the priority is set correctly but the second 
node for some reason isn't honoring the advskew set by the master correctly.

To illustrate what I mean-

-------------------------------------------------------------------------
| Node A | Node B |
-------------------------------------------------------------------------
| M M    | B B    | Normal, Node A is master on all CARP IPs
| M X    | B M    | Failure, incorrect though.  Node B should be master.
| - -    | M M    | Node A offline, B takes over as master correctly
| B X    | M M    | After restart, correct behavior.  Node B is master.
-------------------------------------------------------------------------
M - Master
X - Down
B - Backup

I've also run through the CARP troubleshooting guide here to no avail. 
https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting

Let me know if you need more information or clarification, I'm not sure 
the best way to illustrate / communicate my problem.

---
Thanks,

Andrew Kester
The Storehouse
https://sthse.co

On 11/1/17 3:30 PM, Andrew Kester wrote:
> Hi List,
> 
> I'm having an issue with CARP preempt.  I have two pfSense machines 
> running 2.4.1-RELEASE.  CARP fails over all individual IPs correctly, 
> but doesn't preempt correctly in the case of a single failure.
> 
> On both machines, I've checked that net.inet.carp.preempt is enabled. 
> The master appears to be detecting the demotion, as it sets 
> net.inet.carp.demotion to 240 during a failure, but ifconfig still 
> reports advskew as 0.
> 
> I'm not 100% sure if that number should update, or if the demotion 
> number is added to the advskew reported by ifconfig.
> 
> Relevant sysctl, ifconfig, and log output taken from the master firewall 
> during a failure is attached.
> 
> Any help is greatly appreciated!
> 
> ---
> Thanks,
> 
> Andrew Kester
> The Storehouse
> https://sthse.co
> 
> 

Re: [pfSense] malformed packets

2017-10-30 Thread Steve Yates
I saw your question but didn't see an answer...  Have you considered Suricata 
or Snort to see if they can detect and block off the traffic?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of 
mad.scientist.at.la...@tutanota.com
Sent: Friday, October 20, 2017 7:24 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] malformed packets

Is there any way I can block malformed packets and drop them rather than being 
used for a DDoS attack?  This is related to LEGAL torrents, i.e. copyleft etc. 
Even running Deluge there is a storm of malformed packets with spoofed IP 
addrs, which then makes my machine send out many, many malformed packets to 
people who didn't even send them.  Gee, I thought doing a DDoS on people was 
illegal, not that it matters in most countries.

Re: [pfSense] CARP Interface does not sync

2017-10-30 Thread Steve Yates
A few thoughts...

When upgrading pfSense recommends upgrading the backup router first.
For the states to sync the interfaces have to have the same names, i.e. same 
NICs in both.

An XML sync error is usually seen when saving changes on the primary router and 
it tries to connect to the backup.  That's different than the interfaces not 
syncing state.  Ensure you're using the username "admin" to sync...even though 
there is a field for the username in the CARP sync settings, pfSense apparently 
uses a hardcoded "admin" instead and ignores the field.

Are you using Suricata or any other packages?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Monday, October 30, 2017 7:33 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] CARP Interface does not sync

Hi there,

I run 2 pfSense boxes which are connected directly on the Sync interface.

pf1 version is 2.4.1 and pf2 version is 2.4.0

I have now created CARP interfaces which are not synced to pf1 automatically. I get 
some XML errors (Syntax Error in XML).

Is there any way to start the sync process manually to check logs or so?

Cheers

Daniel



Re: [pfSense] openvpn restarts when running on secondary node and sync updates come from primary

2017-10-19 Thread Steve Yates
We also get that message logged at the daily rule update for Suricata.  I think 
it just happens when pfSense senses certain types of updates... :-/

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eugenio Modesti
Sent: Thursday, October 19, 2017 6:21 AM
To: list@lists.pfsense.org
Subject: [pfSense] openvpn restarts when running on secondary node and sync 
updates come from primary

Hi,
I've got two pfSense boxes with HA. The OpenVPN server is listening on a CARP IP. I 
assigned the VPN to an interface to set up specific rules and added it to an 
existing interface group. 
Everything works when running on the primary node.
When I put the master in maintenance the secondary takes over correctly and 
OpenVPN clients reconnect to that node. Everything continues to work as 
expected.

The problem is that every time I modify something on the primary, the secondary 
restarts all the packages, dropping the VPN connections. 
The first time I noticed was while assigning interfaces, but it triggers on every 
update (alias, rules).

In the log I see something like:

/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN 
reconnection - 192.168.11.129 -> 192.168.11.129 - Restarting packages.

Why is it restarting even if there was no IP change?

Is there a reason to not check if $oldip != $curwanip? 

// rc.newwanip
function restart_packages() {
	global $oldip, $curwanip, $g;

	/* restart packages */
	log_error("{$g['product_name']} package system has detected an IP change or dynamic WAN reconnection - $oldip ->  $curwanip - Restarting packages.");
	send_event("service reload packages");
}


thanks,
Eugenio
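The guard Eugenio asks about, written out as an added example (not pfSense's own rc.newwanip and not the poster's code). It assumes only the pfSense functions log_error() and send_event() seen in the quoted snippet, stubbing them so the file runs stand-alone; canonical_ip() and wan_ip_changed() are names made up for this example.

```php
<?php
// Added example, not pfSense's rc.newwanip: restart_packages() with a
// "did the WAN address really change?" guard. log_error() and send_event()
// are pfSense's functions (as used in the quoted snippet); they are stubbed
// here so the file also runs under plain PHP CLI outside pfSense.
if (!function_exists('log_error')) {
    function log_error($msg) { fwrite(STDERR, "[log] $msg\n"); }
}
if (!function_exists('send_event')) {
    function send_event($cmd) { fwrite(STDOUT, "[event] $cmd\n"); }
}
if (!isset($g)) {
    $g = ['product_name' => 'pfSense'];   // stand-in for pfSense's global $g
}

// Canonical binary form of an address, or null if the string is not an IP.
// Comparing binary forms means "2001:DB8::1" and "2001:db8:0:0::1" count as
// the same address, which a plain string comparison would report as a change.
function canonical_ip($ip) {
    $ip = trim((string)$ip);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return inet_pton($ip);
}

// True when the WAN address actually changed. An empty or unparseable old
// address (first run, or a WAN that only just came up) counts as a change,
// so the original "always restart" behaviour is kept for those cases.
function wan_ip_changed($oldip, $curwanip) {
    $old = canonical_ip($oldip);
    $cur = canonical_ip($curwanip);
    if ($old === null || $cur === null) {
        return true;
    }
    return $old !== $cur;
}

// Same shape as the quoted function, plus the guard. Returns true when a
// package restart was requested and false when it was skipped.
function restart_packages() {
    global $oldip, $curwanip, $g;

    if (!wan_ip_changed($oldip, $curwanip)) {
        log_error("{$g['product_name']} package system: WAN IP unchanged "
            . "($curwanip) - not restarting packages.");
        return false;
    }

    /* restart packages */
    log_error("{$g['product_name']} package system has detected an IP "
        . "change or dynamic WAN reconnection - $oldip -> $curwanip - "
        . "Restarting packages.");
    send_event("service reload packages");
    return true;
}

// Constructed walkthrough using the address from the poster's log line.
$oldip = '192.168.11.129'; $curwanip = '192.168.11.129';   // no-op sync: same address
var_dump(restart_packages());
$oldip = '192.168.11.129'; $curwanip = '192.168.11.130';   // genuine change
var_dump(restart_packages());
$oldip = '';               $curwanip = '192.168.11.129';   // no previous address
var_dump(restart_packages());
```

Run it with `php` from the command line; on a real box the decision of where to place such a guard belongs upstream, since other callers of the package-restart path may rely on the unconditional restart.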


Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-11 Thread Steve Yates
Lurking on by...if you ever want traffic stats by IP address, without a proxy, 
check out the BandwidthD package.
https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage


--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam Cage
Sent: Wednesday, October 11, 2017 3:06 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for 
cell phones

...
Squid also let me have web traffic statistics with its logs.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfSense virtualisation

2017-10-11 Thread Steve Yates
What Lars wrote.  

https://doc.pfsense.org/index.php/VirtIO_Driver_Support
https://forum.pfsense.org/index.php?topic=88467.0

YMMV...with Virtuozzo 7 (KVM) I found VirtIO worked but I could not get the 
Intel or Realtek drivers to pass traffic.  The opposite of Virtuozzo 6 as I 
recall.  Also perhaps specific to Virtuozzo was that I had to use some special 
startup parameters to get pfSense to install and boot.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Lars Wuerfel
Sent: Wednesday, October 11, 2017 8:38 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] pfSense virtualisation

Hi Daniel,

On 10/10/2017 09:51 PM, Daniel wrote:
> Hi there,
> 
> I'm thinking about removing my 2 hardware firewalls and virtualizing them with KVM 
> on different host servers.

I have several pfSense instances running on KVM/QEMU for two years now
successfully, but no HA at the moment.

I had to
   "Disable hardware checksum offload",
   "Disable hardware TCP segmentation offload"
and
   "Disable Large Receive Offloading"

otherwise the performance is very poor.

HTH
Lars
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Every so often I am seeing "[zone: pf frag entries] PF frag entries limit reached" on my monitor attached to my pfsense box.

2017-10-03 Thread Steve Yates
Not having run into this I searched out of curiosity.

Suggests fixing the issue rather than upping the limit: 
https://forum.pfsense.org/index.php?topic=92495.0

and https://forum.pfsense.org/index.php?topic=109601.0 mentions "MSS clamping 
may be required to reduce the effective MTU of the VPN" from 
https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Packet_Loss_with_Certain_Protocols.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Hillie Sample
Sent: Monday, October 2, 2017 3:57 PM
To: list@lists.pfsense.org
Subject: [pfSense] Every so often I am seeing "[zone: pf frag entries] PF frag 
entries limit reached" on my monitor attached to my pfsense box.

Every so often I am seeing "[zone: pf frag entries] PF frag entries 
limit reached" on my monitor attached to my pfsense box.

I increased System > Advanced, Firewall & NAT tab, "Firewall Maximum 
Fragment Entries" to 8192 from the default value of 5000 (Thanks Jim 
Pingle for the tip).

I rebooted and unfortunately I am still having the message appear every 
so often.

Should I increase the limit even higher?

Memory, CPU and swap use is all very low.

2.3.4-RELEASE-p1 (amd64)
built on Fri Jul 14 14:52:43 CDT 2017
FreeBSD 10.3-RELEASE-p19

Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz
Current: 3300 MHz, Max: 3301 MHz
4 CPUs: 1 package(s) x 4 core(s)

4GB Ram

I am using openvpn.

Any advice/suggestions appreciated.

Thanks,

Hillie

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Open ports between subnets

2017-10-02 Thread Steve Yates
Do you have the option to block private networks on both interfaces turned off?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Antonio
Sent: Saturday, September 30, 2017 7:05 PM
To: list@lists.pfsense.org
Subject: [pfSense] Open ports between subnets

Hi,

I have a media app called EMBY on my Android phone (Android 7.1) connected
via the pfSense WiFi network (192.168.3.x). It should try to connect to my
server on the wired LAN at 192.168.2.X but doesn't appear to do so for some
reason. I inspected the firewall logs and they say that packets from
192.168.3.7 (phone) to 192.168.3.1 are blocked. It's almost as if the
packets couldn't get past the WiFi gateway into the 192.168.2.X subnet even
though I have a rule set up on the WiFi interface that:

a) allows a PASS for IPv4* packets with source "LAN net" to destination
* -> "Default allow LAN to any rule"

b) allows IPv4 from 192.168.3.X any port to 192.168.2.2 any port

There must be something that I am missing but I can't get my head around it.

Note that the DHCP server on pfSense is assigning 192.168.3.7 to the phone by
default via MAC address identification, so it's not a DHCP problem.

Any clues on what I could be missing? Why are the packets getting
blocked at 192.168.3.x? In the logs, there appear to be a lot of
requests from random ports on the mobile device to port 53.

Note that I have another device on the wifi network (a little Adafruit
ESP device logging  temperature) that is not having these problems and
is getting to the server no problem.

I hope you guys can help me work out what is wrong.

Thanks

Antonio

-- 

Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.

2017-09-27 Thread Steve Yates
So you have both dual WAN and CARP?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of dayer
Sent: Wednesday, September 27, 2017 2:43 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Multi-WAN and HA. Established connections through a not 
default gateway are broken when I disable CARP in the master unit.

2017-09-27 20:29 GMT+02:00 Steve Yates <st...@teamits.com>:
> I'm not sure if I am following you correctly, but the WAN CARP IP has 
> to be the same on both routers.  So router1 has a WAN of a.a.a.a and CARP of 
> a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b.  Same thing 
> with the LAN IPs.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
>> If I had to guess: Are you using a CARP address for outbound NAT?  If
>> not then the connections *will* break on failover.
>
>
> Thanks for your reply, Jon :)
>
> Yes, I'm using CARP addresses from each WAN for outbound NAT:
> - WLAN1 CARP, for WLAN1
> - WLAN2 CARP, for WLAN2
>
> In addition, when the *new* master unit routes the established
> traffic, it continues doing the previous NAT according to the state
> synchronised from the previous master. So it continues doing outbound
> NAT with the WLAN2 CARP address, but trying to route through WLAN1.
> This proves that the new master unit has the synchronised states, but
> it tries to route the established connections according to the routing table
> and not to the firewall rules.

Hi Steve! Exactly. It doesn't matter, I know this behavior is somewhat
difficult to explain.

In my example, according to the diagram from [1]:

PC:
- LAN: 192.168.2.1
- GW: 192.168.2.10

Pfsense1:
- LAN: 192.168.2.11
- LAN CARP: 192.168.2.10
- WAN1: 192.168.56.11
- WAN1 CARP: 192.168.56.10
- GW1: 192.168.56.1 (default)
- WAN2: 192.168.57.11
- WAN2 CARP: 192.168.57.10
- GW2: 192.168.57.1

Pfsense2:
- LAN: 192.168.2.12
- LAN CARP: 192.168.2.10
- WAN1: 192.168.56.12
- WAN1 CARP: 192.168.56.10
- GW1: 192.168.56.1 (default)
- WAN2: 192.168.57.12
- WAN2 CARP: 192.168.57.10
- GW2: 192.168.57.1

Outbound NAT settings, something like:
- LAN→WAN1→WAN1 CARP
- LAN→WAN2→WAN2 CARP

Initially (Pfsense1 master; Pfsense2 backup; traffic from LAN is
routed through GW2 according to a firewall rule):
SSH from PC → LAN → WAN2 (NAT with WAN2 CARP) → GW2

If I disable CARP in Pfsense1, Pfsense2 is the new master and:
- The *established* connections do this path (wrong):
PC → LAN → WAN1 (WAN2 CARP) → GW1
- The *new* connections do this path (right):
PC → LAN → WAN2 (WAN2 CARP) → GW2


Regards,


[1]: https://forum.pfsense.org/index.php?topic=136739.msg749477#msg749477
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
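The failure dayer describes is an asymmetry between what the synced state carries (the NAT source address chosen on the old master by a policy-routing rule) and what the new master's routing table picks as the egress interface. The following is an added diagnostic illustrating that check with the addressing from this thread; it is not pfSense or pfsync code, the state-table format is a constructed simplification, and the function and variable names are assumptions. It takes a constructed list of synced states and flags each one whose NAT address belongs to a different WAN than the interface the new master would route the reply traffic through.

```python
"""Flag synced states whose NAT address and egress WAN disagree.

Added diagnostic for the Multi-WAN + CARP failover thread (not pfSense or
pfsync code). After failover the new master keeps the state's NAT address
(WAN2 CARP) but, absent the policy-routing rule's decision, routes by the
routing table (default gateway on WAN1). Such states are the ones that break.
"""
import ipaddress

# Addressing from the thread
CARP_BY_WAN = {"WAN1": "192.168.56.10", "WAN2": "192.168.57.10"}
DEFAULT_WAN = "WAN1"   # GW1 (192.168.56.1) on WAN1 is the default gateway


def wan_for_nat_address(nat_ip):
    """Map an outbound-NAT source address back to the WAN it belongs to."""
    for wan, carp in CARP_BY_WAN.items():
        if nat_ip == carp:
            return wan
    return None


def egress_by_routing_table(dst_ip, routes=None):
    """Longest-prefix match over a {network: wan} table; default route otherwise.

    `routes` models static routes only; policy-routing rules are deliberately
    absent because that is what the new master ignores for existing states.
    """
    routes = routes or {}
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, wan in routes.items():
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, wan)
    return best[1] if best else DEFAULT_WAN


def find_misrouted_states(states, routes=None):
    """States are dicts with src, dst, dport and nat_src (what pfsync carried).

    Returns (state, wan_of_nat_address, wan_chosen_by_routing) per mismatch.
    """
    problems = []
    for st in states:
        nat_wan = wan_for_nat_address(st["nat_src"])
        route_wan = egress_by_routing_table(st["dst"], routes)
        if nat_wan and nat_wan != route_wan:
            problems.append((st, nat_wan, route_wan))
    return problems


# Constructed synced states (not from the thread): an SSH session that was
# policy-routed via WAN2 before failover, and a web session that used WAN1.
SYNCED_STATES = [
    {"src": "192.168.2.1", "dst": "203.0.113.7", "dport": 22, "nat_src": "192.168.57.10"},
    {"src": "192.168.2.1", "dst": "198.51.100.9", "dport": 443, "nat_src": "192.168.56.10"},
]

if __name__ == "__main__":
    for st, nat_wan, route_wan in find_misrouted_states(SYNCED_STATES):
        print(f"{st['src']} -> {st['dst']}:{st['dport']}: NAT address is on "
              f"{nat_wan} but the routing table sends it out {route_wan}")
```

Feeding the same states with a static route for the SSH destination via WAN2 makes the mismatch disappear, which is the reason routing-table knowledge (rather than a policy rule alone) survives a failover in this model.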

Re: [pfSense] Multi-WAN and HA. Established connections through a not default gateway are broken when I disable CARP in the master unit.

2017-09-27 Thread Steve Yates
I'm not sure if I am following you correctly, but the WAN CARP IP has 
to be the same on both routers.  So router1 has a WAN of a.a.a.a and CARP of 
a.a.a.b, and router2 has a WAN of a.a.a.c and CARP of a.a.a.b.  Same thing with 
the LAN IPs.

--

Steve Yates
ITS, Inc.

-Original Message-
> If I had to guess: Are you using a CARP address for outbound NAT?  If
> not then the connections *will* break on failover.


Thanks for your reply, Jon :)

Yes, I'm using CARP addresses from each WAN for outbound NAT:
- WLAN1 CARP, for WLAN1
- WLAN2 CARP, for WLAN2

In addition, when the *new* master unit routes the established
traffic, it continues doing the previous NAT according to the state
synchronised from the previous master. So it continues doing outbound
NAT with the WLAN2 CARP address, but trying to route through WLAN1.
This proves that the new master unit has the synchronised states, but
it tries to route the established connections according to the routing table
and not to the firewall rules.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPv6?

2017-09-20 Thread Steve Yates
IPv6 has multiple configuration protocols and I'm not sure I have my 
head around them all either.  Generally speaking, addressing is handled by a 
router because it's supposed to be handing out an address assigned by an 
upstream router, so IPs are assigned geographically making large router tables 
unnecessary.  IPv6 doesn't have NAT so every PC gets a public IP and the 
firewall blocks traffic to/from the outside world.  So in your case pfSense 
should be getting an IPv6 from Comcast, and requesting a subnet from Comcast to 
assign to PCs on your LAN.

So if your goal is to have a private IPv6 range on your LAN you should 
probably give up on that and just disable IPv6 on pfSense and you're done.  
That way PCs can use the Windows domain controller for DNS.

Windows has DHCP for IPv6 but the short version is it won't work...as I 
vaguely recall, the spec is something like: because it's not a router, it can 
only assign a /128 address and mask, so no PC can talk to other PCs on the LAN. 
 IPv6s would have to be entered on the PCs manually, or let them get IPv6 from 
pfSense...but then you're back to needing DNS to point to the Windows server.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Michael Munger
Sent: Wednesday, September 20, 2017 11:48 AM
To: list <list@lists.pfsense.org>
Subject: [pfSense] IPv6?

TL;DR - I think pfSense should be blocking DHCP6 requests (or responding
directly), but I am still getting my ISP's IPv6 address for DNS on
machines behind the pfSense firewall. This causes lookup problems since
their DNS server is not reliable. I suspect I have a bad config in my
pfSense firewall (user error), and need guidance on how to resolve this.

Background:

I have severe problems with IPv6. Most of the IPv6 requests time out,
forcing anything that is IPv6 enabled to fall back to IPv4. There's
nothing wrong with IPv4, but, the timeout is supremely annoying.

NOTE: I understand there is a difference between pfSense and DHCP
requests from a client machine. My IPv6 skills are not as strong as my
IPv4 skills, so my solution has been to disable IPv6 on any machine that
has a problem. But that's a bandaid, and not a good solution.

Symptoms:

I seem to be getting a DNS server of
2603:3001:3805:10f0:223:7dff:fe3b:73ac, which is my ISP's DNS Server
(Comcast). I cannot figure out where this is coming from. It appears to
be coming from Comcast, THROUGH pfSense. How is this DHCP request
traversing pfSense to the WAN? I have a local Windows server, with an
fe80:: address, which is a DNS server also. Not sure why this is not
being set as DNS via DHCP6 (different issue).

What I want:

I need to stop the timeouts by controlling where the lookups go (which
servers are getting served in the DHCP6 requests), which cause the
network to bottleneck and requests to take forever.

Is there an IPv6 guide / tutorial that I have been unable to find with
Google? I would like to be able to configure pfSense to ignore / block
any upstream DNS servers when DHCP6 requests go out. Or, in the
alternative, control where they go so I can point them at either my
Windows DNS or a bind9 server (or even the resolver in pfSense). 
Perhaps pfSense is forwarding the requests upstream instead of
responding itself?
-- 
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com <mailto:mich...@highpoweredhelp.com>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] bandwithd

2017-08-31 Thread Steve Yates
For what it's worth we installed this package yesterday and had no issues.  All 
we did was Enable BandwidthD, and set "Subnet(s) for Statistics Collection" to 
LAN.

I noticed the package installation does have a warning at the end that no one 
is maintaining bandwidthd (the FreeBSD package, I think) anymore.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Tuesday, August 22, 2017 5:15 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] bandwithd

Hi there,

I installed BandwidthD through the Package Manager. After setting up BandwidthD I got 
an error when I try to access BandwidthD:

Fatal error: Call to undefined function read_package_configurationfile() in 
/usr/local/www/guiconfig.inc on line 1053 Call Stack: 0. 226984 1. {main}() 
/usr/local/www/diag_bandwidthd.php:0 0.0243 3592344 2. add_package_tabs() 
/usr/local/www/diag_bandwidthd.php:29 PHP ERROR: Type: 1, File: 
/usr/local/www/guiconfig.inc, Line: 1053, Message: Call to undefined function 
read_package_configurationfile()

Is there any known issue? I am looking for a way to count traffic for each 
IP.

--
Regards

Daniel
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] rules were ignored.

2017-08-21 Thread Steve Yates
"Inside" is an interface per his description.

Greg, did you reboot before upgrading?  It doesn't really help now but I wonder 
if rebooting would have fixed it.  Agreed it seems weird.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of PiBa
Sent: Monday, August 21, 2017 12:47 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>; greg 
whynott <greg.whyn...@gmail.com>
Subject: Re: [pfSense] rules were ignored.

Hi,
As you probably know pfSense rules don't apply to 'zones' as some 
firewalls do.
So I'm wondering what the actual rule set is for the configuration of 
these 3 items on wifi?

1. Allow from wifi to inside webmail server on port 443/80.
2. Block all from wifi to inside any any.
3. Allow from wifi to internet any any.

Okay, the first one is easy, it's a simple pass rule with a specific destination.
The second one is a bit more interesting: how is 'inside' defined?
And then the third could be the most prone to mistakes: how did you define 
'to internet'? Like 'destination NOT 192.168/16' or something similar?
Also are any proxies or other gateway/advanced configurations used?
Though the only reason I think something might 'disappear' or change kind of 
spontaneously is if the rules have a gateway defined that went down.

Can you describe the rules in detail?

Regards
PiBa-NL

Op 21-8-2017 om 19:20 schreef greg whynott:
> First time for me as well.  I want to believe it was induced by a human, but
> there is no evidence of it on the surface.   Perhaps there is something in the
> logs which would indicate what happened, but I'm not sure for how long
> those rules went dark.
>
>   I'm deploying an instance of zabbix in the wifi zone to test inward
> readability,  the DMZ's already have zabbix hosts so will configure those
> to do so as well.I failed to mention in OP,   this issue was only
> related to the wifi zone.  The DMZ/inside/outside policies were functioning
> as expected.
>
> -greg
>
>
>
>
> On Mon, Aug 21, 2017 at 12:45 PM, Moshe Katz <mo...@ymkatz.net> wrote:
>
>> I know that negative experience isn't so helpful to diagnose an issue, but
>> we have a very similar setup that's been in place for over 10 years, and
>> we've never seen such a thing.
>>
>> Moshe
>>
>>
>>
>> On Mon, Aug 21, 2017 at 12:09 PM, greg whynott <greg.whyn...@gmail.com>
>> wrote:
>>
>>> I'm not seeking help but rather thought I'd share an experience we had
>> last
>>> week which has caused quite a hit on the confidence levels of pfSense.
>>>
>>> I tried to find where it may have been human error but saw no evidence of
>>> such.  Happy to upload logs to any member of the team should they care to
>>> investigate for their own reasons.
>>>
>>>
>>>
>>> We have pfsense with 5 zones connected to the internet via gigabit, all
>>> physical interfaces.  From time to time we'll saturate the line for days
>> at
>>> a time,  keeping pfsense busy (media co).
>>>
>>> Zones:
>>> Inside
>>> Outside
>>> WiFi
>>> DMZ1
>>> DMZ2
>>>
>>>
>>>
>>> The zone of concern is the WiFI zone.   Its rule set is very simple.
>>>
>>> 1. Allow from wifi to inside webmail server on port 443/80.
>>> 2. Block all from wifi to inside any any.
>>> 3. Allow from wifi to internet any any.
>>>
>>>
>>> This was tested when the policy was put into place last winter and
>>> functioned as expected. Fast forward,  140 days up-time at this
>> point.
>>>
>>> Helpdesk staff informs me people on the wifi are able to mount internal
>>> CIFS shares and browse internal web resources.
>>>
>>> I look at it,  verify this is the case using tcpdump on the wifi
>>> interface.
>>>
>>> look at the rules,  disable and re-enable them,  nothing changes.
>>>
>>> There is an update waiting to be applied.  We apply the update and
>> reboot.
>>> (in hindsight, wish we didn't but were getting the "fix asap!!" message)
>>>
>>> when it comes up again,  all is back to "normal".  Policy is being
>>> respected.
>>>
>>>
>>> It seems as if at some point the policy stopped working,  even a
>> flip/flop
>>> of the rule set didn't help.  No one has made changes in that zone since
>>> the device was deployed.
>>>
>>>
>>> As you can imagine this is a cause of huge concern for us.  I've been
>> using
>>> pfSense for about 11 years and this was quite the blow..  I hope it was
>>> something we did,  but I can't think of how things could become so broken
>>> that disabling the rule then re enabling it did nothing to correct...
>>>
>>>
>>> Has anyone else experienced policy 'failing' after a period of time?
>>>
>>> take care,
>>> greg
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
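PiBa's question about how 'inside' is defined is the crux of this thread: pfSense evaluates the rules on an interface top to bottom and the first match wins, so a destination that rule 2's 'inside' definition does not cover is never blocked and falls through to the "allow to internet any any" rule. The following is an added model of that evaluation for the three WiFi rules quoted above; it is not pfSense or pf code, the addresses are constructed, and the rule and function names are assumptions. It shows the same CIFS host being passed or blocked depending solely on how narrowly 'inside' is defined.

```python
"""First-match evaluation of the three-rule WiFi ruleset from the thread.

Added illustration, not pfSense code. Interface rules in pfSense are
evaluated top to bottom with the first match winning, so the scope of the
'inside' destination in rule 2 decides whether an internal host is blocked
or reaches the catch-all 'to internet' rule 3.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    dst_nets: List[str]              # destination networks; ["any"] matches all
    dst_ports: Optional[set] = None  # None means any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        net_ok = any(n == "any" or ip in ipaddress.ip_network(n)
                     for n in self.dst_nets)
        port_ok = self.dst_ports is None or dst_port in self.dst_ports
        return net_ok and port_ok


def evaluate(rules: List[Rule], dst_ip: str, dst_port: int):
    """Return (action, rule name) of the first matching rule; default deny."""
    for r in rules:
        if r.matches(dst_ip, dst_port):
            return r.action, r.name
    return "block", "default deny"


# Constructed hosts (not from the thread)
WEBMAIL = "10.0.0.25"
FILESERVER = "10.0.5.40"       # CIFS host on a second internal subnet
INTERNET_HOST = "93.184.216.34"


def wifi_rules(inside_nets: List[str]) -> List[Rule]:
    """The three rules from the thread, with 'inside' supplied by the caller."""
    return [
        Rule("1 allow wifi->webmail", "pass", [WEBMAIL + "/32"], {80, 443}),
        Rule("2 block wifi->inside", "block", inside_nets),
        Rule("3 allow wifi->internet", "pass", ["any"]),
    ]


def audit(inside_nets: List[str], flows):
    """Decide each (dst_ip, dst_port) flow under a given 'inside' definition."""
    rules = wifi_rules(inside_nets)
    return {flow: evaluate(rules, *flow) for flow in flows}


if __name__ == "__main__":
    flows = [(WEBMAIL, 443), (FILESERVER, 445), (INTERNET_HOST, 443)]
    for label, inside in [("inside = 10.0.0.0/24 only", ["10.0.0.0/24"]),
                          ("inside = all RFC 1918",
                           ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])]:
        print(label)
        for flow, decision in audit(inside, flows).items():
            print("  ", flow, "->", decision)
```

With 'inside' defined as a single /24, the file server on 10.0.5.0/24 is passed by rule 3 exactly as greg's helpdesk reported; widening 'inside' to the full private ranges makes rule 2 catch it while the webmail exception in rule 1 still works.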


Re: [pfSense] Routing Vlan

2017-08-17 Thread Steve Yates
On the interface(s) is "Block private networks" checked?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WolfSec-Support
Sent: Thursday, August 17, 2017 3:31 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Routing Vlan

Hi,

- does the test client .50.20 have the .50.1 as its default gateway?
- does the L3 switch know in its routing table that the 192.168.0.0/24 network
is behind .50.2?
- check the pfSense NAT setup - maybe NAT on pfSense causes this? Try disabling
NAT here for a test
- also check routes on pfSense

BR
Stephan


2017-08-17 0:00 GMT+02:00 Getzan Avila <get...@gmail.com>:

> Hi List,
>
> I will appreciate all your help.
>
> I'm setting up a VLAN scenario with an L3 switch, creating a VLAN50 (Voice)
> with IP 192.168.50.1 in the switch. The pfSense LAN is 192.168.0.1 and
> the pfSense VLAN50 IP is 192.168.50.2. I can ping the host in the VLAN50
> and vice versa. But when I tried to access the server at the LAN IP
> 192.168.0.201, I received this error:
>
> VLAN50 udp 192.168.50.20:9301 -> 192.168.0.201:9300 NO_TRAFFIC:SINGLE
> 1.207
> K / 0 165 KiB / 0 B
>
> I set up in the firewall on the LAN interface accept all IPv4 traffic for
> VLAN50 and the same for VLAN50 to LAN.
>
>
> Thanks in advance.
>
> regards
>
> Getzan
> 

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] 2.3.2 upgrade only offers 2.3.3_1

2017-07-28 Thread Steve Yates
What happens if you try the fix for my "Update to 2.3.4(_1) fails (Not Found)" 
thread?

"https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

I did that procedure as stated (switch to dev, check for update via SSH, 
cancel, switch to stable) and the update installs now."

I am wondering if the update check is not always picking up newer update info 
for some reason.

To answer your question I know I've skipped revisions before.  I am fairly 
certain I've skipped minor versions also.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Brian Candler
Sent: Friday, July 28, 2017 3:43 AM
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: [pfSense] 2.3.2 upgrade only offers 2.3.3_1

I have an instance of 2.3.2, and when I ask for system updates it only 
tells me that 2.3.3_1 is available - whereas I know 2.3.4_1 has been 
released.

Is that expected? That is, do I need to go stepwise to 2.3.3_1, reboot, 
and then upgrade again?  Or should I have been offered the direct upgrade?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

2017-07-27 Thread Steve Yates
FWIW, I just updated two others from 2.3.3_1 to 2.3.4_1 without this issue.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Tuesday, July 25, 2017 5:35 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

I tried again today and it failed.  I found this post 
https://forum.pfsense.org/index.php?topic=134042.0 which referred to:

https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

I did that procedure as stated (switch to dev, check for update via SSH, 
cancel, switch to stable) and the update installs now.  Log shows:

[1/75] Fetching pfSense-rc-2.3.4_1.txz: . done

Looks like it was maybe stuck looking for 2.3.4 and should have been looking 
for 2.3.4_1?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Monday, July 24, 2017 12:39 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Update to 2.3.4(_1) fails (Not Found)

This happened last week so I thought I'd wait a bit and try again.  I'm 
updating from 2.3.3_1 to 2.3.4_1.

Error: pkg: 
https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not 
Found
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

2017-07-25 Thread Steve Yates
I tried again today and it failed.  I found this post 
https://forum.pfsense.org/index.php?topic=134042.0 which referred to:

https://forum.pfsense.org/index.php?topic=125873.msg695386#msg695386

I did that procedure as stated (switch to dev, check for update via SSH, 
cancel, switch to stable) and the update installs now.  Log shows:

[1/75] Fetching pfSense-rc-2.3.4_1.txz: . done

Looks like it was maybe stuck looking for 2.3.4 and should have been looking 
for 2.3.4_1?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Monday, July 24, 2017 12:39 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Update to 2.3.4(_1) fails (Not Found)

This happened last week so I thought I'd wait a bit and try again.  I'm 
updating from 2.3.3_1 to 2.3.4_1.

Error: pkg: 
https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not 
Found

Remembering earlier conversations, pfSense uses an SRV record for downloading, 
so:

; <<>> DiG 9.10.3-P4 <<>> srv _https._tcp.pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_https._tcp.pkg.pfsense.org.   IN  SRV

;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files01.netgate.com.

;; ADDITIONAL SECTION:
files00.netgate.com.3471IN  A   162.208.119.41
files00.netgate.com.3471IN  2610:1c1:0:6::41
files01.netgate.com.3231IN  A   162.208.119.40
files01.netgate.com.3231IN  2610:1c1:0:6::40

However 
https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz 
shows a 404 error?  https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/ 
does not list that file...it lists several 2.3.4_1 files.

Should a version upgrade go from 2.3.3_1 to 2.3.4 and then to 2.3.4_1, 
which is what I recall from earlier upgrades?  Or straight to 2.3.4_1, in which 
case the upgrader seems to be looking for an old file...?

Update Settings is using Stable (Default) branch.

Log shows:

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Unlocking package pfSense-kernel-pfSense... done.
>>> Downloading upgrade packages... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (129 candidates): .. done
Processing candidates (129 candidates): . done
The following 76 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
(...long list...)

Installed packages to be REINSTALLED:
(...15 packages...)

Number of packages to be upgraded: 61
Number of packages to be reinstalled: 15

The process will require 1 MiB more space.
68 MiB to be downloaded.
pkg: 
https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not 
Found
>>> Locking package pfSense-kernel-pfSense... done.
Failed

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
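The thread's diagnosis rests on two observations: pkg finds the download host through the SRV record for _https._tcp.pkg.pfsense.org, and the directory it lands on holds 2.3.4_1 builds but not the 2.3.4 file it asked for. The following is an added script that reproduces both steps offline; it is not pfSense's or pkg's code. It parses the ANSWER SECTION of the dig output quoted above (embedded as a constructed copy), orders the SRV targets as RFC 2782 directs (lowest priority first, higher weight preferred; the script sorts deterministically rather than picking at random), builds the candidate URLs for the requested path, and then compares the requested file name against a constructed directory listing to show why the fetch returns 404. The function names and the listing contents are assumptions.

```python
"""Trace the pkg download the thread is debugging, offline.

Added example, not pfSense/pkg code: SRV answer -> candidate URLs, then a
check of the requested file name against what the All/ directory holds.
"""
import re
from typing import List, Tuple

# Constructed copy of the ANSWER SECTION from the dig output in the thread.
DIG_OUTPUT = """\
;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files01.netgate.com.
"""

# owner ttl IN SRV priority weight port target
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv(text: str) -> List[Tuple[int, int, int, str]]:
    """Return (priority, weight, port, target) tuples in RFC 2782 try order."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            pri, weight, port, target = m.groups()
            records.append((int(pri), int(weight), int(port), target))
    # Lowest priority first; among equal priorities higher weight is preferred.
    # A real client randomises proportionally to weight; we sort for determinism.
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def candidate_urls(records, path: str) -> List[str]:
    """Build the URL pkg would try on each SRV target, in order."""
    urls = []
    for _pri, _weight, port, target in records:
        scheme = "https" if port == 443 else "http"
        hostport = target if port in (80, 443) else f"{target}:{port}"
        urls.append(f"{scheme}://{hostport}{path}")
    return urls


# Constructed listing of what the thread says All/ held: _1 builds only.
LISTING = [
    "pfSense-rc-2.3.4_1.txz",
    "pfSense-kernel-pfSense-2.3.4_1.txz",
    "pfSense-base-2.3.4_1.txz",
]

# name-version[_revision].txz  (pkg's conventional file naming)
PKG_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>[0-9][^-]*?)(?:_(?P<rev>\d+))?\.txz$")


def explain_missing(requested: str, listing: List[str]) -> dict:
    """Say whether the requested file exists and which builds of the same
    package the listing does offer (the 2.3.4 vs 2.3.4_1 confusion)."""
    m = PKG_RE.match(requested)
    if not m:
        raise ValueError(f"not a pkg file name: {requested}")
    name = m.group("name")
    same_package = [f for f in listing
                    if (fm := PKG_RE.match(f)) and fm.group("name") == name]
    version = m.group("ver") + (f"_{m.group('rev')}" if m.group("rev") else "")
    return {"present": requested in listing,
            "requested_version": version,
            "same_package": same_package}


if __name__ == "__main__":
    path = "/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz"
    for url in candidate_urls(parse_srv(DIG_OUTPUT), path):
        print("would try:", url)
    print(explain_missing(path.rsplit("/", 1)[1], LISTING))
```

The first candidate URL is exactly the files00.netgate.com link that returned 404 in the thread, and the listing check reports the file absent while pfSense-rc-2.3.4_1.txz is present, which is the "looking for an old file" symptom.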


Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

2017-07-25 Thread Steve Yates
Hmm, OK, if my theory is correct those will see the patch OK, but it is the 
2.3.4 file that is missing.

I had just started updating from 2.3.3 but saw that 2.3.4_1 was coming out 
shortly and thought I'd do them together (well, in sequence, but one set of 
reboots) like I have in the past.  So I have one I can do from 2.3.4 but not 
until out of hours.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Doug Lytle
Sent: Tuesday, July 25, 2017 2:28 PM
To: pfSense <list@lists.pfsense.org>
Subject: Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

>>> Hmm, has anyone been able to upgrade from 2.3.x or earlier to 2.3.4_1 since 
>>> its release Thursday?  Or perhaps everyone on this list was on 2.3.4 
>>> already...  :)

All of my systems are currently 2.3.4, I'll be doing updates tonight when I get 
home

Doug
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Update to 2.3.4(_1) fails (Not Found)

2017-07-25 Thread Steve Yates
Hmm, has anyone been able to upgrade from 2.3.x or earlier to 2.3.4_1 since its 
release Thursday?  Or perhaps everyone on this list was on 2.3.4 already...  :)

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Monday, July 24, 2017 12:39 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Update to 2.3.4(_1) fails (Not Found)

This happened last week so I thought I'd wait a bit and try again.  I'm 
updating from 2.3.3_1 to 2.3.4_1.

Error: pkg: 
https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not 
Found

Remembering earlier conversations, pfSense uses an SRV record for downloading, 
so:

; <<>> DiG 9.10.3-P4 <<>> srv _https._tcp.pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_https._tcp.pkg.pfsense.org.   IN  SRV

;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files01.netgate.com.

;; ADDITIONAL SECTION:
files00.netgate.com.3471IN  A   162.208.119.41
files00.netgate.com.3471IN  2610:1c1:0:6::41
files01.netgate.com.3231IN  A   162.208.119.40
files01.netgate.com.3231IN  2610:1c1:0:6::40

However 
https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz 
shows a 404 error?  https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/ 
does not list that file...it lists several 2.3.4_1 files.

Should a version upgrade go from 2.3.3_1 to 2.3.4 and then to 2.3.4_1, 
which is what I recall from earlier upgrades?  Or straight to 2.3.4_1, in which 
case the upgrader seems to be looking for an old file...?

Update Settings is using Stable (Default) branch.

Log shows:

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Unlocking package pfSense-kernel-pfSense... done.
>>> Downloading upgrade packages... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (129 candidates): .. done
Processing candidates (129 candidates): . done
The following 76 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
(...long list...)

Installed packages to be REINSTALLED:
(...15 packages...)

Number of packages to be upgraded: 61
Number of packages to be reinstalled: 15

The process will require 1 MiB more space.
68 MiB to be downloaded.
pkg: 
https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not 
Found
>>> Locking package pfSense-kernel-pfSense... done.
Failed

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Update to 2.3.4(_1) fails (Not Found)

2017-07-24 Thread Steve Yates
This happened last week so I thought I'd wait a bit and try again.  I'm 
updating from 2.3.3_1 to 2.3.4_1.

Error: pkg: 
https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not 
Found

Remembering earlier conversations, pfSense uses an SRV record for downloading, 
so:

; <<>> DiG 9.10.3-P4 <<>> srv _https._tcp.pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_https._tcp.pkg.pfsense.org.   IN  SRV

;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN  SRV 10 10 443 files01.netgate.com.

;; ADDITIONAL SECTION:
files00.netgate.com.    3471    IN  A       162.208.119.41
files00.netgate.com.    3471    IN  AAAA    2610:1c1:0:6::41
files01.netgate.com.    3231    IN  A       162.208.119.40
files01.netgate.com.    3231    IN  AAAA    2610:1c1:0:6::40

However 
https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz 
shows a 404 error?  https://files00.netgate.com/pfSense_v2_3_4_amd64-core/All/ 
does not list that file...it lists several 2.3.4_1 files.

Should a version upgrade go from 2.3.3_1 to 2.3.4 and then to 2.3.4_1, 
which is what I recall from earlier upgrades?  Or straight to 2.3.4_1, in which 
case the upgrader seems to be looking for an old file...?

Update Settings is using Stable (Default) branch.

Log shows:

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Unlocking package pfSense-kernel-pfSense... done.
>>> Downloading upgrade packages... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (129 candidates): .. done
Processing candidates (129 candidates): . done
The following 76 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
(...long list...)

Installed packages to be REINSTALLED:
(...15 packages...)

Number of packages to be upgraded: 61
Number of packages to be reinstalled: 15

The process will require 1 MiB more space.
68 MiB to be downloaded.
pkg: 
https://pkg.pfsense.org/pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz: Not 
Found
>>> Locking package pfSense-kernel-pfSense... done.
Failed

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Upgrading versions - uninstall packages?

2017-07-21 Thread Steve Yates
Ah, I see, thanks.  I read right over that word I guess!

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of J. Hellenthal
Sent: Thursday, July 20, 2017 6:26 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrading versions - uninstall packages?

Ah, that makes sense. A major upgrade I wasn't considering for this, but I'd 
consider major in this case to be from 1.x to 2.x to 3.x, as x=minor, in 
accordance with FreeBSD development. Hope that clears that up.

Major.Minor.Revision_PatchLevel

-- 
 Onward!, 
 Jason Hellenthal, 
 Systems & Network Admin, 
 Mobile: 0x9CA0BD58, 
 JJH48-ARIN

On Jul 20, 2017, at 17:02, Steve Yates <st...@teamits.com> wrote:

I figured they were probably harmless but this may be my first time upgrading 
with pfBlockerNG installed.

https://doc.pfsense.org/index.php/Upgrade_Guide#Packages

To save a click, the entire section's text:
"It is always safest to remove packages before upgrading to a new major 
release. Packages will be reinstalled afterward, but are frequently a source of 
problems. To ensure a smooth upgrade, note the installed packages, remove them, 
perform the upgrade, and then reinstall whichever packages are necessary."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of J. Hellenthal
Sent: Thursday, July 20, 2017 4:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrading versions - uninstall packages?

I for one have not had to do this thus far. But those pfB messages are harmless 
and more of an alert that you will need to reload the IP tables afterwards but 
that’s trivial. Keep in mind that I have not done that upgrade yet in a test 
environment before a maintenance window I have on Saturday.

Curious, do you have a link to where it states to remove those? I'd like to 
review the reason why, as I can't see anything other than they just don't want 
you to block IP comm to the update servers.

-- 
Onward!, 
Jason Hellenthal, 
Systems & Network Admin, 
Mobile: 0x9CA0BD58, 
JJH48-ARIN

On Jul 20, 2017, at 16:27, Steve Yates <st...@teamits.com> wrote:

I started to upgrade from 2.3.3_1 to 2.3.4_1 today and as instructed by the 
docs I uninstalled Suricata and PFBlockerNG first.  I immediately got a flood 
of alerts like "Unresolvable source alias 'pfB_GeoIPUSv4' for rule ...".  Those 
are of course popular packages.  Do you all normally uninstall and reinstall 
either or both of those two packages during version upgrades?

Thanks,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Upgrading versions - uninstall packages?

2017-07-20 Thread Steve Yates
I figured they were probably harmless but this may be my first time upgrading 
with pfBlockerNG installed.

https://doc.pfsense.org/index.php/Upgrade_Guide#Packages

To save a click, the entire section's text:
"It is always safest to remove packages before upgrading to a new major 
release. Packages will be reinstalled afterward, but are frequently a source of 
problems. To ensure a smooth upgrade, note the installed packages, remove them, 
perform the upgrade, and then reinstall whichever packages are necessary."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of J. Hellenthal
Sent: Thursday, July 20, 2017 4:54 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Upgrading versions - uninstall packages?

I for one have not had to do this thus far. But those pfB messages are harmless 
and more of an alert that you will need to reload the IP tables afterwards but 
that’s trivial. Keep in mind that I have not done that upgrade yet in a test 
environment before a maintenance window I have on Saturday.

Curious, do you have a link to where it states to remove those? I'd like to 
review the reason why, as I can't see anything other than they just don't want 
you to block IP comm to the update servers.

-- 
 Onward!, 
 Jason Hellenthal, 
 Systems & Network Admin, 
 Mobile: 0x9CA0BD58, 
 JJH48-ARIN

On Jul 20, 2017, at 16:27, Steve Yates <st...@teamits.com> wrote:

I started to upgrade from 2.3.3_1 to 2.3.4_1 today and as instructed by the 
docs I uninstalled Suricata and PFBlockerNG first.  I immediately got a flood 
of alerts like "Unresolvable source alias 'pfB_GeoIPUSv4' for rule ...".  Those 
are of course popular packages.  Do you all normally uninstall and reinstall 
either or both of those two packages during version upgrades?

Thanks,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] Upgrading versions - uninstall packages?

2017-07-20 Thread Steve Yates
I started to upgrade from 2.3.3_1 to 2.3.4_1 today and as instructed by the 
docs I uninstalled Suricata and PFBlockerNG first.  I immediately got a flood 
of alerts like "Unresolvable source alias 'pfB_GeoIPUSv4' for rule ...".  Those 
are of course popular packages.  Do you all normally uninstall and reinstall 
either or both of those two packages during version upgrades?

Thanks,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics

2017-07-13 Thread Steve Yates
Are you running limiters in an HA configuration by chance?  There's a known 
issue there. (https://forum.pfsense.org/index.php?topic=87541.new;topicseen#new)

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Wednesday, July 12, 2017 8:44 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics

Hello,

I just upgraded 2.3.something to 2.3.4 and immediately upon reboot
experienced kernel panics/crash dumps over and over.  The system would
cycle over and over.

I stopped the process thinking I had a bad raid but upon a fresh install of
2.3.4 I experienced the same thing, except this time the system rebooted 2
times with the panics:

<118>Synchronizing user settings...


Fatal trap 12: page fault while in kernel mode
cpuid = 4; apic id = 04
fault virtual address= 0x0
fault code= supervisor read data, page not present
instruction pointer= 0x20:0x80d716ee
stack pointer= 0x28:0xfe0467c5ea00
frame pointer= 0x28:0xfe0467c5ea20
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags= interrupt enabled, resume, IOPL = 0
current process= 12 (swi1: pfsync)

And then fixed itself.  I proceeded to reboot it a few times with no more
panics.

I submitted a crash dump to pfsense but has anyone seen this on x64 intel
hardware?
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] MBR restore

2017-06-30 Thread Steve Yates
Restoring the config will install packages on the new device, also, as I recall.


-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Friday, June 30, 2017 10:15 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] MBR restore

To pile on.  The config is manually editable also.

In fact sometimes you have to edit it when moving to new hardware because
the interface names are not the same.

It is by far the best way to move a pfsense install...

On Fri, Jun 30, 2017 at 10:35 AM, Steve Yates <st...@teamits.com> wrote:

> If you can log into the old one, use Diagnostics/Backup & Restore to
> download the config.  Restore it to the new one and it will prompt to remap
> the interfaces (WAN=em0, etc).
>
> Searching, it looks like the file on disk is /conf/config.xml?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Nicola
> Ferrari (#554252)
> Sent: Friday, June 30, 2017 9:31 AM
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] MBR restore
>
> On 30/06/2017 16:20, Steve Yates wrote:
> >  Even if the config wasn't exported (the original died) it might be
> faster to copy the file off the drive from wherever it lives?
> >
>
> Thanks Steve for your suggestion.
> I'm not an expert in pfSense.. What file(s) do we need to transfer from
> the original install, to restore config in a new one?
>
> N
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] MBR restore

2017-06-30 Thread Steve Yates
If you can log into the old one, use Diagnostics/Backup & Restore to download 
the config.  Restore it to the new one and it will prompt to remap the 
interfaces (WAN=em0, etc).

Searching, it looks like the file on disk is /conf/config.xml?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Nicola Ferrari 
(#554252)
Sent: Friday, June 30, 2017 9:31 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] MBR restore

On 30/06/2017 16:20, Steve Yates wrote:
>  Even if the config wasn't exported (the original died) it might be faster to 
> copy the file off the drive from wherever it lives?
> 

Thanks Steve for your suggestion.
I'm not an expert in pfSense.. What file(s) do we need to transfer from
the original install, to restore config in a new one?

N
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] MBR restore

2017-06-30 Thread Steve Yates
Agreed that is likely the easiest way.  Installation is fast and config restore 
trivial.  Even if the config wasn't exported (the original died) it might be 
faster to copy the file off the drive from wherever it lives?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kostas Backas
Sent: Friday, June 30, 2017 6:17 AM
To: list@lists.pfsense.org; pfSense Support and Discussion Mailing List 
<list@lists.pfsense.org>
Subject: Re: [pfSense] MBR restore

Maybe install a fresh version and restore a backup?

Kostas

Sent from my iPhone

From: List <list-boun...@lists.pfsense.org> on behalf of Nicola Ferrari 
(#554252) <nick-li...@posteo.eu>
Sent: Friday, June 30, 2017 2:02:47 PM
To: list@lists.pfsense.org
Subject: [pfSense] MBR restore

Hi guys!

I'm writing here since one of my colleagues had to move a pfSense install
to new hardware, so imaged the pfSense using Clonezilla but forgot to
enable the option to save the MBR also.

So, after restoring the image, pfSense is no longer able to boot.

What's the best way to restore the MBR on an existing and
already-configured pfSense install?

Thanks to everybody!
Nick

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] bulk update of multiple aliases & rules

2017-06-29 Thread Steve Yates
On the off chance they're coming from another pfSense, perhaps export the 
configs and copy/paste.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Lee Damon
Sent: Thursday, June 29, 2017 4:17 PM
To: list@lists.pfsense.org
Subject: [pfSense] bulk update of multiple aliases & rules

I need to add roughly 200 aliases and 100 rules to a new (redundant)
firewall set.

They're currently set up so any alias or rule added to one via the GUI
shows up on the other one automagically.

However, instead of sitting there and manually creating every alias and
every rule I would really like to do a bulk update. I'm reasonably sure
the alias-url option is "one alias with lots of entries" as opposed to
"lots of aliases" so I'm looking for alternatives.

Any suggestions on easy and reliable methods of doing mass updates like
this?

thanks,
nomad
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
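
Two of the threads above come down to editing a pfSense config.xml offline: the MBR-restore thread (restore the config on new hardware and remap interface names such as em0) and this one (bulk-loading a few hundred aliases instead of clicking through the GUI). The following Python script is an added example, not pfSense code; the sample config is constructed, the element layout (<interfaces><wan><if>, <aliases><alias> with <name>, <type>, <address>, <descr>, <detail>) follows the pfSense 2.x config.xml as I understand it, and the space-separated <address> list with "||"-separated <detail> descriptions is an assumption about that format that you should check against an alias exported from your own box before importing anything.

```python
"""Offline edits to a pfSense config.xml backup: remap interface names for
new hardware and bulk-add host aliases.  Added example, not pfSense's own
code.  SAMPLE_CONFIG is constructed; the alias <address>/<detail> encoding
(space-separated addresses, '||'-separated descriptions) is assumed."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, cut down to the elements this script touches.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable></enable><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><if>em1</if><ipaddr>10.1.2.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <aliases></aliases>
</pfsense>
"""


def remap_interfaces(root, mapping):
    """Rewrite every <if> whose text is a key of mapping (old -> new).
    Returns the number of elements changed.  VLAN, LAGG and bridge entries
    also name their parent interface; review those by hand after running."""
    changed = 0
    for elem in root.iter("if"):
        if elem.text in mapping:
            elem.text = mapping[elem.text]
            changed += 1
    return changed


def add_host_aliases(root, aliases):
    """aliases: {name: [(address, description), ...]}.  Adds one host alias
    per name under <aliases>; names that already exist are left untouched so
    a re-run cannot silently overwrite a hand-edited alias."""
    container = root.find("aliases")
    if container is None:
        container = ET.SubElement(root, "aliases")
    existing = {a.findtext("name") for a in container.findall("alias")}
    added = 0
    for name, entries in aliases.items():
        if name in existing:
            continue
        alias = ET.SubElement(container, "alias")
        ET.SubElement(alias, "name").text = name
        ET.SubElement(alias, "type").text = "host"
        ET.SubElement(alias, "address").text = " ".join(a for a, _ in entries)
        ET.SubElement(alias, "descr").text = "bulk import"
        ET.SubElement(alias, "detail").text = "||".join(d for _, d in entries)
        added += 1
    return added


def save_private(root, path):
    """Write the config with mode 0600 and return the resulting mode bits.
    config.xml carries the admin password hash, VPN keys and pre-shared
    secrets, so a backup left world-readable is a credential leak."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        ET.ElementTree(root).write(fh, encoding="utf-8", xml_declaration=True)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run both edits on the sample and write it out to a temp directory.
    Returns (interfaces remapped, aliases added, file mode)."""
    root = ET.fromstring(SAMPLE_CONFIG)
    changed = remap_interfaces(root, {"em0": "igb0", "em1": "igb1"})
    added = add_host_aliases(root, {
        "rsync_peer": [("203.0.113.10", "offsite rsync target")],  # constructed
        "dns_servers": [("198.51.100.1", "resolver a"), ("198.51.100.2", "resolver b")],
    })
    with tempfile.TemporaryDirectory() as d:
        mode = save_private(root, os.path.join(d, "config.xml"))
    return changed, added, mode


if __name__ == "__main__":
    print(demo())
```

Restore the edited file through Diagnostics/Backup & Restore rather than copying it to /conf by hand, so pfSense re-parses it and applies the interface remap the same way the GUI prompt would.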


Re: [pfSense] Network interruption on pfSense Firewall

2017-05-19 Thread Steve Yates
>> Can you try to set disable hardware offloading in pfsense advanced.
>What would that do?

In Xen, at least, it's basically necessary to get usable throughput 
from VirtIO adapters.  It also solved a slew of false positives in our Suricata 
setup on our previous virtualization, and I want to say on at least one 
physical server also since we have it disabled there.  Worst case it uses a bit 
more CPU and you can turn it back on pretty easily.

https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear
https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards#TSO.2FLRO

(
https://doc.pfsense.org/index.php/VirtIO_Driver_Support
Xen/KVM networking will not work using default hypervisor settings!: 
https://forum.pfsense.org/index.php?topic=88467.0
)

--

Steve Yates
ITS, Inc.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Restoring at remote location before deployment

2017-05-18 Thread Steve Yates
We did something similar when setting up our data center routers.  
Added a public subnet on the LAN side of our own pfSense, NATted to the 
Internet.  It works because of the NAT so the public IPs don't leave our 
office.  The data center routers had another public subnet on their LAN side 
(since we have a /25 block routed to us), so as I recall there were a few 
routing configuration changes to ensure traffic for those IPs was routed back 
inside our office and didn't go out to the Internet.  But for just one public 
IP that isn't necessary.

So I suppose a workaround would be to put the WAN gateway IP in your 
own pfSense and the new router would talk to it.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Mark Wiater
Sent: Thursday, May 18, 2017 8:27 AM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Restoring at remote location before deployment



On 5/17/2017 3:44 PM, Steven Spencer wrote:
> All,
>
> When restoring a configuration for a site, we often do so from the home
> office and then deploy after we are sure hardware is working as
> expected. That means that we are restoring a backup and then on reboot,
> their is no active WAN (because the WAN IP is set for the remote
> location on restore)

I do the same, build up the system in the home office for testing.

I've created a separate environment within the home office that allows 
for the unit under test to hit the internet after getting natted to the 
home office's ip addr.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread Steve Yates
Supposedly one can just install FreeBSD packages 
(https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages ) along with 
manually installing any dependencies, but as the page says it "may break the 
firewall."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sean Cavanaugh
Sent: Tuesday, May 16, 2017 4:59 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4

Best practice is to run as few services as possible on a firewall to reduce the 
possible attack footprint. The more services you run on the firewall, the more 
vulnerable it becomes to being broken into.

That is why the recommendation to virtualize the box and at least logically 
partition the services away from affecting the firewall.



-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of 
rai...@ultra-secure.de
Sent: Tuesday, May 16, 2017 8:04 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4


Am 2017-05-16 13:30, schrieb Sean Cavanaugh:
> The only sane way to do this on a single box would be by installing a 
> hypervisor on the server ( such as VMware ESXi) and running pfsense as 
> a virtual machine within it as well as a second virtual machine to 
> host any other non-firewall related applications (MySQL, FreeRADIUS).
> 
> There is obviously going to be a performance hit from sharing the 
> resources but should be minimal if all you are doing is hosting a user 
> database and RADIUS server for pfSense.



While it may not be the most clever idea, technically it should be possible, 
right?

I'm not too familiar with the inner workings of pfSense - but I assume there is 
a partition or directory in the installation that (provided pfSense is 
installed on a HD and not a read-only medium) persists data over reboots.

One would need to start it with that directory as dbdir.

It's possible to run Snort, haproxy. So, why not MySQL?

OP will have to learn how to create packages, and store the
configuration:
https://doc.pfsense.org/index.php/Developing_Packages
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] uncomplete update to 2.3.4, no route to host

2017-05-12 Thread Steve Yates
They're missing the DNS record for pkg.pfsense.org.  Per the SOA 
ad...@netgate.com is the contact; I've bcc'd this there.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Stefan Fuhrmann
Sent: Thursday, May 11, 2017 11:18 AM
To: list@lists.pfsense.org
Subject: [pfSense] uncomplete update to 2.3.4, no route to host

Hello all,

I did an update via console and there are some packages open:

Enter an option: 13

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-
pfSense-core.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/meta.txz: No route to 
host
repository pfSense-core has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-core/packagesite.txz: No 
route to host
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-
pfSense.sqlite) failed: No such file or directory
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/meta.txz: No 
route to host
repository pfSense has no meta file, using default settings
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_i386-pfSense_v2_3_4/
packagesite.txz: No route to host
Unable to update repository pfSense
Error updating repositories!
*** Welcome to pfSense 2.3.4-RELEASE (i386 full-install) on border ***

a dig shows:

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pkg.pfsense.org.   IN  A

;; AUTHORITY SECTION:
pfsense.org.300 IN  SOA ns1.netgate.com. 
admin.netgate.com. 201608310 3600 7200 1209600 3600

;; Query time: 193 msec
;; SERVER: 10.100.100.10#53(10.100.100.10)
;; WHEN: Thu May 11 18:09:16 CEST 2017
;; MSG SIZE  rcvd: 101



there is no such host pkg.pfsense.org and I can not find any pfSense-
core.sqlite on the system.

Can someone help?

Tia Stefan

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
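
Both the 2.3.4_1 "Not Found" thread and this one turn on reading dig output for pkg.pfsense.org correctly: in the first, the SRV record for _https._tcp.pkg.pfsense.org names the mirrors pkg actually fetches from, so the file has to exist on those hosts; here, pkg printed "No route to host" while dig returned NOERROR with ANSWER: 0, which is a NODATA response (the zone answers, but has no A record for the name), not NXDOMAIN. The script below is an added example, not pkg(8) or pfSense code: it parses dig-style output, classifies the response, and orders SRV targets the way RFC 2782 prescribes (ascending priority, weighted random within a priority) before building the mirror URLs to check. The two dig transcripts inside it are constructed to mirror the ones quoted in these messages.

```python
"""Parse dig(1) output, classify the response (ANSWER / NODATA / NXDOMAIN...)
and turn an SRV answer into an RFC 2782 ordered list of mirror URLs.
Added example, not pkg(8)'s or pfSense's own logic; the dig samples are
constructed."""
import random
import re

# Constructed sample: SRV lookup for the package mirrors.
SRV_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54700
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; ANSWER SECTION:
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files00.netgate.com.
_https._tcp.pkg.pfsense.org. 60 IN SRV 10 10 443 files01.netgate.com.
"""

# Constructed sample: A lookup that is NOERROR but carries no answer (NODATA).
NODATA_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45499
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
pfsense.org. 300 IN SOA ns1.netgate.com. admin.netgate.com. 201608310 3600 7200 1209600 3600
"""

HEADER_RE = re.compile(r"status: (\w+), id: (\d+)")
COUNTS_RE = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+)")
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_dig(text):
    """Return (rcode, answer_count, [(priority, weight, port, target), ...])."""
    rcode = HEADER_RE.search(text).group(1)
    answers = int(COUNTS_RE.search(text).group(2))
    srv, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False  # any other section header ends the answer
        m = SRV_RE.match(line) if in_answer else None
        if m:
            _, _, prio, weight, port, target = m.groups()
            srv.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return rcode, answers, srv


def classify(text):
    """NODATA (name exists, no record of that type) and NXDOMAIN are different
    failures; a fetch error such as pkg's 'No route to host' hides which one."""
    rcode, answers, _ = parse_dig(text)
    if rcode != "NOERROR":
        return rcode
    return "NODATA" if answers == 0 else "ANSWER"


def order_srv(records, rng=None):
    """RFC 2782 target selection: lowest priority first; within a priority,
    draw targets at random in proportion to their weight."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def mirror_urls(text, path, rng=None):
    """Candidate URLs for one repository file, in the order pkg would try them."""
    rcode, _, srv = parse_dig(text)
    if rcode != "NOERROR" or not srv:
        return []
    return ["https://%s:%d/%s" % (target, port, path.lstrip("/"))
            for _, _, port, target in order_srv(srv, rng)]


if __name__ == "__main__":
    print(classify(NODATA_DIG))
    for url in mirror_urls(SRV_DIG, "pfSense_v2_3_4_amd64-core/All/pfSense-rc-2.3.4.txz"):
        print(url)
```

Because the mirrors are chosen from DNS, an attacker who can answer the SRV query can steer the firewall to a host of their choosing; what keeps that from becoming a malicious upgrade is pkg's repository signature check, so confirm the repo configuration on the box still requires signatures before troubleshooting by pointing it elsewhere.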


[pfSense] Traffic shaping setup for one IP

2017-04-19 Thread Steve Yates
Goal: limit traffic from one LAN server to a certain remote IP:port for an 
rsync connection.  Have that traffic be lower priority and perhaps have a 
bandwidth limit, although the docs say ALTQ can't set limits and to use 
limiters.  All other traffic can be "normal" or equal.

If I run the shaping wizard choosing HFSC and one random thing to limit, then 
it creates a floating rule I can use as a sample to create a new one for the 
target IP:port.  I get that part.

On the page to edit the created queue qOthersLow, what is the Bandwidth 
percentage (default 5%) used for?  Especially, given there are max and min 
bandwidth rows right below that?  In my case I'm fine with the rsync using up 
to 60% of the outgoing bandwidth as long as it's a lower priority (minimum 1%). 
 Do I set Bandwidth to 60%?  Or set Bandwidth to 1%  and Max Bandwidth For 
Queue to m1=60%?

Thanks,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread Steve Yates
https://doc.pfsense.org/index.php/Limiters#Known_limitations

"On pfSense 2.2 and 2.3, limiters cannot be used on firewall rules residing on 
interfaces where NAT applies. This limits their use to LAN-type interfaces 
only, and not WANs, in most circumstances. This has been fixed on pfSense 2.4. 
Bug #4326"

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Wednesday, April 19, 2017 2:33 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Limiter on LAN side not applying to NATted connection

On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates <st...@teamits.com> wrote:

> I suppose.  From the states/traffic recorded next to each rule, It
> looks like the WAN firewall rule applies and the LAN firewall rule does
> not.  Per the docs WAN side limiters will work (again?) in pfSense 2.4 but
> not 2.2-2.3.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> Steve,
>
> Is this an ingress vs egress question?
>
> http://pfsensesetup.com/egress-filtering-with-pfsense/
>
> That is if you are trying to limit something 'in' you would need to put the
> rule on the WAN side?
>
>
> ___
>

I do not know about the docs, but since it is a single TCP stream in, will not
just the WAN rule apply?

What docs are you talking about?  I would figure limiters would work on any
interface.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread Steve Yates
I suppose.  From the states/traffic recorded next to each rule, It 
looks like the WAN firewall rule applies and the LAN firewall rule does not.  
Per the docs WAN side limiters will work (again?) in pfSense 2.4 but not 
2.2-2.3.

--

Steve Yates
ITS, Inc.


Steve,

Is this an ingress vs egress question?

http://pfsensesetup.com/egress-filtering-with-pfsense/

That is if you are trying to limit something 'in' you would need to put the
rule on the WAN side?


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] Limiter on LAN side not applying to NATted connection

2017-04-18 Thread Steve Yates
I understand it's ideal to have limiters on the sending end.  It's a long story 
but I'm trying to set them on the receiving end of an rsync copy.

I understand in 2.2-2.3 one should have them on the LAN interface.  This is on 
2.3.3_1.

In this scenario the remote server is x.x.x.x and the LAN computer is 
10.1.2.12:22, and we have a NAT rule forwarding port  to 22.

Firewall rule:
IPv4 TCP/UDP    x.x.x.x    *    10.1.2.12    22 (SSH)
Two limiters are set on in/out.
This firewall rule shows zero traffic in or out.  No other firewall rules show 
traffic from * to LAN.

Diagnostics/States shows:
LAN tcp x.x.x.x:46098 -> 10.1.2.12:22 (and shows traffic)

Is the rule+limiter not being applied because the port  is NATted to 22?  
Or because the NAT happens on the WAN side and the LAN rule isn't even used?

Thanks,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-23 Thread Steve Yates
Yes we don't have any DHCP in our CARP environment.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of hamid ashraf
Sent: Thursday, March 23, 2017 6:01 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Dear Steve, 

Thanks for taking time to see my email. 

Yes, you can say I have two issues, but both are inter-related in my case. As 
CARP does not advertise itself as gateway in case of DHCPv6, and in my case I 
have configured DHCPv6, which is not replicated to the backup firewall, in case 
the master goes down... in vain. So you are using static assignment in your case for IPv6?
Regards
Hamid
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-22 Thread Steve Yates
Interesting...we have not seen that problem with IPv6 and CARP.  I just looked 
and the backup is showing Backup for all IPs.

I do occasionally see, like after our 2.3.2 to 2.3.3_1 upgrade, one IP get 
stuck as Master on the backup after the primary is updated and restarts.  I 
am fairly certain it was an IPv4 address though, and it is not a new issue.  
Restarting fixes it.

Hamid, are you saying you have two issues, that IPv6 is not being synced and 
that DHCPv6 is not being synced?  We aren't using DHCPv6 but have not seen any 
issues with IPv6 and CARP.  IPv6 connectivity shouldn't be related to whether 
DHCPv6 is running, as long as the PCs have addresses...?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jochen Becker
Sent: Wednesday, March 22, 2017 1:25 PM
To: hamid ashraf <moonlight20082...@yahoo.com>; pfSense Support and Discussion 
Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Hi Hamid,

can you check whether your IPv6 CARP addresses are in a good condition 
after 10-15 minutes of uptime?
I have a problem with multiple setups where CARPv6 changes to dual 
master after 10 minutes. IPv6 connectivity is nearly impossible with 
that setup. However IPv4 and CARP with v4 are working as they should.
Those problems appeared shortly after the update to 2.3.3p1.
See also the forum post: https://forum.pfsense.org/index.php?topic=127342.0

Cheers

Jochen

On 22.03.2017 19:16, hamid ashraf wrote:
> Hi,
>
> I have 2 pfSense FW 2.3.3 p1 version, one is Master and the second is Backup. 
> CARP is configured between both firewalls for IPv4 and all the configurations 
> are successfully syncing. When I configured DHCPv6 on the master firewall, 
> that configuration didn't replicate to the backup one, and everything works 
> perfectly from outside to inside and vice versa on the master. When the firewall 
> fails over, IPv6 connectivity is gone. My questions:
>
> 1. Does pfSense not support IPv6 failover?
> 2. Does pfSense not support DHCPv6 failover, as I observed nothing has 
> been synced to the backup firewall related to DHCPv6?
> 3. Please suggest a design to get IPv6 and IPv4 working together in failover with 
> DHCPv6 synced between them, and if the firewall fails over it should be seamless.
> Diagram attached for your reference.


Re: [pfSense] Netgate Firmware

2017-03-21 Thread Steve Yates
Note despite the thread subject, the affected models are:

SG-2220
SG-2440
SG-4860
SG-8860
SG-4860-1U
SG-8860-1U

However, what is the symptom?  We have a handful of these in service at various 
clients but have not noticed any issues that we're aware of.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon Gerdes
Sent: Tuesday, March 21, 2017 12:57 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Netgate Firmware


Topic: SG-2440 bios upgrade: 

https://forum.pfsense.org/index.php?topic=127418.msg703237#msg703237


On Mon, 2017-03-20 at 19:49 -0500, Richard A. Relph wrote:
> OK, now you guys have me curious…
> 
> I have a Netgate SG-2440 purchased directly from Netgate. I’ve
> received no emails. I don’t frequent the forums. But I am aware of an
> “alleged” chip issue, which I believe my unit is susceptible to.
> 
> Can someone provide a link to a relevant forum thread?
> 
> Thanks,
> Richard
> 

Re: [pfSense] Client doesn't work if there are multiple network interfaces

2017-03-13 Thread Steve Yates
I am not sure I understand the configuration, however, if you forward a port 
via NAT, pfSense should default to adding a matching firewall rule for it.  If 
you are trying to access the WAN IP from inside the LAN, you will need to 
enable NAT reflection.

You will also need firewall rules allowing traffic between interfaces.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Manh Nguyen Tien
Sent: Saturday, March 11, 2017 4:19 AM
To: list@lists.pfsense.org
Subject: [pfSense] Client doesn't work if there are multiple network interfaces

Hello everyone.
I've been stuck for a couple of days setting up a network using virtual
machines.
Could anyone give me some suggestions?

I couldn't access my application if the box has multiple network interfaces.
It has one interface (VirtualBox internal network) to connect to the pfSense
box.
Another interface is a bridged adapter so my computer can talk to it via
LAN.
My application port can't be reached through pfSense although I forward it
correctly.

I checked with another box having only one net interface to pfSense and it
runs without problems.
My client can connect to the service using pfSense's IP and forwarded port.
The real production network has the same schema: only the app server stays
behind pfSense for public clients, and it also needs the LAN network to
communicate with other LAN-only servers.
So I have some questions:

Q1: Do I need to force all the machines to communicate via the pfSense router
only?
Q2: If multiple network interfaces do cause problems, what can I do to
investigate more?

Or maybe someone could share experiences about deploying on Linode.com with
a similar architecture (public app servers with pfSense, Linode's private
LAN for databases); I would very much appreciate that.

Thank you in advance.
Manh.


Re: [pfSense] small problem with squid

2017-02-14 Thread Steve Yates
If I'm following, you're using a public IP:port.  Did you set up NAT 
Reflection?  (System/Advanced/Firewall & NAT)

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Berg
Sent: Monday, February 13, 2017 3:45 PM
To: list@lists.pfsense.org
Subject: [pfSense] small problem with squid

Just set up a new pfsense box, my own hardware running the latest 
release, 2.3.2-RELEASE-p1.  So far it's been pretty smooth but I just 
ran into one glitch I can't quite figure out.

I've got two NAT rules that redirect incoming ports 80xx and 80xy to two 
different web servers internal to my network.  My external IP is 
resolved using DynDNS and everything works nicely from my iPad when I'm 
off the local network.

But using the same hostname:port when I'm connected to the WiFi I get no 
response and the squid Real Time page shows a "TCP_DENIED/403" entry for 
one of the systems, and "TCP_MISS_ABORTED/000" for the other.

Using the local IP when on the WiFi works as expected and I see

13.02.2017 15:43:00 10.x.x.x TCP_MISS/200 
http://10.x.x.x/path/to/webpage - 10.x.x.x

I'm fairly new to pfsense and squid so I've probably missed something 
simple but I'd appreciate a tip or pointer to where to go to fix this issue.


Re: [pfSense] SG-1000 and VPN

2017-01-26 Thread Steve Yates
> It currently does 21mbps IPsec (aes-gcm-128), in a lab environment, because 
> there is no driver for the crypto core (yet).
> OpenVPN is slightly slower (19 Mbps).

Thanks.  That is probably sufficient for most applications since one or both 
ends is likely limited by Internet upload speed anyway.

--

Steve Yates
ITS, Inc.


Re: [pfSense] PFsense 2.3.2-P1 dies

2017-01-25 Thread Steve Yates
That's interesting, we had a drive that kept dropping out and we couldn't 
figure out why as all tests passed.  We replaced the drive and then found the 
"Hard disk standby time" setting was set.  Turned that off and it's been fine.  
That setting has been my suspicion...

At the time the console would show a stream of errors that pointed to the 
drive, don't recall them now of course.

--

Steve Yates
ITS, Inc.

-Original Message-

I had an issue at one point with hard disks dropping out because of the idle 
time set on my Western Digital drives.  You say you just upgraded.
From what version?  I did not see it until v2.


Re: [pfSense] SG-1000 and VPN

2017-01-25 Thread Steve Yates
That's what I'm trying to ask, if the SG-1000 would work for that.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan Rao
Sent: Tuesday, January 24, 2017 11:41 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] SG-1000 and VPN

Better, you can use a site-to-site VPN; that is the best solution.

On Wed, Jan 25, 2017 at 11:08 AM, WebDawg <webd...@gmail.com> wrote:

> On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates <st...@teamits.com> wrote:
>
> > We have a client who wants to set up one remote user (in a fixed
> > location) with a hardware VPN connection back to the office.  The
> > office has about 5 active PCs at any given time.  This would be the
> > only VPN user.
> >
> > Has anyone used one of the new micro SG-1000 units with a
> > VPN yet?  Either as a remote site or as a SOHO router + VPN host?
> > Just wondering how the ARM CPU would stack up.  The specs say 200k
> > active (non-VPN) connections...
> >


[pfSense] SG-1000 and VPN

2017-01-24 Thread Steve Yates
We have a client who wants to set up one remote user (in a fixed 
location) with a hardware VPN connection back to the office.  The office has 
about 5 active PCs at any given time.  This would be the only VPN user.

Has anyone used one of the new micro SG-1000 units with a VPN yet?  
Either as a remote site or as a SOHO router + VPN host?  Just wondering how the 
ARM CPU would stack up.  The specs say 200k active (non-VPN) connections...

--

Steve Yates
ITS, Inc.



Re: [pfSense] Aliases grouping

2016-12-07 Thread Steve Yates
2.2 and earlier colored the field/text box background red if it would 
take an alias, as I recall.  Looks like that was removed with the new GUI in 
2.3?  If you start typing it will "autocomplete" with matching aliases.  
Agreed, the Firewall/Aliases/Edit page should probably say that we can type in 
an alias.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Wednesday, December 7, 2016 1:56 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Aliases grouping

Great .. thanx all ...

At first it's not obvious that we can enter a "name" in those boxes.


Re: [pfSense] rules for blocking some ip from internet not working

2016-11-30 Thread Steve Yates
Blocking from 93.174.93.46 to WAN address blocks traffic to the pfSense.

It sounds like you are using NAT for the port 25 forwarding.  You should end up 
with a rule allowing traffic from any to 10.20.1.1 on port 25.  You must 
therefore block from 93.174.93.46 to 10.20.1.1.  That rule should be above the 
rule allowing from any to 10.20.1.1 on port 25.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Yoel Jimenez 
del Valle
Sent: Wednesday, November 30, 2016 9:50 AM
To: list@lists.pfsense.org
Subject: [pfSense] rules for blocking some ip from internet not working

I have pfSense 2.3.2_p1. I have a rule to allow all connections to port 25 for 
SMTP; it is the last rule in the WAN rules:
1.2.3.4 allow any to 2.2.2.2:25 map to 10.20.1.1:25
It's working OK. I had other rules to block some IPs but none of them are 
working: Block source: 93.174.93.46, destination: WAN address or This Firewall, 
but it can still access port 25. Is there any way pfSense can block those 
connections, skipping the preference of the allow to port 25?



Re: [pfSense] pfsense + carp + ha

2016-11-16 Thread Steve Yates
System/High Availability Sync page shows checkboxes for what to sync.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Wednesday, November 16, 2016 1:05 AM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] pfsense + carp + ha

ok. does it also sync all settings like ipsec and openvpn keys?

Eero


Re: [pfSense] pfsense + carp + ha

2016-11-15 Thread Steve Yates
Any hardware should work fine.  They recommend a separate NIC/port for 
the sync traffic since if syncing states there can be a lot of traffic (if not 
syncing state there is probably very little).  I don't think it needs to be 
identical hardware but the rules would need to copy over so it would need the 
same ports.

One gotcha that caught me...under "System/High Availability 
Sync/Configuration Synchronization Settings (XMLRPC Sync)" there is a "Remote 
System Username" field.  That field is ignored, and "admin" is always used.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Tuesday, November 15, 2016 2:20 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsense + carp + ha

Hi List,

What are the requirements for pfSense HA clustering? Does any x86 hardware work 
with HA? Does the hardware need to be identical?



Re: [pfSense] rules cleanup and approval process

2016-10-21 Thread Steve Yates
Not sure.  Router restart?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 11:08 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] rules cleanup and approval process

hoo yeah .. sorry I didn't pay enough attention to that column...  So when do 
those numbers get reset? How can I manually reset those numbers?

--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-21 10:35 GMT-04:00 Steve Yates <st...@teamits.com>:

> The Rules page logs traffic for the rule, in bytes, in the 
> States column.  You can also set allow rules to log traffic but that 
> will be a lot of log entries.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc 
> Paulin
> Sent: Friday, October 21, 2016 9:27 AM
> To: pfSense Support and Discussion Mailing List 
> <list@lists.pfsense.org>
> Subject: [pfSense] rules cleanup and approval process
>
> Hi,
> I am in the final stage to review pfsense and I was wondering if 
> there's a way to do the following
>
> 1. Is there a way to enable an approval process? For example, let's say I 
> added rule ABC; then in order that the rule can be applied, the change 
> must be approved by someone else.
> 2. How can we know which rules are mostly used and which are unused? Is 
> there some kind of way to create a report of the top 10 least used rules?
>
> Thanx for your help
>
>   -Luc
> 



Re: [pfSense] rules cleanup and approval process

2016-10-21 Thread Steve Yates
The Rules page logs traffic for the rule, in bytes, in the States 
column.  You can also set allow rules to log traffic but that will be a lot of 
log entries.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 21, 2016 9:27 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] rules cleanup and approval process

Hi,
I am in the final stage to review pfsense and I was wondering if there's a way 
to do the following

1. Is there a way to enable an approval process? For example, let's say I added rule 
ABC; then in order that the rule can be applied, the change must be approved by 
someone else.
2. How can we know which rules are mostly used and which are unused? Is there 
some kind of way to create a report of the top 10 least used rules?

Thanx for your help

  -Luc
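Luc's second question, which rules are unused, can be answered from the same per-rule counters the States column is built on. The following is an added example, not code from this list or from the pfSense project: it parses constructed `pfctl -vsr` output (the interfaces, addresses, labels and counters below are made up for the example) and ranks rules by matched packets, separating rules that were evaluated but never matched from rules that were never evaluated at all, which is what a rule-hygiene review needs to know before deleting anything.

```python
"""Rank pfSense (pf) firewall rules by how much traffic they actually matched."""
import re

# Constructed sample in the shape of `pfctl -vsr` output on the firewall:
# one rule line followed by a bracketed counter line.  Values are made up.
SAMPLE_PFCTL_VSR = """\
block drop in quick on em0 inet from 93.174.93.46 to 10.20.1.1 label "USER_RULE: block bad host"
  [ Evaluations: 48213     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
pass in quick on em0 inet proto tcp from any to 10.20.1.1 port = smtp flags S/SA keep state label "USER_RULE: NAT smtp"
  [ Evaluations: 48213     Packets: 91022     Bytes: 70443120    States: 3     ]
  [ Inserted: uid 0 pid 1234 State Creations: 1712  ]
pass in quick on em1 inet from 10.20.0.0/16 to any flags S/SA keep state label "USER_RULE: LAN out"
  [ Evaluations: 990341    Packets: 8812345   Bytes: 9012345678  States: 412   ]
  [ Inserted: uid 0 pid 1234 State Creations: 55012 ]
block drop in quick on em1 inet from 10.20.7.0/24 to any label "USER_RULE: old guest vlan"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
"""

COUNTER_RE = re.compile(
    r'^\s+\[ Evaluations: (?P<evals>\d+)\s+Packets: (?P<packets>\d+)'
    r'\s+Bytes: (?P<bytes>\d+)\s+States: (?P<states>\d+)\s+\]')


def rule_label(line):
    """The pfSense GUI stores the rule description in the pf label."""
    m = re.search(r'label "([^"]*)"', line)
    return m.group(1) if m else ""


def parse_pfctl_vsr(text):
    """Return one dict per rule: its text, label and the four counters."""
    rules = []
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            # A non-indented pass/block/match line starts a new rule.
            if line.split(" ", 1)[0] in ("pass", "block", "match"):
                rules.append({"rule": line.strip(), "label": rule_label(line),
                              "evals": 0, "packets": 0, "bytes": 0, "states": 0})
            continue
        m = COUNTER_RE.match(line)
        if m and rules:
            rules[-1].update({k: int(v) for k, v in m.groupdict().items()})
    return rules


def classify(rule):
    """Why a rule shows no traffic matters: a rule that was never even
    evaluated may be shadowed by an earlier quick rule, while one that was
    evaluated but never matched simply never saw that traffic."""
    if rule["evals"] == 0:
        return "never evaluated"
    if rule["packets"] == 0:
        return "evaluated, never matched"
    return "in use"


def least_used(text, n=10):
    """The n rules with the fewest matched packets, least used first."""
    rules = parse_pfctl_vsr(text)
    ranked = sorted(rules, key=lambda r: (r["packets"], r["evals"]))
    return [(r["label"] or r["rule"], r["packets"], classify(r)) for r in ranked[:n]]


if __name__ == "__main__":
    for label, packets, why in least_used(SAMPLE_PFCTL_VSR):
        print(f"{packets:>10}  {why:<25}  {label}")
```

Counters reset when the ruleset is reloaded or the box restarts, so collect the output over a representative period (a full backup cycle, a month end) before treating a zero as "unused".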




Re: [pfSense] pfsync_undefer_state: unable to find deferred state

2016-10-18 Thread Steve Yates
I thought I'd post again to see if anyone has an idea of how to fix 
"pfsync_undefer_state: unable to find deferred state"? I found an August blog 
post 
http://phil.lavin.me.uk/2016/08/solved-pfsense-pfsync_undefer_state-unable-to-find-deferred-state/
 which says to turn off HA state syncing completely.  I haven't gone that far 
but did check "No pfSync" on the firewall rule per the below, to no avail.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, July 8, 2016 4:30 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] pfsync_undefer_state: unable to find deferred state

I found thread
https://forum.pfsense.org/index.php?topic=87541.60
...and posted there but it's old and references 2.1.x and 2.2.x versions.  
After upgrading from 2.2.6 to 2.3.1_5 we get a long spew of this logged during 
a Limiter-limited rsync each night (it also shows on the console screen):

Jul 8 02:47:36  kernel  defer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred state

Jul 8 02:47:36  kernel  _undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred state [...] pfsync_undefer_state: unable to find deferred statepf

Jul 8 02:47:36  kernel  ync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred statepfsync_undefer_state: unable to find deferred state [...] pfsync_undefer_state: unable to find deferred stat


It continues while traffic that triggers the limiter rule is in effect and ends 
immediately upon traffic's end.

The Limiter set up is only using Firewall\Traffic Shaper\Limiters:
LimitBackupUpLAN
    50Mbit/s  Overnight [Mon - Sun / 0:00-6:45]
    15Mbit/s  Day
LimitBackupUpLAN
    50Mbit/s  Overnight
    15Mbit/s  Day

The limiter is on a rule on the LAN interface, with "In / Out pipe" set.  It 
only matches to one IP.  Neither checking "No pfSync" nor setting "State type" 
to None seem to have any effect.  I think that's the equivalent of what they 
mentioned in the [forum.pfsense.org] thread... 'uncheck the flag "State Type" 
to "NO pfsync".'

I can duplicate this at will...in this case an "rsync --dry-run" is plenty.

It doesn't seem to have any effect on traffic since the copy works fine, it 
appears to just be a logging issue.

--

Steve Yates
ITS, Inc.



Re: [pfSense] Change WAN interface

2016-10-14 Thread Steve Yates
Interfaces/(assign) page should have drop downs to pick the interface.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Friday, October 14, 2016 1:16 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Change WAN interface

How can I assign the WAN interface to another interface ...
Let's say I initially assigned WAN to bge0, but then I need to move WAN to bge3.  How 
can this be done?  Looks like we can't delete the assigned WAN interface.


Re: [pfSense] pfsense in ha - sync interface rule disapear

2016-10-13 Thread Steve Yates
The rules should sync at every rule change. (alias, etc.)  If states 
are syncing those are in real time.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Thursday, October 13, 2016 12:00 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear

I think I am good now .. I have deleted the sync interface and then recreated it 
... All looks good now and the systems are syncing between each other.

One more question, can we change the frequency of the sync? Looks like the 
default is ~10min

  -Luc


--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-13 12:13 GMT-04:00 Steve Yates <st...@teamits.com>:

> What version pfSense?  We are on 2.3.2 without the latest patch 
> (2.3.2_1), using CARP/sync, since whatever version was in spring 2015, 
> and haven't had this issue.
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc 
> Paulin
> Sent: Thursday, October 13, 2016 10:11 AM
> To: pfSense Support and Discussion Mailing List 
> <list@lists.pfsense.org>
> Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear
>
> Rule is disappearing on the slave only ...
> Yes both firewalls' interface descriptions are the same and assigned to 
> the same interface...
>
>   -Luc
>
>
>
>
>
> --
>  !
>( o o )
>  --oOO(_)OOo--
>Luc Paulin
>email: paulinster(at)gmail.com
>Skype: paulinster
>
>
> 2016-10-13 11:00 GMT-04:00 Steve Yates <st...@teamits.com>:
>
> > Are your rules disappearing on the slave, the master, or both?
> >
> > Brainstorming, do both have the same name for the pfsync interface?
> > Meaning the slave isn't named PFSYNC-SLAVE or something like that?
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc 
> > Paulin
> > Sent: Thursday, October 13, 2016 9:10 AM
> > To: list@lists.pfsense.org
> > Subject: [pfSense] pfsense in ha - sync interface rule disapear
> >
> > Hi Everyone,
> > I am new to pfSense and I have to say that I am very impressed to 
> > see all the features available out of the box.
> >
> > I am currently testing it to see how well it works and performs for 
> > our environment. We would like to replace our HA Linux firewall 
> > running IPTables/fwbuilder scripts.  Currently trying to set up the HA 
> > but having a hard time making it work properly. I am following the 
> > wiki guide ( https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) ).
> >
> > The issue that I have is that the rule I added on both firewalls to 
> > allow the SYNC interface to communicate keeps disappearing on the slave 
> > firewall once the connection gets established.  So XMLRPC did copy 
> > rules from master to slave, but the PFSYNC interface rules disappear, 
> > therefore this causes a communication issue afterwards
> > (/rc.filter_synchronize: New alert found: A communications error 
> > occurred while attempting XMLRPC sync with username admin
> > https://172.16.199.2:443.)
> >
> >


Re: [pfSense] pfsense in ha - sync interface rule disapear

2016-10-13 Thread Steve Yates
What version pfSense?  We are on 2.3.2 without the latest patch (2.3.2_1), 
using CARP/sync, since whatever version was in spring 2015, and haven't had 
this issue.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc Paulin
Sent: Thursday, October 13, 2016 10:11 AM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] pfsense in ha - sync interface rule disapear

Rule is disappearing on the slave only ...
Yes both firewalls' interface descriptions are the same and assigned to the same 
interface...

  -Luc





--
 !
   ( o o )
 --oOO(_)OOo--
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2016-10-13 11:00 GMT-04:00 Steve Yates <st...@teamits.com>:

> Are your rules disappearing on the slave, the master, or both?
>
> Brainstorming, do both have the same name for the pfsync interface?
> Meaning the slave isn't named PFSYNC-SLAVE or something like that?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Luc 
> Paulin
> Sent: Thursday, October 13, 2016 9:10 AM
> To: list@lists.pfsense.org
> Subject: [pfSense] pfsense in ha - sync interface rule disapear
>
> Hi Everyone,
> I am new to pfSense and I have to say that I am very impressed to 
> see all the features available out of the box.
>
> I am currently testing it to see how well it works and performs for our 
> environment. We would like to replace our HA Linux firewall running 
> IPTables/fwbuilder scripts.  Currently trying to set up the HA but having 
> a hard time making it work properly. I am following the wiki guide ( 
> https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) ).
>
> The issue that I have is that the rule I added on both firewalls to 
> allow the SYNC interface to communicate keeps disappearing on the slave 
> firewall once the connection gets established.  So XMLRPC did copy 
> rules from master to slave, but the PFSYNC interface rules disappear, 
> therefore this causes a communication issue afterwards 
> (/rc.filter_synchronize: New alert found: A communications error 
> occurred while attempting XMLRPC sync with username admin
> https://172.16.199.2:443.)
>
> 

