Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread Tiernan OToole
You need to unzip the file first. 7zip worked for me. 
--Tiernan 

On 30 June 2015 09:32:06 GMT+01:00, putra kurnia Ramadana 
ramadana.sibar...@gmail.com wrote:
Dear Friends,

I was completed download pfsense on my laptop, so, I want to install
pfsense use my laptop in VM. but why it can't install ?
the format file of pfsense is iso.gz

please help me to install pfsense on my laptop ?

Thank You.

*Sincerely Yours, *


*Putra Kurnia Ramadana*
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread Tiernan OToole
As mentioned by Jostein in another post, it depends on your VM host: VMWare, 
hyper-v, virtual box, all have options to attach an ISO to a VM. Google is your 
friend! 

Good luck! 
--Tiernan 

On 30 June 2015 10:04:21 GMT+01:00, putra kurnia Ramadana 
ramadana.sibar...@gmail.com wrote:
Dear Mr. Tiernan,

I was extract pfsense, so what can I do after unzip ?
I have to burn it of ?
Thank's

*Sincerely Yours, *


*Putra Kurnia Ramadana*


Re: [pfSense] Pfsense on VMware in Hetzner

2015-06-11 Thread Tiernan OToole
So, i installed Mikrotik routeros in the same VM, just replacing the disk, and 
it seems stable... So, it might be an issue with the pfsense config... Now to 
remember how to use routeros... 
--Tiernan 

On 10 June 2015 14:46:01 GMT+01:00, Tiernan OToole tier...@tiernanotoole.net 
wrote:
I actually did a full reinstall of the VM, and left the ips out, and it
still had issues. I added the ips as a single block then, and it's
still falling over... 

Going to try a different OS, just to see if it's a problem with Hetzner
or the box... Would prefer to keep pfsense, since it's what I got at
home, but it's now annoying me that I keep losing connectivity... 
--Tiernan 

On 10 June 2015 14:42:54 GMT+01:00, Moshe Katz mo...@ymkatz.net
wrote:
Do you have the IP alias entered once for the whole /29 subnet or do you
have all of the addresses entered as individual virtual IPs?  We had a
similar issue when we switched from Verizon DSL to Verizon FIOS many years
ago - the Virtual IPs had worked on the DSL when they had been defined as a
group, but on the FIOS we were losing our connections about once an hour,
exactly like you are seeing.  We tried everything we could think of and
then, in desperation, removed the Virtual IPs and re-added them one by one.
That solved our problem, though nobody we spoke to at that time is really
sure why. (As far as we can tell, this isn't a pfSense bug, because our
other backup internet connection - a T1 line - works perfectly with the
Virtual IPs defined all together in one rule.)

It could be worth a try.

Moshe
On Jun 10, 2015 3:19 AM, Tiernan OToole tier...@tiernanotoole.net
wrote:

 Good morning.

 I have an esx box running on the Hetzner network. It has 2 ip addresses
 (one for the box and one for one vm). That VM is a pfsense VM. That ip then
 has a static route from Hetzner for a /29 block. And all seems to work...
 For about an hour...

 During that hour, all VMs behind the pfsense box are online, can see the
 internet, etc... But then pfsense loses connectivity to wan and then gives
 up...

 If i reboot the box, it sorts it out. If i kill the wan link and bring it
 back, it comes back, but an hour or so later it's gone again...

 Hetzner suggested giving it a static ip (was getting it from their dhcp)
 and also said that it should respond to arp requests... Now it has a static
 ip, and the /29 is setup in virtual ips for proxy arp, and it's still
 falling over...

 And by falling over, gateway pings fail. It was originally set to ping
 their gateway, then I changed to Google DNS, but again, about an hour later
 and it fails...

 Any ideas?

 Thanks.
 --Tiernan


Re: [pfSense] Pfsense on VMware in Hetzner

2015-06-10 Thread Tiernan OToole
So, the VM has its own ip and mac, which Hetzner gave me. So, there is no 
spoofing and the VMware host has no network issues either. 

Sent from Outlook

_
From: Philipp Tölke pt+pfse...@fos4x.de
Sent: Wednesday, June 10, 2015 8:32 a.m.
Subject: Re: [pfSense] Pfsense on VMware in Hetzner
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org


Hi,

On 10.06.2015 09:18, Tiernan OToole wrote:
 I have an esx box running on the Hetzner network. It has 2 ip
 addresses (one for the box and one for one vm). That VM is a pfsense
 VM. That ip then has a static route from Hetzner for a /29 block. And
 all seems to work... For about an hour...

 During that hour, all VMs behind the pfsense box are online, can see
 the internet, etc... But then pfsense loses connectivity to wan and
 then gives up...

I had the same problem on Hetzner with just one IP: I had set that on 
the pfSense and would reach the VM-Host via NAT. After about an hour the 
connection stopped.

My solution was to change the MAC of the pfSense to the MAC of the real 
network card (and obviously change the MAC on the card); my assumption 
is that Hetzner does some clever stuff with anti-spoofing.

Since you need an IP on both the host and the VM you probably can't do 
anything without talking to Hetzner about this.

Cheers,
-- 
Philipp Tölke

Re: [pfSense] Pfsense on VMware in Hetzner

2015-06-10 Thread Tiernan OToole
I actually did a full reinstall of the VM, and left the ips out, and it still 
had issues. I added the ips as a single block then, and it's still falling 
over... 

Going to try a different OS, just to see if it's a problem with Hetzner or the 
box... Would prefer to keep pfsense, since it's what I got at home, but it's 
now annoying me that I keep losing connectivity... 
--Tiernan 

On 10 June 2015 14:42:54 GMT+01:00, Moshe Katz mo...@ymkatz.net wrote:
Do you have the IP alias entered once for the whole /29 subnet or do you
have all of the addresses entered as individual virtual IPs?  We had a
similar issue when we switched from Verizon DSL to Verizon FIOS many years
ago - the Virtual IPs had worked on the DSL when they had been defined as a
group, but on the FIOS we were losing our connections about once an hour,
exactly like you are seeing.  We tried everything we could think of and
then, in desperation, removed the Virtual IPs and re-added them one by one.
That solved our problem, though nobody we spoke to at that time is really
sure why. (As far as we can tell, this isn't a pfSense bug, because our
other backup internet connection - a T1 line - works perfectly with the
Virtual IPs defined all together in one rule.)

It could be worth a try.

Moshe
On Jun 10, 2015 3:19 AM, Tiernan OToole tier...@tiernanotoole.net
wrote:

 Good morning.

 I have an esx box running on the Hetzner network. It has 2 ip addresses
 (one for the box and one for one vm). That VM is a pfsense VM. That ip then
 has a static route from Hetzner for a /29 block. And all seems to work...
 For about an hour...

 During that hour, all VMs behind the pfsense box are online, can see the
 internet, etc... But then pfsense loses connectivity to wan and then gives
 up...

 If i reboot the box, it sorts it out. If i kill the wan link and bring it
 back, it comes back, but an hour or so later it's gone again...

 Hetzner suggested giving it a static ip (was getting it from their dhcp)
 and also said that it should respond to arp requests... Now it has a static
 ip, and the /29 is setup in virtual ips for proxy arp, and it's still
 falling over...

 And by falling over, gateway pings fail. It was originally set to ping
 their gateway, then I changed to Google DNS, but again, about an hour later
 and it fails...

 Any ideas?

 Thanks.
 --Tiernan


Re: [pfSense] Using on Fiber

2015-06-05 Thread Tiernan OToole
What guest you running? Could it be the virtual nic that's connected to the VM? 

--Tiernan 

On 5 June 2015 16:43:16 GMT+01:00, Ryan Coleman ryan.cole...@cwis.biz wrote:

 On Jun 5, 2015, at 10:12 AM, Brennan H. McNenly
bmcne...@singularisit.com wrote:
 
 
 And those of you with VMware experience… if I run the virtual
firewall I would need to have at least a VMware Essentials license to
come close to the throughput, right? Since the IOps are capped at
something like 10MB/sec in the free version.
 
 There are no IOP or throughput limits on the free version of the ESXi
hypervisor.  The VMWare Essentials license gets you vSphere which can
be used to manage up to three ESXi hosts.  This also lets you setup an
HA cluster with those hosts.
 
 Otherwise you can run ESXi stand alone for free without vSphere and
without any performance limits.

Hmm. I wonder why my file transfers never exceed 10MB/sec then… I’ve
been trying to migrate many TB of data via SCP to the datastore but I
also have similar caps when doing FTP over the LAN to a server. 

If there’s someone here that would be interested in giving me a hand
with this off list I’d be most appreciative. Moving 13TB of data at
10MB/sec has been very challenging.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[pfSense] load balancing between multiple IPSec tunnels

2015-05-20 Thread Tiernan OToole
Morning all.

Might be a stupid question (or even idea) but i will ask anyway.

I have a server in Germany with a PFSense VM on it. I also have a
PFSense machine in Dublin. The machine in Germany has a 1Gb uplink,
and the machine in Dublin has 2 cable modems at 240 down 24 up and a
VDSL link at about 100 down 20 up.

I have managed to get a single IPSec tunnel working between 1 of the
Cable modems and the German box, but now i am wondering about getting
2 more (one for each connection) running and balancing all three...
Since they would be hitting the same machine, could it work?

Before anyone shouts, i know there is an overhead on IPSec tunnels,
but given that the upstream of a single connection i have maxes out at
24mb, and the upstream between 3 should (theoretically) be 68, even
with an overhead, it should (hopefully) be more than 24mb/s...

So, is any of this possible? or practical?

Thanks.

--Tiernan


Re: [pfSense] load balancing between multiple IPSec tunnels

2015-05-20 Thread Tiernan OToole
Thanks for the details. I will read up a bit more on this and try out
that document.

Thanks.

--Tiernan

On 20/05/2015 16:16, WebDawg wrote:
 On Wed, May 20, 2015 at 7:54 AM, Tiernan OToole
 tier...@tiernanotoole.net wrote:
 
 
 
 if i am reading correctly, i would be thinking Layer 2 would 
 essentially be at a frame level, so it would be closer to Link 
 Aggregation with Ethernet connections...
 
 --Tiernan
 
 
 People have done it.  I have tried it with OpenVPN and while I got
 it working, the connections I used were the not the best type of
 connections to the scenario.  They were wireless.  I have yet to
 see any tests posted from other people doing it.
 
 The connections that I used were very latent.  I did it all
 manually with Debian boxes.
 
 I think latency is a big problem because of how layer2 bonding
 works and how it handles packets.  If I remember correctly it likes
 symmetric connections too.  Or at least two connections with the
 same upstream and downstream.
 
 You could try it but optimally you would want to stick with layer
 three as this is totally different then bonding two T1's or DSL
 modems together. They are not tunnelling Layer2 over Layer3.
 
 Fail over with this tunnelling method worked very well though when
 I tried it.  But so would layer3.
 
 The test results I remember from my experiment were only marginally
 faster but it really would have been nice to try on some wired
 connections that have some stability and I would think may be able
 to sync at some level.
 
 I am by no means a bonding expert.  I documented some of my journey
 here if you are interested: 
 http://wiki.hackspherelabs.com/index.php?title=Connection_and_VPN_Bonding

 


Re: [pfSense] load balancing between multiple IPSec tunnels

2015-05-20 Thread Tiernan OToole
if i am reading correctly, i would be thinking Layer 2 would
essentially be at a frame level, so it would be closer to Link
Aggregation with Ethernet connections...

--Tiernan

On 20/05/2015 15:41, WebDawg wrote:
 On Wed, May 20, 2015 at 7:06 AM, Tiernan OToole
 tier...@tiernanotoole.net wrote:
 
 Morning all.
 
 Might be a stupid question (or even idea) but i will ask anyway.
 
 I have a server in Germany with a PFSense VM on it. I also have a 
 PFSense machine in Dublin. The machine in Germany has a 1Gb
 uplink, and the machine in Dublin has 2 cable modems at 240 down 24
 up and a VDSL link at about 100 down 20 up.
 
 I have managed to get a single IPSec tunnel working between 1 of
 the Cable modems and the German box, but now i am wondering about
 getting 2 more (one for each connection) running and balancing all
 three... Since they would be hitting the same machine, could it
 work?
 
 Before anyone shouts, i know there is an overhead on IPSec
 tunnels, but given that the upstream of a single connection i have
 maxes out at 24mb, and the upstream between 3 should
 (theoretically) be 68, even with an overhead, it should (hopefully)
 be more than 24mb/s...
 
 So, is any of this possible? or practical?
 
 Thanks.
 
 --Tiernan
 
 
 
 Do you plan to bond the connections at layer2 or is this a layer3
 thing?
 


[pfSense] MultiWan and Transparent Proxy and PFSnese 2.2

2015-05-15 Thread Tiernan OToole
Morning all.

Might be a stupid question, but here goes nothing...

I have a PFSense 2.2 box with 3 WAN links (2x240mb and a 70mb). I have 
transparent Squid running, but all
traffic only goes to the default WAN connection (WAN1). I have found a few 
articles on how to get squid to use
the multi wan gateway, but all are either very old (pre 2.1) or broke my web 
server (I'm hosting sites in house).

Is there a definitive guide for how to do this properly on 2.2?

Thanks.

--Tiernan



Re: [pfSense] Bundling multiple OVPN client connection into one fat pipe...

2015-04-01 Thread Tiernan OToole
Thanks for the link. I will try it out and see what i can find... all the 
connections are stable enough... its just trying to get extra upload 
capacity... If OVPN has too much overhead, what would be the next option?


Thanks.


--Tiernan


From: List list-boun...@lists.pfsense.org on behalf of WebDawg 
webd...@gmail.com
Sent: 30 March 2015 17:58
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bundling multiple OVPN client connection into one fat 
pipe...



On Mon, Mar 30, 2015 at 3:01 AM, Tiernan OToole 
tier...@tiernanotoole.ie wrote:

Morning all..


Stupid(ish) question for you...


I have a PFSense box in the house with 3 internet connections (2x240/24 cable 
modems and a 70ish/20mb VDSL line). I am wondering if i setup 3 OVPN 
connections to a single (large) Cloud or Dedicated box, can I bundle the 3 
connections into a single large connection?


Again, might be pie-in-the-sky stuff here, but just a question...


Thanks.


--Tiernan

I have done this, there is overhead involved, and bonding tap connections.  I 
tried this with very latent and slow connections, and I did not have good luck 
with it, and while my notes are not detailed/organized as well as they should 
be you can have a look here:

http://wiki.hackspherelabs.com/index.php?title=Connection_and_VPN_Bonding

I did have some luck with stable connections, but I still had to hurry though 
it, so no official information.

I really think you may have better luck bonding the symmetric connections.  
There is also different types of bonding you can experiment with.

Web...

Re: [pfSense] Bundling multiple OVPN client connection into one fat pipe...

2015-04-01 Thread Tiernan OToole
Grand job.

Thanks for the info!

--Tiernan


From: List list-boun...@lists.pfsense.org on behalf of Chris Bagnall 
pfse...@lists.minotaur.cc
Sent: 01 April 2015 12:38
To: list@lists.pfsense.org
Subject: Re: [pfSense] Bundling multiple OVPN client connection into one fat 
pipe...

On 30/3/15 6:58 pm, WebDawg wrote:
 I have done this, there is overhead involved, and bonding tap connections.
 I tried this with very latent and slow connections, and I did not have good
 luck with it

I've tried this on even relatively fast (80/20 FTTC) connections, and
performance is still a far cry from the combined total of the
connections involved. Based on my limited testing it was very much a
case of diminishing returns: adding a second connection to the mix
increased overall throughput by around 40%, but adding a third
connection to that mix only increased things by about 10%.

I had similar experiences using PPP bonding, and using Mikrotik's own
EoIP tunnels, so pfSense isn't the limiting factor. As I understand it,
the problem is usually packets arriving out of order at the far end
leading to retransmissions of the apparently 'missing' packets.

In my experience, a mix of load balancing and policy-based routing
nearly always works better than link aggregation on variable-speed WAN
connections.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Dynamic DNS and Route 53

2015-03-11 Thread Tiernan OToole
Thanks for the reply. In the case of the domain below, that was manually set. 
The domain I wanted updated was checked in the AWS console directly, and still 
had the old value…

I will try modify the php file and see if I can get it to show what's going on.

Thanks.

--Tiernan

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Wednesday 11 March 2015 13:40
To: pfSense support and discussion
Subject: Re: [pfSense] Dynamic DNS and Route 53


Just three things to add to what Brian said.

For Windows hosts, run ipconfig /flushdns to clear the cache. (You can also 
use /displaydns to set what's in the cache, but you're going to have to ease 
through the entire thing so it's probably not worth it.)

If you are using Google Chrome (on any platform), you will also need to clear 
its cache. Go to chrome://net-internals, click  DNS, and click the clear 
button.

Finally, the easiest way to see the raw request and response is probably by 
opening up the PHP file that runs DNS updates and adding a bunch of echo 
statements.  I don't have a pfSense box in front of me at the moment to see 
which file it is, but I'm guessing it's not too hard to find. Just make sure to 
remove your changes when you are done.

Moshe

Sorry for top-posting. Sent from a mobile device.
On Mar 11, 2015 8:48 AM, Brian Candler 
b.cand...@pobox.com wrote:
On 11/03/2015 10:09, Tiernan OToole wrote:

Any tips on checking this properly? How can i see what is being sent and 
received from the server?

I don't know about that (tcpdump perhaps), but here's how to check what's 
published in the DNS:

$ dig +trace @8.8.8.8 tiernanotoolephotography.com. a

; <<>> DiG 9.8.3-P1 <<>> +trace @8.8.8.8 tiernanotoolephotography.com. a
; (1 server found)
;; global options: +cmd
.                       2466    IN      NS      l.root-servers.net.
.                       2466    IN      NS      h.root-servers.net.
.                       2466    IN      NS      k.root-servers.net.
.                       2466    IN      NS      i.root-servers.net.
.                       2466    IN      NS      g.root-servers.net.
.                       2466    IN      NS      j.root-servers.net.
.                       2466    IN      NS      d.root-servers.net.
.                       2466    IN      NS      a.root-servers.net.
.                       2466    IN      NS      f.root-servers.net.
.                       2466    IN      NS      b.root-servers.net.
.                       2466    IN      NS      m.root-servers.net.
.                       2466    IN      NS      e.root-servers.net.
.                       2466    IN      NS      c.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 51 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 506 bytes from 192.203.230.10#53(192.203.230.10) in 33 ms

tiernanotoolephotography.com. 172800 IN NS ns-99.awsdns-12.com.
tiernanotoolephotography.com. 172800 IN NS ns-718.awsdns-25.net.
tiernanotoolephotography.com. 172800 IN NS ns-1318.awsdns-36.org.
tiernanotoolephotography.com. 172800 IN NS ns-1983.awsdns-55.co.uk.
;; Received 214 bytes from 192.31.80.30#53(192.31.80.30) in 119 ms

tiernanotoolephotography.com. 300 IN A 79.97.100.91
tiernanotoolephotography.com. 172800 IN NS ns-1318.awsdns-36.org.
tiernanotoolephotography.com

[pfSense] Multi WAN IPv6

2015-03-09 Thread Tiernan OToole
Morning all.


Just reading though the docs and found the following:


https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6


and


https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker


But there is a problem... The Multi-WAN one assumes that both WAN connections 
give IPv6 addresses, which in my case is false, and the Tunnel Broker assumes 
you have one WAN connection... Last time i tried this, mind you with a 
different router, all traffic went though one connection (the one the tunnel 
broker knew about) and nothing went though the rest...


Any one done this before?


Thanks.


--Tiernan

Re: [pfSense] Bulk Editing settings on the PFSense dashboard

2015-02-21 Thread Tiernan OToole
Bit of a pain with a reboot though... I will have a look and see what I can do!

Thanks.

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Bagnall
Sent: Saturday 21 February 2015 23:13
To: list@lists.pfsense.org
Subject: Re: [pfSense] Bulk Editing settings on the PFSense dashboard

On 21/2/15 10:54 pm, Tiernan OToole wrote:
 Meh Sounds like a bit of a pain... is there no command line options?

The pfSense config file is pretty standard XML, so you could always knock 
something together in your scripting language of choice to batch add the config 
sections you need.

I've done it in the past in a few lines of PHP when adding a large range of NAT 
rules for a client (one port to each machine, but 50+ machines on their LAN).

Kind regards,

Chris
--
This email is made from 100% recycled electrons 
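
The batch edit described in the quoted message above, as an added example that is not code from the thread or from the pfSense project: it clones a NAT rule that already exists in an exported backup once per machine and refuses clashing ports or targets outside the LAN. The element names (nat, rule, destination/port, target, local-port, descr), the sample XML, the addresses and the helper names are assumptions to check against your own export.

```python
import copy
import ipaddress
import xml.etree.ElementTree as ET

# Constructed miniature of an exported backup. Element names are assumptions
# modelled on a pfSense config.xml; compare them with a real export first.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <nat>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>2201</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.101</target>
      <local-port>22</local-port>
      <interface>wan</interface>
      <descr>ssh host 1 (template rule made in the GUI)</descr>
    </rule>
  </nat>
</pfsense>
"""


def plan_mappings(first_port, first_ip, count):
    """One (external_port, lan_ip, description) tuple per machine."""
    base = ipaddress.ip_address(first_ip)
    return [(first_port + i, str(base + i), "ssh %s" % (base + i))
            for i in range(count)]


def _set(rule, path, value):
    """Overwrite one child of a cloned rule; fail loudly if it is absent."""
    node = rule.find(path)
    if node is None:
        raise ValueError("template rule has no <%s> element" % path)
    node.text = value


def add_port_forwards(config_xml, mappings, lan_cidr):
    """Return new config text with one cloned NAT rule per mapping.

    Nothing is returned if any mapping is invalid, so a bad batch cannot
    produce a half-edited file.
    """
    root = ET.fromstring(config_xml)
    nat = root.find("nat")
    template = nat.find("rule") if nat is not None else None
    if template is None:
        raise ValueError("no <nat><rule> to clone; create one in the GUI first")

    lan = ipaddress.ip_network(lan_cidr)
    used = {r.findtext("destination/port") for r in nat.findall("rule")}

    for ext_port, lan_ip, descr in mappings:
        port = str(int(ext_port))
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range: %s" % port)
        if port in used:
            raise ValueError("external port already forwarded: %s" % port)
        if ipaddress.ip_address(lan_ip) not in lan:
            raise ValueError("%s is outside %s" % (lan_ip, lan))

        # Every other child (protocol, interface, local port, ...) is
        # inherited unchanged from the template rule.
        rule = copy.deepcopy(template)
        _set(rule, "destination/port", port)
        _set(rule, "target", lan_ip)
        _set(rule, "descr", descr)
        nat.append(rule)
        used.add(port)

    return ET.tostring(root, encoding="unicode")


def list_forwards(config_xml):
    """(external_port, target, local_port) for every NAT rule, in order."""
    root = ET.fromstring(config_xml)
    return [(r.findtext("destination/port"), r.findtext("target"),
             r.findtext("local-port")) for r in root.findall("nat/rule")]


if __name__ == "__main__":
    new_config = add_port_forwards(
        SAMPLE_CONFIG, plan_mappings(2202, "192.168.1.102", 3), "192.168.1.0/24")
    for row in list_forwards(new_config):
        print(row)
```

Write the result to a new file and keep the original export, so the restore can be rolled back if the imported rules are not what was intended.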


Re: [pfSense] Dual Port NIC ports

2015-02-21 Thread Tiernan OToole
My PFSense machine has a single Dual Port gigabit Intel Nic and 2 Quad port 
nics, as well as a single port nic and an onboard nic. All, bar the dual port 
nic are on PCI-Express ports. The Dual port nic is a PCIX card in a PCI slot...

I think once you have the bandwidth on the motherboard to support it, you 
should be grand. Checking Wikipedia, the slowest PCI-Express connections are 
250Mbytes (2 Gigabits) per second for a 1x slot. And then multiply that by the 
number of Xes in the slot (the cards I have are 4x cards and are on either 4 or 
8x slots. 4x card is 8Gigabits a second). Different generations give different 
speeds too... more details here:

http://en.wikipedia.org/wiki/PCI_Express

Long story short, I don't think it matters as long as you have a fast enough 
bus... biggest advantage is lower space requirements... biggest disadvantage I 
can think is if you lose one card, you lose both ports...

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Joe Laffey
Sent: Saturday 21 February 2015 23:26
To: pfSense Support and Discussion Mailing List
Subject: [pfSense] Dual Port NIC ports

Hi,

Is there any advantage or disadvantage to using the the two port on a dual port 
NIC vs. one port each on two different dual port NICs?

I am building a new box, and it has two dual port Intel NICs (as well as a 
legacy Intel NIC and a couple of Marvels on the mobo).

Does it matter at all which interfaces I put on which ports of those dual port 
NICs? A lot of data (video frames) is frequently moved between the DMZ and the 
LAN. So I would want that to be the fastest.

(Sorry if this goes through twice. I sent from the wrong address the first time 
and it was rejected.)

Thanks,


--
Joe Laffey
The Stable
Visual Effects
http://TheStable.tv/?e37581M/


Re: [pfSense] Bulk Editing settings on the PFSense dashboard

2015-02-21 Thread Tiernan OToole
Meh…. Sounds like a bit of a pain… is there no command line options?

From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Ryan Coleman
Sent: Friday 20 February 2015 14:46
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bulk Editing settings on the PFSense dashboard

Easiest solution is to export your settings ( from the Backup/Restore submenu) 
and manually make the changes, import the file and reboot.


On Feb 20, 2015, at 8:11 AM, Tiernan OToole 
tier...@tiernanotoole.ie wrote:

Morning lads and lassies...

I have a question about bulk editing settings on PFSense. I am in the process 
of adding a shed load of Dynamic DNS records to a router, but at the moment i 
need to do this one... at... a... time... which is SLOW... and painful...

So, is there a way to do this on PFSense? and not just dyndns, but for firewall 
rules, dns records, etc?

Thanks.

--Tiernan

[pfSense] Bulk Editing settings on the PFSense dashboard

2015-02-20 Thread Tiernan OToole
Morning lads and lassies...


I have a question about bulk editing settings on PFSense. I am in the process 
of adding a shed load of Dynamic DNS records to a router, but at the moment i 
need to do this one... at... a... time... which is SLOW... and painful...


So, is there a way to do this on PFSense? and not just dyndns, but for firewall 
rules, dns records, etc?


Thanks.


--Tiernan

Re: [pfSense] Squid not logging traffic

2015-02-16 Thread Tiernan OToole
Torrents wouldn't be tracked. They are going over a non HTTP connection. If you 
want to check the connection, BandwidthD might be what you're looking for.

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Brian Caouette
Sent: Monday 16 February 2015 17:17
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Squid not logging traffic

bbs.dlois.com:/lightsquid/day_detail.cgi?year=2015month=02day=16

Dell wired and Roku are the busiest devices yet report almost no traffic.

Sent from my iPad

 On Feb 15, 2015, at 11:09 PM, Volker Kuhlmann list0...@paradise.net.nz 
 wrote:
 
 On Mon 16 Feb 2015 03:53:55 NZDT +1300, Brian Caouette wrote:
 
 I just noticed squid is not logging all traffic. The last few nights 
 I've used plex on my roku connected to my friends server. The only 
 thing showing in light squid
 
 Are you talking about squid or light squid? Aren't they different 
 packages?
 
 Squid logs the number of bytes transferred, which means it can write 
 the log entry only after the connection is closed. The time stamp 
 seems to be the one of when the log entry was written, not when the 
 connection was opened. When is a streaming connection closed?
 
 Perhaps more to the point, what port does the stream use? Is it one 
 handled by squid in the first place?
 
 Volker
 
 --
 Volker Kuhlmann
 http://volker.top.geek.nz/
 Please do not CC list postings to me.
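
Volker's point in the quoted message above, that Squid writes a log entry only once the connection closes, shown as an added example (not code from the thread, Squid or LightSquid). It assumes Squid's native access.log field order (completion timestamp, elapsed milliseconds, client, result code, bytes, method, URL); the log lines are constructed and days are counted in UTC.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Squid's native access.log layout:
# completion-time elapsed-ms client code/status bytes method URL user hier type
SAMPLE_LOG = """\
1424050200.000 10800000 192.168.1.50 TCP_MISS/200 2147483648 GET http://media.example/stream - DIRECT/203.0.113.9 video/mp4
1424080000.500 120 192.168.1.51 TCP_MISS/200 5120 GET http://www.example/index.html - DIRECT/203.0.113.10 text/html
this line is truncated
"""


def parse_access_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        try:
            logged = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
            elapsed = timedelta(milliseconds=int(fields[1]))
            size = int(fields[4])
        except ValueError:
            continue
        entries.append({
            "client": fields[2],
            "logged": logged,             # when the transfer finished
            "started": logged - elapsed,  # when the client connected
            "bytes": size,
            "url": fields[6],
        })
    return entries


def bytes_per_day(entries, key):
    """Sum bytes per UTC day, keyed on 'logged' or 'started'."""
    totals = defaultdict(int)
    for entry in entries:
        totals[entry[key].date().isoformat()] += entry["bytes"]
    return dict(totals)


def spans_midnight(entries):
    """Entries whose transfer began on an earlier day than it was logged."""
    return [e for e in entries if e["started"].date() != e["logged"].date()]


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    print("by log time:  ", bytes_per_day(parsed, "logged"))
    print("by start time:", bytes_per_day(parsed, "started"))
    for e in spans_midnight(parsed):
        print(e["client"], "started", e["started"], "logged", e["logged"])
```

A per-day report keyed on the log timestamp books the whole three-hour stream to the day it ended, which is why a long-lived connection can look absent while it is still open.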


Re: [pfSense] Running Out of /var

2015-02-16 Thread Tiernan OToole
I had a similar problem and it was Squid taking up space for the logs... mind 
you, I bumped up the storage available... I think I may have also set squid to 
use less space... can't remember off the top of my head now... hope this helps.

--Tiernan


From: List list-boun...@lists.pfsense.org on behalf of Thomas Guldener 
tgulde...@bluewin.ch
Sent: 16 February 2015 11:58
To: pfSense support and discussion
Subject: [pfSense] Running Out of /var

I have a problem with my DS437 box. After a reboot the /var drive will run out 
of free disk in minutes.

Anyone an idea what it could be?

g.
thomas

Version: 2.2-RELEASE (amd64)
  built on Thu Jan 22 14:03:54 CST 2015
  FreeBSD 10.1-RELEASE-p4
  You are on the latest version.
Platform: nanobsd (4g)
NanoBSD Boot Slice: pfsense0 / da0s1 (ro)
CPU Type: Intel(R) Celeron(R) CPU 1037U @ 1.80GHz
  2 CPUs: 1 package(s) x 2 core(s)
CPU usage: 2%
Memory usage: 2% of 15283 MB
Disk usage:
  / (ufs): 12% of 1.8G
  /cf (ufs): 1% of 49M
  /tmp (ufs in RAM): 1% of 38M
  /var (ufs in RAM): 108% of 58M


Re: [pfSense] Multi-WAN port forwarding

2015-02-14 Thread Tiernan OToole
I can't seem to get the firewall checker happy, but I have managed to tell it 
to use static ports for anything coming from that machine and also set that 
machine to always go out through one particular WAN connection... some bits are 
working... some not... Still annoying...


--Tiernan


From: List list-boun...@lists.pfsense.org on behalf of Jim Spaloss 
jspal...@gmail.com
Sent: 13 February 2015 23:07
To: pfSense support and discussion
Subject: Re: [pfSense] Multi-WAN port forwarding


I am running 3CX with PFSense in several installations. Are you using Advanced 
Outbound NAT with static mappings to your PBX? I usually need to do this for 
SIP (UDP:5060) stun (UDP:5090) and RTP (UDP:9000-9050) in order to make the 3CX 
firewall checker happy.

On Feb 13, 2015 4:02 PM, Tiernan OToole tier...@tiernanotoole.ie wrote:
I'm using 3CX, and it seems their firewall rule checker is a bit weird... I have 
managed to get some outgoing calls working by skipping the firewall checker... 
Still trying to configure incoming calls... but any help would be appreciated!

Thanks.

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Spencer
Sent: Friday 13 February 2015 20:44
To: list@lists.pfsense.org
Subject: Re: [pfSense] Multi-WAN port forwarding

What VOIP platform is it? We have successfully implemented firewall allow rules 
for our Digium Switchvox PBX using PfSense. We might have similar rule set 
requirements if that helps at all.

On 02/13/2015 01:01 PM, Tiernan OToole wrote:
 Right... So after a bit of digging, I found the following from my VoIP Server 
 provider:

 http://www.3cx.com/blog/voip-howto/pfsense-firewall/

 They walked me through setting up the firewall rules, and port preservation, 
 which worked to an extent... originally, no traffic was hitting the required 
 ports (5060, 5090 and 9000-9099) but now it is... It's still getting blocked 
 somewhere, but at least it’s a start!

 Now more digging!

 --Tiernan

 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon Gerdes
 Sent: Friday 13 February 2015 13:57
 To: list@lists.pfsense.org
 Subject: Re: [pfSense] Multi-WAN port forwarding


 On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote:
 Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no 
 luck...

 --Tiernan

 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
 Sent: Thursday 12 February 2015 20:36
 To: pfSense Support and Discussion Mailing List
 Subject: Re: [pfSense] Multi-WAN port forwarding

 SIP is UDP, not TCP.

 On Feb 12, 2015, at 12:33 PM, Tiernan OToole tier...@tiernanotoole.ie wrote:

 Morning all.

 I have a question I hope someone can help me with.

 I have my PFSense server with 3 WAN connections, load balanced and I
 need to start forwarding ports, specifically SIP ports. I have done
 port forwarding on port 80, and it works grand, but doing the same
 steps with 5060, not so much…

 The steps I took was:

 Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port
 are both *, dest = WAN1 address, dst port 5060, nat IP (internal ip
 of the voip box), nat ports 5060

 Did this for each WAN connection and again for other ports… but the VoIP 
 firewall checker is still telling me the ports aint open… What am I doing 
 wrong?

 It works on port 80! Why not SIP?!

 Thanks.

 --Tiernan

 Start by making sure that traffic is actually hitting the rule.  Enable 
 logging on the rule and/or run a packet capture on the pfSense box with the 
 interface set to the WAN link, proto UDP port 5060.

 You could also do a pcap on the LAN interface with the IP of the PBX
 to see both directions.  Install Wireshark on your PC to look deeply
 into the pcap (download button)

 Once you get SIP to work which is usually pretty easy, then you get to 
 diagnose why you get one way audio (RTP).  Hopefully that won't happen.
 Symmetric RTP is your friend here ...

 Another thing to watch out for is SIP ALGs upstream of the pfSense and making 
 sure that your VoIP system knows its external IP address.

 Cheers
 Jon




--
Steven G. Spencer, Network Administrator KSC Corporate - The Kelly Supply 
Family of Companies Office 308-382-8764 Ext. 1131 Mobile 402-765-8010

Re: [pfSense] Multi-WAN port forwarding

2015-02-13 Thread Tiernan OToole
Right... So after a bit of digging, I found the following from my VoIP Server 
provider:

http://www.3cx.com/blog/voip-howto/pfsense-firewall/

They walked me through setting up the firewall rules, and port preservation, 
which worked to an extent... originally, no traffic was hitting the required 
ports (5060, 5090 and 9000-9099) but now it is... It's still getting blocked 
somewhere, but at least it’s a start!

Now more digging!

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon Gerdes
Sent: Friday 13 February 2015 13:57
To: list@lists.pfsense.org
Subject: Re: [pfSense] Multi-WAN port forwarding


On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote:
 Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no 
 luck...
 
 --Tiernan
 
 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris 
 L
 Sent: Thursday 12 February 2015 20:36
 To: pfSense Support and Discussion Mailing List
 Subject: Re: [pfSense] Multi-WAN port forwarding
 
 SIP is UDP, not TCP.
 
  On Feb 12, 2015, at 12:33 PM, Tiernan OToole tier...@tiernanotoole.ie 
  wrote:
  
  Morning all.
   
  I have a question I hope someone can help me with.
   
  I have my PFSense server with 3 WAN connections, load balanced and I 
  need to start forwarding ports, specifically SIP ports. I have done 
  port forwarding on port 80, and it works grand, but doing the same 
  steps with 5060, not so much…
   
  The steps I took was:
   
  Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port 
  are both *, dest = WAN1 address, dst port 5060, nat IP (internal ip 
  of the voip box), nat ports 5060
   
  Did this for each WAN connection and again for other ports… but the VoIP 
  firewall checker is still telling me the ports aint open… What am I doing 
  wrong?
   
  It works on port 80! Why not SIP?!
   
  Thanks.
   
  --Tiernan

Start by making sure that traffic is actually hitting the rule.  Enable logging 
on the rule and/or run a packet capture on the pfSense box with the interface 
set to the WAN link, proto UDP port 5060.

You could also do a pcap on the LAN interface with the IP of the PBX to see 
both directions.  Install Wireshark on your PC to look deeply into the pcap 
(download button)

Once you get SIP to work which is usually pretty easy, then you get to diagnose 
why you get one way audio (RTP).  Hopefully that won't happen.
Symmetric RTP is your friend here ...

Another thing to watch out for is SIP ALGs upstream of the pfSense and making 
sure that your VoIP system knows its external IP address.

Cheers
Jon 


Re: [pfSense] Multi-WAN port forwarding

2015-02-13 Thread Tiernan OToole
I'm using 3CX, and it seems their firewall rule checker is a bit weird... I have 
managed to get some outgoing calls working by skipping the firewall checker... 
Still trying to configure incoming calls... but any help would be appreciated!

Thanks.

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Spencer
Sent: Friday 13 February 2015 20:44
To: list@lists.pfsense.org
Subject: Re: [pfSense] Multi-WAN port forwarding

What VOIP platform is it? We have successfully implemented firewall allow rules 
for our Digium Switchvox PBX using PfSense. We might have similar rule set 
requirements if that helps at all.

On 02/13/2015 01:01 PM, Tiernan OToole wrote:
 Right... So after a bit of digging, I found the following from my VoIP Server 
 provider:

 http://www.3cx.com/blog/voip-howto/pfsense-firewall/

 They walked me through setting up the firewall rules, and port preservation, 
 which worked to an extent... originally, no traffic was hitting the required 
 ports (5060, 5090 and 9000-9099) but now it is... It's still getting blocked 
 somewhere, but at least it’s a start!

 Now more digging!

 --Tiernan

 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon 
 Gerdes
 Sent: Friday 13 February 2015 13:57
 To: list@lists.pfsense.org
 Subject: Re: [pfSense] Multi-WAN port forwarding


 On Thu, 2015-02-12 at 21:13 +, Tiernan OToole wrote:
 Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no 
 luck...

 --Tiernan

 -Original Message-
 From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris 
 L
 Sent: Thursday 12 February 2015 20:36
 To: pfSense Support and Discussion Mailing List
 Subject: Re: [pfSense] Multi-WAN port forwarding

 SIP is UDP, not TCP.

 On Feb 12, 2015, at 12:33 PM, Tiernan OToole tier...@tiernanotoole.ie 
 wrote:

 Morning all.

 I have a question I hope someone can help me with.

 I have my PFSense server with 3 WAN connections, load balanced and I 
 need to start forwarding ports, specifically SIP ports. I have done 
 port forwarding on port 80, and it works grand, but doing the same 
 steps with 5060, not so much…

 The steps I took was:

 Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port 
 are both *, dest = WAN1 address, dst port 5060, nat IP (internal ip 
 of the voip box), nat ports 5060

 Did this for each WAN connection and again for other ports… but the VoIP 
 firewall checker is still telling me the ports aint open… What am I doing 
 wrong?

 It works on port 80! Why not SIP?!

 Thanks.

 --Tiernan

 Start by making sure that traffic is actually hitting the rule.  Enable 
 logging on the rule and/or run a packet capture on the pfSense box with the 
 interface set to the WAN link, proto UDP port 5060.

 You could also do a pcap on the LAN interface with the IP of the PBX 
 to see both directions.  Install Wireshark on your PC to look deeply 
 into the pcap (download button)

 Once you get SIP to work which is usually pretty easy, then you get to 
 diagnose why you get one way audio (RTP).  Hopefully that won't happen.
 Symmetric RTP is your friend here ...

 Another thing to watch out for is SIP ALGs upstream of the pfSense and making 
 sure that your VoIP system knows its external IP address.

 Cheers
 Jon




--
Steven G. Spencer, Network Administrator KSC Corporate - The Kelly Supply 
Family of Companies Office 308-382-8764 Ext. 1131 Mobile 402-765-8010 

[pfSense] Multi-WAN port forwarding

2015-02-12 Thread Tiernan OToole
Morning all.

I have a question I hope someone can help me with.

I have my PFSense server with 3 WAN connections, load balanced and I need to 
start forwarding ports, specifically SIP ports. I have done port forwarding on 
port 80, and it works grand, but doing the same steps with 5060, not so much...

The steps I took were:

Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both *, 
dest = WAN1 address, dst port 5060, nat IP (internal ip of the voip box), nat 
ports 5060

Did this for each WAN connection and again for other ports... but the VoIP 
firewall checker is still telling me the ports ain't open... What am I doing 
wrong?

It works on port 80! Why not SIP?!

Thanks.

--Tiernan

Re: [pfSense] Multi-WAN port forwarding

2015-02-12 Thread Tiernan OToole
Thanks for the tip Chris (Doh!) but tried setting it to UDP and still no luck...

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
Sent: Thursday 12 February 2015 20:36
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Multi-WAN port forwarding

SIP is UDP, not TCP.

 On Feb 12, 2015, at 12:33 PM, Tiernan OToole tier...@tiernanotoole.ie wrote:
 
 Morning all.
  
 I have a question I hope someone can help me with.
  
 I have my PFSense server with 3 WAN connections, load balanced and I need to 
 start forwarding ports, specifically SIP ports. I have done port forwarding 
 on port 80, and it works grand, but doing the same steps with 5060, not so 
 much…
  
 The steps I took was:
  
 Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both *, 
 dest = WAN1 address, dst port 5060, nat IP (internal ip of the voip box), nat 
 ports 5060
  
 Did this for each WAN connection and again for other ports… but the VoIP 
 firewall checker is still telling me the ports aint open… What am I doing 
 wrong?
  
 It works on port 80! Why not SIP?!
  
 Thanks.
  
 --Tiernan

Re: [pfSense] Multi-WAN port forwarding

2015-02-12 Thread Tiernan OToole
When I created the nat rule, add associated filter rule is default... There is 
a filter rule for each port...

As for the lock down, the plan is to lock it down when it works!

--Tiernan




On Thu, Feb 12, 2015 at 3:07 PM -0800, Chris Bagnall 
pfse...@lists.minotaur.cc wrote:

On 12 Feb 2015, at 20:33, Tiernan OToole tier...@tiernanotoole.ie wrote:
 The steps I took was:
 Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both *, 
 dest = 5060, nat IP (internal ip of the voip box), nat ports 5060
 Did this for each WAN connection and again for other ports… but the VoIP 
 firewall the ports aint open… What am I doing wrong?
 It works on port 80! Why not SIP?!

What did you select for “Filter Rule Association” ?
If I recall correctly, selecting ‘pass’ won’t work in a multi-WAN environment; 
you need to let it create a linked filter rule.

(as an aside, unless you specifically want SIP calls from the internet at 
large, you might want to lock down your incoming SIP rules to only allow 
connections from your SIP supplier - there are just too many SIP attacks out 
there these days to leave it open to the world unless you really need to)

Kind regards,

Chris
--
C.M. Bagnall
This email is made from 100% recycled electrons

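
The three points raised in this thread (SIP forwarded as TCP rather than UDP, a "pass" filter rule association on multi-WAN, and SIP ports left open to any source), turned into a check over port-forward rules as an added example that is not from the thread or the pfSense project. The XML element names are an assumption modelled on a pfSense config.xml backup, and the sample rules, addresses and rule ids are constructed; verify the names against your own backup before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <nat> section of a pfSense config.xml
# backup. Element names are an assumption; addresses and rule ids are made up.
SAMPLE_CONFIG = """\
<pfsense><nat>
  <rule>
    <interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>wanip</network><port>5060</port></destination>
    <target>192.168.1.10</target><local-port>5060</local-port>
    <associated-rule-id>pass</associated-rule-id>
  </rule>
  <rule>
    <interface>opt1</interface><protocol>udp</protocol>
    <source><address>198.51.100.0/24</address></source>
    <destination><network>opt1ip</network><port>9000-9099</port></destination>
    <target>192.168.1.10</target><local-port>9000</local-port>
    <associated-rule-id>nat_constructed_0001</associated-rule-id>
  </rule>
  <rule>
    <interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>wanip</network><port>80</port></destination>
    <target>192.168.1.20</target><local-port>80</local-port>
    <associated-rule-id>nat_constructed_0002</associated-rule-id>
  </rule>
</nat></pfsense>
"""

# Ports the thread names for the PBX: 5060, 5090 and 9000-9099.
VOIP_PORTS = [(5060, 5060), (5090, 5090), (9000, 9099)]


def parse_port_range(text):
    """'5060' -> (5060, 5060); '9000-9099' or '9000:9099' -> (9000, 9099)."""
    low, _, high = text.strip().replace(":", "-").partition("-")
    return int(low), int(high or low)


def touches_voip(low, high):
    return any(low <= end and start <= high for start, end in VOIP_PORTS)


def audit_port_forwards(config_xml):
    """Return (rule_index, code, message) tuples for VoIP port forwards."""
    findings = []
    rules = ET.fromstring(config_xml).findall("./nat/rule")
    for index, rule in enumerate(rules):
        port_text = rule.findtext("destination/port", default="")
        try:
            low, high = parse_port_range(port_text)
        except ValueError:
            # Empty value or a port alias: cannot be resolved from this section.
            findings.append((index, "unresolved-port",
                             f"rule {index}: port {port_text!r} is not numeric"))
            continue
        if not touches_voip(low, high):
            continue
        iface = rule.findtext("interface", default="?")
        protocol = rule.findtext("protocol", default="").lower()
        label = f"rule {index} ({iface}, port {port_text})"
        if "udp" not in protocol:
            findings.append((index, "not-udp",
                             f"{label}: protocol is {protocol or 'unset'}, not UDP"))
        if rule.find("source/any") is not None:
            findings.append((index, "any-source",
                             f"{label}: source is any; limit it to the SIP supplier"))
        if rule.findtext("associated-rule-id", default="") == "pass":
            findings.append((index, "pass-association",
                             f"{label}: uses 'pass'; create a linked filter rule"))
    return findings


if __name__ == "__main__":
    for _, code, message in audit_port_forwards(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```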

Re: [pfSense] Migrating from RouterOS to PFSense

2015-02-11 Thread Tiernan OToole
Hi WebDawg.

Thanks for the reply. I have been looking at these floating rules, but might 
have gotten something wrong.

I have a floating rule which says:

Proto TCP IPv4, source and port are *, destination BBC (alias to their ip 
block) port is * gateway is my UK VPN server, queue none, schedule none.

If I tell my open VPN client to not use the routing, BBC won't work... If I do, 
then all my traffic looks like it's coming from the UK (BBC and others) but all 
traffic is not flowing out through the VPN... I'm a little confused by this...

In the mail below I ask:
 I think thats all the major issues i have... I think (but could be 
 wrong) i have the second one working, but i would like to know if 
 there is a better way of doing it then as follows:

 Firewall, Rules, LAN and i have a connection that says Dest is IP 
 block, dest port *, source is LAN Net,  source IP is *, gateway is 
 upstream i want to send to.
And you answer:
 Seems right, you are going to need floating for the other gateway direction.

How do you mean by this? 

Thanks again.

--Tiernan

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
Sent: Tuesday 10 February 2015 16:25
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Migrating from RouterOS to PFSense

On Tue, Feb 10, 2015 at 1:41 AM, Tiernan OToole tier...@tiernanotoole.ie 
wrote:
 Good morning all.

 For the year or so, i have been running Microtik Router OS on either 
 their own hardware or my own hardware, and all has mostly been good, 
 bar the fact the OS wont see more than 2Gb of ram and my machine has 8...

 Anyway, i decided to install PFsense 2.2 on a new hard drive and 
 plugged in into my existing hardware, but now i have some questions 
 about getting this fully working the same way it worked on RouterOS.

 First, some background. The machine in question is an old HP Proliant 
 ML110 G5 server with an Intel Core2Quad, 8Gb ram, I think it's a 500Gb hdd 
 (just grabbed the first one I could fix) and a mix of network cards 
 giving a total of 12 GigE connections.  There are 3 WAN connections (2 
 Cable modems at 200/20 and a VDSL at 100/20, closer to 70ish.) The cable 
 modems give out public IPs (they are in Bridged mode) and the machine 
 gets an IP via DHCP. The VDSL is PPPoE.

 I have managed to get a somewhat basic load balancing setup working, 
 and it does seem to work grand. Speedtest.net, which now seems to be 
 multithreaded, is giving me download speeds of anywhere from 420 - 480mb/s.

 Now, the real question:

 In RouterOS i could do the following:

 Any incoming traffic (from the LAN) from a given IP address, could be 
 routed though a given upstream connection, be that a specific WAN 
 connection or a VPN connection.

You should be able to do this with firewall rules and specifying gateways.
*https://doc.pfsense.org/index.php/Multi-WAN#Overview

 Any Incoming traffic (from the LAN) to a given IP address or network 
 (for example BBC) could be routed though a given upstream provider, 
 again WAN or VPN

I think you would need to use floating rules for this.

Firewall rules on Interface and Group tabs process traffic in the Inbound 
direction and are processed from the top down, stopping at the first match. 
Where no user-configured firewall rules match, traffic is denied. Only what is 
explicitly allowed via firewall rules will be passed.
*https://doc.pfsense.org/index.php/Firewall_Rule_Basics


Floating Rules are advanced Firewall Rules which can apply in any direction and 
to any or multiple interfaces. Floating Rules are defined under Firewall > 
Rules on the Floating tab.
*https://doc.pfsense.org/index.php/What_are_Floating_Rules


 All incoming requests that come from a particular WAN connection (eg, 
 web web request on port 80) will return over that connection, so 
 traffic requested on port 80 on WAN 1 will be returned to the client on WAN1.

Would this not just be NAT in general?
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

I guess I could see how things may get mixed depending on your configuration.


 I think thats all the major issues i have... I think (but could be 
 wrong) i have the second one working, but i would like to know if 
 there is a better way of doing it then as follows:

 Firewall, Rules, LAN and i have a connection that says Dest is IP 
 block, dest port *, source is LAN Net,  source IP is *, gateway is 
 upstream i want to send to.
Seems right, you are going to need floating for the other gateway direction.


 This is the top option, and at the bottom are the standard allow 
 everything out connections...
It processes rules from top to bottom and when matching one stops.


 Am i doing this right?

 Thanks again!

 --Tiernan



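
The top-down, first-match, default-deny evaluation quoted above, applied to the policy-routing rule from the original question, as an added example (not from the thread or from pfSense's code). The rule names, gateway names and the 203.0.113.0/24 range standing in for the "BBC" alias are hypothetical, and only interface-tab rules are modelled, not floating rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    gateway: str      # hypothetical gateway or gateway-group name


def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; no match means the traffic is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in _net(rule.source) and dst in _net(rule.destination):
            return rule.name, rule.gateway
    return None, None


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule covers them fully."""
    pairs = []
    for position, later in enumerate(rules):
        for earlier in rules[:position]:
            if (_net(later.source).subnet_of(_net(earlier.source))
                    and _net(later.destination).subnet_of(_net(earlier.destination))):
                pairs.append((later.name, earlier.name))
                break
    return pairs


LAN = "192.168.1.0/24"
BBC_ALIAS = "203.0.113.0/24"  # documentation range standing in for the alias

bbc_via_vpn = Rule("bbc-via-vpn", LAN, BBC_ALIAS, "UK_VPN")
allow_all = Rule("allow-lan-out", LAN, "any", "WAN_LOADBALANCE")

AS_POSTED = [bbc_via_vpn, allow_all]  # policy route on top, allow-all below
REVERSED = [allow_all, bbc_via_vpn]   # same rules, wrong order

if __name__ == "__main__":
    for label, ruleset in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        print(label, evaluate(ruleset, "192.168.1.20", "203.0.113.5"),
              "shadowed:", shadowed_rules(ruleset))
```

With the order reversed the allow-all rule matches first, so the destination-specific gateway rule is never reached and the traffic leaves through the load-balanced WANs instead of the VPN.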

Re: [pfSense] Migrating from RouterOS to PFSense

2015-02-11 Thread Tiernan OToole
Yea, they do use a cdn, but their backend servers are on their subnet... It 
worked perfectly on mikrotik this way...

--Tiernan




On Wed, Feb 11, 2015 at 3:15 PM -0800, Chris Bagnall 
pfse...@lists.minotaur.cc wrote:

On 11/2/15 8:37 pm, Tiernan OToole wrote:
 Proto TCP IPv4, source and port are *, destination BBC (alias to their ip 
 block) port is * gateway is my UK VPN server, queue none, schedule none.
 If I tell my open VPN client to not use the routing, BBC won't work... If I 
 do, then all my traffic looks like it's coming from the UK (BBC and others) 
 but all traffic is not flowing out through the VPN... I'm a little confused by 
 this...

I assume you're doing this to get past the GeoIP region-blocking on BBC
iPlayer.

It's worth mentioning that - if I recall correctly - the BBC don't
actually host most of their content on their own IP block; much of it
goes via CDNs which will inevitably have their own netblocks. So you may
find you have to route a much larger chunk of address space via your VPN
than originally planned.

Kind regards,

Chris
--
This email is made from 100% recycled electrons

[pfSense] Migrating from RouterOS to PFSense

2015-02-10 Thread Tiernan OToole
Good morning all.

For the year or so, I have been running Mikrotik Router OS on either their own 
hardware or my own hardware, and all has mostly been good, bar the fact the OS 
won't see more than 2Gb of ram and my machine has 8...

Anyway, I decided to install PFsense 2.2 on a new hard drive and plugged it 
into my existing hardware, but now I have some questions about getting this 
fully working the same way it worked on RouterOS.

First, some background. The machine in question is an old HP Proliant ML110 G5 
server with an Intel Core2Quad, 8Gb ram, I think it's a 500Gb hdd (just grabbed 
the first one I could fix) and a mix of network cards giving a total of 12 GigE 
connections.  There are 3 WAN connections (2 Cable modems at 200/20 and a VDSL 
at 100/20, closer to 70ish.) The cable modems give out public IPs (they are in 
Bridged mode) and the machine gets an IP via DHCP. The VDSL is PPPoE.

I have managed to get a somewhat basic load balancing setup working, and it 
does seem to work grand. Speedtest.net, which now seems to be multithreaded, is 
giving me download speeds of anywhere from 420 - 480mb/s.

Now, the real question:

In RouterOS I could do the following:

Any incoming traffic (from the LAN) from a given IP address, could be routed 
through a given upstream connection, be that a specific WAN connection or a VPN 
connection.

Any Incoming traffic (from the LAN) to a given IP address or network (for 
example BBC) could be routed through a given upstream provider, again WAN or VPN

All incoming requests that come from a particular WAN connection (eg, web 
request on port 80) will return over that connection, so traffic requested on 
port 80 on WAN 1 will be returned to the client on WAN1.

I think that's all the major issues I have... I think (but could be wrong) I 
have the second one working, but I would like to know if there is a better way 
of doing it than as follows:

Firewall, Rules, LAN and I have a connection that says Dest is IP block, dest 
port *, source is LAN Net,  source IP is *, gateway is upstream I want to send 
to.

This is the top option, and at the bottom are the standard allow everything out 
connections...

Am I doing this right?

Thanks again!

--Tiernan
