Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread WebDawg
I have to do these upgrades remotely, I have very little choice.

What is the difference between executing the php installer via point
and click and doing the upgrade via ssh?

I see the entire upgrade, and the last thing I see before I get
disconnected is the call for reboot.

It is high risk compared to serial, but when you are doing the job
remotely, and the pfsense device is your core router, how do I log in
and see the serial data?

On Wed, May 16, 2018 at 12:20 PM, Vick Khera <vi...@khera.org> wrote:
> On Wed, May 16, 2018 at 10:50 AM, WebDawg <webd...@gmail.com> wrote:
>
>> I upgrade via the console now.  Not to say that the GUI is broken, but
>> I must have been a victim of when it was.  I have seen what kpa is
>> talking about in that forum thread too.  It is why I always ssh in and
>> update from console.
>>
>
> Wow. I call that a high risk upgrade method. Once it logs you out of ssh,
> you just sit there and hope it comes back up. You need to hook your serial
> port (or virtual serial port if you have a BMC that supports that) up as
> the real device console so you can monitor the entire process.
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-16 Thread WebDawg
I upgrade via the console now.  Not to say that the GUI is broken, but
I must have been a victim of when it was.  I have seen what kpa is
talking about in that forum thread too.  It is why I always ssh in and
update from console.

On Wed, May 16, 2018 at 10:13 AM, Steve Yates  wrote:
> Huh, I should remember to look there first.  So used to this list. 
>
> The "sort of scary" part is comments like "Same thing here.  The page 
> reported the upgrade had failed.  We waited about two minutes and the page 
> refreshed and we logged in.  The upgrade had worked after all."  Like it's 
> running in the background despite the failure?  And I ran it a second time 
> during this?  That's what "KPA" posted last night: "The WebGUI upgrade still 
> seems to suffer from the same problem as it did a while ago which is that it 
> gets disconnected from the real upgrade run and reports a failure when the 
> upgrade is actually running successfully in the background."
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List  On Behalf Of John Kline
> Sent: Tuesday, May 15, 2018 10:29 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
>
> Many of us are seeing this.
> See: https://forum.pfsense.org/index.php?topic=147853.0
>
>
>
>
> On Tuesday, May 15, 2018, 7:53 PM, Steve Yates  wrote:
>
> I upgraded two routers from 2.4.2 to 2.4.3 and today to 2.4.3_1.  One is an 
> SG-3100 and one is a PC.  On both, both times, the upgrade almost immediately 
> fails, but if I try again it works.  I click the pending-update icon on the 
> dashboard to go to System Update and it detects the update.  I start and I 
> get:
>
> ">>> Updating repositories metadata... done.
> 2.4.3_1 version of pfSense is available"
>
> Then a red bar at the top of the page, "System update failed!"
>
> If I click the already-highlighted System Update tab again, confirm the 
> update, it then immediately installs.
>
> Is anyone else seeing this?
>
> --
>
> Steve Yates
> ITS, Inc.
>

Re: [pfSense] DNS configurazione under VPN

2018-05-13 Thread WebDawg
"In any case, if you configure your DNS Resolver to use the LAN
interface as outgoing interface, the DNS Resolver should use the same
routing as your computer, VPN or not."

Can anyone confirm that this is true?  I never tested it, but it would
be nice to get a confirm.  I had an issue, similar to what Antonio is
trying to do, that required something like this in the past.

Also, are not the firewall rules ingress only, what would be the
relationship between the DNS resolver being on an ingress interface
instead of egress?  How does it 'set itself up' on this interface?

On Mon, May 7, 2018 at 4:36 AM, Stephane Bouvard  wrote:
> Hi,
>
> Try this :
>
> - Create a gateway group (System / Routing / Gateway Groups) with VPN
> Gateway as Tier 1 and WAN Gateway as Tier 2
>
> - Use this gateway group as outgoing gateway (in my config, i use a LAN
> Firewall rule with the created gateway group, and i use LAN as outgoing
> interface for my DNS Resolver).
>
> In any case, if you configure your DNS Resolver to use the LAN interface as
> outgoing interface, the DNS Resolver should use the same routing as your
> computer, VPN or not.
>
>
>
>
> On 07-05-18 at 01:09, Antonio wrote:
>>
>> After messing around for much of the weekend and reading a bit here and
>> there I have made one small step to achieving my goal. Basically, I am
>> able to bind the DNS Resolver to the VPN interface by selecting it
>> under "Outgoing Network Interfaces". This way all traffic goes through the
>> VPN tunnel, including DNS queries. In fact, when I go on dnsleaktest.com,
>> I do not have any leaks and this is very positive.
>>
>> The only problem is that when the VPN link fails, then I cannot resolve
>> DNS queries anymore on my LAN devices. So, what I need to do now, is
>> understand how I can achieve this automatically, i.e. when the VPN link
>> comes up, it tells the DNS Resolver to route through the VPN tunnel;
>> when the VPN link is down, it tells the DNS Resolver to route the DNS
>> queries through the LAN interface. Any suggestions?
>
> --
> Best regards...
>
>  _  Want to focus on your core business?
> (_'We manage and monitor your servers for you
> ,_)téphane Bouvard   http://www.myown.eu
>

Re: [pfSense] unbound - dhcpleases - and more

2018-05-03 Thread WebDawg
Can anyone comment on this?

On Mon, Apr 30, 2018 at 6:16 PM, WebDawg <webd...@gmail.com> wrote:
> Hello,
>
> I was recently looking into an issue unrelated, I think, to the
> following questions and information:
>
> I am experiencing the same symptoms/log entries as in the following posts:
>
> https://forum.pfsense.org/index.php?topic=137015.0
> https://forum.pfsense.org/index.php?topic=130335.0
> and
> https://redmine.pfsense.org/issues/7592
>
> It looks like I can find some forum posts going back to 2015.
>
> The log entries I am getting:
>
> When I edit a DHCP static reservation:
>
> Apr 30 17:53:53 php-fpm
> /services_dhcp_edit.php: The command '/usr/sbin/arp -d
> '192.168.178.221'' returned exit code '1', the output was 'arp:
> writing to routing socket: No such file or directory'
>
> Apr 30 17:55:54 dhcpleases
> /etc/hosts changed size from original!
> Apr 30 17:55:54 dhcpleases
> Could not deliver signal HUP to process because its pidfile
> (/var/run/unbound.pid) does not exist, No such process.
> Apr 30 17:55:54 dhcpleases
> kqueue error: unkown
>
> It looks like it does restart unbound here:
>
> Apr 30 17:55:55 unbound 63972:0 info: start of service (unbound 1.6.8).
> Apr 30 17:55:55 unbound 63972:0 info: service stopped (unbound 1.6.8).
> Apr 30 17:55:55 unbound 63972:0 info: server stats for thread 0: 0
> queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by
> ip ratelimiting
>
> I have read anything about this issue from:  it is just a cosmetic
> message that needs to be ignored/ to: it is causing major problems in
> my network (I think this side of it was a bug in the past)
>
> I have reached out on IRC and it seems like no one was around to answer me.
>
> Above happens when I edit a DHCP reservation, and I get the same log
> messages when unbound gets a new DHCP client, as I have it adding the
> hostnames to the hosts file.  Seen here:
>
> Apr 30 17:28:51 check_reload_status
> Syncing firewall
> Apr 30 17:28:55 dhcpleases
> /etc/hosts changed size from original!
> Apr 30 17:28:55 dhcpleases
> Could not deliver signal HUP to process because its pidfile
> (/var/run/unbound.pid) does not exist, No such process.
> Apr 30 17:28:55 dhcpleases
> kqueue error: unkown
>
> Has anyone been down this path before or can any devs chime in?  Does
> unbound reply to DNS requests when it is HUPed?


[pfSense] unbound - dhcpleases - and more

2018-04-30 Thread WebDawg
Hello,

I was recently looking into an issue unrelated, I think, to the
following questions and information:

I am experiencing the same symptoms/log entries as in the following posts:

https://forum.pfsense.org/index.php?topic=137015.0
https://forum.pfsense.org/index.php?topic=130335.0
and
https://redmine.pfsense.org/issues/7592

It looks like I can find some forum posts going back to 2015.

The log entries I am getting:

When I edit a DHCP static reservation:

Apr 30 17:53:53 php-fpm
/services_dhcp_edit.php: The command '/usr/sbin/arp -d
'192.168.178.221'' returned exit code '1', the output was 'arp:
writing to routing socket: No such file or directory'

Apr 30 17:55:54 dhcpleases
/etc/hosts changed size from original!
Apr 30 17:55:54 dhcpleases
Could not deliver signal HUP to process because its pidfile
(/var/run/unbound.pid) does not exist, No such process.
Apr 30 17:55:54 dhcpleases
kqueue error: unkown

It looks like it does restart unbound here:

Apr 30 17:55:55 unbound 63972:0 info: start of service (unbound 1.6.8).
Apr 30 17:55:55 unbound 63972:0 info: service stopped (unbound 1.6.8).
Apr 30 17:55:55 unbound 63972:0 info: server stats for thread 0: 0
queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by
ip ratelimiting

I have read anything about this issue from:  it is just a cosmetic
message that needs to be ignored/ to: it is causing major problems in
my network (I think this side of it was a bug in the past)

I have reached out on IRC and it seems like no one was around to answer me.

Above happens when I edit a DHCP reservation, and I get the same log
messages when unbound gets a new DHCP client, as I have it adding the
hostnames to the hosts file.  Seen here:

Apr 30 17:28:51 check_reload_status
Syncing firewall
Apr 30 17:28:55 dhcpleases
/etc/hosts changed size from original!
Apr 30 17:28:55 dhcpleases
Could not deliver signal HUP to process because its pidfile
(/var/run/unbound.pid) does not exist, No such process.
Apr 30 17:28:55 dhcpleases
kqueue error: unkown

Has anyone been down this path before or can any devs chime in?  Does
unbound reply to DNS requests when it is HUPed?


Re: [pfSense] Need Help setting up new SG-4860

2018-04-19 Thread WebDawg
I actually noticed an issue on these devices.  I have not filed a bug
report yet.  The setup wizard fails when there is no internet.

I think it has to do with ntp sync.

On Thu, Apr 19, 2018, 5:38 PM Eero Volotinen  wrote:

>  so, what is the main issue?
>
> Eero
>
> On Fri, 20 Apr 2018 at 0.35, Bryan Hemedinger wrote:
>
> > I received the Netgate unit SG-4860 and need help setting it up
> >
> >
> > Bryan Hemedinger D.O.P.
> > 954-722-2223
> > Photography Dept.


Re: [pfSense] Port forwards don't work on one machine

2018-02-25 Thread WebDawg
No problem.  Been there before.

On Sun, Feb 18, 2018 at 4:54 PM, Marco <li...@homerow.info> wrote:
> On Wed, 14 Feb 2018 18:07:42 -0500
> WebDawg <webd...@gmail.com> wrote:
>
>> It is most likely the ISP device.
>
> Indeed, it was.
>
> I redid the whole pfSense config and the issue persisted. Then I
> redid the ISP device config and it worked. In the end I changed
> nothing, same config as before, but now it works for some magical
> reason.
>
> Thanks to all of you for the support and sorry for the noise (of
> having nothing to do with pfSense).
>
> Marco


Re: [pfSense] Port forwards don't work on one machine

2018-02-14 Thread WebDawg
It is most likely the ISP device.

On Sun, Feb 11, 2018 at 2:12 PM, Marco  wrote:
> Hi,
>
> I have set up port forwarding multiple times in the past and it has always
> worked. But I now have a machine that fails to forward a port. No clue why.
> Maybe I'm missing the obvious here.
>
> My network:
>
>   Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)
>
> For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
> used IPs instead of aliases.
>
> 1) The port forward from the WAN to 10.0.30.21 is set up.
>
> https://i.imgur.com/V8vlN1Z.png
>
> 2) A corresponding WAN rule is created as well:
>
> https://i.imgur.com/N7ulwha.png
>
>   On another machine this already is enough to get it working. But not on this
>   one. Nmap shows “filtered”.
>
> 3) Confirming the port 8000 is actually open on 10.0.30.21:
>
> https://i.imgur.com/KcaSP6T.png
>
>   Yes, it is.
>
> 4) Now testing from the external IP:
>
> https://i.imgur.com/QnWQuIO.png
>
>   Nope!
>
>   Again using an external service:
>
> https://i.imgur.com/v4KaivE.png
>
>   No, James!
>
> 5) States:
>
> https://i.imgur.com/Rf1kjbf.png
>
> 6) Packet capture:
>
> https://i.imgur.com/xT3qFXW.png
>
>
> I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
>
>> Common Problems
>>
>> 1. NAT and firewall rules not correctly added (see How can I forward ports 
>> with pfSense?)
>
> I guess it's all correct, works on another machine.
>
>> Hint: Do NOT set a source port
>
> not set
>
>> 2. Firewall enabled on client machine
>
> nope
>
>> 3. Client machine is not using pfSense as its default gateway
>
> pfSense is the default gateway
>
>> 4. Client machine not actually listening on the port being forwarded
>
> It is, see
>
>   https://i.imgur.com/KcaSP6T.png
>
>> 5. ISP or something upstream of pfSense is blocking the port being forwarded
>
> I guess the states table and packet capture should be empty if that's the
> case, right?
>
>> 6. Trying to test from inside the local network, need to test from an 
>> outside machine
>
> Tested both, see
>
>   https://i.imgur.com/QnWQuIO.png
>   https://i.imgur.com/v4KaivE.png
>
>> 7. Incorrect or missing Virtual IP configuration for additional public IP 
>> addresses
>
> No clue, haven't configured anything virtual.
>
>> 8. The pfSense router is not the border router. If there is something else 
>> between pfSense and the ISP, the port forwards and associated rules must be 
>> replicated there.
>
> True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
> is configured to forward everything to the pfSense box, though.
>
>> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must 
>> be added both to and from the server's IP in order for a port forward to 
>> work behind a Captive Portal.
>
> nope
>
>> 10. If this is on a WAN that is not the default gateway, make sure there is 
>> a gateway chosen on this WAN interface, or the firewall rules for the port 
>> forward would not reply back via the correct gateway.
>
> WAN is default gateway
>
>> 11. If this is on a WAN that is not the default gateway, ensure the traffic 
>> for the port forward is NOT passed in via Floating Rules or an Interface 
>> Group. Only rules present on the WAN's interface tab under Firewall Rules 
>> will have the reply-to keyword to ensure the traffic responds properly via 
>> the expected gateway.
>
> didn't configure floating rules
>
>> 12. If this is on a WAN that is not the default gateway, make sure the 
>> firewall rule(s) allowing the traffic in do not have the box checked to 
>> disable reply-to.
>
> not the case
>
>> 13. If this is on a WAN that is not the default gateway, make sure the 
>> master reply-to disable switch is not checked under System > Advanced, on 
>> the Firewall/NAT tab.
>
> not the case
>
>> 14. WAN rules should NOT have a gateway set, so make sure that the rules for 
>> the port forward do NOT have a gateway configured on the actual rule.
>
> see
>
> https://i.imgur.com/N7ulwha.png
>
>> 15. If the traffic appears to be forwarding in to an unexpected device, it 
>> may be happening due to UPnP. Check Status > UPnP to see if an internal 
>> service has configured a port forward unexpectedly. If so, disable UPnP on 
>> either that device or on the firewall.
>
> UPnP is not used
>
> I guess I'm missing the obvious here, since port forwards are rather
> straightforward in pfSense and have never given me troubles in the past. A
> nudge in the right direction is appreciated.
>
> Marco

Re: [pfSense] Squid transparent with SSL interception - CA certificate problem

2018-02-06 Thread WebDawg
You may just want to switch to inspection.

On Tue, Feb 6, 2018 at 10:44 AM, Paul Mather  wrote:
> On Feb 6, 2018, at 10:03 AM, Roberto Carna  wrote:
>
>> Dear Alex, so there is no solution to the given problem ???
>>
>> I refer to install a CA private certificate in mobile devices and let
>> them navigate and use applications through a transparent proxy without
>> SSL errors...
>
>
> It could be that the applications and devices you consider "don't work
> correctly" are employing certificate and public key pinning (see, e.g.,
> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning and
> https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning).  It is a technique
> intended to defend against the very kind of certificate misuse in which you
> appear to be engaged.
>
> Cheers,
>
> Paul.
>
>
>>
>> Regards,
>>
>> 2018-02-06 11:35 GMT-03:00 Alex Threlfall :
>>> They may be hard coded to look at only their own CA to prevent MiM attacks,
>>> or use their own certificate store (for a similar behaviour).
>>>
>>> Alex.
>>>
>>>> -Original Message-
>>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Roberto
>>>> Carna
>>>> Sent: 06 February 2018 13:32
>>>> To: pfSense Support and Discussion Mailing List
>>>> Subject: [pfSense] Squid transparent with SSL interception - CA
>>>> certificate problem
>>>>
>>>> People, I've setup a transparent Squid proxy for WiFi clients. I'm using
>>>> SSL interception so I had to generate a CA private certificate (generated
>>>> from pfSense certificate manager tab).
>>>>
>>>> But when I add this CA private certificate to several Android and iPhone
>>>> devices in order to proxify and filter SSL applications, some of the
>>>> Android devices don't work correctly: Facebook and Instagram don't load
>>>> the profiles and Mercadolibre doesn't open the menu. In the other Android
>>>> and iPhone devices, everything works OK.
>>>>
>>>> Can this problem be related to the CA certificate (maybe I have to use a
>>>> given digest algorithm and key length) or is this an Android intrinsic
>>>> problem depending on OS version???
>>>>
>>>> Thanks a lot.
>>>>
>>>> ROBERT


Re: [pfSense] Transparent proxy for WiFi users

2018-01-11 Thread WebDawg
It could be web sockets, this could show you what I mean:

https://asana.com/guide/help/faq/connectivity#gl-websockets

You have to white-list some stuff sometimes to get it to work
correctly, but I think that is what I was intercepting vs inspecting.
This was an example white list I had for skype and asana:

asana.com sling.is apps.skypeassets.com login.skype.com pipe.skype.com
secure.skype.com config.skype.com api.skype.com ui.skype.com
s.gateway.messenger.live.com get.skype.com dsn13.d.skype.net
mobile.pipe.aria.microsoft.com a.config.skype.com www.skypeassets.com
dr.skype.net apps.skype.com api.asm.skype.com sync.app.asana.com

Try white-listing problem sites.

On Thu, Jan 11, 2018 at 10:30 AM, Roberto Carna
<robertocarn...@gmail.com> wrote:
> Dear, I've created a self signed CA Certificate in pfSense, in order
> to use it in the SSL Filtering / Splice All from Squid.
>
> This CA certificate is NOT installed in none of the device clients
> (notebooks, cell phones, etc), because it is impossible to ask each WiFi
> user to install it.
>
> Everything works OK, except certain cases, for example:
>
> - Facebook app sometimes doesn't load the user profiles, I have to
> close Facebook and open it again
> - Mercadolibre is the same, it doesn't load the content and after that
> I have to close and open the app
>
> Why certain apps don't work OK until I close and restart them ???
>
> Thanks a lot again!!!
>
>
>
> 2018-01-10 3:51 GMT-03:00 WebDawg <webd...@gmail.com>:
>> Can you just do inspection on this and have it stop acting as a true proxy?
>>
>> Splice All:
>> This configuration is suitable if you want to use the SquidGuard
>> package for web filtering.
>> All destinations will be spliced. SquidGuard can do its job of denying
>> or allowing destinations according its rules, as it does with HTTP.
>> You do not need to install the CA certificate configured below on clients.
>> Content filtering (such as Antivirus) will not be available for SSL sites.
>>
>> On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage <esav...@digitalrage.org> 
>> wrote:
>>> Interested in what sort of problems you are seeing.
>>>
>>> I use the same setup in a small environment let's call it home :) with many
>>> different devices and have not seen any issues.
>>>
>>> -Original Message-
>>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer
>>> Duffner
>>> Sent: Tuesday, January 02, 2018 10:01 AM
>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>>> Subject: Re: [pfSense] Transparent proxy for WiFi users
>>>
>>>
>>>
>>>> On 02.01.2018 at 14:46, Roberto Carna <robertocarn...@gmail.com> wrote:
>>>>
>>>> Dear, I've setup a Squid transparent proxy + SquidGuard on pfSense 2.4
>>>> in order to filter HTTP and HTTPS web content for different types of
>>>> WiFi clients on my company:
>>>>
>>>> - Android (different versions)
>>>> - Notebooks Windows 7/10
>>>> - iPhone
>>>> - Etc.
>>>>
>>>> In some cases, depending on the device Operating System, some apps
>>>> experience problems, for example Facebook and some others.
>>>>
>>>
>>>
>>>
>>>
>>> Apps that do hardwired Key-Pinning (everything from Apple, Google and
>>> probably TFB, too) will not work.
>>> You have to make exemptions, AFAIK.
>>>
>>> Same for ebanking and related.
>>>
>>>
>>>
>>>


Re: [pfSense] Transparent proxy for WiFi users

2018-01-09 Thread WebDawg
Can you just do inspection on this and have it stop acting as a true proxy?

Splice All:
This configuration is suitable if you want to use the SquidGuard
package for web filtering.
All destinations will be spliced. SquidGuard can do its job of denying
or allowing destinations according its rules, as it does with HTTP.
You do not need to install the CA certificate configured below on clients.
Content filtering (such as Antivirus) will not be available for SSL sites.

On Tue, Jan 2, 2018 at 11:01 AM, Elijah Savage  wrote:
> Interested in what sort of problems you are seeing.
>
> I use the same setup in a small environment let's call it home :) with many
> different devices and have not seen any issues.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Rainer
> Duffner
> Sent: Tuesday, January 02, 2018 10:01 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] Transparent proxy for WiFi users
>
>
>
>> On 02.01.2018 at 14:46, Roberto Carna wrote:
>>
>> Dear, I've setup a Squid transparent proxy + SquidGuard on pfSense 2.4
>> in order to filter HTTP and HTTPS web content for different types of
>> WiFi clients on my company:
>>
>> - Android (different versions)
>> - Notebooks Windows 7/10
>> - iPhone
>> - Etc.
>>
>> In some cases, depending on the device Operating System, some apps
>> experience problems, for example Facebook and some others.
>>
>
>
>
>
> Apps that do hardwired Key-Pinning (everything from Apple, Google and
> probably TFB, too) will not work.
> You have to make exemptions, AFAIK.
>
> Same for ebanking and related.
>
>
>
>


Re: [pfSense] pfSense and SIP

2018-01-09 Thread WebDawg
I think you need to look into state tracking:

https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

I had an issue like this though with some advanced vpn routing I was
doing and pfsense was killing states when I routed more than once.  Is
that your case?  If pfsense cannot track the entire state I think at
one point it considers it dead and kills it.

I think you want to set State type to "none".  Let us know if it works.

On Tue, Jan 9, 2018 at 11:01 AM, Giles Coochey  wrote:
>
>
> On 09-01-2018 15:49, Roberto Carna wrote:
>>
>> Special thanks to both of you...
>>
>> With ANY I mean "all TCP and UDP ports".
>>
>> Maybe when the remote peer sends to my PBX the SIP packet with the SIP
>> Options, the response from the PBX is a SIP packet defined as
> >> ESTABLISHED traffic and this ESTABLISHED feature is not working or
>> not defined in pfSEnse firewall rules ??? Because the SIP response
>> packet from PBX to the remote peer is not a new traffic, is an
>> established traffic
>>
>
> Well, certainly being able to run a packet capture on the PBX will aid your
> troubleshooting, at least to see if _any_ packets are being received by the
> SIP peer...
>
> You need to ensure that you _don't_ have siproxd package installed, as this
> can interfere with your non-NAT set up.
>
>
>
>> Thanks a lot again, regards!!!
>>
>> 2018-01-09 12:17 GMT-03:00 Giles Coochey :
>>>
>>> On 09/01/2018 14:34, Roberto Carna wrote:


>>>> Dear, I have an Asterisk PBX in a DMZ behind a pfSense and a remote
>>>> peer out of the pfSense. I connect PBX and Peer in order to establish
>>>> a SIP trunk.
>>>>
>>>> In the path "PBX -- pfSense -- SIP trunk peer" there is no NAT at all.
>>>>
>>>> So we have generated two firewall rules:
>>>>
>>>> PBX --> SIP Peer with ANY
>>>> SIP Peer --> PBX with ANY
>>>
>>>
>>>
>>> When you say any, is it a bit unclear, Protocol any? or TCP any, UDP any?
>>>
>>> Could you elaborate on the exact rules you have set up?
>>>

>>>> But often the SIP packets coming from the SIP Peer don't cross the
>>>> pfSEnse to PBX. The packets never reach my PBX.
>>>>
>>>> Is there any feature I have to enable/disable in pfSense in order to
>>>> work with SIP protocol to have established the SIP trunk ???
>>>>
>>>> The SIP trunk provider tell me that the SIP Options they send me are
>>>> not responded by us.
>>>>
>>>> Thanks a lot,
>>>>
>>>> ROBERT


Re: [pfSense] SSH Bruteforce

2017-12-20 Thread WebDawg
Also make sure to use private key and public key

On Dec 20, 2017 5:53 AM, "Daniel"  wrote:

> Hi there,
>
>
>
> anyone know how to prevent SSH Bruteforce attacks in my network?
>
> I wanted to have a Firewall which counts SSH Connections from the same IP
> and when it reaches the defined limit the IP will be blocked.
>
>
>
> I know I can change the SSH port but I also want to know if there is an
> option to limit such kind of attacks.
>
>
>
> Cheers
>
>
>
> Daniel
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
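
The per-source counting asked about in this thread can be prototyped offline before it is enforced at the firewall. The following is an added example, not part of the original thread: it runs a sliding window over sshd log lines and lists the addresses that reach the limit. The log lines, the limit and window values, and the pf table name ssh_bruteforce are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Dec 20 05:40:01 fw sshd[4101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Dec 20 05:40:03 fw sshd[4102]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec 20 05:40:06 fw sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Dec 20 05:40:09 fw sshd[4104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Dec 20 05:41:00 fw sshd[4110]: Accepted publickey for ops from 198.51.100.20 port 40022 ssh2
Dec 20 05:42:00 fw sshd[4120]: Failed password for ops from 192.0.2.15 port 33000 ssh2
Dec 20 05:52:30 fw sshd[4130]: Failed password for ops from 192.0.2.15 port 33010 ssh2
Dec 20 06:10:00 fw sshd[4140]: Failed password for ops from 192.0.2.15 port 33020 ssh2
"""

# The user name is text chosen by the remote side, so it is matched greedily
# and the source address is read from the fixed "from <ip> port <n> ssh2"
# tail at the very end of the line, never from the middle of it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failure(line, year=2017):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.ip_address(m["ip"]))
    except ValueError:
        return None  # not a literal address: ignore rather than guess
    # Classic syslog timestamps carry no year, so the caller supplies it.
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, ip


def find_offenders(log_text, limit=4, window=timedelta(seconds=60), year=2017):
    """Map each source IP to the time it first reached `limit` failures
    inside one sliding `window`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line, year)
        if parsed is None:
            continue              # accepted logins and other lines do not count
        when, ip = parsed
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= limit and ip not in offenders:
            offenders[ip] = when
    return offenders


def block_commands(offenders, table="ssh_bruteforce"):
    """Render pfctl table additions for review; the table name is hypothetical
    and a block rule referencing that table is assumed to exist."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} reached the limit at {when}")
    print("\n".join(block_commands(hits)))
```

With key-only authentication these password attempts cannot succeed, but the count still identifies the sources worth blocking; the slow source 192.0.2.15 is only caught when the window is widened.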


Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-05 Thread WebDawg
I had the same thing happen to me but before 2.4 came out.

I have quite a few of these in production I don't know what I'll do. It
seems like there are quite a few reports of 2.3 to 2.4 failing even on
official Hardware.

Does anybody have any insight to what's going on?

Ever since pfSense switched over to the new upgrade method it seems like
every once in awhile an upgrade problem creeps up even on my end.

I've seen quite a few instances of where I go to upgrade via the web GUI
and it corrupts the package database. In fact I have one box right now that
runs official Hardware that I think is stuck on 2.3 until I get to it
physically.

Why is the upgrade process so unstable all of a sudden?

On Dec 5, 2017 4:48 PM, "Pete Boyd"  wrote:

> On 05/12/2017 13:47, Eero Volotinen wrote:
> > well. take backup of config and ask operator to reinstall box from usb
> > stick & restore backup?
>
> Yeah. This went from bad to worse today, I eventually lost contact with
> it, so this is what I'm going to do.
>
> Thanks for your help.
>
>
> --
> Pete Boyd
>
> Open Plan IT - http://openplanit.co.uk
> The Golden Ear - http://thegoldenear.org


Re: [pfSense] Multiple OpenVPNs (site to site) to one head end

2017-11-22 Thread WebDawg
I have done site to site vpns and usually you have to add some static
routes and check firewall rules.

On Wed, Nov 22, 2017 at 11:34 AM, Ryan Coleman  wrote:
> I want to pass the entire traffic from a few locations through one master.
>
> I have one site working. But when I try to connect the second site it kills 
> the first.
>
> I have IPSec for some basic network connections as a backup for the moment 
> that allows me to get to customer servers but I want to run all my traffic 
> because… Comcast.
>
> I have Gig Fiber at the headend, bandwidth is not an issue.
>
> Does anyone have a tried/tested example of getting either OpenVPN full tunnel 
> working on a (multiple sites)-to-(one site) or an IPSec configuration example 
> that would allow for 100% routing?
>
> My guinea pig is my home network. I have one customer that is also on Comcast 
> that is using the full site-to-site tunnel and I cannot afford to drop during 
> store hours.
>
> Thanks!
>
> —
> Ryan

Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-22 Thread WebDawg
The bridging may need tested and filed as a bug.

On Wed, Nov 22, 2017 at 11:15 AM, Liwei <xieli...@gmail.com> wrote:
> On Thu, 23 Nov 2017 at 00:38 WebDawg <webd...@gmail.com> wrote:
>
>> I am glad that you seemed to have resolved it, does the serial port
>> get the standard kernel messages...
>>
>
> It isn't really solved though as I have to take our bridged VPNs offline.
>
> Yes it does, but nothing relevant gets spewed out of the serial port before
> the panic comes up. The first sign I can see on the serial port of things
> going wrong is the kernel panic itself.
>
>
>>
>> usually you log in and tail some log files
>>
>
> Got it
>
>
>>
>> (bridging our oVPN tap interfaces to the main and private LANs)
>>
>> This was bridging done in pfSense right?
>>
>
> That's right.
>
>
>>
>> On Wed, Nov 22, 2017 at 8:07 AM, Liwei <xieli...@gmail.com> wrote:
>> > On Tue, 21 Nov 2017 at 01:08 WebDawg <webd...@gmail.com> wrote:
>> >
>> >> It should work though.  A great many people virtualize pfSense:
>> >>
>> >> https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi
>> >>
>> >> Here is some more information:
>> >>
>> >> https://doc.pfsense.org/index.php/VirtIO_Driver_Support
>> >> https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear
>> >> https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox
>> >>
>> >> I know what it is like to ask for support and see people stop helping
>> >> because something is virtualized.  I have seen bad code fail in
>> >> virtualization situations only to hear 'do not virtualize'.
>> >>
>> >> From what I know, BSD has trouble with NIC interfaces and such.  Do
>> >> you have any limiters or QOS installed?  I would take a look at the
>> >> nic interfaces first.  Can you actively monitor the log to look for
>> >> errors once the VM is booted?
>> >>
>> >> I virtualized pfSense on proxmox about a year ago and BSD hated the
>> >> cpu timers and such.  I would get so many issues from it until I
>> >> figured it out but everything was plain as day in the kernel messages
>> >> that were outputted.
>> >>
>> >> There is an ova file available via the gold subscription:
>> >>
>> >> https://doc.pfsense.org/index.php/VMware_Appliance
>> >>
>> >> You need to get more information for me to help further.  It would be
>> >> great to get a copy of some logs.
>> >>
>> >> Here is a XenServer thread:
>> >> https://forum.pfsense.org/index.php?topic=88467
>> >>
>> >> Last time I virtualized the big deal was hvm nic vs pvhvm NIC.  You
>> >> could do limiters on one (I think hvm) but the NIC's become CPU bound
>> >> because of how HVM works.  I could only push like 10-30 mbits out of
>> >> an i3 processor.
>> >>
>> >> I do not know if this has been solved, or if it is solvable.  pfSense
>> >> follows FreeBSD so most of the fixes for this come from FreeBSD,
>> >> though pfSense had/has some of its own kernel hacks.
>> >>
>> >>
>> >>
>> > Hi Vick, thanks for the assistance, nonetheless!
>> >
>> > Hi WebDawg,
>> > Yeah, I guessed as much that the problem should be on my side,
>> because
>> > something this fatal should already be widely reported.
>> >
>> > I don't have any limiters or QoS set. I've set up logging of the
>> serial
>> > port so at least I know what are the events leading up to the crash.
>> > Nothing interesting though, it just... happens. How do I set up log
>> > monitoring? My guess is I'll probably have to turn on remote syslog and
>> log
>> > over. Will set up when I get the chance.
>> >
>> > The odd thing is this is a 7+ years old setup (but we did do a fresh
>> > install of 2.3 when we upgraded hardware 1+ years ago), and we never had
>> > any serious issues. In fact it was purring along nicely on 2.3 since it
>> was
>> > first installed, until we upgraded to 2.4.
>> >
>> > I'm pretty confident of the hardware since it is only a year old, the
>> > other VMs are not having any issues, and reverting to 2.3 works fine.
>> Thus
>> > based on a hunch I decided to remove a couple of bridge interfaces
>> > (bridging our oVPN tap int

Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-22 Thread WebDawg
I am glad that you seemed to have resolved it, does the serial port
get the standard kernel messages...

usually you log in and tail some log files

(bridging our oVPN tap interfaces to the main and private LANs)

This was bridging done in pfSense right?

On Wed, Nov 22, 2017 at 8:07 AM, Liwei <xieli...@gmail.com> wrote:
> On Tue, 21 Nov 2017 at 01:08 WebDawg <webd...@gmail.com> wrote:
>
>> It should work though.  A great many people virtualize pfSense:
>>
>> https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi
>>
>> Here is some more information:
>>
>> https://doc.pfsense.org/index.php/VirtIO_Driver_Support
>> https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear
>> https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox
>>
>> I know what it is like to ask for support and see people stop helping
>> because something is virtualized.  I have seen bad code fail in
>> virtualization situations only to hear 'do not virtualize'.
>>
>> From what I know, BSD has trouble with NIC interfaces and such.  Do
>> you have any limiters or QOS installed?  I would take a look at the
>> nic interfaces first.  Can you actively monitor the log to look for
>> errors once the VM is booted?
>>
>> I virtualized pfSense on proxmox about a year ago and BSD hated the
>> cpu timers and such.  I would get so many issues from it until I
>> figured it out but everything was plain as day in the kernel messages
>> that were outputted.
>>
>> There is an ova file available via the gold subscription:
>>
>> https://doc.pfsense.org/index.php/VMware_Appliance
>>
>> You need to get more information for me to help further.  It would be
>> great to get a copy of some logs.
>>
>> Here is a XenServer thread:
>> https://forum.pfsense.org/index.php?topic=88467
>>
>> Last time I virtualized the big deal was hvm nic vs pvhvm NIC.  You
>> could do limiters on one (I think hvm) but the NIC's become CPU bound
>> because of how HVM works.  I could only push like 10-30 mbits out of
>> an i3 processor.
>>
>> I do not know if this has been solved, or if it is solvable.  pfSense
>> follows FreeBSD so most of the fixes for this come from FreeBSD,
>> though pfSense had/has some of its own kernel hacks.
>>
>>
>>
> Hi Vick, thanks for the assistance, nonetheless!
>
> Hi WebDawg,
> Yeah, I guessed as much that the problem should be on my side, because
> something this fatal should already be widely reported.
>
> I don't have any limiters or QoS set. I've set up logging of the serial
> port so at least I know what are the events leading up to the crash.
> Nothing interesting though, it just... happens. How do I set up log
> monitoring? My guess is I'll probably have to turn on remote syslog and log
> over. Will set up when I get the chance.
>
> The odd thing is this is a 7+ years old setup (but we did do a fresh
> install of 2.3 when we upgraded hardware 1+ years ago), and we never had
> any serious issues. In fact it was purring along nicely on 2.3 since it was
> first installed, until we upgraded to 2.4.
>
> I'm pretty confident of the hardware since it is only a year old, the
> other VMs are not having any issues, and reverting to 2.3 works fine. Thus
> based on a hunch I decided to remove a couple of bridge interfaces
> (bridging our oVPN tap interfaces to the main and private LANs) when I sent
> my first email to the list.
>
> The crashes haven't occurred since then for 2 days. I'm not sure if it
> is a coincidence or not, but it does seem like my configuration may be
> triggering some bug. Or I may have mis-configured something.
>
> I'll continue to iterate things around to narrow down the problem, but
> given that I have to wait a few days after each change to be sure on
> whether it crashes or not, any suggestion is very welcome!
>
> Warm regards,
> Liwei
> --
> Clear Skies,LiweiCo-Founder, CTO
>
> TinyMOS
>
>
> <http://tinymos.com/> <https://www.facebook.com/thetinymos/>
> <https://www.instagram.com/thetinymos/> <https://twitter.com/thetinymos>
>
> 21 Heng Mui Keng Terrace, Level 1 The Hangar, Singapore 119613


Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-20 Thread WebDawg
It should work though.  A great many people virtualize pfSense:

https://doc.pfsense.org/index.php/PfSense_on_VMware_vSphere_/_ESXi

Here is some more information:

https://doc.pfsense.org/index.php/VirtIO_Driver_Support
https://doc.pfsense.org/index.php/Lost_Traffic_/_Packets_Disappear
https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox

I know what it is like to ask for support and see people stop helping
because something is virtualized.  I have seen bad code fail in
virtualization situations only to hear 'do not virtualize'.

From what I know, BSD has trouble with NIC interfaces and such.  Do
you have any limiters or QOS installed?  I would take a look at the
nic interfaces first.  Can you actively monitor the log to look for
errors once the VM is booted?

I virtualized pfSense on proxmox about a year ago and BSD hated the
cpu timers and such.  I would get so many issues from it until I
figured it out but everything was plain as day in the kernel messages
that were outputted.

There is an ova file available via the gold subscription:

https://doc.pfsense.org/index.php/VMware_Appliance

You need to get more information for me to help further.  It would be
great to get a copy of some logs.

Here is a XenServer thread:  https://forum.pfsense.org/index.php?topic=88467

Last time I virtualized the big deal was hvm nic vs pvhvm NIC.  You
could do limiters on one (I think hvm) but the NIC's become CPU bound
because of how HVM works.  I could only push like 10-30 mbits out of
an i3 processor.

I do not know if this has been solved, or if it is solvable.  pfSense
follows FreeBSD so most of the fixes for this come from FreeBSD,
though pfSense had/has some of its own kernel hacks.



On Mon, Nov 20, 2017 at 10:58 AM, Vick Khera  wrote:
> Oh, so you're not running it on hardware, but inside ESXi? Then I have no
> more ideas for you. You should mention these things when asking for help,
> by the way.
>
>
> On Mon, Nov 20, 2017 at 8:12 AM, Liwei  wrote:
>
>> Thanks for the quick reply. It is a Supermicro 5018A-FTN4 based on
>> the A1SRi-2758F which contains an Atom C2758. RAM tests are fine. This
>> machine also contains a few other VMs which are running fine.
>>
>> By the way, I missed out reporting the crash itself:
>>
>> Fatal trap 12: page fault while in kernel mode
>> cpuid = 2; apic id = 02
>> fault virtual address = 0x60
>> fault code = supervisor read data, page not present
>> instruction pointer = 0x20:0x80cbcb0f
>> stack pointer = 0x28:0xfe02390bf070
>> frame pointer = 0x28:0xfe02390bf070
>> code segment = base 0x0, limit 0xf, type 0x1b
>> = DPL 0, pres 1, long 1, def32 0, gran 1
>> processor eflags = interrupt enabled, resume, IOPL = 0
>> current process = 12 (irq267: vmx0)
>>
>> On Mon, 20 Nov 2017 at 20:55 Vick Khera  wrote:
>>
>> > On Mon, Nov 20, 2017 at 7:36 AM, Liwei  wrote:
>> >
>> > >
>> > > Anyone has any idea what's going on? Restoring to pfSense 2.3 seems
>> > to
>> > > solve this problem, so it is more likely a software than hardware
>> issue.
>> > >
>> > >
>> > What's your hardware? Have you tested your RAM using memtest86?
>> >
>> --
>> Clear Skies,LiweiCo-Founder, CTO
>>
>> TinyMOS
>>
>>
>>  
>>  
>>
>> 21 Heng Mui Keng Terrace, Level 1 The Hangar, Singapore 119613


Re: [pfSense] pfSense 2.4 consistently crashes daily

2017-11-20 Thread WebDawg
What virt software?

On Mon, Nov 20, 2017 at 7:12 AM, Liwei  wrote:
> Thanks for the quick reply. It is a Supermicro 5018A-FTN4 based on
> the A1SRi-2758F which contains an Atom C2758. RAM tests are fine. This
> machine also contains a few other VMs which are running fine.
>
> By the way, I missed out reporting the crash itself:
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 2; apic id = 02
> fault virtual address = 0x60
> fault code = supervisor read data, page not present
> instruction pointer = 0x20:0x80cbcb0f
> stack pointer = 0x28:0xfe02390bf070
> frame pointer = 0x28:0xfe02390bf070
> code segment = base 0x0, limit 0xf, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 12 (irq267: vmx0)
>
> On Mon, 20 Nov 2017 at 20:55 Vick Khera  wrote:
>
>> On Mon, Nov 20, 2017 at 7:36 AM, Liwei  wrote:
>>
>> >
>> > Anyone has any idea what's going on? Restoring to pfSense 2.3 seems
>> to
>> > solve this problem, so it is more likely a software than hardware issue.
>> >
>> >
>> What's your hardware? Have you tested your RAM using memtest86?
>>
> --
> Clear Skies,LiweiCo-Founder, CTO
>
> TinyMOS
>
>
>  
>  
>
> 21 Heng Mui Keng Terrace, Level 1 The Hangar, Singapore 119613


Re: [pfSense] Error Captive Portal

2017-11-18 Thread WebDawg
Did you ever provide more detail here?

On Thu, Nov 16, 2017 at 3:15 AM, Doug Lytle  wrote:
> On 11/16/2017 01:28 AM, Kleber Carvalho wrote:
>>
>> Any idea what can I do about it ?
>
>
> You could start off by providing what version you're running.
>
> Doug
>


Re: [pfSense] acme package: wrong agreement URL

2017-11-18 Thread WebDawg
Did you report this as a bug?

On Thu, Nov 16, 2017 at 4:36 AM, Brian Candler  wrote:
> Trying to use the acme package with pfsense 2.4.1 and the LetsEncrypt
> staging server
>
> Certificate enrolment failed, although all the output was in green.
>
> /tmp/acme//acme_issuecert.log shows HTTP 400 errors, with the
> following response:
>
> [Thu Nov 16 10:28:19 UTC 2017]
> response='{"type":"urn:acme:error:malformed","detail":"Provided agreement
> URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does
> not match current agreement URL
> [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status":
> 400}'
>
> I couldn't see how to change this in the GUI, so I had to edit
> /usr/local/pkg/acme/acme.sh
>
> I presume the package needs updating?
>
> Thanks,
>
> Brian.
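A check for the failure reported in this thread, where the GUI output was all green while the log held an HTTP 400 (added example, not part of the original messages or of the acme package): it scans log text in the `response='...'` form quoted above for ACME error documents and extracts the two agreement URLs. The function names and the second and third sample lines are constructed.

```python
import json
import re

# Line 1: the response quoted in the message above, with the e-mail line
#         wrapping undone.
# Lines 2-3: constructed, to show that other log content is skipped.
SAMPLE_LOG = """\
[Thu Nov 16 10:28:19 UTC 2017] response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
[Thu Nov 16 10:28:20 UTC 2017] response='{"status": "pending"}'
[Thu Nov 16 10:28:20 UTC 2017] some other log message
"""

# A timestamped line whose payload is a single-quoted JSON object.
RESPONSE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+response='(?P<body>\{.*\})'\s*$")

# The detail text the server returns when the client sends an outdated
# subscriber-agreement URL (wording taken from the quoted response).
AGREEMENT = re.compile(
    r"Provided agreement URL \[(?P<provided>[^\]]+)\] "
    r"does not match current agreement URL \[(?P<current>[^\]]+)\]"
)


def acme_errors(log_text):
    """Return one dict per logged response that is an ACME error document."""
    errors = []
    for line in log_text.splitlines():
        match = RESPONSE.match(line)
        if not match:
            continue
        try:
            body = json.loads(match.group("body"))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload, not classifiable
        if str(body.get("type", "")).startswith("urn:acme:error:"):
            errors.append({
                "time": match.group("ts"),
                "type": body["type"],
                "status": body.get("status"),
                "detail": body.get("detail", ""),
            })
    return errors


def agreement_mismatch(detail):
    """Return (provided_url, current_url) if the error is an agreement URL
    mismatch, otherwise None."""
    match = AGREEMENT.search(detail)
    if not match:
        return None
    return match.group("provided"), match.group("current")


if __name__ == "__main__":
    for err in acme_errors(SAMPLE_LOG):
        print(err["time"], err["status"], err["type"])
        urls = agreement_mismatch(err["detail"])
        if urls:
            print("  client sent :", urls[0])
            print("  server wants:", urls[1])
```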


Re: [pfSense] quagga/bgp

2017-11-18 Thread WebDawg
That is one of the things I wish they would add, a configuration
interface that has all the pfsense txt for each config file so you can
mod it manually if needed.

On Fri, Nov 17, 2017 at 9:05 AM, Daniel  wrote:
> Ahhh that sounds cool.
> But I don't want to configure FRR via the web interface. I want to do it via CLI.
> Should this be also possible?
>
> Cheers
>
> Daniel
>
> On 17.11.17, 15:58, "Jim Pingle" wrote:
>
> On 11/17/2017 08:29 AM, Daniel wrote:
> > I don’t want to use openBGPd and I also don’t want to use FRR because I 
> am completely new in FRR.
>
> If you know quagga, you know FRR. FRR is a fork of quagga and they work
> nearly the same. Most people probably won't know the difference, except
> that FRR will probably work better.
>
> Jim P.
>
>
>

Re: [pfSense] OpenVPN binds to wrong interface with no ip

2017-11-08 Thread WebDawg
You should file a bug report.

On Nov 8, 2017 8:05 PM, "Adrian Zaugg" <a...@ente.limmat.ch> wrote:

>
>
> On 08.11.17 16:55, WebDawg wrote:
> > Do you know this to be true because credentials and such are hosted on
> > one interface, but not another?
>
> It is clear from the logs and from the credentials asf. as well.
>


Re: [pfSense] OpenVPN binds to wrong interface with no ip

2017-11-08 Thread WebDawg
Do you know this to be true because credentials and such are hosted on
one interface, but not another?

On Tue, Nov 7, 2017 at 8:43 PM, Adrian Zaugg  wrote:
>
> Hi
>
> With two WAN interfaces and with an OpenVPN server on each, bound to its
> interface, there is a wrong IP assertion in case the first interface
> does not get an IP.
>
> In Detail:
> - a system with two WAN interfaces that both get their IP by DHCP
> - on each WAN there is an OpenVPN Server configured, bound to one iface
> If for some reason no IP can be obtained on the first WAN interface, the
> OpenVPN instance actually bound to WAN1 does grab the IP of the WAN2
> interface. The second OpenVPN instance cannot start then and mourns
> "address already in use".
>
> I would expect that the OpenVPN instance of WAN1 doesn't grab the
> address of WAN2. It seems to me that this is a bug.
>
> Best regards, Adrian.


Re: [pfSense] may a bug / v2.4.x problems with more than 6 NIC's Intel pro1000 / emX

2017-11-06 Thread WebDawg
virtualized systems require much cpu resources.  I do not know if this
has changed dramatically but it comes down to pv drivers and such.

xenserver needs some tweaks too.

On Mon, Nov 6, 2017 at 10:31 AM, WolfSec-Support  wrote:
> Hi Jim,
>
>
> have seen no errors while boot
>
> all nics are shown in ifconfig
>
> in this case it is an virtualized system (KVM / OpenStack)
>
> netstat I need to make a test for you - actual system runs with 6 nics,
> so I need to modify before.
>
> BR
> Stephan
>
>
>
> Many thanks.
>
> Kind regards,
> WolfSec-Support
>
> WolfSec
> Postal address:
> Swiss Post Box: 104213
> Zürcherstrasse 161
> CH-8010 Zürich
>
> http://www.wolfsec.ch
>
>
> 2017-11-06 17:20 GMT+01:00 Jim Pingle :
>
>> On 11/05/2017 03:35 PM, WolfSec-Support wrote:
>> > remark:
>> > as written v2.3.4 works well WITHOUT tuned anything
>> >
>> > so seems to have an dependency with freebsd 11.1 kernel ?
>>
>> That doesn't mean much, the newer base/drivers could be enabling
>> features on the NICs that require more resources. It's not the first
>> time that's happened.
>>
>> Do you see any errors in the boot log (/var/log/dmesg.boot) or on the
>> console when it starts up with all of the NICs present?
>>
>> What does "netstat -m" show? "netstat -mb"?
>>
>> Is this bare metal hardware or a virtualized system? Describe the
>> hardware/hypervisor in more detail.
>>
>> Jim

Re: [pfSense] Upgrade nanobsd 2.3.4 to 2.4.x

2017-10-26 Thread WebDawg
Did you do this for experimental purposes?

On Thu, Oct 26, 2017 at 12:19 PM, Odette Nsaka  wrote:
> Hi,
>
>  I tried to upgrade some pfSense 2.3.4-x amd64 on nanobsd running on 
> PC-engines APU2
> and APU3, to 2.4.x full install following the guide
>
>https://doc.pfsense.org/index.php/Upgrading_64-bit_NanoBSD_2.3_to_2.4
>
> I've collected a good number of failures (100%) related to the inconsistency 
> of the pkg
> database after the reboot, until I began to integrate the guide at the above 
> link as follows:
> consider just the final chapter named "Script-Assisted Conversion" (copied 
> below) that is
> all you need to upgrade
>
> /Script-Assisted Conversion/
>
> /Many of the steps above can be automated using a script, however, a few 
> steps must still
> be made manually as in the above procedure./
>
> /Perform the steps in the Check Firewall Boot Partition subsection/
> /Perform the steps in the Change Package Repository subsection/
> /Fetch and run the script from a shell prompt:/
>
> / # fetch -o /root/ 
> https://raw.githubusercontent.com/pfsense/pfsense/RELENG_2_4_0/
> tools/scripts/pfSense-nanobsd_to_fullinstall.sh/
> / # /bin/sh pfSense-nanobsd_to_fullinstall.sh/
>
>  START ADDED PROCEDURE 
>
> Disable RAM Disks: from the GUI menu go to System => Advanced => 
> Miscellaneous, find
> the section "RAM Disk Settings" and uncheck "Use memory file system for /tmp 
> and /var"
>
> Reboot
>
>  END ADDED PROCEDURE 
>
> / # pfSense-upgrade -y/
>
>
> (If needed, after upgrade has successfully completed re-enable the RAM Disks 
> for /var and
> /tmp)
>
>
> Following this modified guide the upgrade process worked twice like a charm 
> on both
> the two attempts I made (100% success)
>
> Can anybody confirm that following the modified instructions the upgrade from 
> nanobsd
> to 2.4.x works fine?
>
> Thanks, maybe this will help someone.
>
> Cheers,
>  Odette
>
>
>


Re: [pfSense] installing packages from CLI

2017-10-21 Thread WebDawg
Does the service work if you start it from the pfSense gui or on reboot?

Just wondering.

On Fri, Oct 20, 2017 at 4:00 PM, Arthur Wiebe
 wrote:
> I'm observing a behavior in pfSense that I'm trying to understand and not
> having much luck. I'm going to use the Avahi package as an example.
>
> Essentially, I've installed and configured the package pfSense-pkg-Avahi
> from the Package Manager web UI, and configured it as well.
> If I run `ps ax | grep avahi` over a shell it shows the "avahi-daemon"
> process running so it's all good at this point.
>
> But let's say for whatever reason whether as a developer trying to test a
> package I'm working on or I just want to install a package from the shell,
> I run:
> /usr/local/sbin/pfSense-upgrade -f -i pfSense-pkg-Avahi
> or simply (for same result):
> pkg install pfSense-pkg-Avahi
>
> It installs/reinstalls/upgrades fine but the avahi-daemon process starts
> and then is killed right before the script ends and I get back to the shell
> prompt.
>
> If I re-install the package from the Package Manager UI it seems to run
> that exact same command as I ran from the shell yet the avahi-daemon
> process remains running without an issue.
>
> Just to do another test I use the "Execute PHP Commands" tool
> under /diag_command.php and ran the following single line:
> mwexec_bg("/usr/local/sbin/pfSense-upgrade -f -i pfSense-pkg-Avahi");
>
> And I have the same result as running it from a shell.
>
> --
> Arthur Wiebe | +1 519-670-5255


Re: [pfSense] bandwithd

2017-08-22 Thread WebDawg
Did you try a reboot and reinstall?

On Tue, Aug 22, 2017 at 5:15 PM, Daniel  wrote:
> Hi there,
>
> I installed BandwithD through the Package Manager. After setting up BandwithD I 
> got an error when I try to access bandwithD:
>
> Fatal error: Call to undefined function read_package_configurationfile() in 
> /usr/local/www/guiconfig.inc on line 1053 Call Stack: 0. 226984 1. 
> {main}() /usr/local/www/diag_bandwidthd.php:0 0.0243 3592344 2. 
> add_package_tabs() /usr/local/www/diag_bandwidthd.php:29 PHP ERROR: Type: 1, 
> File: /usr/local/www/guiconfig.inc, Line: 1053, Message: Call to undefined 
> function read_package_configurationfile()
>
> Is there any known issue? I am looking for an issue to Count traffic for each 
> IP.
>
> --
> Regards
>
> Daniel

Re: [pfSense] Internal Certificate and Internal Network.

2017-08-17 Thread WebDawg
I think there are settings for this.

Bypass Proxy for Private Address Destination
Do not forward traffic to Private Address Space (RFC 1918)
destinations. Destinations in Private Address Space (RFC 1918) are
passed directly through the firewall, not through the proxy server.


Do you want the traffic to go through the proxy?



On Thu, Aug 17, 2017 at 10:51 AM, Kleber Carvalho <kleb.li...@gmail.com> wrote:
> Hello,
>
>
>  The proxy is working well to external sites but we have an
> internal environment and the proxy is not able to find it.
>
>
>
> Regards.
>
>
>
> On Thu, Aug 17, 2017 at 4:30 PM, WebDawg <webd...@gmail.com> wrote:
>
>> You say the proxy does not work.
>>
>> What do you mean?
>>
>> What errors do you get?  What are your observations?
>>
>> On Wed, Aug 16, 2017 at 8:06 AM, Kleber Carvalho <kleb.li...@gmail.com>
>> wrote:
>> > Hello,
>> >
>> >We are having difficulties with Internal Certificates and
>> > Internal Network.
>> >  Below I will try to explain details about that.
>> >
>> > Our Pfsense is not gateway of our network and it is not transparent proxy,
>> > all the browsers need the input configurations about proxy. in the proxy
>> is
>> > configured "HTTPS/SSL Inspection" and SquidGuard,  it is also integrated
>> > with Active Directory.
>> > All the outside traffic are working well but all the internal
>> sites/network
>> > are not working.
>> > We have a certificate CA microsoft to all internal application, however our
>> > proxy does not work.
>> > I would like to know what i can do to solve this problem. your help will
>> be
>> > highly appreciated.
>> >
>> > Regards.
>> >
>> > --
>> >
>> > *Kleber da Silva Carvalho, Certified Professional.*
>> > *CCNA R**  |  **CCNA Security  |  **CCNP Security  |  **LPIC-1  |
>> >  LPIC-2 * *|*  *LPIC-3 * *|  * *LPIC-3 303 * *| **Novell CLA 11 * *|* *
>> Novell
>> > DCTS * *|* * ITIL v3 * *|* * COBIT 4.1*
>>
>
>
>
> --
>
> *Kleber da Silva Carvalho, Certified Professional.*
> *CCNA R**  |  **CCNA Security  |  **CCNP Security  |  **LPIC-1  |
>  LPIC-2 * *|*  *LPIC-3 * *|  * *LPIC-3 303 * *| **Novell CLA 11 * *|* * Novell
> DCTS * *|* * ITIL v3 * *|* * COBIT 4.1*


Re: [pfSense] Internal Certificate and Internal Network.

2017-08-17 Thread WebDawg
You say the proxy does not work.

What do you mean?

What errors do you get?  What are your observations?

On Wed, Aug 16, 2017 at 8:06 AM, Kleber Carvalho  wrote:
> Hello,
>
>We are having difficulties with Internal Certificates and
> Internal Network.
>  Below I will try to explain details about that.
>
> Our Pfsense is not gateway of our network and it is not transparent proxy,
> all the browsers need the input configurations about proxy. in the proxy is
> configured "HTTPS/SSL Inspection" and SquidGuard,  it is also integrated
> with Active Directory.
> All the outside traffic are working well but all the internal sites/network
> are not working.
> We have a certificate CA microsoft to all internal application, however our
> proxy does not work.
> I would like to know what i can do to solve this problem. your help will be
> highly appreciated.
>
> Regards.
>
> --
>
> *Kleber da Silva Carvalho, Certified Professional.*
> *CCNA R**  |  **CCNA Security  |  **CCNP Security  |  **LPIC-1  |
>  LPIC-2 * *|*  *LPIC-3 * *|  * *LPIC-3 303 * *| **Novell CLA 11 * *|* * Novell
> DCTS * *|* * ITIL v3 * *|* * COBIT 4.1*


Re: [pfSense] Factory Default / Cleanup(script) of binaries + config backups + etc

2017-08-04 Thread WebDawg
I am willing to bet that factory default removes packages and just
sets factory default config file...let's look at GitHub

https://github.com/search?utf8=%E2%9C%93=org%3Apfsense+factory+reset=Code

https://github.com/search?utf8=%E2%9C%93=org%3Apfsense+reset_factory_defaults=Code

https://github.com/pfsense/pfsense/blob/88fbd229e0d8fd9d2e2ba57c0c254bef23774393/src/etc/inc/config.lib.inc
Read the comments:
/* Remove all additional packages */
/* create conf directory, if necessary */
/* clear out /conf */
/* copy default configuration */

/*
Let write_config know that we are awaiting reload of the current config
to factory defaults. Either the system is about to reboot, throwing away
the current in-memory config as it shuts down, or the in-memory config
is about to be reloaded on-the-fly by parse_config.
In both cases, we want to ensure that write_config does not flush the
in-memory config back to disk.
*/

// If we need a reboot first then touch a different trigger file.

touch("/conf/trigger_initial_wizard_after_reboot");
touch("/conf/trigger_initial_wizard");
setup_serial_port();

On Thu, Jul 27, 2017 at 4:46 AM, WolfSec-Support  wrote:
> Hello,
>
>
> as written in documentation, a Factory Default does NOT:
> - remove binaries of packages
> - remove old configuration data backups
> - may not remove other things / logs etc
>
> Is there a way / document / script to cleanup a pfSense WITHOUT
> reinstallation ?
>
> Any help is appreciated.
> I would offer the list to do a document / summary / script with all your
> feedback afterwards.
>
> Also great if Netgate would have a look / info on this topic
>
> E.g. deleting:
>   /cf/conf/backup
> will NOT cleanup completely - last config is still available
>
> Kind Regards
> Stephan


Re: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics

2017-07-13 Thread WebDawg
See, I do not think it is just me.

On Thu, Jul 13, 2017 at 11:12 AM, Moshe Katz <mo...@ymkatz.net> wrote:

> I saw a very similar crash when booting a fresh 2.3.4 install yesterday for
> the first time.
> I think it was before I had even configured it for the first time
> (assigning interfaces and addresses, etc).
> I rebooted the machine and then it came up fine and is still up with no
> trouble.
>
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
> On Wed, Jul 12, 2017 at 9:43 PM, WebDawg <webd...@gmail.com> wrote:
>
> > Hello,
> >
> > I just upgraded 2.3.something to 2.3.4 and immediately upon reboot
> > experienced kernel panics/crash dumps over and over.  The system would
> > cycle over and over.
> >
> > I stopped the process thinking I had a bad raid but upon a fresh install of
> > 2.3.4 I experienced the same thing, except this time the system rebooted 2
> > times with the panics:
> >
> > <118>Synchronizing user settings...
> >
> >
> > Fatal trap 12: page fault while in kernel mode
> > cpuid = 4; apic id = 04
> > fault virtual address= 0x0
> > fault code= supervisor read data, page not present
> > instruction pointer= 0x20:0x80d716ee
> > stack pointer= 0x28:0xfe0467c5ea00
> > frame pointer= 0x28:0xfe0467c5ea20
> > code segment= base 0x0, limit 0xf, type 0x1b
> > = DPL 0, pres 1, long 1, def32 0, gran 1
> > processor eflags= interrupt enabled, resume, IOPL = 0
> > current process= 12 (swi1: pfsync)
> >
> > And then fixed itself.  I proceeded to reboot it a few times with no more
> > panics.
> >
> > I submitted a crash dump to pfsense but has anyone seen this on x64 intel
> > hardware?


Re: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics

2017-07-13 Thread WebDawg
No limiters.

On Thu, Jul 13, 2017 at 10:53 AM, Steve Yates <st...@teamits.com> wrote:

> Are you running limiters in an HA configuration by chance?  There's a
> known issue there.
> (https://forum.pfsense.org/index.php?topic=87541.new;topicseen#new)
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of WebDawg
> Sent: Wednesday, July 12, 2017 8:44 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics
>
> Hello,
>
> I just upgraded 2.3.something to 2.3.4 and immediately upon reboot
> experienced kernel panics/crash dumps over and over.  The system would
> cycle over and over.
>
> I stopped the process thinking I had a bad raid but upon a fresh install of
> 2.3.4 I experienced the same thing, except this time the system rebooted 2
> times with the panics:
>
> <118>Synchronizing user settings...
>
>
> Fatal trap 12: page fault while in kernel mode
> cpuid = 4; apic id = 04
> fault virtual address= 0x0
> fault code= supervisor read data, page not present
> instruction pointer= 0x20:0x80d716ee
> stack pointer= 0x28:0xfe0467c5ea00
> frame pointer= 0x28:0xfe0467c5ea20
> code segment= base 0x0, limit 0xf, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags= interrupt enabled, resume, IOPL = 0
> current process= 12 (swi1: pfsync)
>
> And then fixed itself.  I proceeded to reboot it a few times with no more
> panics.
>
> I submitted a crash dump to pfsense but has anyone seen this on x64 intel
> hardware?


Re: [pfSense] Chelsio T520 card transciever combatibility?

2017-07-13 Thread WebDawg
Did you ever find out?

On Tue, May 23, 2017 at 1:08 PM, Karl Fife  wrote:

> Does anyone have experience with the Chelsio T520 series of cards
> specifically as it relates to transceiver compatibility?
>
> SFP & SFP+:
>
> We have several applications where we could use these well-supported
> cards, some require use of SFP transceivers (not SFP+) such as 1000BASE-LX
> transceivers.  My understanding is that some cards (such as the Chelsio
> cards) can receive an SFP transceiver (negotiating down from SFP+) but
> requires explicit configuration.  Does anyone know if said configuration
> lives in the pfSense (e.g. blown away on reboot).
>
> Aftermarket Transceivers:
>
> Chelsio doesn't make 1000BASE-LX modules, and aftermarket modules appear
> to be marketed toward a particular brand of switch (Juniper, HP, Cisco,
> etc.).  Can I safely assume that they're largely interoperable?
>
> Any help would be greatly appreciated.
> -K
>
>
>
>


[pfSense] 2.3.4-RELEASE (amd64) - Kernel Panics

2017-07-12 Thread WebDawg
Hello,

I just upgraded 2.3.something to 2.3.4 and immediately upon reboot
experienced kernel panics/crash dumps over and over.  The system would
cycle over and over.

I stopped the process thinking I had a bad raid but upon a fresh install of
2.3.4 I experienced the same thing, except this time the system rebooted 2
times with the panics:

<118>Synchronizing user settings...


Fatal trap 12: page fault while in kernel mode
cpuid = 4; apic id = 04
fault virtual address= 0x0
fault code= supervisor read data, page not present
instruction pointer= 0x20:0x80d716ee
stack pointer= 0x28:0xfe0467c5ea00
frame pointer= 0x28:0xfe0467c5ea20
code segment= base 0x0, limit 0xf, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags= interrupt enabled, resume, IOPL = 0
current process= 12 (swi1: pfsync)

And then fixed itself.  I proceeded to reboot it a few times with no more
panics.

I submitted a crash dump to pfsense but has anyone seen this on x64 intel
hardware?


Re: [pfSense] MBR restore

2017-06-30 Thread WebDawg
To pile on.  The config is manually editable also.

In fact sometimes you have to edit it when moving to new hardware because
the interface names are not the same.

It is by far the best way to move a pfsense install...

On Fri, Jun 30, 2017 at 10:35 AM, Steve Yates  wrote:

> If you can log into the old one, use Diagnostics/Backup & Restore to
> download the config.  Restore it to the new one and it will prompt to remap
> the interfaces (WAN=em0, etc).
>
> Searching, it looks like the file on disk is /conf/config.xml?
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Nicola
> Ferrari (#554252)
> Sent: Friday, June 30, 2017 9:31 AM
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] MBR restore
>
> On 30/06/2017 16:20, Steve Yates wrote:
> >  Even if the config wasn't exported (the original died) it might be
> faster to copy the file off the drive from wherever it lives?
> >
>
> Thanks Steve for your suggestion.
> I'm not an expert in PfSense.. What file(s) do we need to transfer from
> the original install, to restore config in a new one?
>
> N
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
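
What the manual edit described in this thread amounts to, as an added example that is not part of any poster's message or of pfSense itself: rewriting the device names under `<interfaces>` in a copy of config.xml before restoring it on different hardware, and reporting what was left unmapped. The sample config is constructed, the `<interfaces>/<name>/<if>` layout is an assumption about the file, and the device names em0/em1/em2/igb0/igb1 are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample; a real config.xml carries many more sections.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable/><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable/><if>em2</if><descr>DMZ</descr></opt1>
  </interfaces>
</pfsense>
"""


def _device(node):
    """Return the <if> child of a logical interface, or None if empty."""
    dev = node.find("if")
    if dev is None or not (dev.text or "").strip():
        return None
    return dev


def remap_interfaces(xml_text, mapping):
    """Rewrite device names under <interfaces> using mapping {old: new}.

    Returns (new_xml, changed, unmapped):
      changed  -- {logical_name: (old_device, new_device)}
      unmapped -- {logical_name: device} left as-is because no mapping
                  was given; review these before restoring.
    Raises ValueError if two logical interfaces end up on one device.
    Assumption: only <interfaces>/<name>/<if> is rewritten; other sections
    that reference device names are out of scope for this sketch.
    """
    root = ET.fromstring(xml_text)
    interfaces = root.find("interfaces")
    if interfaces is None:
        raise ValueError("no <interfaces> section found")

    changed, unmapped = {}, {}
    for logical in interfaces:
        dev = _device(logical)
        if dev is None:
            continue
        old = dev.text.strip()
        if old in mapping:
            dev.text = mapping[old]
            changed[logical.tag] = (old, mapping[old])
        else:
            unmapped[logical.tag] = old

    # A bad mapping can put WAN and LAN on the same NIC; refuse that.
    owner = {}
    for logical in interfaces:
        dev = _device(logical)
        if dev is None:
            continue
        name = dev.text.strip()
        if name in owner:
            raise ValueError(
                f"{owner[name]} and {logical.tag} both map to {name}")
        owner[name] = logical.tag

    return ET.tostring(root, encoding="unicode"), changed, unmapped


if __name__ == "__main__":
    xml_out, changed, unmapped = remap_interfaces(
        SAMPLE_CONFIG, {"em0": "igb0", "em1": "igb1"})
    for name, (old, new) in changed.items():
        print(f"{name}: {old} -> {new}")
    for name, dev in unmapped.items():
        print(f"{name}: {dev} left unchanged (no mapping given)")
```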


Re: [pfSense] massive CARP Failover

2017-06-05 Thread WebDawg
On Fri, Jun 2, 2017 at 8:13 AM, Daniel  wrote:

> Hi there,
>
> I run 2 pfsense Firewalls. I tried to use CARP but it will turn over every
> 1-2-3 hours.
> Sometimes it is so fast the pf1 is master and pf2 has the routes. In this
> case I need to reboot the both Servers.
>
> After I tried a lot I don't find any solutions. I took a different brand
> (Sophos UTM) and here is the same behavior.
> So I think this could be a network problem.
>
> Are there any important things which must be enabled or disabled in the
> Switch?
> Or does the Switch need some special configurations?
>
> When I use Linux with Bonding it also switches the NICs very often.
>
> We use 2 Switches from Netgear JGS524Ev2
>
> Maybe someone has some experience with it?
>
> --
> Grüsse
>
> Daniel



Are your pfsync multicast messages being messed with by the switch?  If you
do not configure VLANing right I bet you this could be a problem.

Re: [pfSense] Network interruption on pfSense Firewall

2017-05-19 Thread WebDawg
On Fri, May 19, 2017 at 10:18 AM, Ugo Bellavance <u...@lubik.ca> wrote:

> On 2017-05-19 10:09 AM, WebDawg wrote:
>
>> On Fri, May 19, 2017 at 9:46 AM, Ugo Bellavance <u...@lubik.ca> wrote:
>>
>> On 2017-05-19 08:24 AM, WebDawg wrote:
>>>
>>> Thanks for your quick answer.
>>>
>>> I mean.  Your net connection is dripping packets...is your gateway going
>>>
>>>> down?
>>>>
>>>>
>>> My external Nagios system saw nothing up to now (it always sees my
>>> gateway
>>> as up from the outside). But it only checks once every minute and the
>>> packet losses that I experience last about 15 seconds.  1/4 chance of
>>> seeing it when polling every minute.
>>>
>>> Your ISP should do something...your WAN connection is going down...unless
>>>
>>>> you have a bad VM config.
>>>>
>>>>
>>> The firewall has been up for 187 days and we've been using this VM since
>>> 2012. However, there is more and more traffic going through the VM as
>>> time
>>> goes by. This problem happened about 6 times in the past year, but 3 of
>>> them were in the past 2 weeks.
>>>
>>> pfSense does do SOMETHING when a gateway goes down...do you have failover
>>>
>>>> internet setup?  When pfSense marks a connection as down and then back
>>>> up,
>>>> some of the things you are describing, I think, are supposed to happen.
>>>>
>>>>
>>> Only one WAN.
>>>
>>> You can adjust latency settings in the advanced settings of the gateway.
>>>
>>>> You can adjust loss settings too.  Some ISP QoS configs I think are
>>>> known
>>>> to drop ICMP in favor of higher priority things.  In that case it is
>>>> usually better to do your own QoS.
>>>>
>>>>
>>> That is interesting. I'll look into that.
>>>
>>> For some reason every T1 I have ever used had latent ICMP when loaded.  I
>>>
>>>> tried so many different QoS configs but I could only get it so good.
>>>>
>>>>
>>> In our case it's an ethernet link provided on a gigabit GPON. 50 mbps.
>>> But
>>> I can see that the problem occurs when traffic is at 50 mbps (backups
>>> replication) so I lowered the maximum bandwidth for the replication to 43
>>> mbps.
>>>
>>> If the ISP's equipment ignores your QoS (and I think that's what they
>>> do), if they decide to drop some ICMP messages, what will your own QoS
>>> do?
>>>
>>>
>>>
>>> There are specific types of QoS that are designed to stop the ISP's QoS
>> from coming into play.  CODELQ was part of that.
>>
>> https://www.bufferbloat.net/projects/bloat/wiki/What_can_I_do_about_Bufferbloat/
>>
>> The general concept is to lower your max QoS speed to less than what the
>> max of your connection is for, but I always wondered how this would affect
>> things down the line, let's say if an ISP sells you 50mbits but then
>> over provisions their back hauls.
>>
>
> That is approximately what I did. When we saturate the link, it is
> outbound, to a remote location where we have replicas of our backups. I have
> a limiter over there but it was either not working or not low enough. I
> lowered it more to avoid maxing out the pipe.
>
> There are also things that other ISPs have been caught doing in the past
>> like resetting torrent connections and such.
>>
>> I also would wonder about links that have no QoS and what the default is
>> for things like that.  But that can be tested with iperf and ping over a
>> standard ethernet link I would guess.
>>
>> You should run iperf tests on your virtualized install while pinging and
>> watch your CPU load externally via your hypervisor.  I took a trip down
>> the
>> virtualized router path and I paid attention to 3 things.  Traffic shaping
>> support with PV type drivers, performance out of HVM drivers, and CPU
>> queues for virtual NICs when applicable.  I think the max I could get out
>> of the best VM choice with pfSense and a i3 processor was 100-300 mbits
>> and
>> some configurations would provide so little mbits it was laughable.
>>
>
> The thing is that this outbound traffic is going through a VPN tunnel so
> there is a CPU requirement for the encryption.
>
> pfSense graphs shows an average of all CPUs, but since we have only one
> VPN tunnel, I think that it cannot saturate all 3 vCPUs.
>
>
>

If you have your router virtualized, there are CPU requirements for the
virtual NICs that I do not think you can see from 'inside'.

You have to look from the hypervisor in.  It depends on how you have
everything configured and what virtualisation you are using.  Are you using
PCI passthrough to have a true nic?


Re: [pfSense] Network interruption on pfSense Firewall

2017-05-19 Thread WebDawg
On Fri, May 19, 2017 at 9:46 AM, Ugo Bellavance <u...@lubik.ca> wrote:

> On 2017-05-19 08:24 AM, WebDawg wrote:
>
> Thanks for your quick answer.
>
> I mean.  Your net connection is dripping packets...is your gateway going
>> down?
>>
>
> My external Nagios system saw nothing up to now (it always sees my gateway
> as up from the outside). But it only checks once every minute and the
> packet losses that I experience last about 15 seconds.  1/4 chance of
> seeing it when polling every minute.
>
> Your ISP should do something...your WAN connection is going down...unless
>> you have a bad VM config.
>>
>
> The firewall has been up for 187 days and we've been using this VM since
> 2012. However, there is more and more traffic going through the VM as time
> goes by. This problem happened about 6 times in the past year, but 3 of
> them were in the past 2 weeks.
>
> pfSense does do SOMETHING when a gateway goes down...do you have failover
>> internet setup?  When pfSense marks a connection as down and then back up,
>> some of the things you are describing, I think, are supposed to happen.
>>
>
> Only one WAN.
>
> You can adjust latency settings in the advanced settings of the gateway.
>> You can adjust loss settings too.  Some ISP QoS configs I think are known
>> to drop ICMP in favor of higher priority things.  In that case it is
>> usually better to do your own QoS.
>>
>
> That is interesting. I'll look into that.
>
> For some reason every T1 I have ever used had latent ICMP when loaded.  I
>> tried so many different QoS configs but I could only get it so good.
>>
>
> In our case it's an ethernet link provided on a gigabit GPON. 50 mbps. But
> I can see that the problem occurs when traffic is at 50 mbps (backups
> replication) so I lowered the maximum bandwidth for the replication to 43
> mbps.
>
> If the ISP's equipment ignores your QoS (and I think that's what they
> do), if they decide to drop some ICMP messages, what will your own QoS do?
>
>
>
There are specific types of QoS that are designed to stop the ISP's QoS
from coming into play.  CODELQ was part of that.

https://www.bufferbloat.net/projects/bloat/wiki/What_can_I_do_about_Bufferbloat/

The general concept is to lower your max QoS speed to less than what the
max of your connection is for, but I always wondered how this would affect
things down the line, let's say if an ISP sells you 50mbits but then
over provisions their back hauls.

There are also things that other ISPs have been caught doing in the past
like resetting torrent connections and such.

I also would wonder about links that have no QoS and what the default is
for things like that.  But that can be tested with iperf and ping over a
standard ethernet link I would guess.

You should run iperf tests on your virtualized install while pinging and
watch your CPU load externally via your hypervisor.  I took a trip down the
virtualized router path and I paid attention to 3 things.  Traffic shaping
support with PV type drivers, performance out of HVM drivers, and CPU
queues for virtual NICs when applicable.  I think the max I could get out
of the best VM choice with pfSense and an i3 processor was 100-300 mbits and
some configurations would provide so little mbits it was laughable.


Re: [pfSense] Network interruption on pfSense Firewall

2017-05-19 Thread WebDawg
Did you try a different gateway?

On Fri, May 19, 2017 at 8:53 AM, J. Hellenthal 
wrote:

> Interesting. I see this same thing on a SG2440 at one of our smaller
> installation sites with a dual gateway setup it experiences very similar
> likeness to the packet loss and high latency.
>
> All firmware is up-to-date... netgate boot & pfsense.
>
> Have not had the chance to look deeper into this as I believed it may be a
> problem on the remote end and the frequency of events were very quick and
> disappeared for greater than 24 hours at a time.
>
> --
>  Onward!,
>  Jason Hellenthal,
>  Systems & Network Admin,
>  Mobile: 0x9CA0BD58,
>  JJH48-ARIN
>
> On May 19, 2017, at 07:33, Angel Rengifo Cancino 
> wrote:
>
> On Fri, May 19, 2017 at 6:55 AM, Ugo Bellavance  wrote:
>
> > Hi,
> >
> > We sometimes experience what looks like service interruptions on our
> > pfSense firewall.  The first symptom was that we came in the office in the
> > morning and found that all the ssh sessions that were opened and going
> > through the firewall would be disconnected.
> >
> > I searched the pfsense logs and I found that:
> >
> > May 19 04:35:48 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2231us stddev 1209us loss 21%
> > May 19 04:36:01 fw1 dpinger: ISP 206.55.90.97: Clear latency 2253us stddev 1266us loss 15%
> > May 19 04:54:24 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2021us stddev 1042us loss 22%
> > May 19 04:54:39 fw1 dpinger: ISP 206.55.90.97: Clear latency 2564us stddev 6028us loss 19%
> > May 19 05:13:05 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2203us stddev 1345us loss 21%
> > May 19 05:13:17 fw1 dpinger: ISP 206.55.90.97: Clear latency 2044us stddev 870us loss 17%
> >
> > I opened a ticket with my ISP, but I don't think that they'll find
> > anything. I must say that they're not the most knowledgeable.
> >
> I've experienced such packet loss before and it was always ISP's fault. If
> your bandwidth usage is not full then there should not be a reason for
> losing so many packets.
>
>
> >
> > According to the logs, every time that happens, pfSense tries to do a few
> > things:
> >
> > - Update dyndns
> > - Restart VPN tunnels
> > - Reload filters
> >
> > I'll keep on searching but I really wonder whether the post-clear-latency
> > actions cause the SSH disconnects (and possibly other network cuts) or if
> > it's the firewall that is too busy to receive the ICMP packets.
> >
> Once I had the same problem with 2 ISPs configured in my pfSense box and
> disabling this option helped me to avoid such disconnection behavior:
>
> System -> Advanced -> Miscellaneous -> State Killing on gateway failure
>
> You can try it.
>
>
> > The firewall runs on a VMWare VM,
> >
> > Intel(R) Xeon(R) CPU E5-2640 0 @ 2.50GHz
> > 3 CPUs: 1 package(s) x 3 core(s)
> > 1 GB RAM
> >
> > The host is not cpu-bound.
> >
> >
> Make sure VMware is not part of the problem. If possible, use a physical
> server to start a basic monitoring using continuous ping to see if packet
> loss also occurs on this host. If it doesn't happen the same loss of
> connectivity then maybe your VMware infrastructure might be part of the
> problem.
>
>
> *Angel Rengifo*
> *CEO*
> (51) 946-521-913
> (511) 6429706
> areng...@sfinetworks.com
> Visitanos en http:// www.sfinetworks.com
> ¿Buscas soporte? http://soporte.sfinetworks.com

Re: [pfSense] Network interruption on pfSense Firewall

2017-05-19 Thread WebDawg
I mean.  Your net connection is dripping packets...is your gateway going
down?

Your ISP should do something...your WAN connection is going down...unless
you have a bad VM config.

pfSense does do SOMETHING when a gateway goes down...do you have failover
internet setup?  When pfSense marks a connection as down and then back up,
some of the things you are describing, I think, are supposed to happen.

You can adjust latency settings in the advanced settings of the gateway.
You can adjust loss settings too.  Some ISP QoS configs I think are known
to drop ICMP in favor of higher priority things.  In that case it is
usually better to do your own QoS.

For some reason every T1 I have ever used had latent ICMP when loaded.  I
tried so many different QoS configs but I could only get it so good.



On May 19, 2017 7:56 AM, "Ugo Bellavance"  wrote:

Hi,

We sometimes experience what looks like service interruptions on our
pfSense firewall.  The first symptom was that we came in the office in the
morning and found that all the ssh sessions that were opened and going
through the firewall would be disconnected.

I searched the pfsense logs and I found that:

May 19 04:35:48 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2231us stddev 1209us loss 21%
May 19 04:36:01 fw1 dpinger: ISP 206.55.90.97: Clear latency 2253us stddev 1266us loss 15%
May 19 04:54:24 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2021us stddev 1042us loss 22%
May 19 04:54:39 fw1 dpinger: ISP 206.55.90.97: Clear latency 2564us stddev 6028us loss 19%
May 19 05:13:05 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2203us stddev 1345us loss 21%
May 19 05:13:17 fw1 dpinger: ISP 206.55.90.97: Clear latency 2044us stddev 870us loss 17%

I opened a ticket with my ISP, but I don't think that they'll find
anything. I must say that they're not the most knowledgeable.


According to the logs, every time that happens, pfSense tries to do a few
things:

- Update dyndns
- Restart VPN tunnels
- Reload filters

I'll keep on searching but I really wonder whether the post-clear-latency
actions cause the SSH disconnects (and possibly other network cuts) or if
it's the firewall that is too busy to receive the ICMP packets.

The firewall runs on a VMWare VM,

Intel(R) Xeon(R) CPU E5-2640 0 @ 2.50GHz
3 CPUs: 1 package(s) x 3 core(s)
1 GB RAM

The host is not cpu-bound.

Any advice would be appreciated.

Thanks,

Ugo

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
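
The dpinger lines posted in this thread, worked through as an added example (not part of any poster's message): each Alarm is paired with its Clear to get the length of the alarm window and the spacing between alarms, and the "1/4 chance" estimate for once-a-minute polling is computed from those lengths. The regular expression is built from the six lines on the page only, and the year is an assumption because the syslog timestamps omit it.

```python
import re
from datetime import datetime

# The six dpinger lines from the thread, one event per line.
SAMPLE_LOG = """\
May 19 04:35:48 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2231us stddev 1209us loss 21%
May 19 04:36:01 fw1 dpinger: ISP 206.55.90.97: Clear latency 2253us stddev 1266us loss 15%
May 19 04:54:24 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2021us stddev 1042us loss 22%
May 19 04:54:39 fw1 dpinger: ISP 206.55.90.97: Clear latency 2564us stddev 6028us loss 19%
May 19 05:13:05 fw1 dpinger: ISP 206.55.90.97: Alarm latency 2203us stddev 1345us loss 21%
May 19 05:13:17 fw1 dpinger: ISP 206.55.90.97: Clear latency 2044us stddev 870us loss 17%
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dpinger: "
    r"(?P<gw>\S+) (?P<addr>\S+): (?P<state>Alarm|Clear) "
    r"latency (?P<lat>\d+)us stddev (?P<sd>\d+)us loss (?P<loss>\d+)%$"
)


def parse_events(text, year=2017):
    """Parse dpinger Alarm/Clear lines; lines that do not match are skipped.

    Assumption: `year` is supplied by the caller (syslog omits it), and the
    log does not cross a year boundary.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. a line that e-mail wrapping split in two
        events.append({
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "gateway": m["gw"],
            "address": m["addr"],
            "state": m["state"],
            "loss_pct": int(m["loss"]),
        })
    return events


def pair_episodes(events):
    """Pair each Alarm with the next Clear for the same gateway.

    Returns (episodes, unmatched). Unmatched events are a Clear with no
    preceding Alarm (log starts mid-alarm), an Alarm that is followed by
    another Alarm, or an Alarm still open when the log ends.
    """
    open_alarm, episodes, unmatched = {}, [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["gateway"], ev["address"])
        if ev["state"] == "Alarm":
            if key in open_alarm:
                unmatched.append(open_alarm[key])
            open_alarm[key] = ev
            continue
        start = open_alarm.pop(key, None)
        if start is None:
            unmatched.append(ev)
            continue
        episodes.append({
            "gateway": key[0],
            "start": start["time"],
            "seconds": int((ev["time"] - start["time"]).total_seconds()),
            "loss_at_alarm": start["loss_pct"],
        })
    unmatched.extend(open_alarm.values())
    return episodes, unmatched


def alarm_spacing(episodes):
    """Seconds between consecutive alarm starts; regular spacing is a clue."""
    starts = [e["start"] for e in episodes]
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


def poll_hit_probability(outage_s, poll_interval_s):
    """Chance that one probe per interval, at random phase, lands in the window."""
    return min(1.0, outage_s / poll_interval_s)


if __name__ == "__main__":
    episodes, unmatched = pair_episodes(parse_events(SAMPLE_LOG))
    for ep in episodes:
        p = poll_hit_probability(ep["seconds"], 60)
        print(f'{ep["start"]:%H:%M:%S} {ep["gateway"]} in alarm {ep["seconds"]}s, '
              f'loss {ep["loss_at_alarm"]}%, a 60s poll catches it {p:.0%} of the time')
    print("seconds between alarms:", alarm_spacing(episodes))
    print("unmatched events:", len(unmatched))
```

The parser expects one event per line, so log lines that were wrapped by a mail client have to be rejoined before they are fed in.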


Re: [pfSense] Found a Bug?

2017-05-18 Thread WebDawg
Ahh.  I missed that part.  Sorry about that.

I wonder why it loses config?  Does it delete and rewrite on shutdown?

On Tue, May 16, 2017 at 4:43 AM, Daniel <dan...@linux-nerd.de> wrote:

> Hi,
>
> as i already wrote – Suricata Logs. The Problem is not that the disc is
> filling up – the problem is that the config disappears
>
>
> --
> Grüsse
>
> Daniel
>
> Am 16.05.17, 01:59 schrieb "List im Auftrag von WebDawg" <
> list-boun...@lists.pfsense.org im Auftrag von webd...@gmail.com>:
>
> On Mon, May 15, 2017 at 3:24 PM, Daniel <dan...@linux-nerd.de> wrote:
>
> > Hi there,
> >
> > it seems I found a bug. 2 times I run in the same Problem.
> > Harddisk in my PfSense went to 100% Disk usages. (suricata logs)
> > After booting in rescue mode and deleted 100GB Logs the pfSense loses the
> > whole configuration and I needed to reinstall the whole Server and restore
> > a backup.
> >
> > This has happened 2 times with the same behavior. Disk went full –
> > configuration got lost.
> >
> > Cheers
> >
> > Daniel
> >
> Did you look at the log to see what is filling up the log space?

Re: [pfSense] How To install MySQL on Pfsense 2.4

2017-05-16 Thread WebDawg
You know.  The way the package system is setup now, we should be able to
get bad packages into pfsense in a better way.  I wonder if we can have a
chroot environment and a manually installed packages part of pfsense.

On May 16, 2017 6:12 PM, "Steve Yates"  wrote:

Supposedly one can just install FreeBSD packages
(https://doc.pfsense.org/index.php/Installing_FreeBSD_Packages ) along with
manually installing any dependencies, but as the page says it "may break the
firewall."

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Sean
Cavanaugh
Sent: Tuesday, May 16, 2017 4:59 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4

Best practice is to run as few services as possible on a firewall to reduce
the possible attack footprint. The more services you run on the firewall,
the more vulnerable it becomes to being broken into.

That is why the recommendation to virtualize the box and at least logically
partition the services away from affecting the firewall.



-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of
rai...@ultra-secure.de
Sent: Tuesday, May 16, 2017 8:04 AM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] How To install MySQL on Pfsense 2.4


Am 2017-05-16 13:30, schrieb Sean Cavanaugh:
> The only sane way to do this on a single box would be by installing a
> hypervisor on the server ( such as VMware ESXi) and running pfsense as
> a virtual machine within it as well as a second virtual machine to
> host any other non-firewall related applications (MySQL, FreeRADIUS).
>
> There is obviously going to be a performance hit from sharing the
> resources but should be minimal if all you are doing is hosting a user
> database and RADIUS server for pfSense.



While it may not be the most clever idea, technically it should be
possible, right?

I'm not too familiar with the inner workings of pfSense - but I assume
there is a partition or directory in the installation that (provided
pfSense is installed on a HD and not a read-only medium) persists data over
reboots.

One would need to start it with that directory as dbdir.

It's possible to run Snort, haproxy. So, why not MySQL?

OP will have to learn how to create packages, and store the
configuration:
https://doc.pfsense.org/index.php/Developing_Packages
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] speed problems with SG-1000

2017-05-15 Thread WebDawg
Did you do the firmware upgrades?

On Mon, May 15, 2017 at 6:41 PM, John DeSoi  wrote:

> I just purchased a SG-1000 for use with my Google Fiber installation. I
> did minimal configuration of the SG-1000, only changing the LAN address to
> 192.168.200.X (GF is 192.168.100.X). I hooked the WAN port to one of the GF
> ethernet ports and then my laptop to the LAN port on the SG-1000. Using GF
> performance test, the upload/download speed is only about 10% of what I get
> compared to plugging my laptop directly into the GF ethernet port (1000
> Mbps versus 100 Mbps using the SG-1000). The SG-1000 shows both ethernet
> connections are 1000baseT. Shouldn't this device be able to do basic routing
> at the full speed of the WAN connection?
>
> I did the same setup with a consumer router (ASUS) and it has no problem
> with upload/download over 900 Mbps.
>
> John DeSoi, Ph.D.
>


Re: [pfSense] Found a Bug?

2017-05-15 Thread WebDawg
On Mon, May 15, 2017 at 3:24 PM, Daniel  wrote:

> Hi there,
>
> it seems i found a bug. 2 times i run in the same Problem.
> Harddisk in my PfSense went to 100% Disk usages. (suricata logs)
> After booting in rescue mode and deleted 100GB Logs the pfSense loses the
> whole configuration and I needed to reinstall the whole Server and restore
> a backup.
>
> This was happened 2 times with the same behavior. Disk went full –
> configuration got lost.
>
> Cheers
>
> Daniel
>
>
>
Did you look at the log to see what is filling up the log space?

Re: [pfSense] smartctl supporting mSATA controller

2017-05-12 Thread WebDawg
On Fri, Apr 28, 2017 at 5:04 PM, Karl Fife  wrote:

> Can anyone recommend a good mSATA drive (i.e. controller chip) that
> supports a full suite of smartctl commands, such as an ATA (hdparm) secure
> erase, and self-test?  Many have partial support, and it's really hard to
> find out what support exists short of bench testing.
>
>


No one gave you a recommendation?  Most of the SSD type devices support all
this stuff now.  I wish I could help more.  I thought there was a spec now,
at least I know there is a space for SAS devices.

I wonder if you search for OPAL disks if you will come up with better
results:  https://en.wikipedia.org/wiki/Opal_Storage_Specification

https://wiki.hackspherelabs.com/index.php?title=SED_Hard_Drives


Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-09 Thread WebDawg
On Mon, May 8, 2017 at 6:58 PM, José Gregorio Díaz Unda <
jgdiazu...@asyste.cl> wrote:

> Update:
>
> Before I left the office, decided to test from another laptop.
> Unfortunately, I was able to access YouTube.
>
> Why some machines access YouTube and others apparently are blocked?
>
> What could I be missing?
>
> Thanks in advance.
>
> José G.
>
>
>
Did you look into what I said about chrome? and http over udp?

Re: [pfSense] About SSL Filtering: Squid and Squidguard.

2017-05-08 Thread WebDawg
There are interception modes.

Peek
Peek and splice
And bump.

So squid:

I do not have it in front of me right now but it sounds like you do not
have the SSL proxy setup right.  Only one of those methods does not require
a SSL cert to be installed on a client system.

Also you have to deal with pinned certs in web browsers... also you have to
deal with chrome udp protocols like QUIC that bypass the proxy entirely...

It is either you have the proxy setup wrong or did not setup the squid rules
right.

Web.


On May 8, 2017 11:34 AM, "José Gregorio Díaz Unda" 
wrote:

Dear PFSense crew,

I'm not sure if this is the right place to post my issue. If not, please
let me know.

Has somebody setup well SSL Filtering in PFSense?

I have installed:

PFSense 2.3.3_1
squid 0.4.36_3
squidGuard 1.16.1

Transparent Mode


I just want to block Youtube (ssl) for certain group of users via alias,
but when squidGuard is enabled, any SSL traffic is blocked.

This is a basic task but unfortunately it has been impossible to make it
work.

Thanks in advance.

José G.

Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread WebDawg
On Wed, Apr 19, 2017 at 2:46 PM, Steve Yates  wrote:

> I suppose.  From the states/traffic recorded next to each rule, It
> looks like the WAN firewall rule applies and the LAN firewall rule does
> not.  Per the docs WAN side limiters will work (again?) in pfSense 2.4 but
> not 2.2-2.3.
>
> --
>
> Steve Yates
> ITS, Inc.
>
>
> Steve,
>
> Is this an ingress vs egress question?
>
> http://pfsensesetup.com/egress-filtering-with-pfsense/
>
> That is if you are trying to limit something 'in' you would need to put the
> rule on the WAN side?
>
>
>

I do not know about the docs but since it is a single TCP stream in will
not just the WAN rule apply?

What docs are you talking about?  I would figure limiters would work on any
interface.


Re: [pfSense] Limiter on LAN side not applying to NATted connection

2017-04-19 Thread WebDawg
On Tue, Apr 18, 2017 at 8:02 PM, Steve Yates  wrote:

> I understand it's ideal to have limiters on the sending end.  It's a long
> story but I'm trying to set them on the receiving end of an rsync copy.
>
> I understand in 2.2-2.3 one should have them on the LAN interface.  This
> is on 2.3.3_1.
>
> In this scenario the remote server is x.x.x.x and the LAN computer is
> 10.1.2.12:22, and we have a NAT rule forwarding port  to 22.
>
> Firewall rule:
> IPv4 TCP/UDP   x.x.x.x   *   10.1.2.12   22 (SSH)
> Two limiters are set on in/out.
> This firewall rule shows zero traffic in or out.  No other firewall rules
> show traffic from * to LAN.
>
> Diagnostics/States shows:
> LAN tcp x.x.x.x:46098 -> 10.1.2.12:22 (and shows traffic)
>
> Is the rule+limiter not being applied because the port  is NATted to
> 22?  Or because the NAT happens on the WAN side and the LAN rule isn't even
> used?
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>


Steve,

Is this an ingress vs egress question?

http://pfsensesetup.com/egress-filtering-with-pfsense/

That is if you are trying to limit something 'in' you would need to put the
rule on the WAN side?


Re: [pfSense] Migration from an old linux firewall

2017-03-30 Thread WebDawg
On Thu, Mar 30, 2017 at 9:39 AM, Claudio M. <pfse...@cmaffio.it> wrote:

> On Wednesday 29 March 2017 10:13:36, WebDawg wrote:
> > You can do two different subnets on one network, but it is not the way to
> > do things.  Everyone can imagine the issues but it would also be
> > completely insecure.
>
> Unfortunately I can not change the network, I am a consultant who handles
> only the firewall. I know that this solution is not safe, but the customer
> does not want to change this configuration because another external company
> that manages internal servers wants it so.
> We manage the firewalls so we have to solve this situation.
> Now I'll try to use an internal linux server as a gateway to forward all
> packets for the 10.7.13.0/24, creating a routing rule so I can use the
> rules explained on the pfsense site
>
>
>
That is crazy man.
http://serverfault.com/questions/25907/what-are-the-implications-of-having-two-subnets-on-the-same-switch


I mean, they might as well just put all the hosts on the same subnet.

Re: [pfSense] Migration from an old linux firewall

2017-03-29 Thread WebDawg
On Wed, Mar 29, 2017 at 8:41 AM, Moshe Katz  wrote:

> I'm not entirely sure how you had this working with your old firewall - I
> would think it would have the same issue.
>
> The best thing for you to do would be to separate the two LANs. You
> probably don't need to change any cabling because most server network cards
> let you set a default VLAN to use. (If you have Windows servers, you either
> need a managed switch or network cards with drivers that support setting a
> VLAN. For Linux servers, this should be doable with any network card.
> Most server-grade network cards have support for setting a VLAN from the
> Properties screen of the adapter in Device Manager.)
>
> Moshe
>
> On Mar 29, 2017 6:55 AM, "Claudio M."  wrote:
>
>
You can do two different subnets on one network, but it is not the way to
do things.  Everyone can imagine the issues but it would also be completely
insecure.


Re: [pfSense] Migration from an old linux firewall

2017-03-29 Thread WebDawg
On Wed, Mar 29, 2017 at 5:55 AM, Claudio M.  wrote:

> Hi
> I've migrated a linux firewall to a 2.3.3-RELEASE-p1 pfsense.
> The old configuration was with 2 interfaces connected to adsl routers and
> an interface for the lan. A GRE VPN was also configured with an alias IP on
> this LAN network, so on the same LAN two networks coexisted:
> 192.168.1.0/24
> 10.7.13.0/24
> where the first was for all desktop clients and the second for the
> servers. A server has an interface on the LAN with IP 10.7.13.1 and an alias
> on the same interface with 192.168.1.6.
> When a client connects to this server, it sends packets to the firewall and
> the firewall resends them to the destination server. The server receives
> these packets and replies using the same interface but contacts the client
> directly with the IP on the same net. Before with linux this was not a
> problem but with pfsense, a stateful firewall, this is no longer possible.
> Now I have an asymmetric routing without a routing so I cannot use the tips
> present at this page
> https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
>
> How can I do this?
>
> Best regards
> Claudio M.



You had two different networks on one ethernet lan?


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread WebDawg
On Tue, Mar 28, 2017 at 1:59 AM, Eero Volotinen 
wrote:

> Hi List,
>
> Looking for pfsense hardware that can handle 1000M/1000M internet
> connection with NAT.
>
> Any recommendations? It must be silent..
>
> --
> Eero
>


It seems to me that NAT and general firewalls should be easily handled?  Am
I wrong here?  I mean, how much hardware do you need for pf to function at
1gbps??  Would not offloading help here too?

What else do you want to enable?


[pfSense] Netgate Firmware

2017-03-20 Thread WebDawg
Is there any other list for netgate firmware updates?  I just received a
notification from sales@pfsense about netgate firmware updates but it was
not sent to this list?


Re: [pfSense] USB question

2017-03-16 Thread WebDawg
Is there a USB module to block?

On Mar 16, 2017 6:39 AM, "Moshe Katz"  wrote:

> For front USB ports (on a traditional case -- small form factor may have
> the front ports directly connected too), the best way is to open the case
> and unplug them from the motherboard.
> For the ports on the motherboard itself, the glue and/or covers that other
> people suggested are likely your best option.
>
> The benefit of just unplugging the front USB ports is that if you need them
> again you can just open the case and plug them in again.
>
>
> Moshe
>
> On Mar 16, 2017 3:22 AM, "user49b"  wrote:
>
> > Hi
> >
> > Is there a way to safely disable usb ports, apart from disabling usb in
> > BIOS, without breaking my pfSense install?
> >
> > Regards
> > Chris
> >
> >
> >
> >


Re: [pfSense] pfsense twitter account making rude comments.

2017-02-22 Thread WebDawg
On Tue, Feb 21, 2017 at 10:49 AM, Travis Hansen 
wrote:

> Regardless of this specific issue, I'd prefer the official twitter feed be
> a bit more...focused.
> In any case, thanks for the great project! Travis Hansen
> travisghan...@yahoo.com
>
> On Tuesday, February 21, 2017 9:45 AM, Ryan Coleman <
> ryan.cole...@cwis.biz> wrote:
>
>
>  > On Feb 21, 2017, at 10:40 AM, Paul Mather 
> wrote:
> >
> > On Feb 21, 2017, at 11:30 AM, Ryan Coleman wrote:
> >
> >> Not that we are anyone who would know anything about that…
> >
> >
> > The best thing to come out of this ugly spat, for me, is that I went to
> the pfSense Twitter feed to see what all the fuss was about (I'm not on
> Twitter) and discovered that pfSense 2.3.3 has just been released! :-)
> >
> > I'd like to give a hearty THANKS to the pfSense project for another
> great release.
> >
> > It also reminds me I really should get around to subscribing to the
> announce@ mailing list... :-)
>
> You should. I think he announced it here at 21:33 CT last night, though… :)
>
>
I feel like one day, we should all find a place to get together and speak
freely and openly about the things we care about.  Like a vast network of
communication systems/hardware, uncensored (pun intended), that can talk to
each other.

Every list, channel, or whatever I go to nowadays...within a few posts
there is always that bright and cheery message:  STAY ON TOPIC.  Because
why could a different topic or cause bring like minded people together to
talk about other things?

Arguments aside, making any conclusions from these posts would be
ridiculous.  It could be the greatest list in the world or the worst.  All
these big words in these emails...too hard to understand.

It's pretty crappy that on one side of the world, the threat of death is
held over someone's head because of their spiritual beliefs (atheism,
governmentism, whatever) and to talk about the actions of others and
governments will get you killed (past events, real world coverups), but the
best and brightest here spend time bitching about stuff like this.

I could attack a person's character everyday, that video makes me want to
hit someone in the face really hard, but you know what I am going to do?
What the hell does "foreign" or "made in usa" have to do with any of this?
It just sounds like Ben is angry...but considering all the content that
pops up in my news feed...I do not know what to take seriously.

It could be he just likes to talk a lot.

Let's just all admit that most of the best stuff is made on Earth and that
the lines that divide us suck.  I am sure the person hacking away across
the planet on some ancient hardware, with no internet access, is just as
good as all us folks.

Jim seems like he deserves some respect because of all the hard work that
it seems like he puts in.  No offence, but I have never quantified it.  Ben
wants to defend something that he has spent a lot of time on and is a bit
angry over what Jim said.

I know someone Ben knows, and that guy seems pretty cool and I once wrote
an email to Jim that took at least an hour or two to write and he never
responded.

Ben + Video = What the Hell?
Jim + Email = What the Hell?

If I were Ben, and I ran a business, I would want Jim to back up his
claims that I just dupe other lists, and admit to myself that my senseless
attack on his character is meaningless because what the heck really does
Jim know about where I get my links from and what does any of this have to
do with foreign affairs.

That video is like neat and all, but it sounds like you're just mad at
someone and blaming a group of people that you do not know anything about.
Is that really what you want people to see when they are thinking about
using your blacklist?

Even if two lists are the same or similar, it could just be the same
collection process so what the heck is Jim talking about?  Did Jim go
through a bunch of different lists and run a statistical analysis?

If I were Jim, I also wouldn't use the phrase "and likely" because it
sounds like a roll of the dice.

And I am sure, that this carefully constructed response will fall on deaf
ears because they are too busy listening to transcripts of twitter posts
and github comments.

Why does everyone top post on this list?

Re: [pfSense] What am I doing wrong? <10mbit through SG-1000

2017-02-16 Thread WebDawg
On Thu, Feb 9, 2017 at 10:36 AM, Erik Anderson  wrote:

> On Tue, Feb 7, 2017 at 11:59 PM, Øyvind 'bolt' Hvidsten 
> wrote:
> > I have an SG-1000 on which I experience very low throughput.
>
> You're not the only one.
>
> I received my SG-1000 in mid December and have been going back and
> forth with Netgate support since then, trying to troubleshoot the poor
> performance I've been experiencing. To be fair, the Netgate support
> team has been very responsive and engaged in the process, but as of
> the most recent snapshot, I'm still seeing very poor performance vs.
> the SG-2220 (temporarily borrowed from my employer) I'd been using.
>
> I have a 50/5 internet connection, and I can reliably see those speeds
> with the SG-2220. With the SG-1k, I'm lucky if I can hit 15Mbit down
> reliably, and this is with the bare-bones, factory default config.
> Additionally, the SG-1000 seems to remain in a very high-latency state
> for some time following speed tests. I'll have (for instance) ~8ms
> latency to my ISP's default gateway before a speed test, and then
> during the speed test and for some 10 minutes after the test, latency
> will spike into the hundreds of ms.
>
> At this point, I've thrown in the towel, and have requested that I
> return the SG-1k for credit towards the purchase of an SG-2220.
> Support requested that as a last troubleshooting step, that I grant
> them remote access to my SG-1k so they can perform some more thorough
> real-time troubleshooting and testing. I'll be setting this up with
> them this week, and if they're not able to resolve it, I'll be
> returning the SG-1000.
>
> I was very hopeful for this device, but at least at this stage of its
> maturity, there appear to still be significant issues to overcome.
>
> -Erik
>
>

Did they find anything?

Re: [pfSense] What am I doing wrong? <10mbit through SG-1000

2017-02-09 Thread WebDawg
I recommend you run iperf tests between pfsense1 <-> pfsense2, then
pfsense2 to laptop, then laptop to pfsense1 and see where the bottleneck is
next.

iperf can be installed as a package on pfsense.

On Wed, Feb 8, 2017 at 1:23 AM, Øyvind 'bolt' Hvidsten <b...@dhampir.no>
wrote:

> It's from the wan to an internal switch. The switch has VLAN's, but
> there's only one untagged VLAN on this port. The WAN port thus gets a local
> IP in the 192.168.4.0/24 network. I set the SG-1000's LAN to be in the
> 172.16 range so as to not conflict with it. That range isn't used elsewhere
> on my network.
>
> The main router also runs pfSense. It's an SG-2440. The traffic graphs
> show about 5mbit going to that VLAN interface while running the speed test
> currently.
>
> Also watching pfTop while running the test in the background shows a
> similarly low speed and no other traffic to speak of. I'd think a loop
> should show up somewhere on this? And my laptop should be experiencing the
> same thing while on the same network?
>
>
> On 08/02/17 07:41, WebDawg wrote:
>
>> that is from the wan to the modem?
>>
>> The only other thing I can see is that you have some type of routing
>> loop...or network loop?  Any VLANing going on?
>>
>> On Wed, Feb 8, 2017 at 12:40 AM, Øyvind 'bolt' Hvidsten <b...@dhampir.no>
>> wrote:
>>
>> It would seem to be negotiating for gigabit. My switch also thinks so.
>>> Note that the cable to my laptop is not plugged in at the moment, but I'm
>>> currently running the speed tests locally through the console.
>>>
>>> : ifconfig | grep -E "^[a-z0-9]|media:"
>>> cpsw0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
>>> 1500
>>> media: Ethernet autoselect (1000baseT )
>>> cpsw1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
>>> 1500
>>> media: Ethernet autoselect (none)
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>> enc0: flags=0<> metric 0 mtu 1536
>>> pflog0: flags=100 metric 0 mtu 33184
>>> pfsync0: flags=0<> metric 0 mtu 1500
>>>
>>>
>>>
>>> On 08/02/17 07:31, WebDawg wrote:
>>>
>>> Check the interface settings, is it negotiating, 10mbit?
>>>>
>>>> status, interfaces?
>>>>
>>>> On Tue, Feb 7, 2017 at 11:59 PM, Øyvind 'bolt' Hvidsten <
>>>> b...@dhampir.no>
>>>> wrote:
>>>>
>>>> I have an SG-1000 on which I experience very low throughput.
>>>>
>>>>>
>>>>> When I plug my laptop to the cable that normally goes into the
>>>>> SG-1000's
>>>>> WAN port, I get a download speed of roughly 100mbit (ISP limited)
>>>>> when I
>>>>> run "curl http://ipv4.download.thinkbroadband.com/1GB.zip >/dev/null"
>>>>>
>>>>> Plugging that same cable into the SG-1000 and connecting my laptop
>>>>> directly to its LAN port instead, I get less than 10mbit.
>>>>>
>>>>> Running the curl command directly on the console of the SG-1000 gives
>>>>> me
>>>>> the same abysmal result.
>>>>>
>>>>> [2.4.0-BETA][root@my.network.local]/root: curl
>>>>> http://ipv4.download.thinkbroadband.com/1GB.zip >/dev/null
>>>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>>>>   2 1024M    2 29.5M    0     0   598k      0  0:29:10  0:00:50  0:28:20   523k
>>>>>
>>>>> This is after I just flashed it with today's image (20170207) and ran
>>>>> through the setup wizard in the browser. No other settings have been
>>>>> altered.
>>>>>
>>>>> What can I do here?
>>>>>
>>>>>
>>>>> Best regards,
>>>>> Øyvind Hvidsten

Re: [pfSense] What am I doing wrong? <10mbit through SG-1000

2017-02-07 Thread WebDawg
Check the interface settings, is it negotiating, 10mbit?

status, interfaces?

On Tue, Feb 7, 2017 at 11:59 PM, Øyvind 'bolt' Hvidsten 
wrote:

> I have an SG-1000 on which I experience very low throughput.
>
> When I plug my laptop to the cable that normally goes into the SG-1000's
> WAN port, I get a download speed of roughly 100mbit (ISP limited) when I
> run "curl http://ipv4.download.thinkbroadband.com/1GB.zip >/dev/null"
>
> Plugging that same cable into the SG-1000 and connecting my laptop
> directly to its LAN port instead, I get less than 10mbit.
>
> Running the curl command directly on the console of the SG-1000 gives me
> the same abysmal result.
>
> [2.4.0-BETA][root@my.network.local]/root: curl
> http://ipv4.download.thinkbroadband.com/1GB.zip >/dev/null
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   2 1024M    2 29.5M    0     0   598k      0  0:29:10  0:00:50  0:28:20   523k
>
> This is after I just flashed it with today's image (20170207) and ran
> through the setup wizard in the browser. No other settings have been
> altered.
>
> What can I do here?
>
>
> Best regards,
> Øyvind Hvidsten

Re: [pfSense] PFsense 2.3.2-P1 dies

2017-01-25 Thread WebDawg
On Jan 25, 2017 8:21 AM, "Steve Yates"  wrote:

That's interesting, we had a drive that kept dropping out and we couldn't
figure out why as all tests passed.  We replaced the drive and then found
the "Hard disk standby time" setting was set.  Turned that off and it's
been fine.  That setting has been my suspicion...

At the time the console would show a stream of errors that pointed to the
drive, don't recall them now of course.

--

Steve Yates
ITS, Inc.

-Original Message-

I had an issue at one point with hard disks dropping out because of the
idle time set on my Western Digital drives.  You say you just upgraded.
From what version?  I did not see it until v2.
___


After figuring out what was wrong...That the drive was dropping out I found
numerous posts on this issue and FreeBSD.  I found so much about it I was
surprised I did not hear about it before.


Re: [pfSense] PFsense 2.3.2-P1 dies

2017-01-25 Thread WebDawg
On Wed, Jan 25, 2017 at 4:09 AM, Roy Hocknull <r...@royandjoanne.co.uk>
wrote:

> Hi,
>
> Its a rackmount PC with 59G of free space. Its been fine up until the
> update to 2.3.2-p1
>
> Xeon dual core with 2Gb RAM.
>
> Thanks,
>
> Roy Hocknull
> r...@royandjoanne.co.uk
>
>
> On 25 January 2017 at 05:33, WebDawg <webd...@gmail.com> wrote:
>
> > On Fri, Jan 13, 2017 at 7:06 AM, Roy Hocknull <r...@royandjoanne.co.uk>
> > wrote:
> >
> > > Hi,
> > >
> > > I recently updated to 2.3.2-P1 and now when the system logs reach 500k,
> > the
> > > firewall dies and everything stops, like OpenVPN. I tried resetting the
> > > values in the log settings, but it still happens. Is this a known
> issue?
> > >
> > > Thanks,
> > >
> > > Roy Hocknull
> > >
> >
> > Did you check for freespace?
> >
> > What kind of hardware?
I had an issue at one point with hard disks dropping out because of the
idle time set on my Western Digital drives.  You say you just upgraded.
From what version?  I did not see it until v2.

You also say that logs hit 500k, I assume that is an estimate, but did you
console in and check things out.  Are the drives active?  Do you have some
IPMI that you can connect to and see what is really going on.

If the drives are getting dropped, then no logs get logged.  You could also
push your logs to a remote syslog server.


Re: [pfSense] SG-1000 and VPN

2017-01-24 Thread WebDawg
On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates  wrote:

> We have a client who wants to set up one remote user (in a fixed
> location) with a hardware VPN connection back to the office.  The office
> has about 5 active PCs at any given time.  This would be the only VPN user.
>
> Has anyone used one of the new micro SG-1000 units with a VPN
> yet?  Either as a remote site or as a SOHO router + VPN host?  Just
> wondering how the ARM CPU would stack up.  The specs say 200k active
> (non-VPN) connections...
>
> --
>
> Steve Yates
> ITS, Inc.
>
>


I would also like to see some real world reports.


Re: [pfSense] Fake OpenVPN / IPSec IP

2017-01-24 Thread WebDawg
On Sun, Jan 15, 2017 at 7:57 AM, Chris  wrote:

> All,
>
> is a client able to change his assigned OpenVPN or IPSec IP?
>
> Are packets still routed to him, if he chooses an arbitrary address?
>
> - Chris
>
>
>

https://forums.openvpn.net/viewtopic.php?t=22598
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] PFsense 2.3.2-P1 dies

2017-01-24 Thread WebDawg
On Fri, Jan 13, 2017 at 7:06 AM, Roy Hocknull 
wrote:

> Hi,
>
> I recently updated to 2.3.2-P1 and now when the system logs reach 500k, the
> firewall dies and everything stops, like OpenVPN. I tried resetting the
> values in the log settings, but it still happens. Is this a known issue?
>
> Thanks,
>
> Roy Hocknull
>

Did you check for freespace?

What kind of hardware?


Re: [pfSense] Dedupe email notifications

2016-10-31 Thread WebDawg
On Oct 31, 2016 5:57 AM, "Michael Munger" 
wrote:
>
> I have multiple WAN connections. When downloading large files, the ping
test on the primary WAN hits the limit for "is this connection down," which
is fine.
>
> But, it sends me upwards of 50+ emails each time this happens.  I can
have upwards of 500+ emails over night as remote backups pour data in.
>
> I wouldn't mind one email, since the bandwidth is getting consumed by the
download, which is legit. But the 48 I got the last time I did it are just
not acceptable.
>
> Is there a way to de-dupe these?
>
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> High Powered Help, Inc.
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> mich...@highpoweredhelp.com
>
I am not sure if there is but you could try the advanced settings for your
pinger and adjusting the times there


Re: [pfSense] modify XML backup

2016-10-26 Thread WebDawg
Yes most definitely

On Oct 26, 2016 1:12 PM, "Chris"  wrote:
>
> All,
>
> is it possible to manually edit the backup XML file and restore it?
>
> - Chris
>


Re: [pfSense] Diagnosing System lag

2016-10-22 Thread WebDawg
did you look at the freebsd system logs?

On Sat, Oct 22, 2016 at 1:32 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> Because I blamed it on the local phone company. :)
>
> Ping time, as you can see in the quoted text, hits up to 48 seconds. I cannot 
> get it to reply and I am not seeing anything in the logs.
>
> It’s not the switch - rebooting does not resolve. Switching ports is not 
> viable for testing at the time of the issue because of VLANs.
>
> I honestly suspect it’s the firewall hardware failing more than anything else.
>
> —
> Ryan
>
>
>> On Oct 22, 2016, at 1:06 PM, WebDawg <webd...@gmail.com> wrote:
>>
>> Whoa.  2 years?  Why are you just looking at it now?
>>
>> Do you have any other ports you could try your lan cables in?  Is
>> something else using that IP?
>>
>> Why do you say hangs, no web ui access?  No logs?
>>
>> I mean it could be anything.
>>
>> On Sat, Oct 22, 2016 at 12:40 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
>>> My NetGate APU installation hangs, seemingly randomly… and has for most of 
>>> the two years since purchase and installation.
>>>
>>> How might I diagnose these issues?
>>>
>>>> --- 10.20.0.1 ping statistics ---
>>>> 296 packets transmitted, 271 packets received, 8.4% packet loss
>>>> round-trip min/avg/max/stddev = 1.274/9254.705/48807.578/16024.851 ms
>>>
>>> Many of the lost packets easily came in late. 48 seconds for pings? The 
>>> network seems to be fine - rebooting switches does not affect the issue. It 
>>> will resolve itself after 3-4 minutes but our radio in the bar is fed over 
>>> the net so it gets frustrating at times.
>>>
>>> Thanks!

Re: [pfSense] Diagnosing System lag

2016-10-22 Thread WebDawg
Whoa.  2 years?  Why are you just looking at it now?

Do you have any other ports you could try your lan cables in?  Is
something else using that IP?

Why do you say hangs, no web ui access?  No logs?

I mean it could be anything.

On Sat, Oct 22, 2016 at 12:40 PM, Ryan Coleman  wrote:
> My NetGate APU installation hangs, seemingly randomly… and has for most of 
> the two years since purchase and installation.
>
> How might I diagnose these issues?
>
>> --- 10.20.0.1 ping statistics ---
>> 296 packets transmitted, 271 packets received, 8.4% packet loss
>> round-trip min/avg/max/stddev = 1.274/9254.705/48807.578/16024.851 ms
>
> Many of the lost packets easily came in late. 48 seconds for pings? The 
> network seems to be fine - rebooting switches does not affect the issue. It 
> will resolve itself after 3-4 minutes but our radio in the bar is fed over 
> the net so it gets frustrating at times.
>
> Thanks!

Re: [pfSense] 3 hard locks this week... any ideas?

2016-10-16 Thread WebDawg
On Thu, Sep 8, 2016 at 2:29 PM, Todd Russell  wrote:
> Final update on this issue. When I took it down, I pulled the drive and
> started a Level 2 SpinRite on it while I took out and reseated the RAM then
> ran memtest. I found no errors in either test, so I also took out the Intel
> 4 port gigabit card and reseated that, then put everything back together.
> It has been running for a week straight now with no hiccups of any kind, so
> either the SpinRite forced the drive to correct some read errors or
> removing and reseating the RAM got around some dust or oxidation on the
> contacts. It wouldn't be the first time reseating the RAM cleared otherwise
> unexplainable issues with a machine for me, so I will assume that was the
> case. I wish I'd had time to run the memtest before and after reseating the
> RAM but... AIN'T NOBODY GOT TIME FOR THAT!
>
> Thanks to all for the feedback last week.
>
>
> Peace,
> Todd Russell
> Director of IT and Webmaster
> Saint Joseph Abbey and Seminary College
> 985-867-2266
> 985-789-4319
>


https://en.wikipedia.org/wiki/SpinRite#Solid_state_drives

I mean, even if that card was not inserted properly, you would have
had an issue.  You should have tested that ram before reseat, because
same thing there.  So many people's comments here are just hearsay.
Hard-locks are usually bad hardware or incompatibility and in that
case you are usually happy when it is happening to get some kernel
messages/dumps that can help you out.  I am glad that you solved your
problem but it is bad to make any conclusions that are not based on the
scientific method.


Re: [pfSense] Export user account/password issue

2016-09-13 Thread WebDawg
On Tue, Sep 13, 2016 at 5:04 PM, Satish Patel  wrote:
> I created a new pfsense box and exported a backup from the old one using
> the "system" area and imported it to the new pfsense, and I can see all users
> and their groups etc., but somehow their passwords are not working. When I
> manually change my password then it works, so how do I export user
> passwords from the old box to the new box? We have many accounts and it will
> be painful if it doesn't work. We are running the latest pfsense software on
> both boxes, older and new.


What are you trying to use the passwords with?


Re: [pfSense] pfsense really slow

2016-09-02 Thread WebDawg
On Thu, Sep 1, 2016 at 6:26 PM, Robison, Dave
 wrote:
> Hiya,
>
> Recently set up a pfsense box and it works great, very happy with the 
> functionality, though the web interface is incredibly slow. Wondering if this 
> is normal or if there's something wrong with my setup.
>
> Going from the dashboard to Firewall > Rules takes 25-30 seconds.
>
> I know that nginx and pf aren't very cpu or memory intensive, and php isn't 
> perfect but it's fairly quick, so I'm not sure what makes this box so slow to 
> respond.
>
> Here's the first few lines of dmesg:
>
> FreeBSD 10.3-RELEASE-p3 #1 3ef16fb(RELENG_2_3_1): Tue May 17 19:34:13 CDT 2016
> 
> root@ce23-amd64-builder:/builder/pfsense-231/tmp/obj/builder/pfsense-231/tmp/FreeBSD-src/sys/pfSense
>  amd64
> FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
> CPU: Intel(R) Xeon(R) CPU5150  @ 2.66GHz (2660.05-MHz K8-class 
> CPU)
>   Origin="GenuineIntel"  Id=0x6f6  Family=0x6  Model=0xf  Stepping=6
>   
> Features=0xbfebfbff
>   
> Features2=0x4e3bd
>   AMD Features=0x20100800
>   AMD Features2=0x1
>   VT-x: (disabled in BIOS) HLT,PAUSE
>   TSC: P-state invariant, performance statistics
> real memory  = 10737418240 (10240 MB)
> avail memory = 10313097216 (9835 MB)
> Event timer "LAPIC" quality 400
> ACPI APIC Table: 
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
> FreeBSD/SMP: 1 package(s) x 2 core(s)
>  cpu0 (BSP): APIC ID:  0
>  cpu1 (AP): APIC ID:  1
>
> Any related thoughts are appreciated.
>
>
> --
> Dave Robison
> Senior Business Systems Analyst
> FIS Banking Solutions
> 510/621-2089 (w)
> 530/518-5194 (c)
> 510/621-2020 (f)
> da...@vicor.com
> david.robi...@fisglobal.com
>


No, it is not supposed to do that.


Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread WebDawg
On Thu, Sep 1, 2016 at 6:43 PM, Walter Parker  wrote:
> On Thu, Sep 1, 2016 at 3:06 PM, compdoc  wrote:
>
>> >>Coming back tonight to do memtest, SpinRite on the SSD, etc...,
>>
>> Spinrite on an ssd is a terrible idea. It's an ancient program that's even a
>> bad idea to use on hard drives.
>>
>> It doesn't even work on drives larger than 1TB, because it was written in a
>> time when drives were not that big. And there was no such thing as an SSD
>> back then. Toss spinrite in the trash.
>>
>> If you want to know if a drive is failing, you just have to ask it. Just
>> read the SMART info recorded in the drive.
>>
>> Memtest86+ on the other hand is a great idea, but you should let it run as
>> many passes as possible. One or two passes is fine for new equipment, but
>> with old ram that might be flakey, it's best to run overnight or at least 4
>> or 5 passes.
>>
>> If the motherboard is 4 or 5 years old, you might check for swollen
>> capacitors, and many of the low cost power supplies go bad in a year or
>> two.
>>
>>
> I suggest you update your knowledge base on SpinRite. It has found a new
> life in helping SSD drives to fix themselves. FYI, the SMART info is often
> different depending on if the drive is under load. SpinRite puts the drive
> under load, so you may not see errors on the drive unless you are running your own
> seek application. The size limit is 2TB and the program will have a free
> update in the near future to support drives >2TB. Most recommendations are
> to use SpinRite in Level 2 mode (read only), but given that modern drives
> have wear leveling, even running it read-write will not kill a drive that
> does caching and basic wear leveling.
>
> I'd suggest that before you slag programs, you not rely on old, outdated,
> biased information. But that is just me...
>
>
> Walter
>
>
>
>
> --

I think I am guilty also, I did not even know it was still developed actively.

I am glad someone is around to reply back and let everyone know that
it still is.


Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread WebDawg
On Thu, Sep 1, 2016 at 4:26 PM, Todd Russell  wrote:
> 1 possible clue I didn't mention. Early in the week, I enabled ssh for the
> first time and it started generating ssh keys... but it never finished.
> Hours later I still couldn't ssh in and shrugged my shoulders and forgot
> about it. After the first hard lock reboot, the next time I logged into the
> web console, there were two alerts saying it had started generating ssh
> keys and that it had finished... those were both generated after the
> reboot. The third hard lock happened today while I was working on getting
> ssh in using the key for a user. It happened right at the time when the
> successful ssh should have occurred. Perhaps this suggests something with
> drive access or maybe memory?
>
> Peace,
> Todd Russell
> Director of IT and Webmaster
> Saint Joseph Abbey and Seminary College
> 985-867-2266
> 985-789-4319
>

That sounds like it could be something but you would have to see if
there is something running in the background peaking a cpu or
something like that.

You could also check what happens on a login...


Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread WebDawg
On Thu, Sep 1, 2016 at 3:53 PM, Todd Russell  wrote:
> Everything had been fine for ages. Had a hard lock Tuesday before lunch...
> couldn't ping it, no response at physical kb, had to hard reboot it.
>
> Came back late that night to apply 2.3.2 update. Had another hard lock
> today a little after noon. Was looking into it and getting set up to ssh in
> from home so I could plan to reboot every night until after Labor Day trip
> when I would look further into it. Then got another hard lock while trying
> to ssh in around 3:30.
>
> Coming back tonight to do memtest, SpinRite on the SSD, etc..., but I was
> wondering if anyone has any ideas of anything that might cause hard locks
> aside from hardware problems? If this was linux, I would blame it on
> systemd, but I don't know if FreeBSD would ever hard lock outside of
> hardware issues.
>
> The hardware is a SuperMicro Atom board I bought from iXSystems installed
> to a Samsung 850 Pro with 8GB ECC RAM.
>
> I know this isn't much to go on, and I am not expecting help with
> troubleshooting, but there was nothing in system logs or dmesg that looked
> out of place after the first 2. Mostly I am curious if others have ever
> seen hard locks happen in FreeBSD and what caused them in their experience.
> Thanks in advance for any help.
>
> Peace,
> Todd Russell
> Director of IT and Webmaster
> Saint Joseph Abbey and Seminary College
> 985-867-2266
> 985-789-4319
>
> Please consider helping Saint Joseph Abbey and Seminary College recover
> from the devastating flood waters that overtook our campus on March 11,
> 2016.
> http://helptheabbey.com
>
> ---
>
> http://saintjosephabbey.com
>
> For IT Requests, please submit a ticket at:
> https://docs.google.com/forms/d/1e3PCRvnEVNU5-rVFolf9zivA9-m41Nj07eDjjCtFwpI/viewform?usp=send_form#start=invite


If that supermicro atom board is not ecc then memory could be a
culprit.  I agree though:  Spinrite on an SSD?

How are you rebooting it?  Remotely?  Are your nic cards good?  Is
your networking equipment good?

Never had a hard lock, but I did have drives that would idle out and
crash pfsense. It is a known issue with BSD and I had to disable idle
on the drives with WDIDLE.  I replaced those with an SSD though...just
to get rid of that problem.

If there is nothing in the logs, it could be losing connectivity to
the drives though..I could never catch the logs with the idle out
issue because the drives would just drop out of the system.

Did you have access to the main console when this happened?  Does it
have a VGA monitor?


Re: [pfSense] USB3 to ethernet adaptor

2016-08-31 Thread WebDawg
On Fri, Jun 10, 2016 at 1:41 AM, Espen Johansen  wrote:
> If you want to go cheap look for a Cisco 3524xl. They can be had for
> 15-20$. They support vlan in 1-1024 range (not extended). They are built
> like tanks and will virtually last forever if you give them clean power.
> They are 100mbit only but will do the job well.
>
> Just my 2 cents.
>

I know this is old but during this conversation I forgot about a good option:

New 39.95

https://www.roc-noc.com/mikrotik/routerboard/RB260GS.html

It even has an SFP port too but it is only gbit.


Re: [pfSense] Any side effects or negative impact to reassigning ports?

2016-08-30 Thread WebDawg
On Tue, Aug 30, 2016 at 3:06 AM, Dave Warren  wrote:
> Howdy!
>
> I'm building out a new pfSense box, but the NICs have not yet arrived
> and I'm wondering how much configuration I can do in advance. My
> configuration will be a quad port Intel NIC, two ports will be WAN ports
> directly connected to a pair of modems, and the other two will be a LACP
> LAGG group carrying multiple tagged VLANs, routing some traffic
> internally and some externally.
>
> Can I create the VLANs now and associate them with one of the onboard
> NICs so that I can proceed with all the other configuration details,
> DHCP servers, firewall rules custom NAT, and everything else, such that
> when the real NIC is installed, I create the LAGG and re-assign the
> interfaces? Or are there any "things" in pfSense that are associated
> with the physical NIC rather than the interface?
>
>


You can.  You can create VLANS, setup everything, and then after
replace the interface assignments in the config file that you export.

Since you are unfamiliar with the contents of the config:

I would go ahead, set it all up w/ VLANs and export that config.

When the nics come in, it would be easy to do a basic reinstall or
whatever and let pfsense setup those interfaces.

You could then export that config file and see how it names them and
change the values in the VLAN setup config with a txt editor.
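The hand edit described in the reply above, and the manual backup editing asked about in the "modify XML backup" thread, sketched as an added example that is not part of the original posts or of pfSense itself. The element names (`<vlans>`, `<vlan>`, `<if>`, `<tag>`, `<vlanif>`, `<interfaces>`), the sample file and the `lagg0` target are assumptions based on a typical export; compare them with your own export, and note the script does not create the LAGG itself.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed export with two VLANs parked on an onboard NIC.
# Element names are assumed from a typical pfSense export; check your own file.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr></wan>
    <lan><if>em1_vlan10</if><descr>LAN</descr></lan>
    <opt1><if>em1_vlan20</if><descr>VOICE</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em1</if><tag>10</tag><descr>lan</descr><vlanif>em1_vlan10</vlanif></vlan>
    <vlan><if>em1</if><tag>20</tag><descr>voice</descr><vlanif>em1_vlan20</vlanif></vlan>
  </vlans>
</pfsense>
"""


def reparent_vlans(xml_text, old_parent, new_parent):
    """Move every VLAN defined on old_parent to new_parent.

    Returns (new_xml, changes, leftovers):
      changes   - (assignment, old_port, new_port) for each updated interface
      leftovers - tags of elements whose text still names an old VLAN port
    """
    root = ET.fromstring(xml_text)  # ParseError here means the file is malformed
    vlans = root.findall("./vlans/vlan")
    taken = {v.findtext("vlanif") for v in vlans}

    renames = {}
    for vlan in vlans:
        parent, vlanif = vlan.find("if"), vlan.find("vlanif")
        if parent is None or vlanif is None or parent.text != old_parent:
            continue
        if not (vlanif.text or "").startswith(old_parent):
            raise ValueError(f"unexpected VLAN port name: {vlanif.text!r}")
        # Keep whatever suffix style the export uses (_vlan10, .10, ...).
        new_name = new_parent + vlanif.text[len(old_parent):]
        if new_name in taken:
            raise ValueError(f"{new_name} already exists in <vlans>")
        renames[vlanif.text] = new_name
        parent.text, vlanif.text = new_parent, new_name

    # Point each interface assignment (wan, lan, optN) at the renamed port.
    changes = []
    for assignment in root.findall("./interfaces/*"):
        port = assignment.find("if")
        if port is not None and port.text in renames:
            changes.append((assignment.tag, port.text, renames[port.text]))
            port.text = renames[port.text]

    # Anything still carrying an old port name would break after restore.
    leftovers = [el.tag for el in root.iter() if (el.text or "").strip() in renames]
    # ElementTree drops comments and writes CDATA as escaped text; diff before restoring.
    return ET.tostring(root, encoding="unicode"), changes, leftovers


if __name__ == "__main__":
    new_xml, changes, leftovers = reparent_vlans(SAMPLE_CONFIG, "em1", "lagg0")
    for name, old, new in changes:
        print(f"{name}: {old} -> {new}")
    print("stale references:", leftovers or "none")
```

Keep the untouched export next to the edited copy so the two can be diffed, and so there is a known-good file to restore if the edited one is rejected.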


Re: [pfSense] Pfsense lan config

2016-08-29 Thread WebDawg
On Mon, Aug 29, 2016 at 10:39 AM, Alfredo Tapia Sabogal
<alfred.ta...@gmail.com> wrote:
> I virtualized pfSense on my laptop and I want to access the internet. I
> believe that I have to create some firewall rules or NAT rules to get from my
> LAN IP address to my WAN IP address. How can I approach that?
>
> Alfredo Tapia Sabogal
>
> On Aug 29, 2016 10:34 AM, "WebDawg" <webd...@gmail.com> wrote:
>
>> On Mon, Aug 29, 2016 at 9:31 AM, Alfredo Tapia Sabogal
>> <alfred.ta...@gmail.com> wrote:
>> > So if my laptop will be on my LAN site 172.16.30.10/24 and my WAN is
>> > 192.168.0.x,
>> > how do I create a rule on the firewall or NAT to access the internet?
>> >
>> > Regards
>> >
>> > Alfredo Tapia Sabogal
>> >
>>
>>
>> So you have a virtualized instance of pfSense on your laptop and you
>> are trying to connect through it?
>>
>> Is this a separate laptop or is this the system you are currently
>> using as a desktop?
>>
>> Or are you turning a laptop into a router?

You are not giving very many details and it is going to be hard to
help you if you do not take the time to explain your setup more.

If you want to run a virtualized instance of pfsense locally on a
system you have some work to do.

Your best bet for the wan connection is to create a bridge for the
interface that connects to the internet/wan and add one of the
virtualized interfaces to it.  You would then configure pfSense to
pull the address or what ever you want it to do.

I do not know how to configure virtualbox to create another interface
on your system so your local system can connect through it.  I think
you are going to need another bridge interface that you pass through
though your virtualization system and set it as the LAN interface
inside your virtualized pfSense.

You would then tell your system to pull a DHCP address from an
interface attached to that bridge.

I do not know why you would choose to do this except for lack of
resources or experimentation.  I have done things like this and while
all this is possible sometimes it is not worth it.

If you want, explain your main purpose and why you chose to locally
virtualize a pfSense system on your desktop and possibly we can see
clearer why and possibly give you some better advice.

I know little about virtualbox and I do not know about the limitations
of its bridging (layer 2) and routing (layer 3) system.  Also unless
you choose paravirtualized drivers for your pfSense virtualized
instance you are creating bottle necks that you may not want.

The HVM nic drivers use the CPU of the system to do translation on
packets and such.  You may also run into a FreeBSD where you need to
enable the full packet.

Depending on what you already have setup, this may not be an easy task
and you may be better off grabbing ANY system and setting up pfSense
on it.  Also it seems that you do not have experience using pfsense or
your chosen virtualization networking stack.  You are creating some
steep hills which you need to climb, but hills can be fun too and I am
just letting you know what you have to deal with.

Re: [pfSense] Pfsense lan config

2016-08-29 Thread WebDawg
On Mon, Aug 29, 2016 at 9:31 AM, Alfredo Tapia Sabogal
 wrote:
> So if my laptop will be on my LAN site 172.16.30.10/24 and my WAN is
> 192.168.0.x,
> how do I create a rule on the firewall or NAT to access the internet?
>
> Regards
>
> Alfredo Tapia Sabogal
>


So you have a virtualized instance of pfSense on your laptop and you
are trying to connect through it?

Is this a separate laptop or is this the system you are currently
using as a desktop?

Or are you turning a laptop into a router?


Re: [pfSense] Pfsense lan config

2016-08-29 Thread WebDawg
How many nic cards are in your laptop?  Why are you using virtualbox?

On Aug 28, 2016 8:11 PM, "Alfredo Tapia Sabogal" 
wrote:

> Hello everyone,
> I'm using VirtualBox on my laptop, which is connected directly to my WAN
> router. When I installed pfSense I chose my WAN IP address 192.168.0.33
> and my LAN 176.16.30.10. The problem is that every time I type 176.16.30.10
> in my Internet Explorer I can log in to pfSense, but only for 10 seconds,
> because it took me off. So I changed my LAN IP address to the same WAN IP
> range with no problem, and it is not supposed to be like that, or is it
> because my laptop has only one NIC card? I also configured two NIC cards in
> my VirtualBox, the first for my WAN as a gateway adapter and the LAN adapter
> as internal network, and that one doesn't work for configuring my pfSense
> because I can't access it with my LAN IP from my laptop. Should I buy another
> router, or how should I resolve this issue?
> Please, I need help, or should I change my laptop IP address?
>
> Regards
>
> Alfredo Tapia Sabogal


Re: [pfSense] Open Vpn

2016-08-23 Thread WebDawg
https://openvpn.net/index.php/open-source/downloads.html

Also install the openvpn export plugin, it will let you download
installers with settings already.

On Tue, Aug 23, 2016 at 5:16 PM, Alfredo Tapia Sabogal
 wrote:
> Hello
> Does anyone know where I can download the OpenVPN client for a Windows
> client, please?
>
> Thanks!!!
>
> Alfredo Tapia Sabogal


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-21 Thread WebDawg
On Sun, Aug 21, 2016 at 12:56 AM, Dave Warren  wrote:
> On 2016-08-20 04:02, Jim Thompson wrote:
>>>
>>> On Aug 20, 2016, at 3:10 AM, Dave Warren  wrote:
>>>
>>>> On 2016-08-03 08:43, Steve Yates wrote:
>>>> I'm being serious but what is your rationale for not using
>>>> pfSense's/NetGate's?
>>>>
>>>> https://www.pfsense.org/products/
>>>>
>>>> The "cheap" part (< $299)?  We tried a "build our own" approach and it's
>>>> tough to get a small package.  Any old PC will do just fine if one adds an
>>>> SSD but as someone pointed out that may use far more power in the long run.
>>>
>>> For me, it's the fact that I want to rackmount my gear, but $1,799.00 is
>>> the cheapest option offered on pfSense.org that can rackmount.
>>
>> You seem to have added $1000 without justification:
>>
>> https://store.pfsense.org/SG-4860-1U/
>
>
> Perhaps someone should put that on the https://pfsense.org/ website?
>
> I started at https://pfsense.org/, then clicked on Products, which took me
> to https://pfsense.org/products/ which only offers
> https://store.pfsense.org/XG-2758/ when I was looking for a new product a
> couple weeks ago. It didn't occur to me you would have multiple incomplete
> lists of products, so I ordered hardware elsewhere already. Shame, I'd
> rather have supported pfSense, but it's too late now.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>

I noticed that too last time I went to purchase hardware from the
pfSense store.  I like this link better:

https://store.pfsense.org/

If you click into the menu on the left it lets you sort and such.

I think the first page right off the main site is designed to help
people who know little about the offerings to get an overview.


Re: [pfSense] Unicast Flood

2016-08-17 Thread WebDawg
On Tue, Aug 16, 2016 at 11:08 PM, Karl Fife  wrote:
> Answering my own question:
>
> Unicast flooding is fundamental.  Unicast flooding in response to a null
> switching table is the only way for a frame to reach the intended host, say,
> if the switching table had an entry which expired before it could be
> re-populated with the host's arp reply.
>
>
>
> On 8/16/2016 2:19 PM, Karl Fife wrote:
>>
>> Hey all.  I'm trying to get to the bottom of an Ethernet concept:
>>
>> If an Ethernet switch has no switching/forwarding table entry for a given
>> MAC, does it flood/broadcast BY DESIGN (e.g. to behave like a good
>> old-fashioned Ethernet HUB) or is unicast flooding an accidental
>> characteristic of the way Ethernet switches work (i.e. down on the metal)?
>>
>> For example, I could imagine an Ethernet switch design which the switch
>> always returns null in the switching table for FF:FF:FF:FF:FF:FF, triggering
>> a broadcast/flood, thus other bona-fide null (expired) lookups also happen
>> to flood, BUT that this behavior is not strictly required to function.
>>
>> Clarification on this detail would be much appreciated.
>>
>>
>>
>>
>>
>


Thanks for answering this question.  So many things go unanswered anymore!
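The behaviour discussed in this thread, modelled as an added example that is not part of the original posts: a learning switch that floods a unicast frame when the destination has no table entry or the entry has aged out. Port numbers, MAC addresses and timestamps are constructed; the 300-second ageing time is the IEEE 802.1D recommended default.

```python
AGING_SECONDS = 300.0  # default ageing time recommended by IEEE 802.1D

# Constructed addresses (locally administered unicast) and the broadcast address.
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac):
    """True for broadcast/multicast: the low bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, ports, max_age=AGING_SECONDS):
        self.ports = list(ports)
        self.max_age = max_age
        self.table = {}  # MAC -> (port, time last seen as a source)

    def receive(self, in_port, src, dst, now):
        """Handle one frame; return (egress_ports, reason)."""
        if not is_group(src):
            self.table[src] = (in_port, now)  # learn or refresh the sender
        entry = self.table.get(dst)
        if entry is not None and now - entry[1] > self.max_age:
            del self.table[dst]  # destination has been silent too long
            entry = None
        everyone_else = [p for p in self.ports if p != in_port]
        if is_group(dst):
            return everyone_else, "group address"
        if entry is None:
            # Deliberate: flooding is the only way to reach a host whose
            # location is unknown. A group address is never a source, so it
            # is never learned, but that is a separate rule from this one.
            return everyone_else, "unknown unicast, flooded"
        if entry[0] == in_port:
            return [], "filtered"  # destination lives on the ingress port
        return [entry[0]], "forwarded"


def run_demo():
    """Replay a constructed frame sequence; return (time, egress, reason) rows."""
    switch = LearningSwitch(ports=[1, 2, 3, 4])
    frames = [
        (0, 1, HOST_A, BROADCAST),  # A asks who has B
        (1, 2, HOST_B, HOST_A),     # B answers, so the switch learns B
        (2, 1, HOST_A, HOST_B),     # known destination
        (400, 1, HOST_A, HOST_B),   # B silent for 399 s: entry expired
        (401, 2, HOST_B, HOST_A),   # B speaks again and is re-learned
        (402, 1, HOST_A, HOST_B),
    ]
    return [(t,) + switch.receive(port, src, dst, t) for t, port, src, dst in frames]


if __name__ == "__main__":
    for t, egress, reason in run_demo():
        print(f"t={t:>3}s  out={egress}  {reason}")
```

Every flooded frame is visible on all other ports in the VLAN, so a steady rate of unknown-unicast flooding on a segment is worth investigating (asymmetric routing, or ARP and switch timers that disagree).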


Re: [pfSense] Mini-USB console on new pfSense certified hardware

2016-08-02 Thread WebDawg
On Mon, Aug 1, 2016 at 7:03 PM, Jeremy Porter  wrote:

> There is an on-board UART to USB converter on the
> RCC-VE/DFFv2/4860/8880/2440/2220.   This is wired directly to the
> chipset uart on the Rangely, at system voltage levels, not at RS232
> levels.  (The USB convert chip is cost comparable to a RS-232 voltage
> driver chip in cost, and has a smaller board footprint.)  Additionally
> the connect takes up less back-panel space.
>
> There are no test points brought out, if there were you would need a
> level shifter, and an isolator to protect the SOC.
>
> Most modern systems have USB Host ports, which is all that is required
> for the USB serial interface to work.  Any small system, can manage
> quite a few hosts with a powered usb hub.  (We actually use Beaglebone
> black as terminal servers).  We actually switched all our remaining
> terminal server systems over to these types, by getting a rack-mount 32
> port USB to RS-232 converter.
>
>
Can you explain to me the last statement?  You now use a Beaglebone as the
server, and manage the rest of your RS-232 terminal types with the
Beaglebone too.  With the 32 port USB to RS-232 converter?


[pfSense] Cloning pfSense Repo

2016-07-28 Thread WebDawg
Should I be able to clone the pfSense repo and host it locally?  Should I
be able to set the repo url in pfSense to point to this?

Also,  I have no experience making packages but sometimes I have to hack an
init.d script in, can I do that with a package?


Re: [pfSense] Lightning strike

2016-07-26 Thread WebDawg
On Mon, Jul 25, 2016 at 9:10 PM, Moshe Katz  wrote:

> From the picture, those are definitely surface-mount. I don't think I'd
> recommend trying it yourself unless you have experience and comfort working
> with SMD components.
>
> That said, if you do have the experience, it looks like the parts don't
> cost more than a few dollars.
>
> Moshe
>
>
You could outsource the repair.


Re: [pfSense] Wifi

2016-07-17 Thread WebDawg
On Sun, Jul 17, 2016 at 4:24 PM, Paul Galati  wrote:

> Find a decent router ($20 Netgear WNR3500u with gigabit ports) or similar
> that supports Tomato or DD-WRT.  Routers that support these OSes are good
> routers, just have not so good factory software on them.
>
> Paul
>

If you go with Paul's suggestion and want wireless AC make sure to do the
research.


Re: [pfSense] Wifi

2016-07-17 Thread WebDawg
On Sun, Jul 17, 2016 at 4:09 PM, Volker Kuhlmann 
wrote:

> On Fri 15 Jul 2016 16:58:34 NZST +1200, Alexandre Paradis wrote:
>
> > You could put a regular nic, then plug a regular home wifi router (with
> > dhcp disabled) on one of the lan port.
>
> This is probably the best bet. It makes the location of the AP (antenna
> position) independent of the location of the pfsense hardware. Putting a
> wifi card into a pfsense box has all sorts of problems, missing/useless
> Freebsd wifi drivers being a big one.
>
> It doesn't seem so easy to find a reliably good AP though, at least for a
> reasonable budget. Vodafone New Zealand gave out Netcomm NP805N do-it-all
> home rubbish^H^H^Hrouters. Yes you can disable dhcp on the wifi side,
> but the thing is too dumb to forward wifi dhcp requests to pfsense so
> Net-no-comm's only use is as a dust-collector.
>
> I have a USB wifi AP running (Tenda W322U), well sort of.
> pfsense/freebsd's driver isn't very good and doesn't run the hardware at
> full speed (54M only). Then make sure the USB thingie is always plugged
> in and doesn't fail, because if it isn't present, pfsense doesn't even
> boot any more... so you can't even fix the rules or plug a new one in.
>
> Volker
>
> --
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/  Please do not CC list postings to me.
>

UniFi AP-AC-Pro is a great AP.  Though to control it you have to run the
controller software on a server, does not need to stay active all the time
unless you need to use some of the active features.


Re: [pfSense] add Blocking in suricata just for some IPs

2016-06-20 Thread WebDawg
On Mon, Jun 20, 2016 at 1:27 PM, Daniel Eschner 
wrote:

> Hi to everyone,
>
> is it possible to add blocking mode just to some IPs from a /24 Network?
> I want to run that in test mode to see how many false positives I will see ;)
>
> Cheers
>
> Daniel
>
>
>


What?


Re: [pfSense] Question about OpenVPN Point-to-Multi-Point Setup

2016-06-08 Thread WebDawg
On Jun 8, 2016 1:31 PM, "Vick Khera"  wrote:
>
> On Wed, Jun 8, 2016 at 2:41 PM, Jeremy Bennett <jbenn...@hikitechnology.com>
> wrote:
>
> > If you won't have mobile users, IPSec could be a viable option.
> >
>
> iPhone mobile VPN works great with IPSec, no additional software needed. It
> is all built in. Do not know about Android.

I think this is the additional software part, but they have OpenVPN Connect
for Android and iOS. The additional software works great and it even has
settings to keep the connection alive or resume the connection after device
wake. It is more integrated into iOS, at least, than it was before.


[pfSense] unbound DNS and pfSense failover

2016-06-06 Thread WebDawg
I am trying to figure out how to make unbound stop using my DNS server that
is on my backup internet.  I never want it to hit it ever unless the main
WAN goes down.

So the DNS forwarder can do this:

Query DNS servers sequentially If this option is set, pfSense DNS Forwarder
(dnsmasq) will query the DNS servers sequentially in the order
specified (*System
- General Setup - DNS Servers*), rather than all at once in parallel.

If I used the forwarder instead of the resolver, this might help, it should
get results from my two WAN DNS servers first.

Could I have the forwarder ask the resolver first and just configure the
resolver to query the WAN interface? Then branch from there?  Virtual
Interfaces?

I would like to stick with the resolver...any ideas?


Re: [pfSense] USB3 to ethernet adaptor

2016-06-06 Thread WebDawg
On Mon, Jun 6, 2016 at 9:00 AM, RB  wrote:
>
> On Sun, Jun 5, 2016 at 7:02 PM, Volker Kuhlmann
>  > This is a laughable argument!
>
> I'm not here to argue, you are.  More specifically, you're here to
> press your personal point for open switch firmware.  Your paranoia,
> it's showing.
> ___



All of this arguing aside, and all of these points made, I still cannot wait
until there is nothing stopping me from examining the code that runs on my
switches.  I know some of this is off topic but I am going to post this
anyways:


j...@netgate.com wrote:

"Open Source is more about sharing than security."

Open source is way more than both of these topics but even in the sentence
that you wrote, you even agree that it could be a little bit of both.  It
seems like groups are moving towards openness in general and it is going to
be really cool when I can cheaply take something like Open vSwitch, some
hardware, and an open vSwitch accelerator (
http://www.6wind.com/products/6wind-virtual-accelerator/) and forget about
Cisco, Juniper and the lot.

It sucks, it really does.  I would think Open Source is more about lowering
the entry level for any topic.  It is easier to audit if you need it
secure, it is easier to work with when you need to share or bits and pieces
of it, etc.

When I was a child I wanted something like the raspberry pi so very bad, or
an Arduino.  The closest thing I could find in my environment at the time
was about $400+ and the programming software was very proprietary, the
device was limited in its capabilities, it was closer to SCADA.

I do not think anyone here wants to argue Some Company vs OpenSource. When
you look at the fabric switches that Cisco and other companies offer it is
obvious how money can motivate a company/organization to build new tech.
But then take a look at something like the Raspberry Pi and see where it is
and what it is doing.  Part of OpenSource is removing the grip the
companies have on these technologies and giving it away, this especially
helps when you live in an environment when the bar for getting things that
are not OpenSource is high for whatever reasons.

On Sun, Jun 5, 2016 at 7:02 PM, Volker Kuhlmann wrote:

Your paranoia, it's showing.

"Paranoia is a thought process believed to be heavily influenced by anxiety
or fear, often to the point of delusion and irrationality."

If you believe there are not malicious actors trying to influence and hack
technologies for their own benefit, I do not know what to say, but someone
not trusting some software does not sound all that crazy.


Re: [pfSense] pfSense store router positioning

2016-06-05 Thread WebDawg
On Sun, Jun 5, 2016 at 11:25 AM, Walter Parker  wrote:

> Hi,
>
> I've been doing a bit of remodeling in the household and I noticed an
> interesting issue with the temperature of the router (an SG-2220). If I
> put the router flat, it heated up to 53 Celsius (9AM mid 70's Fahrenheit
> room temp). When I turned the router on its side, it dropped from 53 to 46
> in 20 minutes (and if the last experiment holds it should level out at 41).
>
> Have other people seen the temp on the router higher when it is flat than
> when it is on the side?
>
>
> Walter
>
> --
> The greatest dangers to liberty lurk in insidious encroachment by men of
> zeal, well-meaning but without understanding.   -- Justice Louis D.
> Brandeis
> ___

ooo

That is interesting, I want some decompression testing done next.


Re: [pfSense] How to manually update 2.3 onwards?

2016-05-30 Thread WebDawg
On Wed, May 25, 2016 at 2:00 PM, Chris Buechler  wrote:

> On Tue, May 24, 2016 at 8:08 AM, Pete Boyd wrote:
> > I have a pfSense 2.3.0_1 which has had an issue connecting to
> > pfsense.com to check for updates for years. That's not the issue, as far
> > as I believe. Perhaps its LAN and WAN are mistakenly the wrong way
> > around. It routes between two LANs. Anyway I always update it manually
> > by downloading a tgz file.
> >
> > With 2.3.0_1 it appears to offer no means of manually updating, giving
> > these error messages on the System > Update screen [1].
> > I see the release notes say "Removed "full update" or "full slice"
> > upgrade for systems on 2.3 to later versions" - is this what I am seeing?
> >
> > How do I manually update pfSense now please?
> >
>
> There currently is no means of doing so, the system must be online.
>
> The errors from pkg you posted make it seem like the box is behind a
> captive portal maybe, so it's fetching a portal page rather than the
> pkg files.
> ___
>
>
Is there any way to clone the pfSense pkg repo?


Re: [pfSense] USB3 to ethernet adaptor

2016-05-25 Thread WebDawg
On Mon, May 2, 2016 at 1:56 AM, Frans Meulenbroeks <fransmeulenbro...@gmail.com> wrote:

> Hi,
>
> Has anyone experience using USB3 to ethernet adapters? I need an extra
> interface but my HW (Intel NUC) does not have room for another card.
> Anything recommendable?
>
> Best regards, Frans.
>


https://redmine.pfsense.org/issues/4494

Might work better now.  Someone needs to test.  Every time I test I am let
down :/


Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread WebDawg
On Tue, May 24, 2016 at 2:18 PM, Chris Buechler <c...@pfsense.com> wrote:

> On Tue, May 24, 2016 at 1:28 PM, WebDawg <webd...@gmail.com> wrote:
> > On Tue, May 24, 2016 at 11:34 AM, Chris Buechler <c...@pfsense.com> wrote:
> >
> >> On Tue, May 24, 2016 at 5:33 AM, OSN | Marian Fischer <m...@osn.de> wrote:
> >> > Hi list,
> >> >
> >> > when i try to update one carp member from 2.3_1 to the latest update
> >> > (2.3.1) it fails after
> >> >
> >> > # snip
> >> > Updating pfSense-core repository catalogue...
> >> > Unable to update repository pfSense-core
> >> > Updating pfSense repository catalogue...
> >> > # snip
> >> >
> >> > the other member did the update well. Both are running on 4GB  CF nano
> >> > install.
> >> >
> >> > any solution out there?
> >>
> >> Diag>NanoBSD, set to permanent rw, and reboot for good measure. It work
> >> then?
> >> ___
> >>
> >
> >
> > I have a few pfSense devices that I purchased, do I need to set permanent
> > rw on them for 2.3.1?
>
> If you have problems with them, yes. Once upgraded to 2.3.1, they'll
> be set permanent rw with no option to go ro.
>


So if I already have them up to 2.3.1, I am fine.


Re: [pfSense] Update 2.3_1 to 2.3.1 failed

2016-05-24 Thread WebDawg
On Tue, May 24, 2016 at 11:34 AM, Chris Buechler  wrote:

> On Tue, May 24, 2016 at 5:33 AM, OSN | Marian Fischer  wrote:
> > Hi list,
> >
> > when i try to update one carp member from 2.3_1 to the latest update
> > (2.3.1) it fails after
> >
> > # snip
> > Updating pfSense-core repository catalogue...
> > Unable to update repository pfSense-core
> > Updating pfSense repository catalogue...
> > # snip
> >
> > the other member did the update well. Both are running on 4GB  CF nano
> > install.
> >
> > any solution out there?
>
> Diag>NanoBSD, set to permanent rw, and reboot for good measure. It work
> then?
> ___
>


I have a few pfSense devices that I purchased, do I need to set permanent
rw on them for 2.3.1?


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 1:31 PM, Moshe Katz <mo...@ymkatz.net> wrote:

> On Fri, May 20, 2016 at 12:19 PM, WebDawg <webd...@gmail.com> wrote:
>
> > On Fri, May 20, 2016 at 11:06 AM, Moshe Katz <kohenk...@gmail.com> wrote:
>
> They will not let you bring your own modem if you have a static IP.
>
> I wrote the last message on my tablet, so I had to keep it short, but I can
> explain further now.
>
> Basically, when you get static IPs from Comcast, they do not want to set up
> the routing for them upstream in the central office (like most other ISPs
> would do).
> Instead, they assign your "Business IP Gateway" device (which is a
> modem/router/firewall combination) a dynamic IP that is in the same block
> of IPs that the entire rest of your neighborhood has.  After the Business
> IP Gateway has received its dynamic address, it advertises itself (I
> believe using RIP) as the next hop to the IP addresses that have been
> allocated to you.
>
> Additionally, the Gateway runs a DHCP server in the 10.x.x.x range. Any
> computer on your network that requests an address on DHCP will receive a
> private address from the Gateway and the Gateway will perform NAT.
>
> In effect, this allows you to have your public addresses and private
> addresses on a single connection to the Internet, with the public addresses
> routed and the private addresses NAT'ed.
>
> To make a long story short, not only will Comcast not allow you to use a
> simple Arris Surfboard modem for static IPs, the way their system is set up
> would not even work if you tried to use a plain modem, because your modem
> wouldn't be able to claim the addresses.
> In theory, Comcast could just allow you to set up your own RIP
> advertisements from your own hardware. I'm guessing that the reason they
> don't want to do that is because they'd rather have full control.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
>
Hmm,

That would be the solution then?  Setup RIP.  Has anyone asked?


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 11:06 AM, Moshe Katz  wrote:

> If you have static IPs from Comcast, you cannot put the device in bridge
> mode. The way that Comcast static IPs work is that your Comcast device
> advertises itself to the rest of Comcast's network as the route to your
> static addresses. In effect, just pretend that this Comcast device is in
> Comcast's central office and that you can't change anything about it.
>
> Moshe
>

Wow.

No wonder there are issues.  I have only seen a few good modems as of late
from any cable provider.

Are there people having the same issues with the newer Arris Cable Modem?
I see the responses in the thread, will they issue static IP addresses with
just modems/Arris?

Really, they will not let you bring your own device with a compatible Arris
modem?

I hate the all in one devices that they give out.  I had issues with one
until I put it into bridge mode.  It would not NAT correctly.

At another location, I demanded a modem.  I was paying for their fastest
internet 100M down at the time and there was no way I was going to add all
that overhead to the connection and depend on garbage firmware.


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Wed, May 18, 2016 at 6:14 PM, Steve Yates  wrote:

> We have an application with a Comcast-provided SMC router and two pfSense
> routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets
> an IPv6 address and can ping out.  However in its DHCP logs I see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router isn't
> delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs inside
> the tenant router but unless I'm mistaken I need a couple more /64 networks
> for that (what a waste of IPs...I know there's a lot but still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
> ___
>
>
Am I correct to assume that you are putting this device in bridge mode?
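Added example, not part of the thread: a small Python check for the dhcp6c messages quoted in Steve Yates's post above. It assumes that the three numbers in "invalid prefix length" are the delegated prefix length, the client's sla-len and the interface-ID length, and that they must sum to at most 128; the timestamps and PID in the sample lines are constructed.

```python
import re

# Constructed sample: the two messages from the post, with made-up timestamps/PID.
SAMPLE_LOG = """\
May 18 17:02:11 dhcp6c[4242]: invalid prefix length 64 + 4 + 64
May 18 17:02:11 dhcp6c[4242]: XID mismatch
May 18 17:02:13 dhcp6c[4242]: XID mismatch
May 18 17:09:40 dhcp6c[4242]: invalid prefix length 64 + 8 + 64
"""

PLEN_RE = re.compile(r"invalid prefix length (\d+) \+ (\d+) \+ (\d+)")


def analyse(log_text):
    """Return (findings, xid_mismatch_count) for dhcp6c log text."""
    findings, xid_mismatches = [], 0
    for line in log_text.splitlines():
        if "XID mismatch" in line:
            xid_mismatches += 1
            continue
        match = PLEN_RE.search(line)
        if match is None:
            continue
        # Assumed field order: delegated prefix length, sla-len, interface-ID length.
        delegated, sla_len, ifid_len = (int(g) for g in match.groups())
        spare_bits = 128 - ifid_len - delegated  # bits left over for subnetting
        findings.append({
            "delegated_plen": delegated,
            # Prefix size the client must receive for this sla-len to fit.
            "expected_plen": 128 - ifid_len - sla_len,
            "overflow_bits": delegated + sla_len + ifid_len - 128,
            # Largest sla-len that fits; negative means not even one subnet fits.
            "max_sla_len": spare_bits,
            "usable_subnets": 2 ** spare_bits if spare_bits >= 0 else 0,
        })
    return findings, xid_mismatches


if __name__ == "__main__":
    results, xids = analyse(SAMPLE_LOG)
    for f in results:
        print("server delegated /%(delegated_plen)d, client expected /%(expected_plen)d: "
              "%(overflow_bits)d bits too long, room for %(usable_subnets)d /64" % f)
    print("XID mismatches:", xids)
```

Under that assumption, both lines show a delegated length of 64 whichever hint was sent, which leaves room for exactly one /64 and none for downstream subnets.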

