subject:"\[pfSense\] States Issue with Asterisk behind pfSense"

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-28 Thread PiBa


Hi Guy's,

Anyone care to test if this fixes the issue?

I dont have a pppoe myself , but do think everyone with a changing wan 
ip is affected by old udp states that stay alive long after a outbound 
natted ip has changed..
I think there is no danger in dropping all states that use that specific 
old ip, as it nolonger is used by pfSense and you wouldnt know where 
might exist now..


Place the code below in the file /etc/rc.newwanip at the bottom of the 
file just before the ?>

--
if (is_ipaddr($oldip) && $curwanip != $oldip) {
/*  Reset states that are using the wan-ip, for example outbound natted
udp traffic would otherwise stay natted using the old wan-ip */
mwexec_bg("/sbin/pfctl -k $oldip");
}
--
Please report back if this fixes the issue, or if any unwanted 
side-effects occur..
Ive send a pull-request for pfSense 2.2 containing this change: 
https://github.com/pfsense/pfsense/pull/1299/files


p.s. im not a 'pfSense dev' , just a user and contributer.. use it at 
your own risk ;)..

Greets PiBa-NL

Espen Johansen schreef op 28-9-2014 19:26:


If this is to be implemented it should be a tick box on each 
interfance. Dropping all states if you want to move a cable/reroute it 
is not a good idea.
This needs to be user controllable or only affect interface if 
is_interface_type=pppoe.


Just my 2 cents.

-lsf

28. sep. 2014 19:19 skrev "Hannes Werner" > følgende:


I would like to repeat Vassilis questions:

Has this been implemented? Could this be implemented? Do the pfsense
dev's need some more info? Can we help with testing?

On Sat, Sep 27, 2014 at 1:02 PM, Vassilis V. mailto:bigracc...@gmx.net>> wrote:
> ADSL over PPPoE with constant changing IPs is the standard in some
> countries, we do not have such connections because we chose them
and we
> like the challenge..
>
> Reading again the whole bug report, there seems to be alot of people
> affected by this and Tom De Coninck has made alot of effort to
figure
> out what might be the issue.
>
> In the last post of Tom, he comes to a very exact conclusion:
> "I think this proves that pfsense not only needs to kill states
on 'WAN
> DOWN' , but also on 'WAN UP'. I can't see how it could work
otherwise"
>
> Has this been implemented? Could this be implemented? Do the pfsense
> dev's need some more info? Can we help with testing?
>
> Vassilis
>
>
> Hannes Werner wrote on 26.09.2014 22 :53:
>> Thanks Vassilis,
>>
>> I've these settings already - without any success.
>>
>> On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V.
mailto:bigracc...@gmx.net>> wrote:
>>>
>>>
>>> Hannes Werner wrote on 26.09.2014 16 :51:
 thank you very much Giles, but unfortunately it doesn't help.

 anyone here who is using asterisk behind pfSense on a dynamic
IP WAN
 successfully?

>>>
>>> Hello Hannes!
>>>
>>> I have also used asterisk behind a dynamic PPPoE WAN. I had
the exact
>>> same issues that the bug report is describing.
>>>
>>> I tried different ways to get it to work and I found that some
solutions
>>> work with some providers, but fail at others. There seems to
be alot of
>>> black magic involved when configuring SIP to work in such a
configuration :)
>>>
>>> What worked best was to set nat=no and externip=.
>>> I had also not done any port forwards whatsoever on pfsense, 
outgoing

>>> NAT was set to automatic.
>>>
>>> I certainly cannot explain why it was working that way!
>>>
>>>
>>> Hope it helps!
>>> Vassilis
>>> ___
>>> List mailing list
>>> List@lists.pfsense.org 
>>> https://lists.pfsense.org/mailman/listinfo/list
>> ___
>> List mailing list
>> List@lists.pfsense.org 
>> https://lists.pfsense.org/mailman/listinfo/list
>>
> ___
> List mailing list
> List@lists.pfsense.org 
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org 
https://lists.pfsense.org/mailman/listinfo/list



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-28 Thread Espen Johansen

If this is to be implemented it should be a tick box on each interfance.
Dropping all states if you want to move a cable/reroute it is not a good
idea.
This needs to be user controllable or only affect interface if
is_interface_type=pppoe.

Just my 2 cents.

-lsf
28. sep. 2014 19:19 skrev "Hannes Werner"  følgende:

> I would like to repeat Vassilis questions:
>
> Has this been implemented? Could this be implemented? Do the pfsense
> dev's need some more info? Can we help with testing?
>
> On Sat, Sep 27, 2014 at 1:02 PM, Vassilis V.  wrote:
> > ADSL over PPPoE with constant changing IPs is the standard in some
> > countries, we do not have such connections because we chose them and we
> > like the challenge..
> >
> > Reading again the whole bug report, there seems to be alot of people
> > affected by this and Tom De Coninck has made alot of effort to figure
> > out what might be the issue.
> >
> > In the last post of Tom, he comes to a very exact conclusion:
> > "I think this proves that pfsense not only needs to kill states on 'WAN
> > DOWN' , but also on 'WAN UP'. I can't see how it could work otherwise"
> >
> > Has this been implemented? Could this be implemented? Do the pfsense
> > dev's need some more info? Can we help with testing?
> >
> > Vassilis
> >
> >
> > Hannes Werner wrote on 26.09.2014 22:53:
> >> Thanks Vassilis,
> >>
> >> I've these settings already - without any success.
> >>
> >> On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V. 
> wrote:
> >>>
> >>>
> >>> Hannes Werner wrote on 26.09.2014 16:51:
>  thank you very much Giles, but unfortunately it doesn't help.
> 
>  anyone here who is using asterisk behind pfSense on a dynamic IP WAN
>  successfully?
> 
> >>>
> >>> Hello Hannes!
> >>>
> >>> I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
> >>> same issues that the bug report is describing.
> >>>
> >>> I tried different ways to get it to work and I found that some
> solutions
> >>> work with some providers, but fail at others. There seems to be alot of
> >>> black magic involved when configuring SIP to work in such a
> configuration :)
> >>>
> >>> What worked best was to set nat=no and externip= IP>.
> >>> I had also not done any port forwards whatsoever on pfsense,  outgoing
> >>> NAT was set to automatic.
> >>>
> >>> I certainly cannot explain why it was working that way!
> >>>
> >>>
> >>> Hope it helps!
> >>> Vassilis
> >>> ___
> >>> List mailing list
> >>> List@lists.pfsense.org
> >>> https://lists.pfsense.org/mailman/listinfo/list
> >> ___
> >> List mailing list
> >> List@lists.pfsense.org
> >> https://lists.pfsense.org/mailman/listinfo/list
> >>
> > ___
> > List mailing list
> > List@lists.pfsense.org
> > https://lists.pfsense.org/mailman/listinfo/list
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
>
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-28 Thread Hannes Werner

I would like to repeat Vassilis questions:

Has this been implemented? Could this be implemented? Do the pfsense
dev's need some more info? Can we help with testing?

On Sat, Sep 27, 2014 at 1:02 PM, Vassilis V.  wrote:
> ADSL over PPPoE with constant changing IPs is the standard in some
> countries, we do not have such connections because we chose them and we
> like the challenge..
>
> Reading again the whole bug report, there seems to be alot of people
> affected by this and Tom De Coninck has made alot of effort to figure
> out what might be the issue.
>
> In the last post of Tom, he comes to a very exact conclusion:
> "I think this proves that pfsense not only needs to kill states on 'WAN
> DOWN' , but also on 'WAN UP'. I can't see how it could work otherwise"
>
> Has this been implemented? Could this be implemented? Do the pfsense
> dev's need some more info? Can we help with testing?
>
> Vassilis
>
>
> Hannes Werner wrote on 26.09.2014 22:53:
>> Thanks Vassilis,
>>
>> I've these settings already - without any success.
>>
>> On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V.  wrote:
>>>
>>>
>>> Hannes Werner wrote on 26.09.2014 16:51:
 thank you very much Giles, but unfortunately it doesn't help.

 anyone here who is using asterisk behind pfSense on a dynamic IP WAN
 successfully?

>>>
>>> Hello Hannes!
>>>
>>> I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
>>> same issues that the bug report is describing.
>>>
>>> I tried different ways to get it to work and I found that some solutions
>>> work with some providers, but fail at others. There seems to be alot of
>>> black magic involved when configuring SIP to work in such a configuration :)
>>>
>>> What worked best was to set nat=no and externip=.
>>> I had also not done any port forwards whatsoever on pfsense,  outgoing
>>> NAT was set to automatic.
>>>
>>> I certainly cannot explain why it was working that way!
>>>
>>>
>>> Hope it helps!
>>> Vassilis
>>> ___
>>> List mailing list
>>> List@lists.pfsense.org
>>> https://lists.pfsense.org/mailman/listinfo/list
>> ___
>> List mailing list
>> List@lists.pfsense.org
>> https://lists.pfsense.org/mailman/listinfo/list
>>
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-27 Thread Vassilis V.

ADSL over PPPoE with constant changing IPs is the standard in some
countries, we do not have such connections because we chose them and we
like the challenge..

Reading again the whole bug report, there seems to be alot of people
affected by this and Tom De Coninck has made alot of effort to figure
out what might be the issue.

In the last post of Tom, he comes to a very exact conclusion:
"I think this proves that pfsense not only needs to kill states on 'WAN
DOWN' , but also on 'WAN UP'. I can't see how it could work otherwise"

Has this been implemented? Could this be implemented? Do the pfsense
dev's need some more info? Can we help with testing?

Vassilis

Hannes Werner wrote on 26.09.2014 22:53:
> Thanks Vassilis,
> 
> I've these settings already - without any success.
> 
> On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V.  wrote:
>>
>>
>> Hannes Werner wrote on 26.09.2014 16:51:
>>> thank you very much Giles, but unfortunately it doesn't help.
>>>
>>> anyone here who is using asterisk behind pfSense on a dynamic IP WAN
>>> successfully?
>>>
>>
>> Hello Hannes!
>>
>> I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
>> same issues that the bug report is describing.
>>
>> I tried different ways to get it to work and I found that some solutions
>> work with some providers, but fail at others. There seems to be alot of
>> black magic involved when configuring SIP to work in such a configuration :)
>>
>> What worked best was to set nat=no and externip=.
>> I had also not done any port forwards whatsoever on pfsense,  outgoing
>> NAT was set to automatic.
>>
>> I certainly cannot explain why it was working that way!
>>
>>
>> Hope it helps!
>> Vassilis
>> ___
>> List mailing list
>> List@lists.pfsense.org
>> https://lists.pfsense.org/mailman/listinfo/list
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
> 
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-27 Thread Drew Lehman

First off, let me point out that I am a user, not a developer. Secondly 
you may want to tone down the attitude.  Since many of the developers 
volunteer, they won't bother taking on a bug that is a) limited in scope 
b) having someone pester them about.  that being said, the bug is NOT 
exclusive to pfsense.  While pfsense may be able to implement some 
workarounds, this is ultimately an asterisks issue.  You may have more 
luck asking the asterisks community to fix it.
Yes, it works on some routers, but from what I was able to find the bug 
is very narrow in scope, such as what someone already replied :

The triggers for this issue seem to be, specifically:
 - PPPoE WAN interface
 - dynamic WAN IP
 - SIP service provider
Not having a PPoE WAN would fix this too.  As for the idea of asterisks 
on a dynamic address; the idea of having many services hosted on a 
dynamic address is generally discouraged because of the extra complexity 
and lack of reliability that comes with it.  This is not specifically 
about asterisks.


Now, back to the bug.  From what I have read, this seems to be an issue 
with the states table, which probably means that the WAN address is 
changing and the states are not being update.  I'm not sure why your ISP 
would be changing your IP all the time.  Most simply give you one when 
you connect and you keep it until you are no longer connected.  Without 
knowing the exact problem, it would probably involve clearing the state 
table every time the address changes and that may have other considerations.



On 9/26/2014 7:42 AM, Hannes Werner wrote:

are you saying that people with dynamic IP shouldn't use pfSense
behind an Asterisk service? I've had asterisk running behind Fritz-Box
for years without any trouble. I've seen the cheapest router being
able to handle this like the speedports. I can't believe pfSense is
unable to do this, but it doesn't matter a clear word would solve the
problem for all the time and you do not have to worry again about this
issue.

maybe you guys do better telling those users to change there router?

On Fri, Sep 26, 2014 at 1:33 PM, Chris Bagnall
 wrote:

On 26/9/14 12:06 pm, Giles Coochey wrote:

I can think of many reasons, why running a service such as Asterisk, on
an IP address  that you have a temporary lease for (thus only have a
passing relationship with, before it is passed to someone else), would
be pretty bad practice.


I think Giles has put it far better than I did :-)

In short, Asterisk is temperamental with dynamic IPs _in general_, it's not
necessarily specific to pfSense (though I appreciate this bug report relates
specifically to pfSense).

I've seen the same symptoms with Asterisk servers behind Draytek routers,
for example - as with pfSense, it's usually solved with a state table reset.


Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Hannes Werner

Thanks Vassilis,

I've these settings already - without any success.

On Fri, Sep 26, 2014 at 9:03 PM, Vassilis V.  wrote:
>
>
> Hannes Werner wrote on 26.09.2014 16:51:
>> thank you very much Giles, but unfortunately it doesn't help.
>>
>> anyone here who is using asterisk behind pfSense on a dynamic IP WAN
>> successfully?
>>
>
> Hello Hannes!
>
> I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
> same issues that the bug report is describing.
>
> I tried different ways to get it to work and I found that some solutions
> work with some providers, but fail at others. There seems to be alot of
> black magic involved when configuring SIP to work in such a configuration :)
>
> What worked best was to set nat=no and externip=.
> I had also not done any port forwards whatsoever on pfsense,  outgoing
> NAT was set to automatic.
>
> I certainly cannot explain why it was working that way!
>
>
> Hope it helps!
> Vassilis
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Odette Nsaka

In the different environments where I use PF I'm using different appliances 
acting as modem/routers.
In most cases I use those supplied by the ISP.
In other cases I use some other low-medium level modem/routers.
As an example some are Tp-link TD-W8968.
All these modem/routers connect:
- to the ISP on the phone line over ADSL and PPPoE/PPPoA
- to the pfSense WAN port via Ethernet port

They are just enough to act as
- ADSL2+ modem on the 20 mbit/sec ADSL lines
- inbound NATP towards the PF WAN IP.

pfSense act as routing firewalls, sometimes as VPN endpoints, never as 
ADSL modem.

O.
-- 

In data venerdì 26 settembre 2014 20:00:59, Hannes Werner ha scritto:
> Thank you very much Odette,
> 
> what type of router do you use? Those who are doing the PPPoA? So you
> use  pfSense as a strict Firewall?
> 
> On Fri, Sep 26, 2014 at 4:35 PM, Odette Nsaka 
 wrote:
> > Not too much related, but I am.
> > 
> > I'm using a multi-wan connection to different ISP who give me dynamic 
IP
> > address. I set up the Internet connection via a couple of different
> > routers, one for each ISP.
> > 
> > The difference in my configuration is that the routers connect to the 
ISP
> > via PPPoA and PF is connected to the routers via regular IP local 
subnet
> > connection (no PPPoE/PPPoA on PF).
> > 
> > This way everything works fine, asterisk on the LAN side of PF too, 
even
> > when one or both of the public IPs are changed.
> > 
> > In case of failure of one (or the other) of the ISP connections, asterisk
> > connects with no problem to the VoIP provider, no matter on which is 
the
> > active or preferred gateway.
> > 
> > O.
> > 
> > --
> > 
> > On Sept. 26th 2014 15:51:37, Hannes Werner wrote:
> >> thank you very much Giles, but unfortunately it doesn't help.
> >> 
> >> anyone here who is using asterisk behind pfSense on a dynamic IP 
WAN
> >> successfully?
> >> 
> >> On Fri, Sep 26, 2014 at 2:44 PM, Giles Coochey  
wrote:
> >> > On 26/09/2014 12:42, Hannes Werner wrote:
> >> >> are you saying that people with dynamic IP shouldn't use 
pfSense
> >> >> behind an Asterisk service? I've had asterisk running behind Fritz-
Box
> >> >> for years without any trouble. I've seen the cheapest router 
being
> >> >> able to handle this like the speedports. I can't believe pfSense is
> >> >> unable to do this, but it doesn't matter a clear word would solve 
the
> >> >> problem for all the time and you do not have to worry again 
about this
> >> >> issue.
> >> >> 
> >> >> maybe you guys do better telling those users to change there 
router?
> >> > 
> >> > It's not my place, either, to pass comment on what free software 
you
> >> > should
> >> > decide to use, I am also none other than a happy end user (with a 
PPPoE
> >> > service on at least one of my pfsense boxes, but with a static IP).
> >> > 
> >> > Doesn't ensuring that you have Gateway monitoring enabled, and 
then
> >> > ensuring that you have, under System --> Advanced --> 
Miscelleaneous
> >> > -->
> >> > "State Killing on Gateway Failure" enabled provide a workaround
> >> > resolution for you? I'm referring to
> >> > https://redmine.pfsense.org/issues/3181 which is referenced from 
#1629.
> >> > 
> >> > Also it's clear that bug #1629 is pushed out to 2.2, although the
> >> > latest
> >> > comment is for it to be addressed, or to push it out to 2.3. It's
> >> > probably
> >> > not good news for you, but it looks like there is a schedule for it to
> >> > be
> >> > fixed just not very quickly.
> >> > 
> >> > Do bear in mind that the original PPP software was designed for
> >> > opportunistic on-demand dial-up connections, and isn't perfectly 
suited
> >> > for
> >> > running server side applications on the client end. PPPoE & PPPoA 
built
> >> > on
> >> > this, I guess, to allow ISPs to continue to use their RADIUS
> >> > infrastructure
> >> > for customers authentication as they moved to broadband / cable 
based
> >> > connections.
> >> > 
> >> > 
> >> > --
> >> > Regards,
> >> > 
> >> > Giles Coochey, CCNP, CCNA, CCNAS
> >> > NetSecSpec Ltd
> >> > +44 (0) 8444 780677
> >> > +44 (0) 7584 634135
> >> > http://www.coochey.net
> >> > http://www.netsecspec.co.uk
> >> > gi...@coochey.net
> >> > 
> >> > 
> >> > 
> >> > ___
> >> > List mailing list
> >> > List@lists.pfsense.org___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Vassilis V.



Hannes Werner wrote on 26.09.2014 16:51:
> thank you very much Giles, but unfortunately it doesn't help.
> 
> anyone here who is using asterisk behind pfSense on a dynamic IP WAN
> successfully?
> 

Hello Hannes!

I have also used asterisk behind a dynamic PPPoE WAN. I had the exact
same issues that the bug report is describing.

I tried different ways to get it to work and I found that some solutions
work with some providers, but fail at others. There seems to be alot of
black magic involved when configuring SIP to work in such a configuration :)

What worked best was to set nat=no and externip=.
I had also not done any port forwards whatsoever on pfsense,  outgoing
NAT was set to automatic.

I certainly cannot explain why it was working that way!


Hope it helps!
Vassilis
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Hannes Werner

Thank you very much Odette,

what type of router do you use? Those who are doing the PPPoA? So you
use  pfSense as a strict Firewall?

On Fri, Sep 26, 2014 at 4:35 PM, Odette Nsaka  wrote:
> Not too much related, but I am.
>
> I'm using a multi-wan connection to different ISP who give me dynamic IP
> address. I set up the Internet connection via a couple of different routers,
> one for each ISP.
>
> The difference in my configuration is that the routers connect to the ISP via
> PPPoA and PF is connected to the routers via regular IP local subnet
> connection (no PPPoE/PPPoA on PF).
>
> This way everything works fine, asterisk on the LAN side of PF too, even when
> one or both of the public IPs are changed.
>
> In case of failure of one (or the other) of the ISP connections, asterisk
> connects with no problem to the VoIP provider, no matter on which is the
> active or preferred gateway.
>
> O.
>
> --
>
> On Sept. 26th 2014 15:51:37, Hannes Werner wrote:
>> thank you very much Giles, but unfortunately it doesn't help.
>>
>> anyone here who is using asterisk behind pfSense on a dynamic IP WAN
>> successfully?
>>
>> On Fri, Sep 26, 2014 at 2:44 PM, Giles Coochey  wrote:
>> > On 26/09/2014 12:42, Hannes Werner wrote:
>> >> are you saying that people with dynamic IP shouldn't use pfSense
>> >> behind an Asterisk service? I've had asterisk running behind Fritz-Box
>> >> for years without any trouble. I've seen the cheapest router being
>> >> able to handle this like the speedports. I can't believe pfSense is
>> >> unable to do this, but it doesn't matter a clear word would solve the
>> >> problem for all the time and you do not have to worry again about this
>> >> issue.
>> >>
>> >> maybe you guys do better telling those users to change there router?
>> >
>> > It's not my place, either, to pass comment on what free software you
>> > should
>> > decide to use, I am also none other than a happy end user (with a PPPoE
>> > service on at least one of my pfsense boxes, but with a static IP).
>> >
>> > Doesn't ensuring that you have Gateway monitoring enabled, and then
>> > ensuring that you have, under System --> Advanced --> Miscelleaneous -->
>> > "State Killing on Gateway Failure" enabled provide a workaround
>> > resolution for you? I'm referring to
>> > https://redmine.pfsense.org/issues/3181 which is referenced from #1629.
>> >
>> > Also it's clear that bug #1629 is pushed out to 2.2, although the latest
>> > comment is for it to be addressed, or to push it out to 2.3. It's probably
>> > not good news for you, but it looks like there is a schedule for it to be
>> > fixed just not very quickly.
>> >
>> > Do bear in mind that the original PPP software was designed for
>> > opportunistic on-demand dial-up connections, and isn't perfectly suited
>> > for
>> > running server side applications on the client end. PPPoE & PPPoA built on
>> > this, I guess, to allow ISPs to continue to use their RADIUS
>> > infrastructure
>> > for customers authentication as they moved to broadband / cable based
>> > connections.
>> >
>> >
>> > --
>> > Regards,
>> >
>> > Giles Coochey, CCNP, CCNA, CCNAS
>> > NetSecSpec Ltd
>> > +44 (0) 8444 780677
>> > +44 (0) 7584 634135
>> > http://www.coochey.net
>> > http://www.netsecspec.co.uk
>> > gi...@coochey.net
>> >
>> >
>> >
>> > ___
>> > List mailing list
>> > List@lists.pfsense.org
>> > https://lists.pfsense.org/mailman/listinfo/list
>>
>> ___
>> List mailing list
>> List@lists.pfsense.org
>> https://lists.pfsense.org/mailman/listinfo/list
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Odette Nsaka

Not too much related, but I am.

I'm using a multi-wan connection to different ISP who give me dynamic IP 
address. I set up the Internet connection via a couple of different routers, 
one for each ISP.

The difference in my configuration is that the routers connect to the ISP via 
PPPoA and PF is connected to the routers via regular IP local subnet 
connection (no PPPoE/PPPoA on PF).

This way everything works fine, asterisk on the LAN side of PF too, even when 
one or both of the public IPs are changed.

In case of failure of one (or the other) of the ISP connections, asterisk 
connects with no problem to the VoIP provider, no matter on which is the 
active or preferred gateway.

O.

-- 

On Sept. 26th 2014 15:51:37, Hannes Werner wrote:
> thank you very much Giles, but unfortunately it doesn't help.
> 
> anyone here who is using asterisk behind pfSense on a dynamic IP WAN
> successfully?
> 
> On Fri, Sep 26, 2014 at 2:44 PM, Giles Coochey  wrote:
> > On 26/09/2014 12:42, Hannes Werner wrote:
> >> are you saying that people with dynamic IP shouldn't use pfSense
> >> behind an Asterisk service? I've had asterisk running behind Fritz-Box
> >> for years without any trouble. I've seen the cheapest router being
> >> able to handle this like the speedports. I can't believe pfSense is
> >> unable to do this, but it doesn't matter a clear word would solve the
> >> problem for all the time and you do not have to worry again about this
> >> issue.
> >> 
> >> maybe you guys do better telling those users to change there router?
> > 
> > It's not my place, either, to pass comment on what free software you
> > should
> > decide to use, I am also none other than a happy end user (with a PPPoE
> > service on at least one of my pfsense boxes, but with a static IP).
> > 
> > Doesn't ensuring that you have Gateway monitoring enabled, and then
> > ensuring that you have, under System --> Advanced --> Miscelleaneous -->
> > "State Killing on Gateway Failure" enabled provide a workaround
> > resolution for you? I'm referring to
> > https://redmine.pfsense.org/issues/3181 which is referenced from #1629.
> > 
> > Also it's clear that bug #1629 is pushed out to 2.2, although the latest
> > comment is for it to be addressed, or to push it out to 2.3. It's probably
> > not good news for you, but it looks like there is a schedule for it to be
> > fixed just not very quickly.
> > 
> > Do bear in mind that the original PPP software was designed for
> > opportunistic on-demand dial-up connections, and isn't perfectly suited
> > for
> > running server side applications on the client end. PPPoE & PPPoA built on
> > this, I guess, to allow ISPs to continue to use their RADIUS
> > infrastructure
> > for customers authentication as they moved to broadband / cable based
> > connections.
> > 
> > 
> > --
> > Regards,
> > 
> > Giles Coochey, CCNP, CCNA, CCNAS
> > NetSecSpec Ltd
> > +44 (0) 8444 780677
> > +44 (0) 7584 634135
> > http://www.coochey.net
> > http://www.netsecspec.co.uk
> > gi...@coochey.net
> > 
> > 
> > 
> > ___
> > List mailing list
> > List@lists.pfsense.org
> > https://lists.pfsense.org/mailman/listinfo/list
> 
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Hannes Werner

thank you very much Giles, but unfortunately it doesn't help.

anyone here who is using asterisk behind pfSense on a dynamic IP WAN
successfully?

On Fri, Sep 26, 2014 at 2:44 PM, Giles Coochey  wrote:
> On 26/09/2014 12:42, Hannes Werner wrote:
>>
>> are you saying that people with dynamic IP shouldn't use pfSense
>> behind an Asterisk service? I've had asterisk running behind Fritz-Box
>> for years without any trouble. I've seen the cheapest router being
>> able to handle this like the speedports. I can't believe pfSense is
>> unable to do this, but it doesn't matter a clear word would solve the
>> problem for all the time and you do not have to worry again about this
>> issue.
>>
>> maybe you guys do better telling those users to change there router?
>>
>>
> It's not my place, either, to pass comment on what free software you should
> decide to use, I am also none other than a happy end user (with a PPPoE
> service on at least one of my pfsense boxes, but with a static IP).
>
> Doesn't ensuring that you have Gateway monitoring enabled, and then ensuring
> that you have, under System --> Advanced --> Miscelleaneous --> "State
> Killing on Gateway Failure" enabled provide a workaround resolution for you?
> I'm referring to https://redmine.pfsense.org/issues/3181 which is referenced
> from #1629.
>
> Also it's clear that bug #1629 is pushed out to 2.2, although the latest
> comment is for it to be addressed, or to push it out to 2.3. It's probably
> not good news for you, but it looks like there is a schedule for it to be
> fixed just not very quickly.
>
> Do bear in mind that the original PPP software was designed for
> opportunistic on-demand dial-up connections, and isn't perfectly suited for
> running server side applications on the client end. PPPoE & PPPoA built on
> this, I guess, to allow ISPs to continue to use their RADIUS infrastructure
> for customers authentication as they moved to broadband / cable based
> connections.
>
>
> --
> Regards,
>
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 8444 780677
> +44 (0) 7584 634135
> http://www.coochey.net
> http://www.netsecspec.co.uk
> gi...@coochey.net
>
>
>
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Giles Coochey


On 26/09/2014 12:42, Hannes Werner wrote:

are you saying that people with dynamic IP shouldn't use pfSense
behind an Asterisk service? I've had asterisk running behind Fritz-Box
for years without any trouble. I've seen the cheapest router being
able to handle this like the speedports. I can't believe pfSense is
unable to do this, but it doesn't matter a clear word would solve the
problem for all the time and you do not have to worry again about this
issue.

maybe you guys do better telling those users to change there router?


It's not my place, either, to pass comment on what free software you 
should decide to use, I am also none other than a happy end user (with a 
PPPoE service on at least one of my pfsense boxes, but with a static IP).


Doesn't ensuring that you have Gateway monitoring enabled, and then 
ensuring that you have, under System --> Advanced --> Miscelleaneous --> 
"State Killing on Gateway Failure" enabled provide a workaround 
resolution for you? I'm referring to 
https://redmine.pfsense.org/issues/3181 which is referenced from #1629.


Also it's clear that bug #1629 is pushed out to 2.2, although the latest 
comment is for it to be addressed, or to push it out to 2.3. It's 
probably not good news for you, but it looks like there is a schedule 
for it to be fixed just not very quickly.


Do bear in mind that the original PPP software was designed for 
opportunistic on-demand dial-up connections, and isn't perfectly suited 
for running server side applications on the client end. PPPoE & PPPoA 
built on this, I guess, to allow ISPs to continue to use their RADIUS 
infrastructure for customers authentication as they moved to broadband / 
cable based connections.


--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net




smime.p7s
Description: S/MIME Cryptographic Signature
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall


On 26/9/14 12:42 pm, Hannes Werner wrote:

are you saying that people with dynamic IP shouldn't use pfSense
behind an Asterisk service?


Firstly - it's not my place to say anything of the sort - I have no 
connection to the pfSense team (apart from as a satisfied user). I 
suspect one of the pfSense devs will reply to this thread at an 
appropriate time.


The point I was trying to make is that this is not exclusively a pfSense 
problem. Asterisk (and SIP in general) is far from perfect when behind a 
frequently changing dynamic IP.


Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Hannes Werner

are you saying that people with dynamic IP shouldn't use pfSense
behind an Asterisk service? I've had asterisk running behind Fritz-Box
for years without any trouble. I've seen the cheapest router being
able to handle this like the speedports. I can't believe pfSense is
unable to do this, but it doesn't matter a clear word would solve the
problem for all the time and you do not have to worry again about this
issue.

maybe you guys do better telling those users to change there router?

On Fri, Sep 26, 2014 at 1:33 PM, Chris Bagnall
 wrote:
> On 26/9/14 12:06 pm, Giles Coochey wrote:
>>
>> I can think of many reasons, why running a service such as Asterisk, on
>> an IP address  that you have a temporary lease for (thus only have a
>> passing relationship with, before it is passed to someone else), would
>> be pretty bad practice.
>
>
> I think Giles has put it far better than I did :-)
>
> In short, Asterisk is temperamental with dynamic IPs _in general_, it's not
> necessarily specific to pfSense (though I appreciate this bug report relates
> specifically to pfSense).
>
> I've seen the same symptoms with Asterisk servers behind Draytek routers,
> for example - as with pfSense, it's usually solved with a state table reset.
>
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall


On 26/9/14 12:06 pm, Giles Coochey wrote:

I can think of many reasons, why running a service such as Asterisk, on
an IP address  that you have a temporary lease for (thus only have a
passing relationship with, before it is passed to someone else), would
be pretty bad practice.


I think Giles has put it far better than I did :-)

In short, Asterisk is temperamental with dynamic IPs _in general_, it's 
not necessarily specific to pfSense (though I appreciate this bug report 
relates specifically to pfSense).


I've seen the same symptoms with Asterisk servers behind Draytek 
routers, for example - as with pfSense, it's usually solved with a state 
table reset.


Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Giles Coochey


On 26/09/2014 11:58, Chris Bagnall wrote:


Worth mentioning here that many of us are using Asterisk behind
pfSense without any issue at all.

The triggers for this issue seem to be, specifically:
 - PPPoE WAN interface
 - dynamic WAN IP
 - SIP service provider

We (one of my $dayjobs is a VoIP service provider) have dozens of
clients using Asterisk with PPPoE WAN without any problem, but they're
all using static WAN IPs provided by the ISP(s) in question.

I can think of many reasons, why running a service such as Asterisk, on 
an IP address  that you have a temporary lease for (thus only have a 
passing relationship with, before it is passed to someone else), would 
be pretty bad practice.


The bug itself seems to be a genuine problem, the way the bug is put 
forward doesn't do much for motivating its resolution.


--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.netsecspec.co.uk
giles.cooc...@netsecspec.co.uk



--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net



smime.p7s
Description: S/MIME Cryptographic Signature
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Hannes Werner

I'm sure more people are with dynamic WAN IPs and facing this problem.
The issue #1629 is showing this clearly. If at least there would be a
report saying "we are not going to fix it" than all of those could
decide to use or not to use pfsense.

On Fri, Sep 26, 2014 at 12:58 PM, Chris Bagnall
 wrote:
> On 26/9/14 11:43 am, Hannes Werner wrote:
>>
>> I wonder what the reason for not getting
>> https://redmine.pfsense.org/issues/1629 fixed?
>> Many gave up waiting for this, but it seems there must be a proper
>> reason for it. May I ask what the problem is not being able to use
>> pfSense with Asterisk?
>
>
> Worth mentioning here that many of us are using Asterisk behind pfSense
> without any issue at all.
>
> The triggers for this issue seem to be, specifically:
>  - PPPoE WAN interface
>  - dynamic WAN IP
>  - SIP service provider
>
> We (one of my $dayjobs is a VoIP service provider) have dozens of clients
> using Asterisk with PPPoE WAN without any problem, but they're all using
> static WAN IPs provided by the ISP(s) in question.
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
> ___
> List mailing list
> List@lists.pfsense.org
> https://lists.pfsense.org/mailman/listinfo/list
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall


On 26/9/14 11:43 am, Hannes Werner wrote:

I wonder what the reason for not getting
https://redmine.pfsense.org/issues/1629 fixed?
Many gave up waiting for this, but it seems there must be a proper
reason for it. May I ask what the problem is not being able to use
pfSense with Asterisk?


Worth mentioning here that many of us are using Asterisk behind pfSense 
without any issue at all.


The triggers for this issue seem to be, specifically:
 - PPPoE WAN interface
 - dynamic WAN IP
 - SIP service provider

We (one of my $dayjobs is a VoIP service provider) have dozens of 
clients using Asterisk with PPPoE WAN without any problem, but they're 
all using static WAN IPs provided by the ISP(s) in question.


Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Hannes Werner

Hello,

I wonder what the reason for not getting
https://redmine.pfsense.org/issues/1629 fixed?

Many gave up waiting for this, but it seems there must be a proper
reason for it. May I ask what the problem is not being able to use
pfSense with Asterisk?

Regards
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

Re: [pfSense] States Issue with Asterisk behind pfSense

[pfSense] States Issue with Asterisk behind pfSense

19 matches

Site Navigation

Mail list logo

Footer information