Re: [pfSense Support] openvpn: client side uses address pool ip rather than subnet ip
On Thu, Jan 20, 2011 at 4:09 PM, mayak-cq ma...@australsat.com wrote: My Lord, You're a genius! Nuking the the interface declaration solves it!! Intermediate solution yes, but a solution nonetheless! Amen! Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: HA: Re: HA: Re: [pfSense Support] 2.0 - don't work Ipsec!
On Wed, Dec 15, 2010 at 12:11 PM, Moshe Katz mo...@ymkatz.net wrote: And the other side of the coin: http://bsd.slashdot.org/story/10/12/15/1524202/BSD-Coder-Denies-Adding-FBI-Backdoor Moshe Here is more information on this situation. http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html pfSense will match DES's offer for anyone that can prove that this backdoor exists. Otherwise our official stance on the issue is that it's a bit preposterous at best. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Snapshot Build Logs
On Wed, Dec 15, 2010 at 2:33 PM, Yehuda Katz yeh...@ymkatz.net wrote: Is there a reason the i386 build log uses EST and the AMD64 log uses UTC? - Yehuda Is there a reason? No. I just fixed it, however. In this day and age a lot of us have gotten used to GMT and didn't even think twice about it. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] SSD partition alignment in 2.0
On Sat, Aug 7, 2010 at 1:07 PM, David Burgess apt@gmail.com wrote: Is the 2.0 installer aware of 4k sector discs, and does it align its partitions accordingly? I realize better SSD controllers have minimized the effects of partition boundary misalignment, but I still prefer to introduce as little entropy as possible. Call me teutonic. That is a good question. The 2.0 installer uses pc-sysinstaller which I am not entirely sure if it takes into account this or not. However I am looking at adding this utility to the pc-sysinstaller which might help out here: http://lulf.geeknest.org/blog/freebsd/Using_4k_sector_drives/ Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] SSD partition alignment in 2.0
On Mon, Aug 16, 2010 at 2:03 PM, Scott Ullrich sullr...@gmail.com wrote: That is a good question. The 2.0 installer uses pc-sysinstaller which I am not entirely sure if it takes into account this or not. Sorry, I meant 2.1 here, not 2.0. However I am looking at adding this utility to the pc-sysinstaller which might help out here: http://lulf.geeknest.org/blog/freebsd/Using_4k_sector_drives/ Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] no packages for 2.0
On Mon, Apr 19, 2010 at 3:31 PM, David Burgess apt@gmail.com wrote: On Mon, Apr 19, 2010 at 1:29 PM, Jim Pingle li...@pingle.org wrote: It's probably looking for a package file that doesn't exist. Did this ever work before? It's the first time I've tried PFS on 64-bit. I'm not sure if there are any 64-bit packages setup in the repo yet. That's possible, and unfortunate. That is correct, I have not finished adding all of the 64 bit packages and there are still a few math bugs in the base pfSense system when using amd64 versions of pfSense. Scott
Re: [pfSense Support] 1.2.3: dnsmasq and mac os x 10.6 snow leopard
On Mon, Mar 1, 2010 at 2:38 AM, Aarno Aukia aarnoau...@gmail.com wrote: Hello, I just found out my new mac os x 10.6 snow leopard machine seems to have problems with DNS TTL 0, dnsmasqs default TTL for local entries (http://www.mac-forums.com/forums/os-x-operating-system/164649-snow-leopard-keeps-dropping-dns.html#post912124). Adding --local-ttl 1 to the dnsmasq $args in /etc/inc/services.inc (around line 634 on this 1.2.3-rc3 nanobsd) seems to work out the issues, although I'll keep testing it for some more time... That does not make any sense to me. I have quite a number of Macs and do not see this issue. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1.2 to 1.2.3 upgrade
On Fri, Feb 19, 2010 at 10:01 AM, lloyd.aloys...@sunteltech.ca wrote: Please call me 416 479 0606 Pardon us but who is supposed to call you? Scott
Re: [pfSense Support] How to forward protocol 41
On Thu, Feb 11, 2010 at 8:37 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote: I'd argue that it is the role of the user to advocate for desired features, regardless of what price was paid for the software. The fact that IPv6 support doesn't seem to be finished yet is an issue that gains significance every day. While it could probably have been phrased in more polite way, and possibly with more research behind it, With these requirements a majority of the open source projects would never have releases. Almost everyone that contributes to the project are volunteers. There is no way we can dictate how a volunteer spends their time. This goes for pfSense and a lot of open source projects. Heck even a recent study showed that a majority of Linux kernrel commits are now sponsored in some fashion by companies. I am not arguing that open source is commercialized I am trying to emphasize that it is a scratch your itch type of deal. Either you get paid for XYZ company to do their work or you are scratching an itch somewhere that you feel the need. There are very few people that just come along and say your user base demands are my priority. Most of the cutting edge features in pfSense have come from a developer scratching an itch or a commercial support customer sponsoring the development time. I do understand the sentiment, though. I too would like to see more resources go towards completing IPv6 support in PFSense. I am relieved to see and hear that efforts are being made to address real IPv6 support, but the day when it is done cannot come soon enough. See above. I have native IPv6 transport today to all of my facilities. The time of 'IPv6 is coming' has passed; we have moved into 'IPv6 to the last mile provider and consumer is coming', and with Comcast starting last mile IPv6 betas, it's looking like we're talking about sooner, rather than later. That's pretty cutting edge in terms of American internet and you are lightyears ahead of us. Last I heard Youtube just came online and a huge spike of traffic was seen on the IPV6 backbone in America. That goes to show how little IPV6 is used overall in the USA still. It's unfortunate but it's the truth in the USA. I would love to have native IPV6 connectivity from my local carrier and I applaud comcast for taking that important first step in terms of cable modem subscribers. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] OpenBGPd package on 1.2.3-release
On Fri, Jan 29, 2010 at 11:03 AM, Aarno Aukia aarnoau...@gmail.com wrote: Thanks for committing, Committed. Thanks for submitting. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] OpenBGPd package on 1.2.3-release
On Thu, Jan 28, 2010 at 10:57 AM, Aarno Aukia aarnoau...@gmail.com wrote: Hello, bgpd is started twice when booting on 1.2.3-release with the newest package. I suspect once from /usr/local/pkg/openbgpd.inc and once from /usr/local/etc/rc.d/bgpd.sh ? When commenting out the exec(bgpd) in /usr/local/pkg/openbgpd.inc it is only started once. Should the check is_openbgpd_running() also be added to /usr/local/etc/rc.d/bgpd.sh or is there a more favorable way ? Sounds reasonable. In addition I discovered support for tcp-md5sig, which only works for openbgpd-configurations made with the assisstant. I'll try to hack something up for parsing the raw config and generating a bgpdsetkey.conf. Any suggestions there ? No suggestions at the moment but I would appreciate anything you can send over in form of patches. Have been super busy lately and not enough time to go around unfortunately. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Sat, Jan 9, 2010 at 5:39 PM, Chris Buechler cbuech...@gmail.com wrote: Yes but: http://forum.pfsense.org/index.php/topic,21606.0.html That and the fact that our snapshot server is up and down (currently DOWN) due to bad hardware. It will be swapped out in the next coming days. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] which image?
On Tue, Jan 5, 2010 at 11:02 AM, David Newman dnew...@networktest.com wrote: Greetings. I'd welcome recommendations for which pfSense image to install on this system, which currently runs OpenBSD: Nexcom 1563 VIA 667-MHz CPU 512 Mbytes RAM 512-Mbyte disk-on-chip (not CF) storage 3 x 100Base-T Ethernet OpenBSD sees the DOC storage as a regular IDE drive. For pfSense, I *think* I want the 512-Mbyte embedded image, but am unsure about what changes, if any, the installation requires. (The docs for installing/upgrading the embedded images seem oriented toward CF cards and I don't know if installing to them differs from disks.) It depends on if you have VGA or not. If you have VGA you will want the Full Installation ISO. If not then you will want the NanoBSD image. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] Watch Chris and myself on FLOSS Weekly Live at 4:30 PM EDT
http://live.twit.tv Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Virtual IP ProxyARP vs. CARP
On Wed, Dec 16, 2009 at 7:14 PM, Trevor Benson tben...@a-1networks.com wrote: I noticed that when creating a CARP virtual that it requires it to be attached to an interface with the same network. However when creating a proxy arp, it does not have this requirement. Wouldn't it be logical to allow them to have the same validation check? I am currently using proxy arp virtuals on a pair of failover pfSense 1.2.3 systems, so if firewall A fails I will need to manually create the Proxy ARP's on B. I know i can download the config.xml and modify the entries to perform as expected, and will once i get a chance to test it outside of business hours, however if Proxy ARP is allowed, I do not see the reason to deny this from CARP. It is more of a kernel limitation than anything. CARP will panic (or at least used to prior to FreeBSD 7.2) under many circumstances so we have to have more input validation. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] NanoBSD on WRAP
On Sun, Dec 13, 2009 at 7:49 PM, Ugo Bellavance u...@lubik.ca wrote: Hi, http://doc.pfsense.org/index.php/NanoBSD_on_WRAP Has someone done the first step what would be kind enough to put the resulting image available for download? I worked a few hours on this before discovering that article, and I don't have much time to setup a separate freebsd/pfsense box to do the changes. If we where to do this then nobody would read the page and they would then complain later down the road when they finally learn the limitations of the image. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Disable plugin via ssh
On Mon, Dec 14, 2009 at 4:07 PM, Glenn Kelley gl...@typo3usa.com wrote: We have a plugin that is acting up quite a bit suddenly (snort) on reboot the system works for a few minutes - but then nothing We cannot gain access to the web interface @ all. Does anyone know how to disable a plugin via ssh ? We get ssh access for about 4 minutes on a reboot - then it appears memory is gone :-( box has 3GB of ram SSH into the box. Option #8 for shell, then run: rm /usr/local/etc/rc.d/snort* shutdown -r now Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] OpenBGPD status page
On Fri, Dec 11, 2009 at 7:26 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote: I know it is cosmetic but it is easy to fix, please do it. 1) Status has two OpenBGPD Routing sections, one of them should be renamed to Forwarding as it shows fib not rib. 2) OpenBGPD IP section returns error missing argument: valid commands/args: bgp it happens because not there is not bgpctl show ip command, we have to use bgpctl show ip bgp Fix for both issues: --- openbgpd_status.php.20091211.bak 2009-12-10 11:26:10.0 -0500 +++ openbgpd_status.php 2009-12-11 19:20:28.83700 -0500 @@ -140,10 +140,10 @@ defCmdT(OpenBGPD Summary,bgpctl show summary); defCmdT(OpenBGPD Interfaces,bgpctl show interfaces); defCmdT(OpenBGPD Routing,bgpctl show rib); -defCmdT(OpenBGPD Routing,bgpctl show fib); +defCmdT(OpenBGPD Forwarding,bgpctl show fib); defCmdT(OpenBGPD Network,bgpctl show network); defCmdT(OpenBGPD Nexthops,bgpctl show nexthop); -defCmdT(OpenBGPD IP,bgpctl show ip); +defCmdT(OpenBGPD IP,bgpctl show ip bgp); defCmdT(OpenBGPD Neighbors,bgpctl show neighbor); ? Thanks, all of the submissions have been committed. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] pfSense 1.2.3 release now available!
On Fri, Dec 11, 2009 at 1:22 PM, Oliver Hansen oliver.han...@gmail.com wrote: Sorry if I'm missing it somewhere but is there a changelog between 1.2.3-RC3 and 1.2.3-RELEASE? The notes in the blog post seem to reference anything that changed since 1.2.2. Complete list of changes is here: https://rcs.pfsense.org/projects/pfsense/repos/mainline/logs/RELENG_1_2 Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On Thu, Dec 10, 2009 at 1:21 PM, RB aoz@gmail.com wrote: On Thu, Dec 10, 2009 at 10:29, Tim Dressel tjdres...@gmail.com wrote: For me the issue was exactly like you are describing. Can connect and everything appears OK, but just zero traffic flow. Nothing useful in logs. Then all of a sudden it would start passing traffic, but then get sketchy and eventually stop again. Something like a simple ping from LAN to WAN would fail 20% of the time,,, but ping of the interfaces was always fine. I moved to the GT giganics and all my pfsense boxen are bullet proof. Tom's explanation is plausible, even probable - thanks Tom! For me there is no traffic flow at all, return traffic is just being silently dropped between fxp3 and ng0. Unfortunately, I can't change to GbE NICs, or I would; this particular system is embedded in the sense that it's a repurposed appliance with no external PCI slots, so it has what it has. I'll try turning off ToE in a few hours and report the results. If all goes well, I'd hope the 1.2.3 final version picks up the noted stable/7 change. Sorry, but we have missed the boat on that. Release announcement is forthcoming. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1.2.3-RC3 PPPoE
On Thu, Dec 10, 2009 at 6:54 PM, RB aoz@gmail.com wrote: Well, for posterity's sake then: if you have trouble in pfSense/FreeBSD with traffic not passing through an Intel 10/100 NIC (fxp), particularly when return/inbound packets aren't showing up in mpd or another user-level program, turn off TCP Offload. For that matter, any troubleshooting wierd with inexplicably lost traffic should involve explicitly turning off ToE. We will make note of it in the release notes, thanks Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Issue upgrading from 1.2.3-RC3 to RELEASE
On Thu, Dec 10, 2009 at 7:04 PM, mitch mitche...@gmail.com wrote: Same error I'm afraid, status at top says something went wrong updating the fstab entry, Log still reports same error message. Please see my response here: http://forum.pfsense.org/index.php/topic,20347.msg108712.html#msg108712 In a nutshell, NanoBSD had many many changes up until a month or two ago. You will need to reflash. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Issue upgrading from 1.2.3-RC3 to RELEASE
On Thu, Dec 10, 2009 at 7:12 PM, Chris Buechler cbuech...@gmail.com wrote: I don't believe there were any changes between RC3 and release though? It's been a while since the image size changed. Yes, there where a couple NanoBSD fixes. One in particular was on Thu Sep 10 18:50:55 2009 -0400 Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Re: PFsense + Load Balance + Squid
On Fri, Dec 4, 2009 at 3:58 PM, Rafael Cristian rcristia...@gmail.com wrote: Thank you. But is version 2.0 now is available Yes, but it is alpha-alpha (soon to be alpha): http://snapshots.pfsense.org/ Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFSense advocacy
On Wed, Dec 2, 2009 at 4:26 PM, Ron García-Vidal r...@millburncorp.com wrote: I realize this is a support forum, so if there is a better place to post this, I will take it there. So, I'm trying to get a pfsense box in the shop because I've enjoyed working with it on my own setup. The boss is fairly open-minded and open to a healthy discussion on the topic, but in the end, he wants to know why this would be preferable to a Cisco solution. Since I've never worked extensively with Cisco, can someone give me a few salient points to throw at him. I already used the cost argument, he wants more. Commercial support should help put Boss's worries at bay: https://portal.pfsense.org/ Between this, the mailing list and forum you are covered. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Migrate from Embedded
On Tue, Nov 24, 2009 at 6:59 PM, Joseph L. Casale jcas...@activenetwerx.com wrote: I have a machine that was setup as embedded but now we need packages functional so I need to migrate it to install based. Given it's the very same server, can I simply restore the xml config from the embedded install w/o issue? Extremely short answer: Yep. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Sat, Nov 21, 2009 at 6:12 AM, Lenny five2one.le...@gmail.com wrote: Scott, Does it have to be 1.2.3? Because I have 1.2.2 installed right now. Should I upgrade before that? yes, we are moving on to 1.2.3 shortly and 1.2.2 is fading into the sunset. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Thu, Nov 19, 2009 at 2:27 AM, Lenny five2one.le...@gmail.com wrote: # iperf -c 2.2.2.11 -t 1200 -i 10 -w 75000 Client connecting to 2.2.2.11, TCP port 5001 TCP window size: 73.5 KByte (WARNING: requested 73.2 KByte) [ 3] local 1.1.1.1 port 14852 connected with 2.2.2.11 port 5001 [ ID] Interval Transfer Bandwidth [ 3] 0.0-10.0 sec746 MBytes626 Mbits/sec [ ID] Interval Transfer Bandwidth [ 3] 10.0-20.0 sec762 MBytes639 Mbits/sec [ ID] Interval Transfer Bandwidth [ 3] 20.0-30.0 sec765 MBytes642 Mbits/sec [ ID] Interval Transfer Bandwidth [ 3] 30.0-40.0 sec776 MBytes651 Mbits/sec [ ID] Interval Transfer Bandwidth [ 3] 40.0-50.0 sec772 MBytes648 Mbits/sec [ ID] Interval Transfer Bandwidth [ 3] 50.0-60.0 sec776 MBytes651 Mbits/sec [ ID] Interval Transfer Bandwidth [ 3] 60.0-70.0 sec768 MBytes644 Mbits/sec I found my old results of iperf and this was the command I executed: iperf -c server-ip -t 60 -M 500 I always got 300-400Mb/s, even with firewall off. And I could never get more than 85kpps. Unfortunately, I can't run these tests now, as the server is in production. Thanks, Lenny. Would you like to test a kernel with the Yandex driver? 1.2.3-* does not have the yandex driver included. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Thu, Nov 19, 2009 at 12:07 PM, Lenny five2one.le...@gmail.com wrote: I sure would. Thanks. OK, give me a bit to get it ready. Should be back to you in a couple hours. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Thu, Nov 19, 2009 at 12:35 PM, Scott Ullrich sullr...@gmail.com wrote: OK, give me a bit to get it ready. Should be back to you in a couple hours. Lenny, First of all make sure you backup your configuration and have installation media handy (just in case). Run this from a shell (option 8): fetch -o /boot/kernel/ http://cvs.pfsense.org/~sullrich/7-yandex/kernel.gz Then reboot the firewall and let me know how it goes. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] where is the support? is bank holiday in usa?
On Thu, Nov 12, 2009 at 6:08 PM, luismi asturlui...@gmail.com wrote: As far as I see right now in the web: live support is offline Looks online here: https://portal.pfsense.org/ Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFI w/ floppy
On Thu, Nov 12, 2009 at 7:34 PM, Joseph L. Casale jcas...@activenetwerx.com wrote: Does the PFI work with a floppy? I tried it, but saw a read error for the floppy but I am sure there is nothing wrong with the floppy, is it just not supported? It should work if it is formatted as MS-DOS. Or at least it did previously. Flash drive is a better solution if you can swing it. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] varnish proxy in pfsense?
On Wed, Nov 11, 2009 at 9:57 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote: I'd be very interested if there was a project to add varnish reverse proxy to pfsense. It claims to be both linux and freebsd compatible. http://varnish.projects.linpro.no/ One could of course hack it in manually but having it as even the simplest package would be nice. Two problems with that (I am a varnish user @ work). 1. It requires a 64 bit OS (pfSense is 32 bit currently) 2. It requires a compiler (CC, Make, etc). The compiler bit could be handled with FreeBSD ports but the 64 bit part is a sticking point ATM. But I agree, varnish is the goods and it would be nice to see it in packages one day. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] varnish proxy in pfsense?
On Wed, Nov 11, 2009 at 10:21 AM, Rainer Duffner rai...@ultra-secure.de wrote: varnish also works in 32bit FreeBSD. At least for test-purposes, it did for me. You have to limit the amount of RAM it grabs, though, or it will crash immediately. Even with enough memory it can cause a deadlock on FreeBSD... been there, done that.. Not fun. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Tue, Nov 10, 2009 at 1:50 AM, Lenny five2one.le...@gmail.com wrote: At second thought, to get rid of the errors I told you about, I did 2 things: added this to /boot/loader.conf: hw.em.rxd=4096 hw.em.txd=4096 and added to /etc/sysctl.conf: dev.em.0.rx_processing_limit=1000 dev.em.1.rx_processing_limit=1000 plus, I changed net.inet.ip.intr_queue_maxlen=4096 and added kern.ipc.somaxconn=1024 These were the changes I did outside of the WebGUI. So should I still increase the dev.em.X.rx_processing_limit value? Yes, give that a try. My kernel that I have here increased em.txd and em.txr but I was unaware they where able to be set since they are hard coded in the driver? Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Tue, Nov 10, 2009 at 1:50 AM, Lenny five2one.le...@gmail.com wrote: Lenny wrote: Scott Ullrich wrote: On Mon, Nov 9, 2009 at 3:45 PM, Scott Ullrich sullr...@gmail.com wrote: Contact me off list. I have a kernel I need you to test. In the meantime, please try increasing these sysctl's: pfSense:~# sysctl -a | grep rx_processing_limit dev.em.0.rx_processing_limit: 100 dev.em.1.rx_processing_limit: 100 dev.em.2.rx_processing_limit: 100 dev.em.3.rx_processing_limit: 100 Try increasing each to 256, then 512, 1024, 2048, etc. If these do not help contact me for a new kernel. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org Hi Scott, Actually, I have them set on a 1000 for quite a while now. Before I did that I had errors on interfaces. Do you still want me to increase to 2048 and more? Thanks, Lenny. At second thought, to get rid of the errors I told you about, I did 2 things: added this to /boot/loader.conf: hw.em.rxd=4096 hw.em.txd=4096 and added to /etc/sysctl.conf: dev.em.0.rx_processing_limit=1000 dev.em.1.rx_processing_limit=1000 plus, I changed net.inet.ip.intr_queue_maxlen=4096 and added kern.ipc.somaxconn=1024 These were the changes I did outside of the WebGUI. So should I still increase the dev.em.X.rx_processing_limit value? Also let me know what this sysctl is showing: net.inet.ip.intr_queue_drops If it shows 0 then you might want to increase net.inet.ip.intr_queue_maxlen Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Mon, Nov 9, 2009 at 12:41 AM, Lenny five2one.le...@gmail.com wrote: Now I'm totally lost:( I had this long thread this year on this issue here and eventually the only thing the guys could advise me is to buy a newer server. I did. And while I do see an improvement in performance (it's about twice it was before) I'm still nowhere near what you have. I realize that your traffic is lab UDP and mine is production TCP, so let's say you'd get half of that in production, but then still - you're only on 54% CPU. By the way, how come your second NIC is only loading the CPU 4%? Shouldn't it be pretty much like the first one? It's what I have. I'm ready to show you my config/diagrams/whatever, but I need this issue resolved. Please? Contact me off list. I have a kernel I need you to test. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] throughput, haproxy
On Mon, Nov 9, 2009 at 3:45 PM, Scott Ullrich sullr...@gmail.com wrote: Contact me off list. I have a kernel I need you to test. In the meantime, please try increasing these sysctl's: pfSense:~# sysctl -a | grep rx_processing_limit dev.em.0.rx_processing_limit: 100 dev.em.1.rx_processing_limit: 100 dev.em.2.rx_processing_limit: 100 dev.em.3.rx_processing_limit: 100 Try increasing each to 256, then 512, 1024, 2048, etc. If these do not help contact me for a new kernel. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] snort issue w/ memory
On Sat, Nov 7, 2009 at 9:53 PM, Glenn Kelley gl...@typo3usa.com wrote: No such luck Scott - if it helps - you guys had us (via paid support) upgrade to the rc version due to BGP implementation Thanks, I will forward this to the snort maintainer. Maybe he can help. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] snort issue w/ memory
On Sat, Nov 7, 2009 at 9:53 PM, Glenn Kelley gl...@typo3usa.com wrote: No such luck Scott - if it helps - you guys had us (via paid support) upgrade to the rc version due to BGP implementation BTW: did the error message change after reinstalling the package with my changes? Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] snort issue w/ memory
On Sun, Nov 8, 2009 at 5:39 PM, Glenn Kelley gl...@typo3usa.com wrote: Any clue how to remove an ip that is blocked w/o having the gui ? We uninstalled but still have some IP's blocked - Reinstalled - same thing Try /usr/local/sbin/expiretable -v -t 1 virusprot Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] snort issue w/ memory
On Fri, Nov 6, 2009 at 10:57 PM, Glenn Kelley gl...@typo3usa.com wrote: Grace and Peace Friends: In Snort we are seeing the following: Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 74957108 bytes) in /usr/local/pkg/snort.inc on line 1488 When we attempt to see if there are any ip addresses being blocked. This is a bit annoying - any suggestions? This should be resolved. Reinstall your package 15 minutes after this message (1:05PM EDT Saturday). Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] why delete captive portal accts on expiry?
On Fri, Oct 9, 2009 at 1:23 PM, Pete Boyd petes-li...@thegoldenear.org wrote: Why are captive portal accounts automatically deleted when they expire? To my mind, it would be more useful if they were left in place, but expired, so that to re-enable them for the admin person was an easy task of just choosing a new expiry date. As it is, when we have a subscriber pay again for their Internet access, rather than just paying remotely and telephoning in that they've done so, the whole captive portal account has to be re-created which can potentially be time consuming communicating username and password effectively. Inherited from m0n0wall, I suspect. Start a bounty on the Forum if you would like to see it changed in a future version or submit patches. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Re: Static routes
On Thu, Oct 8, 2009 at 11:13 AM, Aarno Aukia aarnoau...@gmail.com wrote:
Replying to myself, sorry.
On Thu, Oct 8, 2009 at 16:21, Aarno Aukia aarnoau...@gmail.com wrote:
I would propose to compare the old {$g['vardb_path']}/routes.db to
the current set of configured static routes and route delete the
superfluous routes. Any comments/objections ?
On a closer look, all previous static routes are removed if they are
found in the current routing table. Altough I could rewrite that to
use route get, why not try to remove all previous routes and
ignoring failure to do so to achieve the same effect ?
-Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
You are probably the first person to run into this, that is why.We
will happily accept patches for this considering its a bug for 1.2.3.
However we also need to fix it in 2.0.
Scott
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:24 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but accoring to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100. Evgeny. I would lean toward hardware. We regularly push 20 megabit out one of my CARP clusters and I do not see this behavior. If something is preempting the network stack (CARP) from sending its Heartbeats than it's doing what it is designed to do. Probably not what you want to hear but I would look at the hardware closer, interrupts, etc. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 11:42 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Thanks I will. 20 Mbit/s is nothing though... I agree but you failed to mention how much traffic you are pushing. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Thu, Oct 8, 2009 at 12:51 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Yes, sorry. It was about 100Mb/s During heavy load what does this sysctl show? sysctl net.inet.ip.intr_queue_drops Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Block rule creates syntax error
On Thu, Oct 8, 2009 at 6:58 PM, Joseph L. Casale jcas...@activenetwerx.com wrote: I all of a sudden am getting syntax errors in the logs which I don't recall seeing before with respect to a few generic block rules I have on an opt interface. Action: Reject Interface: OPT2 Protocol: Any Source: Any Destination: LAN Subnet I use this to block anything destined to the LAN interface? Is this not the right way to do this? Please switch to raw logs and show us the entry text and syntax error from the alert. Sanitize before-hand if you want. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Strange DNS problem
On Thu, Oct 8, 2009 at 9:00 PM, Philippe LeCavalier supp...@plecavalier.com wrote: Hi Everyone, As of late, pfsense somehow maps dns entries intended for remote hosts to my local samba server. When I try to SSH to a clients network I'm logged into my office file server. I'm not sure what else to write here so if you think you can help me just ask questions. Please supply more details. This is not really a lot of information to start from. Scott
Re: [pfSense Support] Problem with apinger
On Tue, Oct 6, 2009 at 9:41 AM, Matthias Niggemeier m...@thias.de wrote: Any news on this topic? It takes 2-12 hours for my load balancer pools to go offline; unfortunately I cannot go back to 1.2.2 since some VoIP connections do not work with 1.2.2. Is there a URL that can be geted regularly to restart apinger? Try a recent snapshot where this should be fixed. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] pfSense and SpamD
On Tue, Oct 6, 2009 at 1:32 PM, Fabian Abplanalp fabian.abplan...@bug.ch wrote: Is this in any way changeable? If it's a configfile or so... Unfortunately it is not. I will look into what is required to change once I catch up on a few other outstanding projects. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] pfSense and SpamD
On Mon, Oct 5, 2009 at 7:16 AM, Fabian Abplanalp fabian.abplan...@bug.ch wrote: Hi I'm trying to setup pfSense with SpamD (Greylisting and tarpit). In the first setup with the real Mailserver behind the NAT it works perfectly, but if I setup the forwarding to a server with a public IP no mails are forwarded. Are there any limitations? Yeah, I don't think that will work. It's designed to forward to mail exchangers behind the firewall. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Pfsense 1.2.3 alix 2d13 IDE disk installation problem
On Mon, Oct 5, 2009 at 11:19 AM, ozan ucar m...@ozanucar.com wrote: to abandon. Install pfsense embedded image on 4 GB CF disk, how to i resize image. I search script for 4 GB resize image , can you send me CF disk resize ( 4 GB ) script ? http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/pfSense-1.2.3-4g-20091005-1043-nanobsd.img.gz Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] One check-box is missing in Rules-Edit-Advanced of 1.2.3-RC3 snapshot
On Wed, Sep 30, 2009 at 5:21 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote: May I send you screenshot? It will not do any good. I just downloaded 1.2.2 from: ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates/pfSense-Full-Update-1.2.2.tgz [su:~/Desktop/pfSense-Full-Update-1.2.2] sullrich% cd usr/local/www/ [su:usr/local/www] sullrich% cat firewall_rules_edit.php | grep allowopts [su:usr/local/www] sullrich% That option is not in there. You must have mixed and matched code from 2.0 when you where testing something. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] One check-box is missing in Rules-Edit-Advanced of 1.2.3-RC3 snapshot
On Wed, Sep 30, 2009 at 5:27 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
Well, I am sorry for confusion... but could you please confirm that this is
from 2.0 filter.inc, starting at line 1961:
if ($type == pass) {
if (isset($rule['allowopts']))
$aline['allowopts'] = allow-opts ;
if( isset($rule['source-track']) or
isset($rule['max-src-nodes']) or isset($rule['max-src-states']) )
if($rule['protocol'] == tcp)
$aline['flags'] = flags S/SA
;
No, I see:
$cron_item = array();
PS: I must stop playing with pfSense -(((
Why do you say that?
Scott
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1.2.3-RC2 IPSec SPD is not updated if you disable IPSec tunnel
On Fri, Sep 25, 2009 at 10:39 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
Hi all!
probably it is fixed in the latest snapshots but in 1.2.3-RC2 built on Mon
Aug 31 06:09:28 UTC 2009 it is a problem.
If you disable IPSec tunnel SPD entries for this tunnel are not removed.
I was struck by this problem because I use IPSec tunnels automatically
brought up when primary dedicated links between sites fail/come back up. So
when primary link comes up and the tunnel is disabled by my script SPD
entries are still in place, so no traffic goes over primary link.
I fixed this by
# diff -ru vpn.inc.20090925.bak vpn.inc
--- vpn.inc.20090925.bak 2009-09-25 10:30:24.0 -0400
+++ vpn.inc 2009-09-25 10:31:49.0 -0400
@@ -1258,7 +1258,7 @@
$spdconf = ;
/* Delete old SPD policies if there are changes between the old and
new */
- if(($tunnel != $oldtunnel) (is_ipaddr($oldgw))) {
+ if(($tunnel != $oldtunnel) (is_ipaddr($oldgw)) ||
$tunnel['disabled']) {
$spdconf .= spddelete {$oldsa}/{$oldsn} .
{$oldtunnel['remote-subnet']} any -P out ipsec .
{$oldtunnel['p2']['protocol']}/tunnel/{$oldep}- .
@@ -1278,7 +1278,7 @@
}
}
}
-
+if (!$tunnel['disabled']){
/* Create new SPD entries for the new configuration */
/* zap any existing SA entries beforehand */
foreach($sad_arr as $sad) {
@@ -1298,7 +1298,7 @@
{$sa}/{$sn} any -P in ipsec .
{$tunnel['p2']['protocol']}/tunnel/{$rgip}- .
{$ep}/unique;\n;
-
+}
log_error(Reloading IPsec tunnel '{$tunnel['descr']}'. Previous IP
'{$oldgw}', current IP '{$rgip}'. Reloading policy);
$now = time();
It is not a problem in 1.2-RELEASE
Thanks, Commited!
Scott
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] interesting traffic is not encapsulated
On Tue, Sep 22, 2009 at 12:32 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote: I know it looks stupid, but... 1.2.3-RC1 LAN=10.29.1.19/24 WAN(PPPoE)=x.x.x.106 remote LAN=10.29.11.1/24 remote WAN=x.x.x.225 Tunnel is up. When I do from pfSense itself ping -S 10.29.1.19 10.29.11.1 everything goes well, ESP packets and ping reply. When I do ping 10.29.11.1 from 10.29.1.34 connected to LAN traffic goes NATed out of WAN: 18:51:33.862273 IP x.x.x.106 10.29.11.1: ICMP echo request, id 22499, seq 57389, length 40 10.29.1.0/24[any] 10.29.1.19[any] any in none spid=45 seq=3 pid=4536 refcnt=1 10.29.11.0/24[any] 10.29.1.0/24[any] any in ipsec esp/tunnel/x.x.x.225-x.x.x.106/unique#16418 spid=48 seq=2 pid=4536 refcnt=1 10.29.1.19[any] 10.29.1.0/24[any] any out none spid=46 seq=1 pid=4536 refcnt=1 10.29.1.0/24[any] 10.29.11.0/24[any] any out ipsec esp/tunnel/x.x.x.106-x.x.x.225/unique#16417 spid=47 seq=0 pid=4536 refcnt=1 Pleeease any hint -( - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org That is normal. Traffic on the firewall itself prefers the system routing table. Clients behind the firewall will prefer the IPSEC tunnel. Pretty sure that is documented somewhere on the doc site. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] interesting traffic is not encapsulated
On Tue, Sep 22, 2009 at 12:39 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote: So, it is impossible to use IPSec with PPPoE on WAN? Eugene That would be news to me. It should work fine. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] interesting traffic is not encapsulated
On Tue, Sep 22, 2009 at 12:46 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote: Then sorry Scott, I do not understand your statement: Traffic on the firewall itself prefers the system routing table. Clients behind the firewall will prefer the IPSEC tunnel. In my case traffic initiated on the firewall itself goes over the tunnel, client behind firewall goes over normal routing table/nat while it must go over the tunnel. And I've almost broken my head trying to understand why. Sorry, I meant when you are pinging from the firewall itself. Double check your subnet information. This should work and I know folks running IPSEC on PPPoE hosts. If you continue to have problems we need more information such as the IPSEC SPD/SAD entries. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Quad NIC's?
On Tue, Sep 22, 2009 at 8:26 PM, Luke Jaeger ad...@pvpa.org wrote: Hello, Are there any known issues with quad NIC cards on a pfSense box? I'm looking at a Proliant DL360 G3 with an Intel Pro 1000 GT Quad Port adapter http://www.intel.com/products/server/adapters/pro1000gt-quadport/pro1000gt-quadport-overview.htm Should work well. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Is pfsense.org down?
On Sat, Sep 19, 2009 at 2:58 PM, Jostein Elvaker Haande jehaa...@gmail.com wrote: http://downforeveryoneorjustme.com/pfsense.org Sorry folks. Our datacenter had a power blip and our UPS battery has died. One of our switches did not reset correctly after the blip. We have moved one of our firewalls and all the switches to Liebert battery backed power so hopefully will not be an issue again. However we still need a UPS battery (replacement) if anyone has a spare email me sullr...@gmail.com Thanks Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Crazy Session State requirement
On Fri, Sep 18, 2009 at 1:26 PM, Ermal Luçi ermal.l...@gmail.com wrote: Activate sticky option on 1.2.3-RC* installations. http://snapshots.pfsense.org has the RC3 file. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: SV: [pfSense Support] Running out of memory
On Wed, Sep 16, 2009 at 11:42 AM, Oliver Hansen oliver.han...@gmail.com wrote: a_subscribti...@fiberby.dk wrote: That immediately reduced the memory use from 50% -22% But as you state, it doesn't solve the underlying problem. Thanks, I just committed a change to prevent this from being a problem. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Help with physdiskwrite
On Wed, Sep 2, 2009 at 2:46 PM, Victor Padrovpa...@gmail.com wrote: Hello everyone! I wonder if someone could send me the physdiskwrite EXE, because I can't access to the m0n0.ch website, I don't know if it's down or what is wrong with it, and I am in the middle of a embeded Pfsense install here! ;) TIA http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2.zip http://cvs.pfsense.org/~sullrich/physdiskwrite-0.5.2-PhysGUI-bundle.zip Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Problems with installation Developers-2.0
On Wed, Sep 2, 2009 at 4:38 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: Trying to install from pfSense-Developers-2.0-ALPHA-ALPHA-20090901-1924.iso on HP DL380 G4. MD5 is correct. Tried to burn another CD. Tried to install it in VMWare - result is the same. I see lots of errors like: ... /usr/sbin/clog: ERROR: could not write /var/log/ntpd.log (No space left on device) /usr/sbin/clog: ERROR: could not write /var/log/relayd.log (No space left on device) ..done. .: Can't open /etc/rc.php_ini_setup: No such file or directory Enter full pathname of shell or RETURN for /bin/sh: After I hit ENTER and get shell prompt I see that /var has 31M allocated and used at 102% /etc has 9.4M and 102% used. Install the default layout with only / ... No need for separate /var/ Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMPproxy and Router Alert option
On Tue, Sep 1, 2009 at 1:05 AM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: This is again about igmpproxy. As I mentioned earlier to be RFC compliant (RFC 2236 IGMP V2 and 3376 IGMP V3) we must send IGMP packets with Router Alert in IP header (RFC 2113). It is very easy to code but a problem with pf arises. To be able to send these packets we have to add allow-opts in pass out quick on 'Upstream Interface'. I tried to modify \let out anything from firewall host itself\ rule in /etc/inc/filter.inc and it worked. Please answer these questions: 1) I can't see a way to insert allow-opts only for upstream interface at the igmpproxy package configuration web-interface. Is there a way? Not currently. 2) Is it wise to add this functionality via another option in System-Advanced options (or where)? Yeah, that might be the best place for it. We need to do it for 2.0 first and take a look at if this is something that can make it into 1.2.3 or not. 3) Do we need at all this functionality (Router Alert in IP header)? I have no idea. Only IGMP users can make that call. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMPproxy and Router Alert option
On Tue, Sep 1, 2009 at 12:13 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: If I were to work on it should I install http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_HEAD/livecd_installer/pfSense-Developers-2.0-ALPHA-ALPHA-20090831-1029.iso.gz ? As I understand changes would be done in pfSense, pfSense packages and pfSense tools. Yep, you got it. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Load Balancing on vlans
On Thu, Aug 27, 2009 at 11:05 AM, Jesse Vollmarvollm...@gmail.com wrote: I tried again this morning to change the allow rule on a vlan interface to send traffic out on a gateway other than default and after about five minutes of working like it should, all traffic stopped. Hosts on that vlan could no longer ping the gateway of that vlan or anything on another network. This is only happening on my vlan interfaces (parent interface is LAN). Sounds like a NIC driver issue. Make sure you are using Intel NICS. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Ticket #1931: NAT reflection bug
On Thu, Aug 27, 2009 at 2:15 PM, David Reesdree...@gmail.com wrote: I've recently run into the issue described on ticket #1931 and on the forum thread below: http://cvstrac.pfsense.org/tktview?tn=1931 http://forum.pfsense.org/index.php/topic,16314.0.html Even though we only have about 200 port forwards, we have 6 local interfaces so we've quickly run into this limitation. So a couple questions before I go and tackle this issue: 1. Why the limitation of 1000? Is that more or less arbitrary to keep from too many local ports from being used by the inetd nc rules, or could it be increased some? Because of some of the issues you outlined in #2. 2. If I write a patch to limit the number of inetd entries below the above limit, will it be accepted upstream? We should be able to stop the inetd nc port multiplication issue so we will be able to reflect up to 1000 ports, but there will still be $num_interfaces * $num_portforwards NAT redirect rules generated. If the patch is likely to be accepted upstream, I'm more likely to spend time to write a 'proper' solution instead of just hacking it. :-) We will gladly accept changes for this. Thanks! Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1.2.3-RC1-embedded dhcp relay windows XP broadcast flag
On Wed, Aug 26, 2009 at 11:28 AM, Chris Kleeschultechris.kleeschu...@it.libertydistribution.com wrote: I can dhcp relay all my hosts except for Windows-based hosts. I narrowed the problem down to the Windows machine setting the broadcast flag on the dhcp initial request. I also know that Microsoft claims this is a problem in Vista, but all my hosts are XP and the flag seems to be set there too. Tcpdump on the pfsense machine confirms the broadcast flag set. The dhcp server (a dnsmasq server) can handle the request, but the pfsense will not forward the packet from one subnet to the other, I think. I know broadcast is really destined for the local network only and that is the proper way to handle it, so it is a hack to force the pfsense to send the request anyway? So is the proper way to fix this to hack the registry on all the windows machines to nuke out the broadcast flag OR take the easy route and make the pfsense/dhcrelay forward the packet anyway? Fix the problem on the SP3 box(s). But if you know C and can force pfSense to forward the broadcast flag then go for that by modifying isc-dhcp-relay. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Routing Between VLANs
On Wed, Aug 26, 2009 at 9:29 PM, Jesse Vollmarvollm...@gmail.com wrote: Okay I deleted that vlan and now there is a system error and the web gui doesn't work. I'm on my phone now (no internet from pfsense). The error is xml error: opt cannot occur more than once. I opened a shell and then opened config.xml and it has a opt entry... I don't know how to edit this in bsd since my user has read only I just fixed this bug a few days ago. Run /etc/rc.conf_mount_rw vi /conf/config.xml Find the optxxx interfaces and rename it to something like opt200909261213 where as the numbers are basically MMDDHHSS Might have to sweep the config.xml file and locate any references to that old opt rule and delete them out of the config file. Then run rm /tmp/config.cache Then you should be in good shape. Finally run shutdown -r now Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMP packet out of WAN
On Sun, Aug 23, 2009 at 9:23 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: Gentlemen, Please take a look at http://forum.pfsense.org/index.php/topic,16943.15.html last post from the6thday. It seems after reinstalling igmpproxy package he still has old version (which does not have this commit https://rcs.pfsense.org/projects/pfsense-tools/repos/mainline/commits/e9921d5342ffa6d15d88a36789c5b03d2249fb3e) This guy's log: Note: RECV V2 member report from 192.168.0.1 to 239.255.255.250 (ip_hl 24, data 8) Debu: Should insert group 239.255.255.250 (from: 192.168.0.1) to route table. Vif Ix : 0 Debu: No existing route for 239.255.255.250. Create new. Debu: No routes in table. Insert at beginning. Info: Inserted route table entry for 239.255.255.250 on VIF #0 Debu: Joining group 239.255.255.250 upstream on IF address 79.238.123.48 Note: joinMcGroup: 239.255.255.250 on ng0 Debu: Current routing table (Insert Route); And with this patch it should and like this: Note: joinMcGroup: 239.255.255.250 on ng0 Debu: SENT V2 member report from ... to 239.255.255.250 Debu: Current routing table (Insert Route); Could somebody please clarify how to get this new version of igmpproxy for pfSense-1.2.3-RC1? Thanks, Eugene. Upgrade to a recent snapshot. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] tcsh problem
On Sat, Aug 22, 2009 at 3:02 PM, Zhu Sha Zangzhushaz...@yahoo.com.br wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi there, what this problem? Enter an option: 8 tcsh: Cannot open /etc/termcap. tcsh: using dumb terminal settings. # I don't change nothing, and this message appear in my two hosts. Thanks for now. This has been resolved with the latest snapshots. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMP packet out of WAN
On Fri, Aug 21, 2009 at 3:41 AM, Ermal Luçiermal.l...@gmail.com wrote: Send a merge request to mainline. If you do not succeed i will merge it manually. Item has been merged. Thanks! Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Triple CARP setup
On Tue, Aug 18, 2009 at 10:28 AM, Veiko Kukkveiko.k...@krediidipank.ee wrote: How should I configure pfsync if I want to use three machines? ## Synchronize to IP Enter the IP address of the firewall you are synchronizing with. ## Should I list there all IP-s I want to sync to? Separated by commas or No. Put the next cluster member in this box (only one host). On the next host put the next members IP in creating a chain. Cluster Primary - Backup - Tertiary Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] OpenBGPD package: impossible to edit group in use but it can easily be deleted
On Sat, Aug 15, 2009 at 7:32 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote:
1) When a BGP group is in use it is impossible to modify group's parameters.
Click 'Save' gives you Sorry this group is in use... and can not be
deleted
Probably it is intended behavior but then we have to change the error
message to ... can not be edited which is not very logical as the idea
behind using groups is to have some parameters common for all peers
belonging to this group. If you agree with me please delete this check:
# diff -rub openbgpd_groups.xml.20090815.bak openbgpd_groups.xml
--- openbgpd_groups.xml.20090815.bak 2009-08-15 22:07:13.0 +
+++ openbgpd_groups.xml 2009-08-15 22:41:28.0 +
@@ -111,9 +111,4 @@
custom_php_resync_config_command
openbgpd_install_conf();
/custom_php_resync_config_command
- custom_php_validation_command
- $status = check_group_usage($_POST['groupname']);
- if($status != )
- $input_errors[] = Sorry this group is in use by
{$status} and cannot be deleted.;
- /custom_php_validation_command
/packagegui
2) The group can be easily deleted even if it is in use without any impact
on /usr/local/etc/bgpd.conf which leads to little mess. After that if you
will edit your neighbor then this neighbor will be excluded from this group
and thus probably will loose AS number. I could not find a way how to
prevent this.
Probably we could create some tag in openbgpd_groups.xml like:
custom_php_del_validation_command
$status = check_group_usage($_POST['groupname']);
if($status != )
$input_errors[] = Sorry this group is in use by
{$status} and cannot be deleted.;
/custom_php_del_validation_command
... and use it in /usr/local/www/pkg.php before it actually deletes
parameter:
line 66 if ($a_pkg[$_GET['id']]) {
+ if($pkg['custom_php_del_validation'] ) {
+ $status =
eval($pkg['custom_php_del_validation'] );
+ if ($status != ){
+ header(Location: pkg.php?xml= .
$xml);
+ exit;
+ }
+ }
unset($a_pkg[$_GET['id']]);
write_config();
... and it works (it's not deleted) but I can't find a way to tell user
about the error.
Thanks,
Eugene
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Please sign up for a rcs.pfsense.org account and email me the info
off-list. It is time for you to have a commit bit to be able to push
these changes since you are showing an interest in the BGPD package.
Scott
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] OpenBGPD package: excessive } if if neighbor does not belong to a group
On Sun, Aug 16, 2009 at 1:18 AM, Evgeny Yurchenkoevg.yu...@rogers.com wrote:
Again me -(((
found one more bug in OpenBGPD. When you add/modify neighbor which does not
belong to any group you get excessive } in bgpd.conf after neighbor{} block.
# diff -rub openbgpd.inc.20090816.bak openbgpd.inc
--- openbgpd.inc.20090816.bak 2009-08-16 05:09:38.0 +
+++ openbgpd.inc 2009-08-16 05:10:33.0 +
@@ -113,8 +113,6 @@
$conffile .= }\n;
}
}
- if($used_this_item)
- $conffile .= }\n;
}
// OpenBGPD filters
Thanks, this one is commited.
Scott
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Small remarks about OpenBGPD packaget
On Sat, Aug 15, 2009 at 11:15 AM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: I do not know why but your commit put my piece of code in slightly wrong place (1 line higher than needed). Please correct this. Thanks. [snip] Fixed, thanks! - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMP packet out of WAN
On Tue, Aug 11, 2009 at 8:02 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: cd /usr/ports/devel/git make install -- Ends with === Configuring for git-1.6.4 === Building for git-1.6.4 GIT_VERSION = 1.6.4 * new build flags or prefix ... many compilations here ... http-push.c:14:19: error: expat.h: No such file or directory http-push.c:852: error: expected ';', ',' or ')' before '*' token http-push.c: In function 'lock_remote': http-push.c:936: error: 'XML_Parser' undeclared (first use in this function) http-push.c:936: error: (Each undeclared identifier is reported only once http-push.c:936: error: for each function it appears in.) http-push.c:936: error: expected ';' before 'parser' http-push.c:943: error: 'parser' undeclared (first use in this function) http-push.c:946: error: 'xml_cdata' undeclared (first use in this function) http-push.c: In function 'remote_ls': http-push.c:1179: error: 'XML_Parser' undeclared (first use in this function) http-push.c:1179: error: expected ';' before 'parser' http-push.c:1186: error: 'parser' undeclared (first use in this function) http-push.c:1189: error: 'xml_cdata' undeclared (first use in this function) http-push.c: In function 'locking_available': http-push.c:1262: error: 'XML_Parser' undeclared (first use in this function) http-push.c:1262: error: expected ';' before 'parser' http-push.c:1269: error: 'parser' undeclared (first use in this function) gmake: *** [http-push.o] Error 1 *** Error code 1 Stop in /usr/ports/devel/git. *** Error code 1 Stop in /usr/ports/devel/git. ***sigh*** -((( Try this: rm -rf /usr/ports portsnap extract cd /usr/ports/devel/git make install BATCH=yes Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMP packet out of WAN
On Wed, Aug 12, 2009 at 10:57 AM, Scott Ullrichsullr...@gmail.com wrote: On Tue, Aug 11, 2009 at 8:02 PM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: cd /usr/ports/devel/git make install -- Ends with === Configuring for git-1.6.4 === Building for git-1.6.4 GIT_VERSION = 1.6.4 * new build flags or prefix ... many compilations here ... http-push.c:14:19: error: expat.h: No such file or directory http-push.c:852: error: expected ';', ',' or ')' before '*' token http-push.c: In function 'lock_remote': http-push.c:936: error: 'XML_Parser' undeclared (first use in this function) http-push.c:936: error: (Each undeclared identifier is reported only once http-push.c:936: error: for each function it appears in.) http-push.c:936: error: expected ';' before 'parser' http-push.c:943: error: 'parser' undeclared (first use in this function) http-push.c:946: error: 'xml_cdata' undeclared (first use in this function) http-push.c: In function 'remote_ls': http-push.c:1179: error: 'XML_Parser' undeclared (first use in this function) http-push.c:1179: error: expected ';' before 'parser' http-push.c:1186: error: 'parser' undeclared (first use in this function) http-push.c:1189: error: 'xml_cdata' undeclared (first use in this function) http-push.c: In function 'locking_available': http-push.c:1262: error: 'XML_Parser' undeclared (first use in this function) http-push.c:1262: error: expected ';' before 'parser' http-push.c:1269: error: 'parser' undeclared (first use in this function) gmake: *** [http-push.o] Error 1 *** Error code 1 Stop in /usr/ports/devel/git. *** Error code 1 Stop in /usr/ports/devel/git. ***sigh*** -((( Try this: rm -rf /usr/ports portsnap extract cd /usr/ports/devel/git make install BATCH=yes OK -- I figured out what was the problem here. Do this and you should be OK: cd /usr/ports/textproc/expat2 make depends install cd /usr/ports/devel/git make depends install Ignore what I sent earlier. I have updated the DevWiki page to reflect these changes. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1.2.3-RC1 Web gui logout
On Wed, Aug 12, 2009 at 1:10 PM, David Burgessapt@gmail.com wrote: You could use a different browser for pfsense. It's an inconvenience, but probably more convenient than closing all your tabs. Install the Web Developer Toolbar for firefox and then select Miscellaneous - Clear Private Data - HTTP Authentication http://chrispederick.com/work/web-developer/ Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMP packet out of WAN
On Tue, Aug 11, 2009 at 8:16 AM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: All my production boxes are 1.2-release so FreeBSD 6.2. But I am planning to move to the latest 1.2.3 and I will do it as soon as I find out why my HPs hung during high load with 1.2.3-RC1. To answer your question - I'd like to make igmpproxy to work on 1.2.3. I wish I could build everything by myself but last time I tried to use git it errored on me (I posted the errors here). If you could help me to figure out how to start using this development environment it would be greatly appreciated. Getting started with our dev environment has become a lot easier in the last couple weeks. Check out the updated document here: http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Kernelbug on Triple Core Processor
On Sat, Aug 8, 2009 at 2:56 PM, Walter Kuglere9126...@student.tuwien.ac.at wrote: Hello! About myself: I have no great knowledge about FreeBSD. I use mostly the WebGUI of pfSense, but i have some years experience on Debian GNU/Linux, including building a custom kernel. My Problem: I have bought a new machine with an AMD Phenom II X3 Processor that has 3 Cores. I want to use pfSense on it and until now i tried version 1.2.3-RC1. When booting the default system the kernel hangs after 'SMP: AP CPU#2 Launched!' I have already found the exact reason, it's a bug with sched_ule + SMP, take a look at: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120138 My questions now are: Is there a version of pfSense (at least in RC-Stage) that includes already the patch for this bug? If not, i have to compile a patched custom kernel: What do i have to do to just recompile the kernel and its modules (not the whole world)? As far as i understand i need the exact kernel-version and the configuration-file that is used for pfSense 1.2.3-RC1. Where do i find these things? Is the developer-installation the complete environment i need to build a kernel? If i know these things i hope that i am able to build a kernel with the documentation at http://www.freebsd.org/docs.html. I hope that you can help me :) Try a 1.2.3-RC2 snapshot. http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/livecd_installer/pfSense-1.2.3-20090807-2005.iso.gz Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Small remarks about OpenBGPD packaget
On Thu, Aug 6, 2009 at 10:48 AM, Evgeny Yurchenkoevg.yu...@rogers.com wrote: I'll ask very trivial question but please bear with me as I am new here. What does 'commited this' mean? Does it mean that it is in http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/livecd_installer/pfSense-1.2.3-20090805-0554.iso.gz It generally takes 4-5 hours for a commit to reach the snapshots. It might or might not be in there but will be in future snapshots. My general question is how these snapshots are related to the content I can find on mirrors to download (for example http://files.pfsense.org/mirror/downloads/pfSense-1.2.3-RC1-LiveCD-Installer.iso) ? Trying to understand production cycle... You are on the right track... You will want a snapshot to test. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Small remarks about OpenBGPD packaget
On Wed, Aug 5, 2009 at 12:35 AM, Evgeny
Yurchenkoevgeny.yurche...@frontline.ca wrote:
Hi!
1) I find it a little bit inconvenient that you can not add a neighbor
when you do not have any group configured. Suppose I want to add just
two neighbors without messing with groups set up.
This small thing solves it:
# diff -rub openbgpd_neighbors.xml.bak openbgpd_neighbors.xml
--- openbgpd_neighbors.xml.bak 2009-07-22 21:31:13.0 +
+++ openbgpd_neighbors.xml 2009-08-05 04:11:06.0 +
@@ -171,6 +171,11 @@
$counter++;
}
}
+ else{
+ $newoptions['option'][0]['name'] = ;
+ $newoptions['option'][0]['value'] = ;
+ $pkg['fields']['field'][2]['options'] =
$newoptions;
+ }
/custom_php_command_before_form
custom_php_deinstall_command
/custom_php_deinstall_command
2) Cosmetic but may be you would wish to implement it. Neighbors not
belonging to any group not aligned properly:
group G1 {
remote-as 11
neighbor 1.1.1.1 {
descr N1
announce all
remote-as 1
}
}
neighbor 2.2.2.2 {
descr N2
announce all
holdtime 300
remote-as 2
}
This small patch
# diff -rub openbgpd.inc.bak openbgpd.inc
--- openbgpd.inc.bak 2009-07-22 21:31:13.0 +
+++ openbgpd.inc 2009-08-05 03:31:14.0 +
@@ -103,14 +103,14 @@
foreach($openbgpd_neighbors as $neighbor) {
$used_this_item = false;
if($neighbor['groupname'] == ) {
- $conffile .= neighbor {$neighbor['neighbor']} {\n;
+ $conffile .= neighbor {$neighbor['neighbor']} {\n;
$conffile .= descr
\{$neighbor['descr']}\\n;
$used_this_item = true;
foreach($neighbor['row'] as $row) {
$conffile .= {$row['paramaters']}
{$row['parmvalue']} \n;
}
if($used_this_item)
- $conffile .= }\n;
+ $conffile .= }\n;
}
}
if($used_this_item)
makes it more intuitive (at least for me)
group G1 {
remote-as 11
neighbor 1.1.1.1 {
descr N1
announce all
remote-as 1
}
}
neighbor 2.2.2.2 {
descr N2
announce all
holdtime 300
remote-as 2
}
Eugene
Thanks, I commited this.
Scott
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Problem with apinger
On Tue, Aug 4, 2009 at 10:56 AM, Matthias Niggemeierm...@thias.de wrote: Von: Matthias Niggemeier [mailto:m...@thias.de] Gesendet: Dienstag, 4. August 2009 08:47 An: support@pfsense.com Betreff: [pfSense Support] Problem with apinger Hi there, since the upgrade to 1.2.3-RC2 (July 23) parts of my failoverpools go offline once a day. The system log shows entries like this: apinger: ALARM: 208.67.220.220(208.67.220.220) *** down ***. Loss 0.0%, Delay 75.436ms In this situation, I have to go to load_balancer_pool.php, edit one pool and hit save. After that, everything is fine and online. Is there a workaround for this? Update: The sequence before failing is as follows: Aug 4 15:38:33 apinger: Target 208.67.220.220: Lost packet count mismatch (-7(recently_lost) != 0(really_lost))! Aug 4 15:38:33 apinger: Target 208.67.220.220: Received packets buffer: ## #... Aug 4 15:38:40 apinger: ALARM: 208.67.220.220(208.67.220.220) *** down ***. Loss 12.0%, Delay 72.620ms After that apinger does not recover until I go to the pool configuration and hit save. This is a known issue that we are working on. No workarounds exist at present. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Thu, Jul 30, 2009 at 8:21 AM, Eugen Leitleu...@leitl.org wrote: On Thu, Jul 30, 2009 at 02:08:38PM +0300, Veiko Kukk wrote: This is a good example, why bottom-posting sucks... God gracious help us. What's wrong with interleaved posting? Why do i need to scroll past all previous teks i read just few seconds ago, following that thread? Because they're Doing It Wrong(tm). If i need to read it, then i could scroll down, but rarely there is need for that. Thinking does help, at times. -- Eugen* Leitl a href=http://leitl.org;leitl/a http://leitl.org __ I agree with Eugen. Folks, this is the lists rules. If you do not like it I kindly ask you to go to the forum and participate there. It's either that or I will stop reading these lists altogether. Bottom post or do not post at all. Thanks. Scott PS: my kill bit is armed and folks that continue to do so will be removed from the list. Sorry to be harsh but I have had enough with this subject. Thanks. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] BGP status
On Thu, Jul 30, 2009 at 2:19 PM, Chris Flugstadch...@cascadelink.com wrote: Any word on BGP status. or a simple alternative, until pfsense has BGP function? BGP has existed in system - packages for 2+ years. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
http://www.caliburn.nl/topposting.html http://idallen.com/topposting.html Thank you Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:25 PM, Curtis LaMasterscurtislamast...@gmail.com wrote: Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. I did not think anything -- This is my 1st message to this list in days and days Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:31 PM, iggd...@gmail.com wrote: Unfortunately Gmail top posts by default. So expecting bottom posting to be and to remain the default behavior may be an exercise in futility. proper ettiquite or not, some people just bang off replies and figure everything is a-ok. This being a reason, not an excuse. I use gmail daily. It's really not that hard and took me less than 2 seconds to trim and bottom post this message. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:42 PM, Curtis LaMasterscurtislamast...@gmail.com wrote: On Wed, Jul 29, 2009 at 12:41 PM, David Burgessapt@gmail.com wrote: On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: And this is bottom posting. Correct? Well, I don't think it's top-posting or bottom-posting if you delete all prior content. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org How about now? Bottom posting? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org No. This is bottom posting. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:45 PM, Curtis LaMasterscurtislamast...@gmail.com wrote: Gotta tell you guys...this is out right frustrating. Is it the fact that I'm using Gmail or that by definition, threading in email is broken by design. I would have imagined that the Spamassassin mailing list would have eaten all Gmail users alive if Gmail were the issue. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:42 PM, David Burgessapt@gmail.com wrote: The current is an example of top-posting, in response to your top-post. I don't think you've bottom-posted in this thread yet. db On Wed, Jul 29, 2009 at 11:41 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: To which one? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:40 PM, David Burgessapt@gmail.com wrote: Yes. On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: This is top posting apparently. Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:34 PM, iggd...@gmail.com wrote: On Wed, Jul 29, 2009 at 1:33 PM, Curtis LaMasters curtislamast...@gmail.com wrote: And I think the point is being missed. WHY WAS MY MESSAGE VIEWED AS TOP POSTED. Ok, I committed my internet crime of YELLING in caps for the day. In Gmail, is there a proper way to not top post? Curtis LaMasters http://www.curtis-lamasters.com http://www.builtnetworks.com On Wed, Jul 29, 2009 at 12:28 PM, David Burgessapt@gmail.com wrote: On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasterscurtislamast...@gmail.com wrote: Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that. It can be a lot harder than that. It's effectively illustrated in the links that Scott provided. A little effort in replying can save a lot of wasted effort in trying to bring oneself up to speed or refresh one's memory on a long thread. db - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org flick the scroll wheel to get to the bottom of the post basically. - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org HItting reply resulted in the above A proper bottom post then looks like this: On Wed, Jul 29, 2009 at 1:45 PM, Curtis LaMasterscurtislamast...@gmail.com wrote: Gotta tell you guys...this is out right frustrating. Is it the fact that I'm using Gmail or that by definition, threading in email is broken by design. I would have imagined that the Spamassassin mailing list would have eaten all Gmail users alive if Gmail were the issue. This is a bottom post. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Wed, Jul 29, 2009 at 1:54 PM, Curtis LaMasterscurtislamast...@gmail.com wrote: I actually find that to be annoying to read. However, in the spirit of good internetship, I'll oblige. Sorry any problems I may have caused. Let me know if I did that correctly. That looks correct. Unfortunately this is the way mailing lists have operated for as long as I have remembered. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] OT: web based performance testing
On Sat, Jul 25, 2009 at 4:26 PM, Chris Buechlerc...@pfsense.org wrote: Looking for something, preferably open source but commercial is an option, sort of like a host your own private speed test site. The idea is when someone connects in via VPN they can easily hit a URL on a server across the VPN and click a button to test throughput, latency, and loss. The average end user is not highly technical, so something like download this 50 MB test file and ping x.x.x.x isn't viable. I figure someone out there has done something similar in the past. Granted there isn't anything you can do about poor connectivity other than find a different Internet connection, but at least it's a way to tell. Any ideas much appreciated. http://www.speedtest.net/mini.php Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] OT: web based performance testing
On Sat, Jul 25, 2009 at 4:31 PM, Chris Buechlerc...@pfsense.org wrote: Saw that, doesn't have latency or loss though. That's the piece that's missing from all the options I've seen. Maybe this will fit the bill. Kinda expensive. http://www.ookla.com/linequality.php Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] IGMP packet out of WAN
On Sun, Jul 26, 2009 at 12:42 AM, Evgeny Yurchenkoevgeny.yurche...@frontline.ca wrote: Can somebody please say whether pfSense's kernel was compiled with MROUTING option or not? [pfsense-org:tools/builder_scripts/conf] sullrich% pwd /Users/sullrich/pfSense_GIT/tools/builder_scripts/conf [pfsense-org:tools/builder_scripts/conf] sullrich% cat pfSense.7 | grep MROUT options MROUTING Yes, it includes it. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Patch: Realtek 8102EL support for Dell Mini 10v (1010)
On Fri, Jul 24, 2009 at 2:37 PM, Ingmar Huppingmar.h...@semperian.co.uk wrote: pfSense 1.2.3-RC1. FreeBSD RELENG_7_2 doesn't have support for this as far as I can tell (but FreeBSD HEAD [8.0] does as I've just noticed). Thanks, I have committed this and snapshots should start building them soon. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] tcsetpgrpfailed ?
On Thu, Jul 23, 2009 at 9:10 PM, Chris Buechlerc...@pfsense.org wrote: On Thu, Jul 23, 2009 at 9:09 PM, Lyle Giesel...@lcrcomputer.net wrote: I setup a pfSense embedded using 1.2.3 rc1. When I connect to the console port, I get tcsetpgrpfailed, errno=25 It's normal and cosmetic only (and I believe fixed in nanobsd embedded). That is correct (and future embedded releases which are being discontinued in favor of nano builds). Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] seperate gui and console password
On Mon, Jul 20, 2009 at 10:29 AM, Nick Smithnick.smit...@gmail.com wrote: Ive read on this list that you cant add another user to pfsense 1.2 and its single user only. but is there a way to seperate the gui password from the root console password? i know that freebsd has a toor account, does pfsense have the same? is it possible to change the password on that account? thanks for any help, id like to keep the console password to something other than the gui password if at all possible. thanks for the help. Sorry but it is not possible currently. Scott - To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
