

Messages - parsalog

1
Not sure where to post this, but I think I found the source issue and a workaround.

Symptom: random reboot/reset of the firewall, sometimes with an error, sometimes not. Time between reboots anywhere from 10 minutes to 2 days. When I did get a crash report, it was always the same error.

Fatal trap 12: page fault while in kernel mode .......

Tried everything: better cooling, a different chipset NIC, disabling onboard SATA (BIOS: turning off hyperthreading, turning off VT-d, turning off above-4G decoding). I did system tunables too, mbuf, some storm threshold, and I forget what else......

My firewall was a custom-made one (Supermicro), so I eventually gave up and ordered a brand new firewall from pfSense. Got the same exact problem, but I noticed it didn't pop up till after I noticed AES-NI was disabled and turned it on. I put my old firewall back in, turned off crypto acceleration, and I am now on day three without a reset!

Can anyone else confirm this experience with 2.4.x? Incidentally, all 8 of my other pfSense firewalls had no issues on 2.3.x, and the new one is too new to install 2.3.x.

Not sure if it is part of it, but I have VLANs and virtual IPs, and a lot of IPsec tunnels all configured for AES128-GCM and AES-XCBC.

Hardware is a Supermicro 5019S-ML, Intel Xeon E3-1275, 64GB ECC RAM.

2
I am fighting this same issue; any updates on this issue? I am running a Supermicro server as well. It seems a lot of people are seeing the trap 12 when using the Intel igb driver specifically?

3
IPsec / Re: IPsec dropping VLAN traffic to only one site
« on: November 17, 2017, 04:14:31 pm »
Solved, I had a typo in the phase two on one side, for the VLAN subnet......

4
IPsec / IPsec dropping VLAN traffic to only one site
« on: November 17, 2017, 01:40:06 pm »
This problem has me baffled. I just upgraded my firewall; I am on the newest version of pfSense, clean install. I recreated all my IPsec tunnels, to 8 different sites. For only one site, my VLAN traffic fails in one direction. The VLAN is a Voice VLAN, so the symptom with only 1 of 8 locations is I can hear them on the phone, but they cannot hear me; voice traffic is UDP. If I try pinging from that VLAN interface, the pings fail. Pinging does fail in the opposite direction as well.

The other three non-VLAN subnets can all connect through the same tunnel without issue.

5
Routing and Multi WAN / BGP local-AS missing from Neighbor Parameters
« on: December 02, 2016, 10:33:54 am »
I have found myself in a scenario where I need more than one AS assigned to the same box. One is a public AS, the other is a private AS. Doing a little research, it appears the command I am looking for is "local-AS", but it is not in the pull-down options for "Neighbor Parameters". Does anyone know if OpenBGPD supports it? Is there an easy way to edit the list?

6
In doing more testing, I have discovered that it only appears to be Android devices failing; I have only tested Samsung devices so far. I tested an Apple iPad on the 10.1.3.0/24 and a laptop as well; both were able to access everything on the 10.1.1.0/24. So this appears to be an Android issue????

7
Originally my network had just one subnet, the 10.1.1.0/24, but I ran out of IPs.

As such, I added the 10.1.2.0/24 to accommodate more devices.

I guess I could have done a /22, but I was under the impression the router could connect the two subnets, giving me the option to apply firewall rules to the traffic between each.

Just recently I have run out of IPs again, so I have added the 10.1.3.0/24.

Also, what I find interesting is I am only having issues with mobile devices. This IP scheme has been working without issues on my PCs and printers.

8
Which part has you confused?

Under Interfaces, the LAN is set with a static IP of 10.1.1.1 and the subnet is a /16.

Under Firewall and Virtual IPs, I have added two virtual IPs, 10.1.2.1 and 10.1.3.1, but with a subnet of /24.

The idea is that any device on the 10.1.2.0/24 will have 10.1.2.1 for its gateway, and any device on the 10.1.3.0/24 will have 10.1.3.1 for its gateway.

9
I have three LAN subnets, 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24. Well, more actually, but they fall outside the scope of this issue.

All wireless devices (tablets, phones...) get assigned to the 10.1.3.0/24 via reservations from a DHCP superscope.

All server equipment (web, email...) falls in the 10.1.1.0/24.

Any phone or tablet using the 10.1.3.0/24 can access the outside internet without issue.

My problem is they cannot reach the internal 10.1.1.0/24.

That said, they do "appear" to have the ability to ping, but TCP traffic fails, port 80, 443. Can't send email, or pull up internal websites.

I have pfSense configured with a LAN of 10.1.1.1/16 and I have a Virtual IP of type "IP Alias" of 10.1.2.1/24 and 10.1.3.1/24 on the same interface.

10
IPsec / Re: Cron Ipsec auto restart on fail , and email notify
« on: April 29, 2013, 10:29:29 am »
Thank you for taking the time to follow up. DPD is disabled for the IPsec, as I found that same conclusion, but my "GRE" tunnels are what's failing.

11
IPsec / Cron Ipsec auto restart on fail , and email notify
« on: April 17, 2013, 11:37:33 am »
I had seen this topic previously, but not an answer fitting exactly what I needed. From what I can tell, GRE is part of the IPsec service (racoon). My GRE tunnels tend to fail about once a week (connecting to Cisco equipment), and I have to restart the service. Using elements from others, I wrote this PHP script, which runs as a cron job, that sends a restart command (rather than off and on) only when it can't ping the other side, and then notifies me by email. My code is horrible, and someone with more talent can probably clean it up quite a bit, but it does work. I figure it might help someone else anyhow. I run it with this cron command: " */4     *     *     *     *     root     /usr/local/bin/php -q /root/pingresetvpn.php  "

<?php
/* Runs from cron every few minutes. Pings the far side of each GRE tunnel
 * and one outside host. IPsec is restarted (and an email sent) only when a
 * tunnel peer is unreachable while the outside host still answers, so a
 * plain internet outage does not trigger a needless restart. */
require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
require_once("ipsec.inc");
require_once("vpn.inc");
require_once("service-utils.inc");
require_once("vslb.inc");
include('phpmailer/class.phpmailer.php');

/* One ICMP echo, wait at most one second (FreeBSD ping -t). An exit status
 * of exactly 0 means a reply came back; compare strictly rather than against
 * null so a missing or non-numeric status is never taken as success. */
function ping_ok($host) {
    exec("/sbin/ping -c 1 -t 1 " . escapeshellarg($host), $output, $exit);
    return $exit === 0;
}

/* Send a short report through your own SMTP relay. */
function notify($subject, $body) {
    $mail = new PHPMailer();
    $mail->IsSMTP();
    $mail->Host = "youropenrelaymailserver";
    $mail->Port = 25;
    $mail->From = "you@yourdomain.com";
    $mail->FromName = "Firewall Report";
    $mail->AddAddress("you@yourdomain.com");
    $mail->Subject = $subject;
    $mail->Body = $body;
    if (!$mail->Send()) {
        echo "Message was not sent.\n";
        echo "Mailer error: " . $mail->ErrorInfo . "\n";
    }
}

$value = 0;   // how many tunnel peers answered
$outside = 0; // 1 if the outside reference host answered

// first GRE tunnel, should work the same for an IPsec tunnel
if (ping_ok("IpOfOtherSide")) {
    print "ping1 Success\n";
    $value += 1;
} else {
    print "ping1 Fail\n";
}
// second GRE tunnel, should work the same for an IPsec tunnel
if (ping_ok("IpOfOtherSide")) {
    print "ping2 Success\n";
    $value += 1;
} else {
    print "ping2 Fail\n";
}
// Google's DNS server, but any external pingable site will do
if (ping_ok("8.8.8.8")) {
    print "ping4 Success\n";
    $outside += 1;
} else {
    print "ping4 Fail\n";
}
print "Value is " . $value . "\n";

if ($value == 2) {
    print "All is Well in Asthland\n";
} elseif ($outside == 1) {
    // tunnels down but the internet is up: the VPN is the fault, restart it
    print "All is Well outside the realm, but not at home\n";
    vpn_ipsec_force_reload();
    print "IPsec restarted accordingly\n";
    notify("GRE is down restarting VPN", "IPsec has been restarted check for problems");
} else {
    // nothing answers at all: the link is down, restarting would not help
    print "Not the VPN fault wait for internet\n";
    notify("Internet is down", "could not ping outside");
}
exit(0); // exit 0 so cron does not treat every run as a failure
?>
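The same check-then-restart logic, as an added example that is not the poster's script: it generalises the decision above to any number of tunnel peers and adds what a single cron run cannot, a consecutive-failure threshold and a restart cooldown, so one dropped echo does not bounce IPsec and a tunnel that stays dead cannot restart it every run. The `restart` callable, the peer addresses and the threshold and cooldown values are assumptions; state is kept in memory, so it suits a long-running loop rather than a cron entry.

```python
import subprocess
import time


def ping_host(host, timeout=1):
    """One ICMP echo, wait at most `timeout` seconds (FreeBSD ping -t).
    Exit status 0 means a reply came back; anything else is a failure."""
    proc = subprocess.run(["/sbin/ping", "-c", "1", "-t", str(timeout), host],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def classify(peers_up, outside_up):
    """Same three-way split as the cron script: all peers answer -> "ok";
    a peer is silent but the outside host answers -> "tunnel_down";
    the outside host is silent too -> "wan_down" (a restart would not help)."""
    if all(peers_up):
        return "ok"
    return "tunnel_down" if outside_up else "wan_down"


class TunnelMonitor:
    """Keeps a consecutive-failure count and the time of the last restart so
    that one lost echo does not restart IPsec and a stuck tunnel cannot
    trigger a restart more often than once per `cooldown` seconds."""

    def __init__(self, peers, outside, ping, restart,
                 threshold=2, cooldown=600, clock=time.monotonic):
        self.peers, self.outside = list(peers), outside
        self.ping, self.restart, self.clock = ping, restart, clock
        self.threshold, self.cooldown = threshold, cooldown
        self.failures = 0
        self.last_restart = None

    def run_once(self):
        state = classify([self.ping(p) for p in self.peers],
                         self.ping(self.outside))
        if state != "tunnel_down":
            self.failures = 0              # healthy or WAN outage: nothing to restart
            return state
        self.failures += 1
        if self.failures < self.threshold:
            return "tunnel_down_pending"   # wait for another failed run first
        now = self.clock()
        if self.last_restart is not None and now - self.last_restart < self.cooldown:
            return "tunnel_down_cooldown"  # restarted recently; do not flap
        self.restart()                     # hypothetical hook: restart IPsec, send mail
        self.last_restart, self.failures = now, 0
        return "restarted"
```

In a daemon the loop would be `while True: monitor.run_once(); time.sleep(240)` with `ping=ping_host` and a `restart` that shells out to the firewall's IPsec restart and sends the notification.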

12
IPsec / Re: GRE keep alive, connection drops once a week.
« on: February 21, 2013, 03:21:24 pm »
Under Diagnostics and pfInfo I noticed some packets are getting blocked; not sure what to do with that info, or if it is relevant.

gre0
   Cleared:     Mon Nov 12 16:28:37 2012
   References:  [ States:  0                  Rules: 10                 ]
   In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In4/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out4/Pass:   [ Packets: 43039508           Bytes: 34927813259        ]
   Out4/Block:  [ Packets: 5993               Bytes: 5565603            ]
   In6/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In6/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out6/Pass:   [ Packets: 22                 Bytes: 1692               ]
   Out6/Block:  [ Packets: 0                  Bytes: 0                  ]
gre1
   Cleared:     Mon Nov 12 16:28:37 2012
   References:  [ States:  0                  Rules: 8                  ]
   In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In4/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out4/Pass:   [ Packets: 10901950           Bytes: 1862315434         ]
   Out4/Block:  [ Packets: 8                  Bytes: 320                ]
   In6/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In6/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out6/Pass:   [ Packets: 56                 Bytes: 4292               ]
   Out6/Block:  [ Packets: 0                  Bytes: 0                  ]

13
IPsec / GRE keep alive, connection drops once a week.
« on: February 20, 2013, 05:58:57 pm »
Does anybody know of a way to enable keep-alive on GRE? My GRE connections turn off about once a week for unknown reasons, and I have to restart the IPsec service to get them to turn back on.

I am connecting to Verizon through an IPsec transport; they have Cisco equipment on the other side. They say I am showing carrier transition errors. On that note, I am unaware of any GRE diagnostic tools.

I did have to increase net.link.gre.max_nesting in the system tunables to make the connection work in the first place.

Any ideas would be appreciated.

thank you.

14
Solved!

So fortunately I stumbled across this post: http://forum.pfsense.org/index.php?topic=54243.0

I had enabled RIP when I was transitioning from Watchguard to pfSense. So I turned it off, as it is needed no more, and BGP routes now appear, YAY! ;D

15
Good to know someone is out there; thank you, acherman.

For what it is worth, looking back on this project, BGP is fairly easy, as things go, once you understand all the terms used... Working with Verizon, translated Cisco network, not much of the language they used lined up... so once I figured out what they were saying it was not too difficult to get connected to their network. If you end up having to use GRE over IPsec transport, like I did, be aware you will have to patch the interface, as pfSense is missing some Cisco compatibility options.

Also, having been through every tutorial I could find on BGP for pfSense, I am of the opinion that many of the guys who write them don't know what they are doing.

Good Luck on your effort.
