
Topics - dotdash

CARP/VIPs / Can't sync between 2.3.2-p1 and 2.3.3 ??
« on: March 02, 2017, 05:47:56 pm »
Trying to upgrade a HA pair to the latest, bumped the secondary to 2.3.3
Now I see the primary isn't syncing -
/rc.filter_synchronize: The other member is on a different configuration version of pfSense. Sync will not be done to prevent problems!
Has CARP changed that much in 2.3.3?
Kind of a PITA. Now when I update the primary, my config is going to be stale until the primary is back.
I thought the sync was only disabled between major versions.

Getting the "system is on a later version than official" message on 2.3.3 boxes today.
Update shows latest base is 0.18_1
Something broken?

webGUI / CARP password confirmation
« on: July 01, 2016, 03:48:20 pm »
I noticed that on 2.3.x you have to confirm CARP passwords when adding a CARP VIP. This complicates my SOP of typing random garbage. On a stand-alone firewall, the password is meaningless, and on a cluster, it's automatically synced to the secondary. Seems to be unneeded, and the CARP password is confusing to new users. Is there actually a scenario where you couldn't get by with generating a secure password behind the scenes and hiding it from the user?

Installation and Upgrades / 2.3 Missing many restore options
« on: April 14, 2016, 09:45:22 am »
Loaded up a box with a fresh copy of 2.3, went to restore an alias list saved from a 2.2.x box and the restore options are pared way down. Is this just a thing going forward where you can't restore more selective portions of the config? I do full restores most of the time, but liked the ability to pull out and restore sections selectively. Especially the Aliases. I can dump the list, reformat it, and import it, but that's a bit more involved than clicking restore.

Was playing with 2.2 on an APU, using a USB stick to install to a SATA drive.
For brevity, booted, picked installer, used quick install.
At kernel choice, standard works, but if I pick embedded, I get this:
Execution of the command
tar xzpf /kernels/kernel_*wrap*.gz -C /mnt/boot/
FAILED with a return code of 1.

2.1 Snapshot Feedback and Problems - RETIRED / Possible fxp regression
« on: April 12, 2013, 05:27:22 pm »
2.1-BETA1 (i386)
built on Fri Apr 12 04:55:08 EDT 2013
FreeBSD 8.3-RELEASE-p7
Setting up a couple of identical servers, both have fxp and bge onboard with a second bge on a riser card.
Configured the fxp interfaces for the CARP sync and connected with a crossover. Boxes would not sync.
Noticed the interfaces were constantly going up and down. Replaced the crossover cable, ran them into a switch, another switch...
I could see the lights go off and on every thirty seconds or so... Put the crossover back in, hard set the interfaces for 100/full and bingo: everything syncs.
Solid link, everything seems fine.

Packages / LCDproc-dev and tyan lcd bug
« on: April 10, 2013, 02:19:07 pm »
Trying to re-use an old Tyan GS14 server. Server has an LCD panel which was used on a handful of Tyan servers. It's based on the hd44780 and connected to com2 on the box. Couldn't get it to work via any fiddling with the config page. Tried hd44780 and tyan drivers, service never started. Eventually realized that if I selected the 'tyan' driver, the system deleted any existing /usr/local/etc/LCDd.conf and didn't create a new one. Tested on fresh installs of 2.0.3-pre and 2.1beta.
Workaround is to select hd44780 and edit the config manually:
Hello=" D.T.K - L.A.M.F"
GoodBye=" System Halting "
GoodBye=" or LCDd stopped"

It seems changing the LAN address is harder in 2.0 than it was in 1.2.3.
Possibly the procedure has changed from 1.2.3 to 2.0 and I'm doing it wrong.
Previously, if I changed the LAN address to a different subnet, I would get a warning to change the DHCP scope before applying. This allowed a fairly smooth change from a LAN-connected machine: you could change the DHCP scope, apply changes, then get a new IP on the correct subnet from DHCP.
In 2.0, it reminds me to change the DHCP scope after applying. If I don't apply, and go to the DHCP server, it does not allow me to change the range to the new subnet.
The result is that if you're doing this from the LAN, you need to static the machine on the new subnet, then adjust the DHCP scope.

Hardware / WG Firebox x500 notes
« on: August 26, 2010, 12:55:00 pm »
I recently got one of these to play with. As the other thread(s) are a bit long, I thought I would start a new one.
The keyboard connector is documented in another thread, but I found that a PS/2 connector I had in an old box of junk (might be from an old Asus mb) worked fine. I hooked mine up to a VGA card and keyboard so I could get into the BIOS.
The crazy optional drive tray uses a standard 80-pin SCA connector. The other side is a fairly typical laptop-style IDE connector with integrated power. I've never seen a male SCA to IDE converter, but apparently WatchGuard had them.
The jumpers next to the ethernet ports appear to disable the ports when un-jumpered.
The system will boot 2.0BETA4 nano fine from the CF card slot, but the serial output ceases right before the menu is displayed. One can connect via the webgui normally.
As others have noted, the box will reboot, but does not power-down on halt. I briefly played with the BIOS settings, but had no luck.
The crypto card (safe) is recognized by 2.0BETA4, and shows up in the dashboard. I have not tested to see if it actually works.

The nano snaps are looking really nice, there are a few rough edges though.
When duplicating a slice, the message reads "Duplicaating slice"
The red progress spinner looks cool, but it keeps spinning after the process has completed.
When I try to switch bootup to slice2, it tells me "The boot slice has been set to 1"
When I try to switch bootup to slice1, it tells me "The boot slice has been set to 2"
In either case, the bootup slice dropdown always shows ad0s1

Packages / Dashboard 0.8.3_1 IPsec strangeness
« on: June 25, 2009, 02:49:35 pm »
This is on a recent 1.2.3 (RC2) snapshot.
I've disabled a tunnel and replaced it with a mobile client.
I set up one mobile client with email address type identifier.
Status IPsec shows only my two static-static tunnels up. When the mobile (Shrew Soft) client connects, I see the SAD and SPD entries. The overview on the dashboard shows 5 active / 1 inactive.
Two are the active tunnels, the inactive seems to be the tunnel that is disabled, the remaining three are the mobile client. Some of that is due to testing it with and without NAT-T, I still have a lingering ESP-UDP SAD from the NAT-T test. I can kill the SAD for that one and bring it down to 4/1. The odd thing is that the mobile client shows down even when it's connected.
None of this is a big deal, it's just a bit confusing.

This happened on a production system, so there was no extensive testing. As a result this is a subjective report, I'm just mentioning it in case anyone has similar issues.
I have a CARP cluster running on boxes that each have four em interfaces. Two WANs, multiple VLANs (two em cards are used for VLAN trunking). The system was working fine on 1.2 and 1.2.2. I upgraded to 1.2.3 RC1 and the CPU usage went crazy. Seemed to be the em taskqueues spiking the box. Performance seemed OK, but the webgui was awful. Updating to a recent 7.2 based (RC2) snap seems to have cleared up the issue, so I suspect something was not right with the 7.1 em driver.

Using pfSense-2.0-ALPHA-ALPHA-20090317-0314.iso full install.
I was testing adding a second WAN on OPT1. Went to interfaces, OPT1 and enabled.
Set for static, set IP and subnet. The gateway option had a handy 'add a new one' button.
When adding a new gateway this way, the name defaulted to OPT1-GW, which appears to be an invalid name.
Changing the name to OPT1GW works fine. For the lazy who just want to click-through, setting an invalid default causes confusion.

IPsec / Alix IPsec benchmarks 1.2 1.2.2 1.2.3 glxsb hifn
« on: February 27, 2009, 05:05:43 pm »
I've done some testing with a couple of Alix 2c3 boxes with iperf.
All tests were done using the same setup:
PCs are running base loads of FreeBSD 7.1 beta2, em NICs. Alix WANs connected via crossover.
The hifn cards used were Soekris vpn1411's in each box.

Here it is with AES-128:
1.2             14 Mb/s
1.2 (hifn)      37 Mb/s
1.2.2           14 Mb/s
1.2.2 (glxsb)   13 Mb/s  *kldload glxsb.ko on each box after booting
1.2.2 (hifn)    26 Mb/s
1.2.3           13 Mb/s  *pfSense-1.2.3-20090225-0212.img (glxsb is in the kernel)
1.2.3 (hifn)    12 Mb/s

This is with 3DES:
1.2              8 Mb/s
1.2 (hifn)      39 Mb/s
1.2.3            8 Mb/s
1.2.3 (hifn)    27 Mb/s

Granted there could be faults with my testing, but here are some observations:
1) glxsb is not helping IPsec throughput in my configuration. It may be lowering CPU usage, I didn't check that.
2) The vpn1411 helps IPsec throughput significantly.
3) Having glxsb in the kernel is a bad idea if you have a hifn and want to do AES.
4) The 7.x releases seem to be slower with hardware crypto.

These results lead me to believe that keeping glxsb in the 1.2.3 kernel is a bad idea. Perhaps a checkbox that would add it to loader.conf? That way it could be disabled for hifn users.

For sanity checking here are my IPSec settings:
aggressive negotiation
identifier my ip address
rijndael sha1 DH group 2 lifetime 28800 PSK
Phase 2
ESP rijndael (AES) SHA1 PFS 2 lifetime 28800

Installation and Upgrades / Resized 1.2.2 embedded image with Alix tweaks
« on: January 27, 2009, 05:29:02 pm »
A couple of people have expressed interest in a resized embedded image, or an embedded image that defaults to vr0 and vr1, or an embedded version that has simple LED control, so I have uploaded a custom image I made to one of those lame free file sharing sites that makes you watch dumb ads while you download.

Before you try it, be aware that the modifications I made could cause bad things to happen. If you have troubles, please go back to the stock pfSense image and test before reporting any problems.
Also, my upgrade attempts so far with 2.0-alpha and 1.2.3 have resulted in an unbootable system, so the larger image may not be that useful. And if you manage to upgrade it, it will overwrite all the customizations.

I started with the 1.2.2 embedded image and made the following changes:
1) Copied in glxsb.ko from FreeBSD 7.1 to /boot/kernel/ (you could manually load it to test)
2) Copied in alixresetbtn compiled on FreeBSD 7 from code posted on the m0n0wall forum,2210.msg7085.html#msg7085
3) Changed the default NICs to vr0 and vr1 from sis0 and sis1 (no interface assign on Alix)
4) Changed the autoboot_delay from 5 to 2 seconds.
5) Updated /etc/bogons
6) Copied a simple script to /usr/local/etc/rc.d/ to turn on LED2 when fully booted.
7) Added a command to turn off LED2 to /etc/rc.shutdown
8) Resized the image to slightly under 1 GB (so it would fit on various 1 GB cards)

The technique was taken mostly from,1998.msg11406.html

If you want to try this totally unsupported image, you can download it here:
