Topics - mrzaz

1
Small question:
Will the presentation and presentation PDF used in the "pfSense Hangout - June 2017 - Advanced Captive Portal" session be available in the Hangout Archive soon?
Could not find it there. And the hangout was almost a week ago. I could not attend the hangout but would like to see it afterwards.

Best regards
Dan Lundqvist
Stockholm, Sweden

2
Documentation / Found a small error "Remote_Config_Backup" in Wiki.
« on: May 06, 2017, 12:18:21 pm »
Hello Jim,

I think I found a small error on the "Remote_Config_Backup" page in the Wiki. Or at least differences depending on what platform it is executed on.
https://doc.pfsense.org/index.php/Remote_Config_Backup

I have found that the script for taking backups, and more specifically the "donotbackuprrd=no" option, stopped working in the 2017-02-01 -> 2017-03-01 timeframe
(which is the monthly backup schedule), where it stopped backing up the XML with full RRD.

I started to check the script and made a change from "donotbackuprrd=no" to "donotbackuprrd=0" and then it started working again.
Please update the WIKI page with this. Possibly a note that on some platforms "=0" is needed instead of "=no".

All my backups taken with donotbackuprrd=no do NOT contain RRD data, but when I changed to "donotbackuprrd=0" it started working directly.
Script running on Synology DS713+ with DSM 6.1-15047 Update 1

Code:
root@DiskStation3TB:/volume1/web_backend/tools# /usr/bin/wget --version
GNU Wget 1.15 built on linux-gnu.

+digest +https +ipv6 -iri +large-file -nls +ntlm +opie +ssl/openssl


My working script now contains:

Code:
#!/bin/ash
BACKUPDIR="/volume1/BACKUPNEW/pfsensebak/backup/daily"
USERNAME="<removed>"
PASSWORD="<removed>"
PORT="80"
SITES="x.x.x.x"
ZIP="/usr/bin/zip"
FIND="/usr/bin/find"
RMFILE="/bin/rm"
WGET="/usr/bin/wget"
BACKUPDAYS="30"
cd /volume1/web_backend/tools
for site in $SITES
do
    # 1. Fetch the backup page unauthenticated to obtain its CSRF token.
    $WGET -qO- --keep-session-cookies --save-cookies /tmp/cookies.txt --no-check-certificate --timeout=10 http://$site:$PORT/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > /tmp/csrf.txt
    # 2. Log in with that token; the authenticated page carries a fresh token for the download form.
    #    Note: credentials passed via --post-data are visible to other local users in the process list.
    $WGET -qO- --keep-session-cookies --load-cookies /tmp/cookies.txt --save-cookies /tmp/cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=$USERNAME&passwordfld=$PASSWORD&__csrf_magic=$(cat /tmp/csrf.txt)" --timeout=10 http://$site:$PORT/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > /tmp/csrf2.txt
    # -s (file non-empty) instead of -e: the redirect creates csrf2.txt even when the login failed,
    # so -e never reaches the "Failed" branch and the downloads below would save the login page instead.
    if [ -s /tmp/csrf2.txt ]; then
        DATETMP="`date +%Y%m%d-%H%M%S`"
        FILENAME1="$BACKUPDIR/config-$site-$DATETMP.xml"
        FILENAME2="$BACKUPDIR/config-$site-$DATETMP-withrrd.xml"
        # 3. Download twice: donotbackuprrd=1 skips the RRD data, donotbackuprrd=0 includes it ("=no" does not work, see above).
        $WGET --keep-session-cookies --load-cookies /tmp/cookies.txt --no-check-certificate --post-data "download=download&donotbackuprrd=1&__csrf_magic=$(head -n 1 /tmp/csrf2.txt)" --timeout=10 http://$site:$PORT/diag_backup.php -O $FILENAME1 > /dev/null 2>&1
        $WGET --keep-session-cookies --load-cookies /tmp/cookies.txt --no-check-certificate --post-data "download=download&donotbackuprrd=0&__csrf_magic=$(head -n 1 /tmp/csrf2.txt)" --timeout=120 http://$site:$PORT/diag_backup.php -O $FILENAME2 > /dev/null 2>&1
        rm -f /tmp/cookies.txt
        rm -f /tmp/csrf.txt
        rm -f /tmp/csrf2.txt
        $ZIP -q -9 -j $FILENAME1.zip $FILENAME1
        $ZIP -q -9 -j $FILENAME2.zip $FILENAME2
        $RMFILE $FILENAME1
        $RMFILE $FILENAME2
    else
        echo "Failed to retrieve backup from $site"
    fi
done
# Expire backups older than BACKUPDAYS.
$FIND $BACKUPDIR -type f -name "*.xml.gz" -mtime +$BACKUPDAYS -exec rm {} \;
$FIND $BACKUPDIR -type f -name "*.xml.zip" -mtime +$BACKUPDAYS -exec rm {} \;



I also have a modified version (it requires the rar executable as well):

Code:
#!/bin/ash
BACKUPDIR="/volume1/BACKUPNEW/pfsensebak/hansbuhlin/daily"
USERNAME="<removed>"
PASSWORD="<removed>"
PORT="443"
SITES="x.x.x.x"
RAR="/volume1/web_backend/tools/rar"
FIND="/usr/bin/find"
RMFILE="/bin/rm"
WGET="/usr/bin/wget"
BACKUPDAYS="30"
cd /volume1/web_backend/tools
for site in $SITES
do
    # Same login flow as the script above, over HTTPS. --no-check-certificate accepts the
    # webGUI's self-signed certificate, but it also accepts any other certificate presented on that address.
    $WGET -qO- --keep-session-cookies --save-cookies /tmp/cookies.txt --no-check-certificate --timeout=10 https://$site:$PORT/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > /tmp/csrf.txt
    $WGET -qO- --keep-session-cookies --load-cookies /tmp/cookies.txt --save-cookies /tmp/cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=$USERNAME&passwordfld=$PASSWORD&__csrf_magic=$(cat /tmp/csrf.txt)" --timeout=10 https://$site:$PORT/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > /tmp/csrf2.txt
    # -s instead of -e: an empty token file means the login failed (the file itself always exists).
    if [ -s /tmp/csrf2.txt ]; then
        DATETMP="`date +%Y%m%d-%H%M%S`"
        FILENAME1="$BACKUPDIR/config-$site-$DATETMP-rarpasswordencrypted.xml"
        FILENAME2="$BACKUPDIR/config-$site-$DATETMP-withrrd-rarpasswordencrypted.xml"
        $WGET --keep-session-cookies --load-cookies /tmp/cookies.txt --no-check-certificate --post-data "download=download&donotbackuprrd=1&__csrf_magic=$(head -n 1 /tmp/csrf2.txt)" --timeout=10 https://$site:$PORT/diag_backup.php -O $FILENAME1 > /dev/null 2>&1
        $WGET --keep-session-cookies --load-cookies /tmp/cookies.txt --no-check-certificate --post-data "download=download&donotbackuprrd=0&__csrf_magic=$(head -n 1 /tmp/csrf2.txt)" --timeout=120 https://$site:$PORT/diag_backup.php -O $FILENAME2 > /dev/null 2>&1
        rm -f /tmp/cookies.txt
        rm -f /tmp/csrf.txt
        rm -f /tmp/csrf2.txt
        # -hp encrypts file contents and names; the password is part of the command line,
        # so it is visible in the process list while rar runs.
        $RAR a -ep -m5 -hp<replace with own password> $FILENAME1.rar $FILENAME1
        $RAR a -ep -m5 -hp<replace with own password> $FILENAME2.rar $FILENAME2
        $RMFILE $FILENAME1
        $RMFILE $FILENAME2
    else
        echo "Failed to retrieve backup from $site"
    fi
done
# Expire archives older than BACKUPDAYS.
$FIND $BACKUPDIR -type f -name "*.xml.rar" -mtime +$BACKUPDAYS -exec rm {} \;

//Dan Lundqvist
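A Python version of the same exchange, added here as an example and not part of the post or of pfSense: it reads the `__csrf_magic` token, logs in, requests the download with the numeric `donotbackuprrd` values the post found to work, and checks that what came back is a `<pfsense>` config containing `<rrddata>` rather than the login page. The `<rrddata>` element name and the sample HTML/XML are assumptions constructed for the offline checks; only `fetch_backup()` touches the network.

```python
"""pfSense config backup via diag_backup.php, with sanity checks on the result.

Added example, not the post's script and not pfSense code. Same exchange as the
wget loop above: GET for a CSRF token, POST the login, re-read the token, then
POST the download with donotbackuprrd=0 (RRD kept) or =1 (RRD omitted).
Only fetch_backup() talks to the network; every other helper runs offline.
"""
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from http.cookiejar import CookieJar

# The hidden field pfSense renders as  name='__csrf_magic' value="..."
CSRF_RE = re.compile(r"""name=['"]__csrf_magic['"]\s+value=['"]([^'"]+)['"]""")


def extract_csrf(html: str) -> str:
    """Return the __csrf_magic token found in the page, or '' if there is none."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else ""


def build_login_body(username: str, password: str, csrf: str) -> bytes:
    """Login form body. urlencode() escapes '&', '=' and '%' in the password,
    which plain interpolation into wget's --post-data string does not."""
    return urllib.parse.urlencode({
        "login": "Login",
        "usernamefld": username,
        "passwordfld": password,
        "__csrf_magic": csrf,
    }).encode()


def build_download_body(csrf: str, with_rrd: bool) -> bytes:
    """Download form body. donotbackuprrd takes the numeric 0/1 the post found
    to work: 0 keeps the RRD data, 1 strips it."""
    return urllib.parse.urlencode({
        "download": "download",
        "donotbackuprrd": "0" if with_rrd else "1",
        "__csrf_magic": csrf,
    }).encode()


def check_backup(data: bytes, expect_rrd: bool) -> str:
    """Classify the download response.

    'ok'       a <pfsense> document, with <rrddata> present when expect_rrd
    'no-rrd'   a valid config, but <rrddata> is missing although requested
    'login'    the login page came back (session or token was rejected)
    'not-xml'  anything else (truncated file, error page, ...)
    Assumption: RRD data sits under an <rrddata> element as in config.xml.
    """
    head = data.lstrip()[:256].lower()
    if head.startswith(b"<!doctype html") or b"<html" in head:
        return "login"
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "not-xml"
    if root.tag != "pfsense":
        return "not-xml"
    if expect_rrd and root.find("rrddata") is None:
        return "no-rrd"
    return "ok"


def fetch_backup(base_url: str, username: str, password: str,
                 with_rrd: bool, cafile: str = None) -> bytes:
    """Run the full exchange against a live firewall and return the raw body.
    cafile: PEM bundle that issued the webGUI certificate. Unlike wget's
    --no-check-certificate this keeps TLS verification on."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))
    url = base_url.rstrip("/") + "/diag_backup.php"
    page = opener.open(url, timeout=10).read().decode("utf-8", "replace")
    csrf = extract_csrf(page)
    if not csrf:
        raise RuntimeError("no CSRF token on diag_backup.php")
    page = opener.open(url, build_login_body(username, password, csrf),
                       timeout=10).read().decode("utf-8", "replace")
    csrf = extract_csrf(page)
    if not csrf:
        raise RuntimeError("login did not return a fresh CSRF token")
    return opener.open(url, build_download_body(csrf, with_rrd), timeout=120).read()


# Constructed sample inputs for offline checks (not captured from a real firewall).
SAMPLE_PAGE = ("<form method='post'><input type='hidden' name='__csrf_magic' "
               "value=\"sid:0123abcd,1496700000;ip:deadbeef,1496700000\" /></form>")
SAMPLE_CONFIG_WITH_RRD = (b'<?xml version="1.0"?><pfsense><system><hostname>fw</hostname>'
                          b'</system><rrddata><rrddatafile><filename>system-processor.rrd'
                          b'</filename><xmldata>AAAA</xmldata></rrddatafile></rrddata></pfsense>')
SAMPLE_CONFIG_NO_RRD = b'<?xml version="1.0"?><pfsense><system><hostname>fw</hostname></system></pfsense>'
SAMPLE_LOGIN_PAGE = b'<!DOCTYPE html><html><body><form>login</form></body></html>'
```

Running `check_backup()` on each downloaded file before zipping it catches the case the shell script misses, where a rejected login silently stores the HTML login page as the "backup".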

3
IPv6 / pfSense loses config on IPv6 interface after some time.
« on: March 01, 2017, 03:44:10 pm »
Have seen a problem for a long time that has still not been resolved.
I have a Hurricane IPv6 GIF and an Interface for this.
If I configure the interface with IP/mask/gateway the config is shown in the gui OK.
BUT then, after a few days (sometimes weeks), suddenly the config is gone in the GUI and also in the XML.
But traffic still works OK.

- Happens without reboot. Spontaneously after some time.
- Works for a few days/weeks where IPv6 config is seen as normal in GUI but then suddenly it is gone but traffic still works.
- When it occurs, ping to remote site still works. (see ping below)
- See screenshot with dashboard showing that IPv6 traffic is working even if no config is seen in the GUI.
- Seen also in previous versions up to and including 2.3.3
- Has happened numerous times.
- Also in XML config for interfaces the data is gone.  (See example below)
- Seems like somehow pfSense screws something up and overwrites/removes some of the settings in the IPv6 interface.
  But under the hood, in the OS config, it is still configured and working.
- Never seen it on any other IPv4 interface. It is always the same IPv6 interface.

WHEN OK:
   <opt1>
      <descr><![CDATA[WANv6_TUNNELBROKER]]></descr>
      <if>gif0</if>
      <enable></enable>
      <spoofmac></spoofmac>
      <ipaddrv6>2001:470:27:dd5::2</ipaddrv6>
      <subnetv6>64</subnetv6>

      <gatewayv6>TUNNELBROKERNETGWv6</gatewayv6>
   </opt1>

WHEN FAULT OCCURS:
   <opt1>
      <descr><![CDATA[WANv6_TUNNELBROKER]]></descr>
      <if>gif0</if>
      <enable></enable>
      <spoofmac></spoofmac>
      <gatewayv6>TUNNELBROKERNETGWv6</gatewayv6>
   </opt1>


PING6(56=40+8+8 bytes) 2001:470:27:dd5::2 --> 2001:6b0:8:2::233
16 bytes from 2001:6b0:8:2::233, icmp_seq=0 hlim=57 time=2.123 ms
16 bytes from 2001:6b0:8:2::233, icmp_seq=1 hlim=57 time=6.498 ms
16 bytes from 2001:6b0:8:2::233, icmp_seq=2 hlim=57 time=2.159 ms

--- webc.sunet.se ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 2.123/3.593/6.498/2.054 ms

See attached screenshots.


This is starting to get on my nerves as the fault still occurs, so now I needed to report it.

Please contact me if you need more details for the redmine bug report or if you want me to write it there myself.

Best regards
Dan Lundqvist
MRZAZ.COM
Stockholm, Sweden

4
OpenVPN / OpenVPN Client Export fault in export for TAP and IOS/Android
« on: February 28, 2017, 04:32:25 pm »
Hello,

I was just adding a TAP based OpenVPN server (for the purpose of bridging LAN) on port 1195 and already have an existing OpenVPN Server on 1194
and have now found a bug in the Client Export function.

If I select the "1195" server that is TAP based and select "Inline - OpenVPN Connect (IOS and Android)" and save the file
and then try to use it, it complains about a TUN failure instead of TAP.

I then opened the file created and saw that it was missing the "dev tap" option.

Then tried "Inline - Android" with same thing.
If I select "Standard Config - Config Only" then "dev tap" is included on the first line.

Right now, TAP is not available on Android and IOS in non-rooted mode, but still I think this is a bug.  Shouldn't "dev tap" be included in the config file?

Dan Lundqvist
Stockholm, Sweden

5
DHCP and DNS / Possible bug in DNS Resolver.
« on: October 12, 2016, 09:21:03 am »
Hello,

During investigation of another problem I think I may have stumbled on a possible bug related to DNS Resolver and Forwarding mode.
After reviewing the DNS Hangout with Jim P I thought I had it covered but saw a strange behaviour during the testing.

According to how I have understood it, the whole thing is:
- DNS Resolver in Non-Forwarding mode will do a lookup to available root servers on all available WANs.
- DNS Resolver in Forwarding mode will do lookup to the forwarding DNS IP defined for each WAN gateway.
eg.
The following is defined in General - DNS Server Settings:
DNS Server 1     8.8.8.8     WANGW               - wan - 87.x.x.1
DNS Server 2     8.8.4.4     WAN2MOBILEGW - opt3 - 192.168.125.1

This will send a DNS request to 8.8.8.8 out the WANGW and a DNS request to 8.8.4.4 out on WAN2MOBILEGW.
Of course, the "Outgoing Network Interfaces" in DNS Resolver must have the NIC for WANGW and WAN2MOBILEGW selected. (WAN + WAN2MOBILE in my case)

What I have seen is that even if I define one DNS to only one Gateway, the request is sent to both DNS IPs defined
on all interfaces that have been defined in DNS Resolver as outgoing.

eg. 8.8.8.8 and 8.8.4.4 are sent to both WAN and WAN2
instead of
8.8.8.8 -> WAN
8.8.4.4 -> WAN2
even with this config, it will send out DNS requests to both 8.8.8.8 and 8.8.4.4

These are pcap traces taken on the WAN2MOBILE:
23:38:32.516036 IP 192.168.125.2.61987 > 8.8.8.8.53: UDP, length 63
23:38:32.532043 IP 192.168.125.2.51270 > 8.8.4.4.53: UDP, length 53
23:38:32.617246 IP 8.8.8.8.53 > 192.168.125.2.5918: UDP, length 111
23:38:32.679359 IP 192.168.125.2.11608 > 8.8.4.4.53: UDP, length 56
23:38:32.679987 IP 8.8.4.4.53 > 192.168.125.2.27262: UDP, length 149
23:38:32.691486 IP 8.8.4.4.53 > 192.168.125.2.51270: UDP, length 149
23:38:32.691613 IP 8.8.8.8.53 > 192.168.125.2.61987: UDP, length 111
23:38:32.714615 IP 8.8.4.4.53 > 192.168.125.2.11608: UDP, length 220

What I could see in the /etc/resolv.conf is:
nameserver 127.0.0.1
search mrzaz.com
nameserver 8.8.8.8
nameserver 8.8.4.4

I did a small test where I removed all DNS entries in General and then all DNS lookup stopped working from clients.
$ cat /etc/resolv.conf
nameserver 127.0.0.1
search mrzaz.com

Then I added IPs again without selecting any gateways and saw this.
$ cat /etc/resolv.conf
nameserver 127.0.0.1
search mrzaz.com
nameserver 8.8.8.8
nameserver 8.8.4.4

- How is the DNS defined in General actually tied to a specific gateway in FreeBSD (read Unbound) when defined in pfSense?

Btw. I am using Gateway Group and gateway rules for this in "Rules".

I get the feeling that there is a bug lurking but can't be sure.

UPDATED:
I checked the routing table and I have the following:
8.8.4.4   192.168.125.1   UGHS   57459   1500   ue1   
8.8.8.8   87.96.165.1   UGHS   954168   1500   re0   

So there should be static routes forcing the DNS out the correct interface but still I see both 8.8.8.8 and 8.8.4.4 on ue1 in the example.

After some more tests I had to insert a rule that captured the IP 8.8.8.8 / 8.8.4.4 and forced it through the "default" gateway and not DualGW Gateway group.
So after all, it may not be a bug BUT think this should be handled somehow as this could be a trap that is easy to fall in and difficult to spot.

Best regards
Dan Lundqvist
Stockholm, Sweden

6
Hello,
I am trying to set up a Dual WAN Failover scenario with WAN (static IP interface) + 4G modem WAN2 interface using Gateway Group with Tier1 on WAN and Tier2 on WAN2mobile.

- I have defined one DNS on each WAN (8.8.8.8) and WAN2mobile (8.8.4.4)
- I have tried both Forwarding and Non-Forwarding mode on DNS Resolver.  (but will use the Forwarding mode as it will work better with MultiWAN according to Jim Pingle)
- I have tied the outgoing interfaces in DNS Resolver to WAN + WAN2. (to allow DNS traffic on any of these interfaces)
- I have changed the rules to use the Gateway Group in for all the relevant rules.

The problem I am struggling with is:
How can I prevent the system from sending out any DNS requests on WAN2 until this interface becomes active in the failover scenario (Tier2 becomes active)?
I have tried with and without the "Default gateway switching" but no difference. (Think this should be off, when doing "Gateway Group" AFAIK ?!)
And I do want to use pfSense as resolver for the clients as I want to be able to use the Host override function for local lookups of local services.

I would like the WAN2 interface to be almost silent and only possibly send out some local ARP requests, some local Broadcasts and
possibly some infrequent pings by dpinger to verify connectivity of the interface. I have already disabled all the SSDP packets on
the interface today with rules.

As it is now, I am seeing a lot of DNS requests originating from the pfSense WAN2mobile IP-interface IP towards external DNS servers
and it is NOT triggered by any local LAN PC as the only PC currently using this router is my desktop PC and I have done a packet capture
on the incoming LAN (in pfSense) using promiscuous mode and could not see any device triggering the DNS requests seen out on WAN2.

Am I doing something wrong, or is there a way to use pfSense "DNS Resolver" in a MultiWAN GatewayGroup scenario but only have it send
out DNS requests on WAN2 when Tier2 becomes active?

I want to avoid any unnecessary traffic on the WAN2 interface when it is only idling waiting to take over in a failover scenario.
As the subscription has a cap limit / month on the 4G I do not want to waste any traffic.

Best regards
Dan Lundqvist
Stockholm, Sweden

UPDATED:
Another strange thing is that If I have Forwarding mode set in DNS Resolver and have 8.8.4.4 IP defined as DNS for WAN2
and 8.8.8.8 for WAN, I see DNS forwarding to both 8.8.8.8 and 8.8.4.4 on the WAN2 interface.

23:38:32.516036 IP 192.168.125.2.61987 > 8.8.8.8.53: UDP, length 63
23:38:32.532043 IP 192.168.125.2.51270 > 8.8.4.4.53: UDP, length 53
23:38:32.617246 IP 8.8.8.8.53 > 192.168.125.2.5918: UDP, length 111
23:38:32.679359 IP 192.168.125.2.11608 > 8.8.4.4.53: UDP, length 56
23:38:32.679987 IP 8.8.4.4.53 > 192.168.125.2.27262: UDP, length 149
23:38:32.691486 IP 8.8.4.4.53 > 192.168.125.2.51270: UDP, length 149
23:38:32.691613 IP 8.8.8.8.53 > 192.168.125.2.61987: UDP, length 111
23:38:32.714615 IP 8.8.4.4.53 > 192.168.125.2.11608: UDP, length 220

The following is defined in General - DNS Server Settings:
DNS Server 1     8.8.8.8     WANGW               - wan - 87.x.x.1
DNS Server 2     8.8.4.4     WAN2MOBILEGW - opt3 - 192.168.125.1

What I could see in the /etc/resolv.conf is:
nameserver 127.0.0.1
search mrzaz.com
nameserver 8.8.8.8
nameserver 8.8.4.4

I did a small test where I removed all DNS entries in General and then all DNS lookup stopped working from clients.
$ cat /etc/resolv.conf
nameserver 127.0.0.1
search mrzaz.com

Then I added IPs again without selecting any gateways and DNS lookup started working again even without any gateways selected.
$ cat /etc/resolv.conf
nameserver 127.0.0.1
search mrzaz.com
nameserver 8.8.8.8
nameserver 8.8.4.4

- How is the DNS defined in General actually tied to a specific gateway in FreeBSD when defined in pfSense?

Seems like even if I define one DNS to only one Gateway, the request is sent to both DNS IPs defined
on all interfaces that have been defined in DNS Resolver as outgoing.

eg. 8.8.8.8 and 8.8.4.4 are sent to both WAN and WAN2
instead of
8.8.8.8 -> WAN
8.8.4.4 -> WAN2

Also I still do not know how to limit an outgoing request based on the Gateway group Tier1 or 2 selection mode. 
(eg. only send DNS on interface that is currently active in the group)
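The check below is an added example (not from this post or the previous one) that cross-references the two artefacts quoted in both: the host routes pfSense installs for the General Setup DNS servers and the tcpdump lines from the WAN2MOBILE capture. It flags every query whose source address is not on the interface the route for that DNS server selects. The interface-to-address map is an assumption for the constructed sample (the WAN address is a placeholder, as the posts mask it).

```python
"""Audit which WAN pfSense's own DNS forwarding queries actually leave on.

Added example, not from the posts. Inputs are the two artefacts quoted in the
threads: the host routes pfSense adds for the General Setup DNS servers (flag H,
one per server) and tcpdump lines from a capture on WAN2MOBILE. A query is
misrouted when its source address is not the address of the interface that the
host route for that DNS server points at.
"""
import re
from collections import Counter

# "HH:MM:SS.usec IP src.port > dst.53: UDP, length N"  (query direction only)
QUERY_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.53: UDP")


def parse_host_routes(lines):
    """Map destination -> (gateway, interface) for every host route (flag H)."""
    routes = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 6 and "H" in parts[2]:
            routes[parts[0]] = (parts[1], parts[5])
    return routes


def parse_dns_queries(lines):
    """Return (time, src, dst) for each outbound UDP/53 query in tcpdump output.
    Replies (source port 53) do not match the pattern and are skipped."""
    hits = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            hits.append(m.groups())
    return hits


def misrouted_queries(queries, routes, iface_addrs):
    """Return (time, src, dst, expected_iface, actual_iface) for each query that
    left via the wrong interface. Queries to servers without a pinned host route
    are skipped: there is nothing to compare against."""
    addr_to_iface = {addr: iface for iface, addr in iface_addrs.items()}
    bad = []
    for ts, src, dst in queries:
        if dst not in routes:
            continue
        expected = routes[dst][1]
        actual = addr_to_iface.get(src)
        if actual != expected:
            bad.append((ts, src, dst, expected, actual))
    return bad


def summarize(bad):
    """Count misrouted queries per (source address, DNS server) pair."""
    return Counter((src, dst) for _, src, dst, _, _ in bad)


# Constructed from the lines quoted in the thread.
ROUTE_LINES = [
    "8.8.4.4   192.168.125.1   UGHS   57459   1500   ue1",
    "8.8.8.8   87.96.165.1   UGHS   954168   1500   re0",
]
CAPTURE_LINES = [
    "23:38:32.516036 IP 192.168.125.2.61987 > 8.8.8.8.53: UDP, length 63",
    "23:38:32.532043 IP 192.168.125.2.51270 > 8.8.4.4.53: UDP, length 53",
    "23:38:32.617246 IP 8.8.8.8.53 > 192.168.125.2.5918: UDP, length 111",
    "23:38:32.679359 IP 192.168.125.2.11608 > 8.8.4.4.53: UDP, length 56",
    "23:38:32.679987 IP 8.8.4.4.53 > 192.168.125.2.27262: UDP, length 149",
    "23:38:32.691613 IP 8.8.8.8.53 > 192.168.125.2.61987: UDP, length 111",
]
# Assumed interface addresses: ue1 carries the WAN2MOBILE address seen in the
# capture; the WAN (re0) address is a placeholder because the posts mask it.
IFACE_ADDRS = {"ue1": "192.168.125.2", "re0": "87.x.x.2"}


def audit(route_lines=ROUTE_LINES, capture_lines=CAPTURE_LINES, iface_addrs=IFACE_ADDRS):
    """Parse both inputs and return the misrouted queries."""
    return misrouted_queries(parse_dns_queries(capture_lines),
                             parse_host_routes(route_lines), iface_addrs)


if __name__ == "__main__":
    for ts, src, dst, want, got in audit():
        print(f"{ts} {src} -> {dst}: route says {want}, left via {got}")
```

On the sample, only the query to 8.8.8.8 is reported: its host route points at re0, yet it left from the ue1 address, which is exactly the symptom described in both posts.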

7
DHCP and DNS / Strange DNS queries on wrong WAN.
« on: September 18, 2016, 04:08:26 am »
Hello,
I have a strange behaviour that I can't figure out what it originates from.

I have 3 WAN, where WAN3 is going through a mobile broadband dongle.

WAN1 is the main outgoing, but WAN2 is used, by rules, for outgoing from some machines. (outgoing loadbalancing)
WAN3 is not set as default and does not have any rules pointing traffic to this interface. (at the moment)

I have DNS Forwarder setup and 2 DNS IPs defined pointing to WAN1 under general.
I have checked and only dnsmasq and NOT unbound is enabled. (unbound is not even in the service table as it is switched off)

I also have the following:
DNS Query Forwarding
Query DNS servers sequentially = TRUE
(If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel.)

According to this, only the DNS servers defined should be queried and NOT root server 8.8.8.8

BUT, what I see when doing packet capture is that something still generates DNS traffic from the pfSense WAN3 IP to google root DNS 8.8.8.8
and I can not figure out what and also HOW, as it should not be possible depending on how pfSense is configured.

Anyone who has any idea of HOW and WHY these requests go out and from WHAT?

I run pfSense 2.3.2

Dan Lundqvist
Stockholm, Sweden

8
Hello,

I have been trying to use pfSense 2.3.2 Bootstrap webgui in a mobile Samsung S7 Edge and have tested both Internal browser and also Chrome
but have found a problem related to expanding long menus and scrolling.

What happens is that the browser, when in "mobile mode" does not recognize that the screen is "getting longer" when a large menu is expanded
so when trying to scroll down the whole screen it stops prematurely and I am not able to scroll down to the bottom to see all items in the menu.

I have tried to use the "Get PC version" in the internal browser but no good, but managed to use "Get desktop version" in Chrome but with the disadvantage
that it then zooms out to the whole screen and that contradicts the whole scaling capability of Bootstrap. That it would scale well regardless of display size.

All other scaling to mobile devices works perfectly in Bootstrap, but not the menus. These need some rework for optimal usage on small mobile devices.

Screenshot_20160904-121238.png      Screenshot when only expanding the menu.
Screenshot_20160904-121247.png      Screenshot when expanding the "Services" menu and scrolling page to bottom. As seen missing 6 entries in the menu.
Screenshot_20160904-121255.png      Screenshot when expanding the "Diagnostics" menu and scrolling page to bottom. As seen missing 21 entries in the menu.

If needed, I can write a bug report in redmine ?

Best regards
Dan Lundqvist
Stockholm, Sweden

UPDATE: I have now tested the same in Windows and using FireFox and Chrome and minimize the browser window so it scales down to 1 column mode
and I see the same problem.... If I select menu and then a menu item with long list I am not able to scroll down to the last item.  Same as for the mobile.
The scroller, seems to scroll only the underlying dashboard page and not the full page and it has to do with when the user has selected "Top Navigation = Fixed".

This is a bit catch22.  I wonder if it is possible to dynamically change the TopNavigation from Fixed to "Scrolls with Page" when it switches to 1 column mode
so admins moving from PC to iPad to Mobile don't need to sacrifice and set "Scroll" even if they want Fixed when on Desktop PC?

Or at least add an option so the users can select if they want this behaviour or not.

9
Hello,

I am trying to set up a plain failover scenario with a normal WAN + USB 3G modem PPP but have the
problem that the router does not change the default GW to Tier2 during failover but still sticks to the WAN GW (Tier1).

I have a "ppp0 /dev/cuaU0.0" defined and an interface "MobileWAN" as IPV4 type PPP with correct APN.
If I check the interfaces I get the following:

MOBILEWAN Interface (opt3, ppp0)
Status     up
PPP    up

Uptime (historical)    01:32:01(00:01:53)
Cell Signal (RSSI)    rssi:25 level:-63dBm percent:81%
Cell Mode    None, No Service Mode
Cell SIM State    Invalid SIM/locked State
Cell Service    No Service
Cell Upstream    5625
Cell Downstream    8438
Cell Current Up    2
Cell Current Down    2
MAC Address    00:00:00:00:00:00
IPv4 Address    79.102.3.99
Subnet mask IPv4    255.255.255.255
Gateway IPv4    10.64.64.0

IPv6 Link Local    fe80::82ee:73ff:fe18:9ab8%ppp0
MTU    1492
In/out packets    6354/13551 (350 KiB/574 KiB)
In/out packets (pass)    6354/13551 (350 KiB/574 KiB)
In/out packets (block)    183/0 (24 KiB/0 B)
In/out errors    0/0
Collisions    0

I have verified to traceroute using the Src IP and it seems to work OK.  It goes out the PPP route instead of WAN.

In the Routing/Gateways Tab I have added a working IP for the MonitorIP as it is normally cloaked with ppp.
I have set the weight to "2". (And weight "1" on the WAN Gateway).  WAN Gateway is set as "Default Gateway".

I have created a Gateway Group called "FailoverMOBILE" and selected WAN gateway as "Tier1" and MOBILEWAN_PPP as "Tier2"
and the trigger level (right now) to "Member Down".

I have also added 2 DNS addresses on the MOBILEWAN under General Setup as well as added MOBILEWAN to the outgoing NIC in DNS Resolver.

If I then check Status/Gateways both WAN + MOBILEWAN_PPP shows RTT and Loss figures OK and Status is ONLINE on both.
If I then check Status/Gateway Groups, Tier1 WAN ONLINE and Tier2 MOBILEWAN_PPP ONLINE.
If I check the Routes table, WAN GW is the "default".

I then try to trigger a fault by disconnecting the WAN cable and then the WAN in Gateway and Gateway Groups goes OFFLINE.
BUT, even after waiting minutes the "default" gateways in Routes still points to WAN GW IP.
And when trying traffic from inside LAN I get "Destination host unreachable" from the pfSense machine. (which is normal as the GW still points to WAN)

If I then force the MOBILEWAN_PPP as "Default Gateway" in the Gateways tab manually, then traffic resumes and I can surf from inside again. (using MOBILEWAN GW)

Question is why the router does not change the default gateway to MOBILEWAN_PPP when the WAN Gateway is marked OFFLINE?
Anyone who has an idea?

I am running:
Version    2.3.2-RELEASE (amd64) built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5
Platform    pfSense
CPU Type    Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz 4 CPUs: 1 package(s) x 4 core(s)

Best regards
Dan Lundqvist
Stockholm, Sweden

UPDATE:  I tried to change to "Packet loss" in Gateway Group but it still did NOT change the "default" gw to PPP but sticks to WAN IP that is disconnected/DOWN.
General log shows:
Aug 20 20:28:05    php-fpm    17795    /rc.newipsecdns: MONITOR: Alltele is down, omitting from routing group FailoverMOBILE
Aug 20 20:28:06    xinetd    12378    Reconfigured: new=0 old=1 dropped=0 (services)
Aug 20 20:28:06    xinetd    12378    readjusting service 6969-udp
Aug 20 20:28:06    xinetd    12378    Swapping defaults
Aug 20 20:28:06    xinetd    12378    Starting reconfiguration
.
Aug 20 20:28:05    php-fpm    17795    /rc.filter_configure_sync: MONITOR: Alltele is down, omitting from routing group FailoverMOBILE

Gateway log shows:
Aug 20 20:32:10    dpinger       Alltele 87.96.165.1: sendto error: 65
numerous times....

10
Packages / Revamp of an old closed question regarding uPnP proxy.
« on: January 14, 2015, 07:22:03 pm »
This is to revamp an old question regarding "uPnP proxy" that was answered by jimp but was only partly true.
https://forum.pfsense.org/index.php?topic=58956.msg316481#msg316481

The IGMP Proxy that is included in pfSense is good at handling local LANs physically tied to a defined NIC.
However, it does not work well in an IPSec Site2Site routed environment and also not good in an OpenVPN Peer2Peer Site2Site routed environment.

- For IPSec, you don't get any NIC to tie in as Downstream. (AFAIK)

- For OpenVPN in Peer2Peer SharedKey, you will have both the routed net (routing table) and also the transport /30 net.
  If you connect an interface to the ovpnsX network port, it will only place the packets from the upstream on the
  traffic net and not on the LAN on the destination side. (as far as I have seen when doing tests)

The only thing that works is when you set up an OpenVPN Server (and create an interface tied to this ovpns) and connect with
a normal client where the client is getting its real IP on the same net as the pfSense OpenVPN adapter.
(eg. pfSense on 192.168.123.1 and PC client connected with OpenVPN client get 192.168.123.2)
This I have tried and it works, but I could not get the site2site version working.
The SSDP packets doesn't go all the way to the destination LAN but gets stuck halfway.

The uPnP Proxy works in another way where it sets up a "Layer 3" routable connection between 2 or more locations
and lets the system take care of the transport between the entities. Then the proxy extracts the encapsulated SSDP
and drops it out on the local LAN. (similar to what IGMP proxy does)

I would really like the uPnp Proxy compiled as a package, but don't know if I have the skills to make the existing
into a working package!?

Best regards
Dan Lundqvist
Stockholm, Sweden

11
Running 2.2 RC, upgraded from 2.1.5

Feels like there should be a setting to set DPD logging to "Silent" as it is filling up the IPSec log in no time,
rendering the internal 50 entries logfile pretty useless.

Code:
Dec 14 22:38:14 charon: 12[ENC] parsed INFORMATIONAL_V1 request 3909045383 [ HASH N(DPD_ACK) ]
Dec 14 22:38:14 charon: 12[NET] received packet: from x.x.x.142[500] to y.y.y.51[500] (108 bytes)
Dec 14 22:38:14 charon: 12[NET] sending packet: from y.y.y.51[500] to x.x.x.142[500] (108 bytes)
Dec 14 22:38:14 charon: 12[ENC] generating INFORMATIONAL_V1 request 1435593695 [ HASH N(DPD_ACK) ]
Dec 14 22:38:14 charon: 12[ENC] parsed INFORMATIONAL_V1 request 3707901410 [ HASH N(DPD) ]
Dec 14 22:38:14 charon: 12[NET] received packet: from x.x.x.142[500] to y.y.y.51[500] (108 bytes)
Dec 14 22:38:14 charon: 14[NET] sending packet: from y.y.y.51[500] to x.x.x.142[500] (108 bytes)
Dec 14 22:38:14 charon: 14[ENC] generating INFORMATIONAL_V1 request 2178405737 [ HASH N(DPD) ]
Dec 14 22:38:14 charon: 14[IKE] sending DPD request
Dec 14 22:38:14 charon: 14[IKE] <con3|55> sending DPD request
Dec 14 22:38:11 charon: 14[NET] sending packet: from 2001:x:x:y::2[500] to 2001:x:x:x::2[500] (108 bytes)
Dec 14 22:38:11 charon: 14[ENC] generating INFORMATIONAL_V1 request 2831055247 [ HASH N(DPD_ACK) ]
Dec 14 22:38:11 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3725588196 [ HASH N(DPD) ]
Dec 14 22:38:11 charon: 14[NET] received packet: from 2001:x:x:x::2[500] to 2001:x:x:y::2[500] (108 bytes)
Dec 14 22:38:11 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3921281913 [ HASH N(DPD_ACK) ]
Dec 14 22:38:11 charon: 14[NET] received packet: from 2001:x:x:x::2[500] to 2001:x:x:y::2[500] (108 bytes)
Dec 14 22:38:11 charon: 14[NET] sending packet: from 2001:x:x:y::2[500] to 2001:x:x:x::2[500] (108 bytes)
Dec 14 22:38:11 charon: 14[ENC] generating INFORMATIONAL_V1 request 2380266072 [ HASH N(DPD) ]
Dec 14 22:38:11 charon: 14[IKE] sending DPD request
Dec 14 22:38:11 charon: 14[IKE] <con2|48> sending DPD request
Dec 14 22:38:10 charon: 14[NET] sending packet: from y.y.y.51[500] to x.x.x.130[500] (92 bytes)
Dec 14 22:38:10 charon: 14[ENC] generating INFORMATIONAL_V1 request 3542310356 [ HASH N(DPD_ACK) ]
Dec 14 22:38:10 charon: 14[ENC] parsed INFORMATIONAL_V1 request 3358983493 [ HASH N(DPD) ]
Dec 14 22:38:10 charon: 14[NET] received packet: from x.x.x.130[500] to y.y.y.51[500] (84 bytes)
Dec 14 22:38:04 charon: 15[NET] sending packet: from y.y.y.51[500] to x.x.x.142[500] (108 bytes)
Dec 14 22:38:04 charon: 15[ENC] generating INFORMATIONAL_V1 request 1379051311 [ HASH N(DPD_ACK) ]
Dec 14 22:38:04 charon: 15[ENC] parsed INFORMATIONAL_V1 request 2954687851 [ HASH N(DPD) ]

Dan Lundqvist
MRZAZ.COM
Stockholm, Sweden

12
Background:

I have three phase 1 connections (four Phase 2)
- IPv4, dest1, 1 ph1, 1 ph2
- IPv4, dest2, 1 ph1, 2 ph2
- IPv6, dest2, 1 ph1, 1 ph2

I have one IPSec connection (dest 2) with two Phase 2 nets (192.168.120.0 and 192.168.121.0) going over the same Phase1 connection.

Previously in 2.1.5, this was shown as 4 entries in the Dashboard IPSec table. (Basically one entry representing each phase 2 connection.)
If one phase 2 has gone down, then one entry in the Dashboard IPSec table was down and it was also seen as one down in the Overview screen in the Dashboard IPSec table.

In 2.2 RC, there are still 4 entries in the Dashboard IPSec table and it looks exactly the same as in 2.1.5

HOWEVER now it shows all four entries as green "UP", even if I know that one Phase2 is NOT up.
If I check the IPSec Status page and expand the "Show child SA entries", the "192.168.121.0" net is not up.
Feels to me that this is a bug in the 2.2 RC Dashboard IPSec widget.

(192.168.121.0 net is the OpenVPN Server for roadwarriors and is not always in state where someone is connected = No ping/traffic from this interface over the IPSec.)

See attached screenshots.

UPDATE:
I found this bug #4045 that is supposed to be resolved according to Chris.
https://redmine.pfsense.org/issues/4045
According to cmb, it is not the same fault as 4045, but a new one.

Dan Lundqvist
MRZAZ.COM
Stockholm, Sweden

13
Hello,

Upgraded from 2.1.5 to 2.2 RC and most went OK. However I found, what I think is, a bug.

I have 3 interfaces.   WAN (IPv4 only, DHCP), LAN (IPv4 and IPv6, both static IP) and TUNNELBROKER (IPv6, static IP connected via GIF-tunnel to Tunnelbroker.net)

After the upgrade the system has auto-created a dynamic IPv4 Gateway called "TUNNELBROKER_TUNNELV4"
(which is tied with IPv4) for my TUNNELBROKER IPv6 interface. But as said, this interface is a pure IPv6 and
NOT IPv4 so this dynamic interface should not have been created at all.

The only way a dynamic gateway should be created is if I, on the TUNNELBROKER interface, define IPv4 as DHCP.

It is not possible to remove (only possible to disable).  If I disable it and then remove it, system recreates it again.

See attached screenshots.

UPDATE:
Could possibly be the same/similar as reported in #4102
https://redmine.pfsense.org/issues/4102

"Now, with 2.2 RC, a bogus $IFACENAME_TUNNELV4 dynamic gateway gets created in addition to $IFACENAME_TUNNELV6..."

Best regards
Dan Lundqvist
MRZAZ.COM
Stockholm, Sweden

14
Packages / Bug in package "Bind" for pfSense causing it not to start.
« on: November 07, 2014, 02:04:05 am »
Hello,

I have found a bug in the package "Bind" for pfSense and I think it is a pfSense package bug and not a generic Bind bug.

When the package is installed and configured it always fails to start, with the following error:

Code: [Select]
Nov 7 08:41:11 named[64040]: exiting (due to fatal error)
Nov 7 08:41:11 named[64040]: loading configuration: failure
Nov 7 08:41:11 named[64040]: /etc/namedb/named.conf:22: missing ';' before '}'
Nov 7 08:41:11 named[64040]: loading configuration from '/etc/namedb/named.conf'
.
.
Nov 7 08:41:11 named[64040]: starting BIND 9.9.5-P1 -c /etc/namedb/named.conf -u bind -t /cf/named/

I have verified this on 2 different installations where one never had bind installed prior.

What I found is that the problem occurs when "Forwarder IPs" is defined.

After inspecting the actual named.conf file in "/cf/named/etc/namedb/named.conf" I found a fault
in row 22:  "forwarders { xx.xx.xx.xx };"   NOTE: (I have left out the actual IP).

The problem is that all values should end with a semicolon after the value, also inside the braces.
e.g.
forwarders { xx.xx.xx.xx };
SHOULD BE
forwarders { xx.xx.xx.xx; };

When I changed this in my installation, bind started up just fine and is now working OK.
As the row above IS having my site-specific DNS IP inserted it is not a fault caused by
default bind files shipped with the package but is modified by the local pfSense installation/package.

Could those responsible for the bind package please update the package and release a working one.

For remedy on existing installations to get bind working, do the following:

- Diagnostics / Edit file
- "Browse" for "/cf/named/etc/namedb/named.conf"
- Modify row 22 and add a semicolon after the IP inside the { } in "forwarders { xx.xx.xx.xx; };"
- Save file
- Now try to start the Bind service again.

NOTE!  This modification must be done EVERYTIME you modify anything in the pfSense Bind GUI as it saves
the file again with the faulty missing semicolon. This means even if you just disable/enable the service.
Any modification that requires the Save button to be pressed will remove the semicolon and it needs
to be inserted manually again and restart service.


UPDATED 2014-11-10:
I have reviewed the code and there is no validation of the input whatsoever for the "Forwarders" entry so it will accept anything including text. (this will of course not work with BIND)
No validation/forming that the data to be written to the named.conf is in the correct format is done. The values from the form are written straight into the named.conf file.
I think this is also valid for other multi-edit fields as well on other pages.

This will make it easier to work around though as it is now (short term) possible to write it in the correct format (as bind wants it) in the config page.
Write it in the following form:


<IP>;

or

<IP>;<space><IP>;

or

<IP>;<space><IP>;<space><IP>;

e.g.
10.0.0.1;
10.0.0.1; 10.0.0.2;
10.0.0.1; 10.0.0.2; 10.0.0.3;

//Dan Lundqvist
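The rendering gap described in the post above, as an added example that is not pfSense's or the BIND package's own code: the unvalidated renderer that copies the form value straight into the block, beside a renderer that validates each address and terminates it with ';', plus a check that flags the "missing ';' before '}'" form in a named.conf fragment. Function names and the sample config are assumptions constructed for this example.

```python
import ipaddress
import re

# Constructed sample of a named.conf fragment with the faulty line 3.
SAMPLE_NAMED_CONF = """\
options {
    directory "/etc/namedb";
    forwarders { 10.0.0.1 };
    recursion yes;
};
"""


def render_forwarders_unvalidated(raw_value):
    """The behaviour the post describes: the form value is written into
    the block as-is, so '10.0.0.1' yields a block named rejects, while
    the workaround value '10.0.0.1;' happens to yield a valid one."""
    return "forwarders { %s };" % raw_value.strip()


def render_forwarders(values):
    """Validate every forwarder as an IPv4/IPv6 address and emit a block
    in which each address is terminated by ';' as named requires.
    Raises ValueError on anything that is not an IP address."""
    addrs = []
    for value in values:
        value = value.strip().rstrip(";").strip()  # tolerate the workaround form
        if not value:
            continue
        addrs.append(str(ipaddress.ip_address(value)))
    if not addrs:
        return ""
    return "forwarders { " + " ".join(a + ";" for a in addrs) + " };"


def find_missing_semicolons(named_conf):
    """Return (line_no, line) for every single-line forwarders block that
    contains an element not terminated by ';'."""
    bad = []
    for line_no, line in enumerate(named_conf.splitlines(), start=1):
        match = re.search(r"forwarders\s*\{([^}]*)\}", line)
        if match is None:
            continue
        tokens = match.group(1).split()
        if any(not token.endswith(";") for token in tokens):
            bad.append((line_no, line.strip()))
    return bad


if __name__ == "__main__":
    print(find_missing_semicolons(SAMPLE_NAMED_CONF))
    print(render_forwarders("10.0.0.1; 10.0.0.2;".split()))
```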

15
IPsec / IPSec Tunnel StaticIP_R1->DynamicIP_R2 with 2.1_RC0 possible ?
« on: August 08, 2013, 05:02:59 pm »
Hello,

I just want to get the latest status about the IPSec support in 2.1_RC0.

I have several "normal" tunnels, both IPv4 and IPv6, up and running on Static->Static routers
but am now faced with a problem that I need to connect to a pfSense router that is not allowed to get
static IPs and would like to avoid the "Mobile Client/Roadwarrior" setup as I still want to tunnel
the other end's internal net.

Is it possible to setup an IPSec Tunnel StaticIP_Router1 -> DynamicIP_Router2 using other PeerIdentifier type than IP
and using a DynamicIP hostname in the "Remote gateway" entry?

Of course, there could be temporary problems if R2 is forced to change IP and the tunnel will go down
temporarily until it could re-initialize (the Dynamic IP hostname updates to the new IP, the cached entry is thrown from the DNS cache
and the tunnel inits again) but we could live with that.

I have seen other routers having this feature working so it should be possible and as the whole IPSec stack
has largely been rewritten in 2.1 I was hoping for some better support in this area.

I am running fairly up-to-date 2.1_RC0 on my end.

Best regards
Dan Lundqvist
Stockholm, Sweden
