
Topics - jason0

DHCP and DNS / using rfc2136 clients for >1 hostname
« on: January 18, 2018, 01:46:06 am »

I am presently using pfsense 2.3.5 with an older alix board.  I do have a new sg1000 on its way so will be running 2.4.x shortly...

I have several internal web servers behind a nat ipv4 address, and haproxy working the inbound web requests to the servers. 

I found the RFC 2136 clients part of dynamic dns and since I control the dns server (bind9), this makes me very happy.

So I have a configuration based on the howto example working.  YAY!

Since I have 8 different web servers in my domain, it looks like I need 8 rfc 2136 clients: one per name needed. 

Can I use the same key, or do I need to generate a separate key for each name?  The BIND9 Administrator Reference Manual seems to imply yes, so I thought I would check. 

Alternately, might there be a need to be able to have >1 name in an rfc 2136 client?  This way, the rfc 2136 client "granularity" is at the domain level...

If I can use the same key, I probably have some edit suggestions for the rfc 2136 howto...

Thank you in advance for your time...

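As an added example, not from this post and not pfSense or BIND code: a pure-Python sketch of what an RFC 2136 client puts on the wire, with the TSIG signature of RFC 8945 computed by hand. The key name, zone, hostnames, addresses and secret below are constructed. It shows the two things the question turns on: the TSIG MAC is keyed by the key name and covers the whole UPDATE message, so one key can sign changes to any number of names, and one UPDATE can carry as many records as needed. Which names a shared key may touch is decided on the server, not by the key: in BIND an `update-policy { grant <keyname> name <host> A; }` line limits the key to exactly that name, whereas a key listed only in `allow-update` may change anything in the zone. Production clients should use nsupdate or dnspython; this code ignores TSIG Other Data and the response direction.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constants from RFC 1035, RFC 2136 (UPDATE) and RFC 8945 (TSIG)
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALG_HMAC_SHA256 = "hmac-sha256."


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, then the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(buf, pos):
    """Inverse of encode_name; only uncompressed names are ever emitted here."""
    labels = []
    while buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def a_record_update(zone, host_ipv4_pairs, ttl=300, msg_id=None):
    """One unsigned DNS UPDATE that replaces the A RRset of every host listed."""
    msg_id = secrets.randbelow(65536) if msg_id is None else msg_id
    updates = b""
    for host, ip in host_ipv4_pairs:
        owner = encode_name(host)
        # "Delete an RRset": class ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)
        updates += owner + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
        # "Add to an RRset": class IN, real TTL, 4-byte RDATA (section 2.5.1)
        rdata = bytes(int(octet) for octet in ip.split("."))
        updates += owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    # Header: ID, opcode UPDATE, ZOCOUNT=1, PRCOUNT=0, UPCOUNT, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, 0, 2 * len(host_ipv4_pairs), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + updates


def _tsig_variables(key_name, alg, time_signed, fudge, error=0):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3; no Other Data)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(alg) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, 0))


def tsig_sign(message, key_name, secret, now=None, fudge=300):
    """Client side: append a TSIG RR whose MAC covers the whole request."""
    now = int(time.time()) if now is None else now
    covered = message + _tsig_variables(key_name, ALG_HMAC_SHA256, now, fudge)
    mac = hmac.new(secret, covered, hashlib.sha256).digest()
    rdata = (encode_name(ALG_HMAC_SHA256) + now.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", message[:2])[0], 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1   # TSIG is one extra additional RR
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def tsig_verify(signed, keyring, now=None):
    """Server side: (True, 'NOERROR') or (False, TSIG error name); keyring maps key name -> secret."""
    now = int(time.time()) if now is None else now
    _id, _flags, zcount, prcount, upcount, adcount = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(zcount):                           # zone entries: name, type, class
        _, pos = _read_name(signed, pos)
        pos += 4
    for _ in range(prcount + upcount + adcount - 1):  # every RR ahead of the TSIG RR
        _, pos = _read_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = _read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    pos += 10                                         # type, class, TTL, RDLENGTH
    if rtype != TYPE_TSIG:
        return False, "FORMERR"
    alg, pos = _read_name(signed, pos)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_size]
    error = struct.unpack("!H", signed[pos + 12 + mac_size:pos + 14 + mac_size])[0]
    secret = keyring.get(key_name.rstrip("."))
    if secret is None or alg != ALG_HMAC_SHA256:
        return False, "BADKEY"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    # Recreate what the client signed: ADCOUNT without the TSIG RR, message up to it
    unsigned = signed[:10] + struct.pack("!H", adcount - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, alg, time_signed, fudge, error),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    return True, "NOERROR"
```

A single signed message with both www and mail records verifies under the key; changing one address byte, using a different secret, an unknown key name or a clock outside the fudge window fails with BADSIG, BADKEY or BADTIME, which are the same outcomes BIND logs when a misconfigured client updates.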

IPv6 / comcast business head-scratcher...
« on: January 04, 2018, 04:35:07 pm »

I am running
I have enabled ipv6 on my comcast connection at work.  (this is a completely different setup from my residence).

I requested a 60, because it's the only setting that would get a response from comcast.

on my wan, i received a /64...However on my lan and opt1 that are set to track the wan (0 and 1 prefixes respectively) I received /63 networks.

Here's more:

According to my comcast business login, the range is xxxx:yyyy::38:f600::/56.

The wan settings:

The lan settings:
   track wan
   prefix 0

The opt1 settings:
   track wan
   prefix 1

The astute observer would see that both the lan and opt1 ipv6 addresses are in the same subnet.  If I change opt1's prefix to 2, the ip address assigned to opt1 is the same.

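As an added example, not pfSense's code: how a Track Interface prefix ID selects a /64 out of a delegated prefix, using the documentation prefix 2001:db8:0:f600::/56 in place of the masked one above. The assumption is that the hexadecimal prefix ID fills the bits between the delegated length and /64, which is how pfSense documents the setting; the derivation below is my own. With a /56 there are 256 usable IDs, with a /60 only 16, and IDs 0 and 1 must land in different /64s, so two tracking interfaces ending up in the same subnet means either the same ID or a delegation that arrived smaller than the one shown in the portal.

```python
import ipaddress


def prefix_id_capacity(delegated, subnet_len=64):
    """How many /64s a delegation can be split into (the valid prefix-ID range)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    return 1 << max(subnet_len - pd.prefixlen, 0)


def lan_prefix(delegated, prefix_id, subnet_len=64):
    """Subnet for one tracking interface: the prefix ID fills the bits between the
    delegated length and the subnet length (assumption: this mirrors pfSense's
    hexadecimal "IPv6 Prefix ID" on a Track Interface; it is not pfSense code)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    id_bits = subnet_len - pd.prefixlen
    if id_bits < 0:
        raise ValueError(f"{pd} is smaller than a /{subnet_len}; nothing to carve")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {id_bits} bits")
    base = int(pd.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << (128 - subnet_len)), subnet_len))


def plan(delegated, interface_ids, subnet_len=64):
    """Map interface -> subnet and report pairs that collide (same prefix ID)."""
    nets = {name: lan_prefix(delegated, pid, subnet_len) for name, pid in interface_ids.items()}
    names = sorted(nets)
    clashes = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
               if nets[a].overlaps(nets[b])]
    return nets, clashes
```

Running `plan("2001:db8:0:f600::/56", {"lan": 0, "opt1": 1})` gives 2001:db8:0:f600::/64 and 2001:db8:0:f601::/64 with no clash; only identical IDs collide.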

IPv6 / comcast xfinity (residential) non-responsive
« on: January 02, 2018, 11:18:57 pm »

I have been beating my head against comcast for a while now.  I would really like to go native ipv6.

1) my cablemodem is in bridged mode
2) my wan port is set to dhcpv6 (and dhcp for ipv4)
2.5) I am requesting via ipv4 connectivity
2.6) i am requesting prefix size 60
2.7) I am sending a prefix hint
3) ipv4 works fine.

I see the link-local addresses for both wan and upstream, but no global ipv6 at all.

I haven't configured my lan as I am using hurricane electric at the moment. 

When I filter the dhcp logs for dhcp6c, all I see is:

Jan 2 20:47:39   dhcp6c   85061   extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:21:df:12:d0:00:0d:b9:21:55:e4
Jan 2 20:47:39   dhcp6c   85061   failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jan 2 20:47:39   dhcp6c   85061   <3>["/var/etc/"] (31)
Jan 2 20:47:39   dhcp6c   85061   /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined

What do I do?

General Discussion / old/retiring pfsense hardware sought...
« on: December 20, 2017, 12:13:51 pm »

I am building a business but we don't have a solid enough income stream to use something like aws.  I would very much like to find some hardware capable of running pfsense.  For instance: at my day job we have two lanner fw-7541 devices.  I love these things. 

My thought is to ping you guys and see if anyone is retiring/replacing older pfsense hardware that I can acquire before they go to the scrap heap.

So here's my requested criteria:

1) 64-bit capable (assuming x64 hardware)
2) at least 2 gig ram
3) at least 4 gig storage
4) at least 2 ethernet ports (capable of 100mbps, would be very happy with gigabit ethernet)

Would like to have:
a) small form-factor, embedded preferred (no fans, solid state, etc...)
b) a sata port and enough power to drive a 2.5 inch hard drive.
c) upgradable ram...
d) aes-ni cpu crypto
e) capable of running pfsense 2.4+

Please contact me

I don't have a budget yet. 

Traffic Monitoring / ntopng emitter
« on: December 11, 2017, 01:26:25 pm »

The version of ntopng showing in the package manager is 0.8.11, whereas the ntopng's version on their site is 3.x.

Does the 0.8.11 version mean the freebsd ports version, or the actual version of ntopng?

Also, as I am running pfsense on embedded systems, is there a configuration that will send probed info to another ntopng server to be processed and stored there, or should I try to configure nprobe?


DHCP and DNS / Fixed: Not-a-bug: Bug affecting dhcpd failover state
« on: November 08, 2017, 01:37:44 pm »

I believe I found a bug.

I am running pfsense 2.4.1-release (amd64) on two fw-7541c lanner firewalls (not supported by the pfsense team...I know).

I have verified the config.xml files are nearly identical (enclosed). 

The bug is in the dhcpd.conf files on either system.  I have also enclosed both files.

Primary dhcpd.conf excerpt:
   failover peer "dhcp_lan" { primary; ... split 128; mclt 600; }
   failover peer "dhcp_opt2" { secondary; ... }

Secondary dhcpd.conf excerpt:
   failover peer "dhcp_lan" { secondary; ... }
   failover peer "dhcp_opt2" { secondary; ... }

Note that "secondary" appears in the failover description from the primary system, and also does not include split, or mclt. 

With this configuration, no dhcp addresses are handed out by either server on the "dhcp_opt2" aka em4.1002.

In the dhcpd logs on either primary or backup, I see the messages (for the correct interface):
DHCPDISCOVER from xx:yy:zz:aa:bb:cc via em4.1002: peer holds all free leases
DHCPREQUEST for from xx:yy:zz:aa:bb:cc  via em4.1002: not responding (recovering)

Otherwise: carp seems to operate correctly.

The symptoms are that no ip addresses are handed out on the guestwifi, and the following appears on the dhcpd.leases status page:

Pool Status

Failover Group          My State   Since                Peer State      Since
dhcp_lan (LAN)          normal     2017/11/08 18:05:08  normal          2017/11/08 18:05:13
dhcp_opt2 (GUESTWIFI)   recover    2017/11/08 17:53:22  unknown-state   2017/11/08 17:53:22

I followed the instructions on, and no change occurs.

My work-around is I have removed "dhcp server settings" from the sync-options, removed the peer address from the primary dhcp config for the guest wifi, and disabled the guestwifi dhcp server on the secondary system.

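As an added example, not from the post and not pfSense's code: a small audit of the `failover peer` blocks, run over constructed excerpts shaped like the two dhcpd.conf files described above, with documentation-range addresses standing in for the elided ones. It flags the condition in the post, both hosts declaring dhcp_opt2 as secondary, and separately a primary block that lacks split or mclt, which ISC dhcpd takes on the primary side. Running it over both files before a CARP pair is put into service catches exactly the state that leaves a pool in recover/unknown-state instead of normal.

```python
import re

# Constructed excerpts in the shape of the two dhcpd.conf files described in the
# post (addresses from the documentation range; the post itself elides them).
PRIMARY_CONF = """
failover peer "dhcp_lan" {
  primary;
  address 192.0.2.2;
  port 519;
  peer address 192.0.2.3;
  peer port 520;
  max-response-delay 10;
  max-unacked-updates 10;
  split 128;
  mclt 600;
  load balance max seconds 3;
}
failover peer "dhcp_opt2" {
  secondary;
  address 192.0.2.2;
  port 519;
  peer address 192.0.2.3;
  peer port 520;
  max-response-delay 10;
  max-unacked-updates 10;
  load balance max seconds 3;
}
"""

SECONDARY_CONF = """
failover peer "dhcp_lan" {
  secondary;
  address 192.0.2.3;
  port 520;
  peer address 192.0.2.2;
  peer port 519;
  max-response-delay 10;
  max-unacked-updates 10;
  load balance max seconds 3;
}
failover peer "dhcp_opt2" {
  secondary;
  address 192.0.2.3;
  port 520;
  peer address 192.0.2.2;
  peer port 519;
  max-response-delay 10;
  max-unacked-updates 10;
  load balance max seconds 3;
}
"""

BLOCK_RE = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}')


def parse_failover(conf):
    """name -> {"role": "primary" / "secondary" / None, "params": {keyword: rest}}."""
    peers = {}
    for name, body in BLOCK_RE.findall(conf):
        stmts = [s.strip() for s in body.split(";") if s.strip()]
        role = next((r for r in ("primary", "secondary") if r in stmts), None)
        params = {}
        for stmt in stmts:
            parts = stmt.split(None, 1)
            if len(parts) == 2:
                params[parts[0]] = parts[1]
        peers[name] = {"role": role, "params": params}
    return peers


def audit_failover(primary_conf, secondary_conf):
    """Findings that would keep a pool out of the 'normal' failover state."""
    prim, sec = parse_failover(primary_conf), parse_failover(secondary_conf)
    findings = []
    for name in sorted(set(prim) | set(sec)):
        roles = (prim.get(name, {}).get("role"), sec.get(name, {}).get("role"))
        if roles != ("primary", "secondary"):
            findings.append(f"{name}: roles are {roles}, expected ('primary', 'secondary')")
        block = prim.get(name)
        if block and block["role"] == "primary":
            # split and mclt are primary-side statements in ISC dhcpd
            for required in ("split", "mclt"):
                if required not in block["params"]:
                    findings.append(f"{name}: primary block lacks '{required}'")
    return findings
```

On the excerpts above the only finding is for dhcp_opt2 (both sides secondary); dhcp_lan, which the status page shows as normal/normal, passes.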

General Questions / Phantom rules remain after interface deletion
« on: October 10, 2017, 12:44:28 pm »

I am planning to upgrade from 2.1.5 to the latest release.  In the process I have been significantly reducing my network's complexity here: I removed three vlans, openvpn, ipsec, etc.

I can't delete an alias though: I get the error "cannot delete alias.  currently in use by 'block openvpn from logicbox'"

I backed up my configuration and discovered the rule in question (and others) are still defined in the downloaded configuration. 

Aside from rebuilding the entire pfsense router from scratch, or rebuilding the interfaces and deleting the rules, how do I go about stripping out the cruft?

Thank you for your time!

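As an added example, not from the post and not pfSense's code: a script that scans a downloaded config.xml backup for rules bound to interfaces that no longer exist, lists the aliases only those rules still hold on to, and writes a copy with the orphans removed. The sample document is constructed and assumes the usual layout of `<interfaces>`, `<aliases>` and `<filter>/<rule>` in a backup; rule tabs such as OpenVPN and IPsec do not appear under `<interfaces>`, so their names are passed in as still live when the feature is still enabled (in the post OpenVPN was removed, so that rule counts as an orphan).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml backup (assumption about
# the <interfaces>, <aliases> and <filter>/<rule> layout; not a real export).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>bge0</if></wan>
    <lan><if>bge1</if></lan>
  </interfaces>
  <aliases>
    <alias><name>logicbox</name><type>host</type><address>192.0.2.10</address></alias>
  </aliases>
  <filter>
    <rule><interface>lan</interface><descr>allow lan out</descr>
      <source><network>lan</network></source><destination><any/></destination></rule>
    <rule><interface>openvpn</interface><descr>block openvpn from logicbox</descr>
      <source><address>logicbox</address></source><destination><any/></destination></rule>
    <rule><interface>opt2</interface><descr>old vlan rule</descr>
      <source><any/></source><destination><address>logicbox</address></destination></rule>
  </filter>
</pfsense>
"""


def _live_interfaces(root, extra_live):
    # Rule tabs such as "openvpn" and "enc0" are not children of <interfaces>;
    # pass them in extra_live while that feature is still enabled.
    return {iface.tag for iface in root.find("interfaces")} | set(extra_live)


def orphaned_rules(config_xml, extra_live=()):
    """(orphans, freed): rules bound to interfaces that no longer exist, and the
    aliases that only those rules still reference."""
    root = ET.fromstring(config_xml)
    live = _live_interfaces(root, extra_live)
    alias_names = {a.findtext("name") for a in root.iter("alias")}
    orphans, live_refs, orphan_refs = [], set(), set()
    for rule in root.iter("rule"):
        iface = rule.findtext("interface", "")
        refs = {rule.findtext(f"{end}/address") for end in ("source", "destination")} & alias_names
        if iface in live:
            live_refs |= refs
        else:
            orphans.append((iface, rule.findtext("descr", "")))
            orphan_refs |= refs
    return orphans, sorted(orphan_refs - live_refs)


def prune(config_xml, extra_live=()):
    """Return (cleaned_xml, removed_count) with the orphaned rules dropped."""
    root = ET.fromstring(config_xml)
    live = _live_interfaces(root, extra_live)
    filt = root.find("filter")
    doomed = [r for r in filt.findall("rule") if r.findtext("interface", "") not in live]
    for rule in doomed:
        filt.remove(rule)
    return ET.tostring(root, encoding="unicode"), len(doomed)
```

On the sample, the report names the two orphaned rules and shows that logicbox is held only by them, which is the "currently in use by" error in the post; the pruned copy can then be restored through the normal backup/restore page, after a diff against the original.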

General Questions / Known 2.1.4 - 2.1.5 upgrade issues?
« on: October 09, 2014, 12:57:35 pm »

Are there any known issues with 2.1.5?  I would like to know before I commit.  The last time I upgraded none of my ip aliases would work and I almost lost customers.

Thanks for all of your time!

Feedback / New forum slot / advanced search
« on: October 09, 2014, 12:54:06 pm »

When I upgraded from 2.1.3 to 2.1.4, I ran into a show-stopper issue: all of my ip aliases used with carp had stopped working.  There had already been a patch published, and once pointed to the correct forum entry I fixed the problem.  It caused lots of gnashing of the teeth while I was trying to find a fix. 

By the way, I am very happy with the response I got, but that really isn't why I am writing this here under feedback.

Prior to the upgrade I spent some time searching the forums for known issues in upgrading to 2.1.4, but wasn't able to distinguish across the >1000 search responses.

This time before I upgrade, I have tried to search for 2.1.5 issues in the forums and redmine.  Again, there's no easy way to filter out issues pertaining to upgrades. 

When I look at the development forums, I see there is always one titled "x.x Snapshot Feedback and Problems", and when the release occurs, this title rotates to the next snapshot release.

May I suggest a similar forum? Perhaps "<version> confirmed issues"? 

Or perhaps a tag that can be searched for and an advanced search feature? (does smf allow tags?)  Is there such a thing as blessed tags, where only the official developers can say "2.1.5_confirmed_issue"?



I have two firewalls configured with carp.  They are at my remote colo, and I access the network there via ipsec vpn.  I noticed recently that I could only access the lan ip address of the primary firewall, but not the secondary firewall. 

It makes sense: only one of the firewalls will have the ipsec vpn functioning while it's in master mode: the other firewall won't have a clue where to send response packets since there isn't a vpn there at all.  It would need to route through the master firewall.

Is there a means to install a route that is dependent on the vpn NOT being present?  ie: firewall B is in carp backup mode, thus to access my side of the point to point vpn, it would need to route the packets through firewall A.


webGUI / I have to keep re-logging into firewalls
« on: July 09, 2014, 02:38:46 am »

I have two firewalls set up in a carp formation.  As a result, when I am doing package management, or need to compare settings, I will have two tabs on my web browser: one for each firewall.

Once I updated to 2.1.4, when I switch between tabs, I have to login to that firewall again.  Even if a mere 10 seconds passes.  It's as if the session management is clobbering one another.  The act of logging into firewall A breaks the login on the other tab for firewall B.  The system logs on both firewalls show each successful login, but don't have anything when the login is apparently broken.

It's making me a bit crazy.  Is there a fix for this? 

Browser is chrome, safari, and firefox, on two separate macintoshes.


CARP/VIPs / IP Alias on "localhost interface" vs "carp interface"
« on: May 28, 2014, 01:18:03 am »

I have two questions regarding vip aliases, and I will give you a scenario:

I have two firewalls both running pfsense 2.1.3, configured as a primary and secondary CARP pair.

We have a /28 network for our wan ip addresses.  Three are dedicated to my upstream provider's implementation of VRRP.  Another three are dedicated to my implementation of carp.  Both CARP and the upstream VRRP work very well together, thanks to a number of answers you guys helped me with earlier.

The remaining 8 ip addresses are assigned as ip aliases and are tied to internal hosts using 1:1 nat.  I ran into the difficulty where the ip aliases did not propagate via pfsync: I solved it by assigning them to "localhost" and this leads me to my question:

1) what is the difference between binding the alias to the 'localhost' interface versus the wan carp interface?  Why would I choose one or the other?

2) what type of problem is resolved by being able to bind a wan ip alias to a different interface?  For instance, I COULD create an ip alias with an additional wan ip, and bind it to my LAN port: but what does that get me?

Is the word "localhost" possibly a misnomer?  Is it more a generic word use like "any of the interfaces listed"?

Thank you for your time!


CARP/VIPs / lan and wan carp state mismatch
« on: February 21, 2014, 12:49:04 am »

I am setting up two pfsense routers.  on my lan side, I have three vlans.  My wan side has no tagged traffic on it.  Each interface has a carp address turned up, and pfsync is operating correctly. 

Upstream are two VRRP switches.  I have both my wan ports on my routers connected to a switch with both vrrp ports connected.  Manual outbound nat is turned up, and all traffic is being mapped to the wan carp address.

The trouble comes from me testing the failover: at least half of the time they cease to pass packets.  I figured out by watching the carp status that the lan side and wan side get out of phase, and the routing gets asymmetric.  I verified this by pinging from an internal host and running tcpdump on each router's wan port:  the icmp echo request exits one router, and the echo reply comes back to the other router.

Is there a way to ensure all carp addresses switch over maintaining one router as active and the other passive?  Should they already do so and something's not right?

I saw the section in the book about using ip aliases and tying them to the carp address, but that looks like aliases on the same interface as the carp address only.



General Questions / Bug? ipsec vpn stopped when vlans configured
« on: February 13, 2014, 03:22:07 pm »

I turned up three vlans on my router and my site to site vpn stopped.  Restoring the configuration and rebooting the firewall fixed it. 

When it happened a second time, I disabled the new vlan interfaces, with no change.  Rebooting again fixed it.

The local racoon logs showed no activity on the ipsec vpn at all.  The remote pfsense racoon logs showed "[Remote Side not responding]"

I have the racoon.conf file before and after the last reboot.  There are three sections missing from the "before" file:

Listen {...}
remote ipaddr {...}
remote anonymous {...}

It's as if the racoon.conf file got mangled and racoon reloaded when I clicked "save changes".

it makes sense: without the Listen part, racoon won't bind to any ports.  If it happens again, I will check the output of sockstat.

Here is the pertinent information:

1) local version of pfsense: 2.1, remote version (other end of site to site vpn): 2.0.3
2) Wan port is bge0
3) vlan ports are only on bge1.

Is this a bug?

IPsec / ipsec in pfsense 2.1: different ipsec tunnels based on user
« on: February 11, 2014, 12:28:45 pm »

Is it possible to have multiple phase 1 settings for mobile IPsec differentiated by user login, authentication source, or group membership? 
For example:
  • I may want to use different phase 1 settings for administrators
  • I may want to use different ip subnets for different user groups

I would like to be able to have different phase 2 entries apply based on the same type of thing.

I expect some of this is based on the limits of racoon underneath pfsense, but I am not certain what those limits really are.

Thanks for thinking about this!

