pfSense Gold Subscription

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - Asterix

Pages: [1] 2 3 4 5 6
1
2.4 Development Snapshots / Static Route - Aliases issue
« on: November 10, 2017, 03:38:16 pm »
Having a L3 network I need to setup multiple static routings pointing to different L3 networks that is being managed by my Cisco switch. To make things easier I have setup multiple Aliases referring to the internal networks.. like LAN, VoIP, Video.. etc. and 1 alias covering all IPv4 networks and 1 covering all the IPv6 counterparts. The Aliases work fine under Rules section, never experienced an issue there.

Today I was trying to clean up the Static Route section as I have multiple IPv4 and IPv6 routes. I started by adding an Alias to "Destination Network" which got filled as I started to type one of the defined IPv4 Aliases, then selected 24 under subnet since all my internal IPV4 subnets are /24, then selected the IPv4 gateway I had defined in the gateways section and hit save. At first it looks like the settings stick but this does not work.. the info gets saved but the subnet turns back to /32 and that may be creating issues for the Static Route function to work. Is there a way to either define the subnet and make it stick OR make the subnet part optional since the Alias (network) many have the subnet defined. See similar issue with IPv6 static route as well.

Due to the this issue I had to define 8 static routes (4 IPv4 and 4 IPv6) which could had been easily accomplished with just 2 static routes.

2
Cache/Proxy / E2guardian4
« on: November 09, 2017, 05:49:17 pm »
Installed the E2guardian4 package this evening but having issues getting it to start filtering. I see the below error in the logs. I do not have a CA configured and have selected manual local proxy 127.0.0.1 at port 3128. But the below error seems that E2 is still looking for a CA at port 8888.



/pkg_edit.php: The command '/usr/local/etc/rc.d/e2parent.sh start' returned exit code '1', the output was 'FATAL: No valid signing SSL certificate configured for HTTP_port 127.0.0.1:8888 Squid Cache (Version 3.5.27): Terminated abnormally. CPU Usage: 0.016 seconds = 0.016 user + 0.000 sys Maximum Resident Size: 47616 KB Page faults with physical i/o: 0'

No valid signing SSL certificate configured for HTTP_port 127.0.0.1:8888

3
As the subject says, I am not able to restore Status_Traffic_Totals package. Is there an update required in the config.xml script to pick up the package during a config backup?

4
The dashboard traffic graphs widget does not reflect the custom interface descriptions but just the default names like wan, lan, opt1, opt2.. etc. Previous pfSense widget reflected the custom interface descriptions.

Any idea if the code will be updated for the final release.

5
2.4 Development Snapshots / Snort failing to load rules
« on: January 17, 2017, 12:23:45 pm »
Have been getting this error since last couple of days. Tried updating my 2.4 snapshot and reinstalled snort on a fresh 2.4 install. Getting the same error.

Can anyone help me find that 20835 rule which is causing the issue.


Jan 17 18:15:13   php-fpm   87708   /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 4219 -D -q --suppress-config-log -l /var/log/snort/snort_vmx04219 --pid-path /var/run --nolock-pidfile -G 4219 -c /usr/local/etc/snort/snort_4219_vmx0/snort.conf -i vmx0' returned exit code '1', the output was ''
Jan 17 13:15:13   snort   18792   FATAL ERROR: /usr/local/etc/snort/snort_4219_vmx0/rules/snort.rules(20835) Rule options must be enclosed in '(' and ')'.

6
Virtualization installations and techniques / Errors in VM instance
« on: December 30, 2016, 05:15:48 pm »
I moved too VM last night. Using ESXi 6.5. In the pfSense instance I am seeing a series of constant errors which were present during the install process as well. I thought it may be a corrupt iso file so I re-downloaded twice and now did an upgrade to the latest snapshot. Still these errors.

I am running the ESXi host on a month old SSD drive. Not sure if I need to do anything special to activate TRIM on the host or the guest. Please advice.

7
Routing and Multi WAN / Inter VLAN Routing - Internet Access
« on: December 26, 2016, 02:59:13 pm »
I have a Netgear GSM7248v2 L2 switch. I was searching for a L3 switch as I needed to stop all inter VLAN traffic from going through pfSense. 5TB backups and file transfers were killing the network. After some research I found that my switch infact can do VLAN routing. Found a netgear manual online and followed the steps and now have a good internal routed vlan environment.

My problem now is that only the first VLAN is able to browse the internet and the rest 3 VLANs can only browse if the gateway is set to the respective pfSense NIC instead of the switch IP. With this config the data is still routed through pfSense which kinda beats the purpose of routed VLANs.

Here is my setup.

Switch
LAN (VLAN 10) - 10.1.1.1
VoIP (VLAN 20) - 10.2.1.1
Video (VLAN 30) - 10.3.1.1
.. and so on

The above are IP configured with virtual ports on the switch. Devices on vlan 10 can ping and connect to vlan 20/30 and vice versa. They can all ping the virtual interfaces 10.1.1/1.2/1.3

on pfSense I have similar network with dedicated (no vlans) NICs for each network

LAN - 10.1.1.2
VoIP - 10.2.1.2
Video - 10.3.1.2
.. and so on

Now with normal setup the DHCP on each network assigns the pfSense network interface as the default gateway. This is causing all the devices to route through pfSense to hop on to the other VLAN for file transfers. Tested it multiple times and still see traffic going through pfSense.
Online netgear documentation says to assign the routing vlan IP as the default gateway, which makes sense. But the moment I set the default gateway in DHCP to 10.1.1.1 or 10.2.1.1 for each network, I am unable to browse or route to the internet. I can't even ping the pfSense IP 10.1.1.2 from the other networks as data is not flowing through the VLAN to pfSense.

I believe its a simple routing fix I need to do in pfSense to show it the downstream router/switch IP (10.1.1.1/10.2.1.1....) for directing WAN traffic to the specific network since I can ping from pfSense to the devices in all the subnets as well. I need to change the default gateway for each subnet/network their respective switch IP 10.1.1.1/10.2.1.1....

Could someone please provide step by step direction on how to get this done in pfSense?


Example..

Video network.
IP            10.3.1.xx
Subnet     255.255.255.0
Gateway  10.3.1.1 (switch IP)  (internet works when this is set to 10.3.1.2)
DNS        10.3.1.2 (pfSense DNS)




8
Firewalling / Resolved: T-Mobile CellSpot connectivity issues
« on: October 01, 2016, 10:14:58 pm »
Since past week I have been trying to get my T-Mobile CellSpot connect to T-Mobile network(208.54.0.0). Have turned on NAT reflection and NAT UDP ports 123, 500 and 4500. For some odd reason the firewall is blocking the CellSpot communication ports. This used to work fine till v2.2 but since I have updated to v2.3 the CellSpot has connectivity issue which was all plug and play in the past. I see the firewall states show the Cellspot is creating a connection on ports 500 and 4500 to the T-Mobile network but the data is not going pass the firewall.

9
General Questions / UPnP & NAT-PMP settings restore
« on: June 20, 2016, 09:02:01 pm »
Found a bug (I think)..

If the UPnP & NAT-PMP setting is enabled, a backup and restore to clean install won't restore it's settings. Everything else restores but UPnP & NAT-PMP comes up disabled (unchecked)

10
Packages / ClamAV HTTPS scanning
« on: May 27, 2016, 07:58:55 am »
Did a fresh install of 2.3.1 and installed Squid. Configured exclusive mode (non-transparent). Using WPAD for clients. Checked and confirmed https and https traffic flow thru Squid.

Did a eicar virus download test for ClamAV and I found just http traffic being scanned. It's not scanning https.

Is there any specific setting to get https scanning working?

11
2.3-RC Snapshot Feedback and Issues - ARCHIVED / Inter-LAN traffic
« on: March 02, 2016, 11:05:42 am »
Transferring data from a desktop in LAN to a NAS in Video network. Both LAN and Video are internal networks with 10.1.1.0/24 and 10.3.1.0/24 subnets. A Netgear managed switch takes care of different networks behind pfSense. All the networks have been configured as VLANs in the managed switch.

The pfSense traffic graph reflects the data being transmitted between the two networks. Shouldn't this be totally transparent to pfSense with no knowledge of what's happening behind the scenes? Am I supposed to see the data transfers between the two? If not, what am I missing in the rules that's forcing it to go through pfSense for routing data instead of the switch?

12
I finally got CARP working. It worked for the initial period but after setting Failover peer IP of the opp node I saw the DHCP service would fail to start.

It throws the following error on both master and slave.


Feb 16 00:59:00   php-fpm   98621   /services_dhcp.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igb1 igb2 igb3 igb2_vlan4' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.3-P1 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpd.conf line 32: expecting allow/deny key ignore dynamic ^ /etc/dhcpd.conf line 32: expecting a parameter or declaration ignore dynamic bootp clients; ^ Configuration file errors encountered -- exiting If you think you have received this message due to a bug rather than a configuration issue please read the section on submitting bugs on either our web page at www.isc.org or in the README file before submitting a bug. These pages explain the proper process and the information we find helpful for debugging.. exitin


I have re-checked and the clock on both the nodes are in sync. Not sure what this means "/etc/dhcpd.conf line 32: expecting a parameter or declaration ignore dynamic bootp clients". I checked that path and there is no dhcpd.conf file in /etc folder 

Through online search I found it to be in /var/dhcpd/etc/dhcpd.conf

Line 32 is this.
        hardware ethernet 00:21:6b:ab:08:bc;

13
Have set 1.1.1.1 and 2.2.2.2  /24 pfsync interfaces. Both OPT4 and rules in place. But I am unable to connect the two. Pings fail from both ends. Connected direct through a cat6 cable and even tried using a switch giving it it's own private environment.

Hope it's a bug, as I wasted my entire weekend troubleshooting this. Can anyone please provide some guidance. Thanks.

14
2.3-RC Snapshot Feedback and Issues - ARCHIVED / DNS IPv6
« on: February 06, 2016, 09:30:07 pm »
In 2.3 DNS when doing a host nslookup it does not return the IPv6 address, just the IPv4.

Can an option be added in the DNS resolver to "Register DHCPv6 leases in the DNS Resolver" and "Register DHCPv6 static mappings in the DNS Resolver"?

15
2.3-RC Snapshot Feedback and Issues - ARCHIVED / DHCP Leases sorting
« on: February 02, 2016, 05:33:17 pm »
On DHCP leases page ascending or desending sorting is not working correctly. None of the columns behaving correctly when sorted.

Pages: [1] 2 3 4 5 6