Topics - Evgeny

1
Russian / Rules in Squid
« on: May 15, 2012, 07:55:24 am »
Apologies in advance if this has already been asked.
I have never worked with Squid myself, but a friend urgently needed it. Everything seems to be running, but there is a strange thing with the rules. If he puts www.bbc.co.uk in the Blacklist, the whole domain is blocked without any problem. But when he wants to block only the player, www.bbc.co.uk/iplayer, the rule "does not fire" and the player opens normally.
What is the catch?

2
Russian / Copyright
« on: July 31, 2011, 09:41:47 pm »

3
Russian / pfSense 1.2.3 packages down?
« on: March 08, 2011, 09:10:55 am »
Could somebody please check. My 1.2.3 does not show any available packages at all. Is the problem on the repository side, or is it something local on my end?
Thanks.

4
Hello,
probably missing something simple here.... nevertheless here is a problem that just kills me.
pfSense-1.2.3
LAN=192.168.0.1/24
WAN=192.168.3.2/24 gateway 192.168.3.1
WAN1(OPT1 em1)=10.0.0.2/24 gateway 10.0.0.1
WAN2(OPT2 em0)=10.0.1.2/24 gateway 10.0.1.1
All interfaces are on different nics, static addressing is everywhere, no external switching between interfaces.
I have a load balancing pool of WAN1 and WAN2 with the IP to monitor set to the respective gateways.
On LAN I have a rule routing all traffic through this load balancing pool.
Test scenario: from a PC connected to LAN I periodically go to the same web site, 97.107.134.79, waiting for all states to disappear between attempts.
Now the dumps. This is my first attempt, which goes through WAN2:
Code:
# tcpdump -ni em0 -e host 97.107.134.79
20:39:48.143093 00:1b:21:7c:a1:6c > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), length 66: 10.0.1.2.2263 > 97.107.134.79.80: S 3695044687:3695044687(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
20:39:48.144004 00:1b:21:7c:a1:6c > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), length 66: 10.0.1.2.30502 > 97.107.134.79.80: S 4101759538:4101759538(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
20:39:48.237129 00:26:f2:56:49:bc > 00:1b:21:7c:a1:6c, ethertype IPv4 (0x0800), length 66: 97.107.134.79.80 > 10.0.1.2.2263: S 2213084595:2213084595(0) ack 3695044688 win 5840 <mss 1420,nop,nop,sackOK,nop,wscale 6>
20:39:48.237379 00:26:f2:56:49:bc > 00:1b:21:7c:a1:6c, ethertype IPv4 (0x0800), length 66: 97.107.134.79.80 > 10.0.1.2.30502: S 2203729880:2203729880(0) ack 4101759539 win 5840 <mss 1420,nop,nop,sackOK,nop,wscale 6>

After some time the same connection request goes through WAN1; please pay attention to the destination MAC addresses:
Code:
# tcpdump -ni em1 -e host 97.107.134.79
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
20:41:44.681552 00:1b:21:7c:a4:57 > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), length 66: 10.0.0.2.37567 > 97.107.134.79.80: S 2385678252:2385678252(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
20:41:44.686356 00:1b:21:7c:a4:57 > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), length 66: 10.0.0.2.28692 > 97.107.134.79.80: S 4256596844:4256596844(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
20:41:44.934133 00:1b:21:7c:a4:57 > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), length 66: 10.0.0.2.56267 > 97.107.134.79.80: S 1503223532:1503223532(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
20:41:47.680118 00:1b:21:7c:a4:57 > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), length 66: 10.0.0.2.37567 > 97.107.134.79.80: S 2385678252:2385678252(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
So, in the second case it uses a different interface but the destination MAC of the WAN2 gateway!
Code:
# arp -an
? (10.0.0.1) at 00:26:f2:56:4b:86 on em1 [ethernet]
? (10.0.1.1) at 00:26:f2:56:49:bc on em0 [ethernet]
...
The problem is intermittent - approximately 90% of connections over the new interface fail. But if an attempt is successful, then the previous interface starts using the 'wrong' destination MAC.
More weird stuff: everything works as expected if I forward traffic through the load balancers WAN-WAN1 or WAN-WAN2.

Could anybody please give me a hint on what is going on here -(((
Thanks!
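An added example, not code from the post above: it automates the comparison Evgeny made by eye, parsing `tcpdump -e` frames and `arp -an` entries and flagging any outbound frame whose destination MAC is not the gateway MAC learned on the capturing interface. The sample lines are constructed in the shape of the output quoted above, and the gateway IP per interface is assumed from the setup listed in the post.

```python
import re

# Constructed sample input, shaped like the `arp -an` output in the post.
ARP_TABLE = """\
? (10.0.0.1) at 00:26:f2:56:4b:86 on em1 [ethernet]
? (10.0.1.1) at 00:26:f2:56:49:bc on em0 [ethernet]
"""

# Constructed sample input: one outbound SYN captured on each WAN interface.
CAPTURES = {
    "em0": "20:39:48.143093 00:1b:21:7c:a1:6c > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), "
           "length 66: 10.0.1.2.2263 > 97.107.134.79.80: S 3695044687:3695044687(0) win 8192",
    "em1": "20:41:44.681552 00:1b:21:7c:a4:57 > 00:26:f2:56:49:bc, ethertype IPv4 (0x0800), "
           "length 66: 10.0.0.2.37567 > 97.107.134.79.80: S 2385678252:2385678252(0) win 8192",
}

# Assumed from the post's setup: the gateway IP each WAN interface should ARP for.
GATEWAYS = {"em0": "10.0.1.1", "em1": "10.0.0.1"}

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<iface>\w+)")
# Timestamp, source MAC, destination MAC, then the first "ip.port > ip.port:" pair.
FRAME_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), .*?: "
    r"(?P<src_ip>[\d.]+)\.\d+ > (?P<dst_ip>[\d.]+)\.\d+:"
)


def parse_arp(text):
    """Build {iface: {ip: mac}} from `arp -an` output."""
    table = {}
    for m in ARP_RE.finditer(text):
        table.setdefault(m["iface"], {})[m["ip"]] = m["mac"]
    return table


def check_frames(captures, arp, gateways):
    """Return (iface, dst_mac, expected_mac) for every frame whose L2 destination
    is not the MAC that ARP learned for that interface's own gateway."""
    mismatches = []
    for iface, text in captures.items():
        expected = arp.get(iface, {}).get(gateways[iface])
        for line in text.splitlines():
            m = FRAME_RE.match(line)
            if m and m["dst_mac"] != expected:
                mismatches.append((iface, m["dst_mac"], expected))
    return mismatches


if __name__ == "__main__":
    for iface, got, want in check_frames(CAPTURES, parse_arp(ARP_TABLE), GATEWAYS):
        print(f"{iface}: frame sent to {got}, but gateway MAC on {iface} is {want}")
```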

5
Russian / Happy New Year!
« on: December 24, 2010, 01:07:55 pm »
Well, the parties will start soon and everyone will wander off completely, so: "Happy New Year, comrades! And long live pfSense!"

6
Development / GIT and URL specification
« on: November 25, 2010, 09:43:34 pm »
Hi,
could somebody explain please why this works:
Code:
$ git fetch git@rcs.pfsense.org:pfsense/my_clone_here.git
but this one does not work:
Code:
$ git fetch ssh://git@rcs.pfsense.org/pfsense/my_clone_here.git
Access denied or bad command
fatal: The remote end hung up unexpectedly
Thanks.

7
General Discussion / Forum notifications get marked by spam filter
« on: November 18, 2010, 11:57:46 am »
Hi forum admins,
it's more annoying than problematic, but when I receive a notification about a personal message or any topic that I am watching, my spam filter reports:
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "MIME-Version"

Indeed in headers we have "Mime-Version: 1.0" two times.

Is it fixable?
Thanks.

8
Russian / What do you dislike about pfSense?
« on: October 28, 2010, 01:51:20 pm »
The topic also covers "what functionality is missing". Please speak up. I am curious to hear.

9
Sorry for the flood...
Don't ask why, but the need has arisen to do proper NAT of TCP ports from one Windows XP interface to another. A quick Google search did not bring much success. Does anybody know a little program that can do this?
Thanks.

10
General Questions / two pfSense boxes and NTP
« on: May 21, 2010, 09:00:03 am »
Trying to make pfSense-nano get its time from pfSense-1.2.3.
On client I see
21 May 09:58:09 ntpdate[46964]: no server suitable for synchronization found
21 May 09:58:14 ntpdate[46967]: no server suitable for synchronization found

On the server I see
09:59:04.710161 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:04.710527 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48
09:59:04.711410 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:04.711455 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48
09:59:04.712534 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:04.712588 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48
09:59:04.713534 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:04.713577 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48
09:59:09.820997 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:09.821065 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48
09:59:09.822234 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:09.822277 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48
09:59:09.823233 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:09.823281 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48
09:59:09.824357 IP 192.168.81.251.123 > 192.168.81.252.123: NTPv4, Client, length 48
09:59:09.824403 IP 192.168.81.252.123 > 192.168.81.251.123: NTPv4, Server, length 48

Can somebody explain why it is not working?
Thanks.
Evgeny.

11
Firewalling / Reusing TCP ports
« on: May 19, 2010, 09:43:46 am »
Hi,
setup:
Cisco----->LAN pfs1 1.2.3 WAN ---->OPTx pfs2 1.2 OPTy----->
For some reason Cisco (not managed by me) sometimes sends SYN packets with a source:destination IP/port combination already present in the pf active connections table (there is a state for this combination).
pfs1 passes these packets through; pfs2 drops them without any notification in the logs.
Question please:
1) what would be the correct behavior?
2) how can I make pfs2 pass these packets without upgrading to 1.2.3?
3) is it 100% that upgrade will fix this?

Thanks,
Evgeny.

12
CARP/VIPs / CARP and rules
« on: May 12, 2010, 08:57:02 am »
Hi!
after connecting one client with Cisco VRRP to pfSense CARP-cluster our logs are hammered with:
Code:
May 12 09:46:00 last message repeated 108 times
May 12 09:43:59 last message repeated 29 times
May 12 09:43:28 kernel: carp_input: received len 20 < sizeof(struct carp_header)
and indeed the packets are received by pfSense:
Code:
09:53:08.614168 IP 10.29.252.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 200, prio 240, authtype simple, intvl 1s, length 20
These 20 byte length packets come from cisco. I thought of explicitly disabling them from reaching our system to get rid of these entries in system log but I found out that there is no rule allowing CARP traffic coming to interface.
Could anybody confirm please: any packet coming to 224.0.0.18 does not go through pf rules?
Thanks.

13
Russian / Official partners
« on: May 06, 2010, 01:19:44 pm »
Does anyone on the forum work at "Гиперметрика"?

14
Russian / DHCP + PPTP on WAN
« on: April 30, 2010, 07:56:57 am »
I have an idea to implement the subject without any VLANs or other contortions. Volunteers needed. Write to me if you can test-drive my code.
If it all works, I will make it into a package for 1.2.3.

PS: I am temporarily making this topic sticky.

15
2.0-RC Snapshot Feedback and Problems - RETIRED / DHCP + PPTP on WAN
« on: April 12, 2010, 10:55:46 am »
Hello!
will it be possible in 2.0 to have:
1) WAN interface gets IP from provider using DHCP.
2) Then PPTP connection is brought up on WAN to access Internet.
Thanks.
