
Messages - rudivd

1
Dutch / XS4All IPv6 with 2.4.2
« on: January 06, 2018, 05:57:43 am »
Hello,

I had a similar problem before, but after updating
PFsense (behind my Fritz 7369 v. 6.32) there seems to be
a problem again with (I think the MTU on) IPv6.
I am connected to dr14.d12.xs4all.net

Situation:

xs4all - 7369 - PFsense (2.4.2) - internal network

My pfsense properly gets a prefix via dhcpv6 PD from the fritz; I
distribute this prefix with "track interface" over a number of internal interfaces.
So far so good; then I hand out the v6 addresses via slaac with ratvd..

http://test-ipv6.com gives me a 10/10 ;-)
youtube works fine over v6 (only), most v6 sites too.
r.

The problem shows up as some websites "not working"
or loading very, very slowly. Also, often (not always) images
in the facebook (ios) app do not load. A typical site that does not work
over v6 is e.g. www.tilaa.com, my vps provider, or
www.restaurantdejonker.nl

If I turn off v6 on the LAN interface of my pfsense, the problem seems
to disappear. So it is in v6.

NB I have an allow rule for all ICMP v6 types on my pfsense WAN
(and also LAN) interface.

Things I have already tried are

- reducing the MTU on the fritz to 1492 (was an earlier solution)
- reducing the MTU on pfsense both on WAN (to 1492) and on LAN

I have tinkered with this before, and it seemed to have something to do
with PATH MTU discovery for v6 between my client
and the other "side", somewhere. It also had to do with the firmware or
settings of the edge router at xs.

Do people have a similar setup that (does) work? And how is
everything configured then !?

Suggestions are VERY WELCOME

Rudi

2
IPv6 / Re: IPv6 prefix delegation to OVPN interfaces
« on: December 18, 2017, 02:43:30 pm »
I might have solved it by changing my (tunnel) subnet in openvpn.
It was 2001:xxxx:xxxx:FF:: changed it to 2001:xxxx:xxxx:ef:: according
to my real lan interface that got tracked to 2001:xxxx:xxxx:e4:xxxx:xxxx:xxxx:xxxx

It might be something weird with subnets :-) still do not understand that it worked before.

Still I am in favour of the feature request https://redmine.pfsense.org/issues/7281

Rudi

3
IPv6 / Re: IPv6 prefix delegation to OVPN interfaces
« on: December 18, 2017, 11:37:34 am »
Yes, indeed it might, but still weird. Without this proposed change it has worked in 2.2

I selected a prefix for the tunnel network that was within my (provider)assigned prefix,
where also the real interfaces' IP#s were selected from. Also, yes, it was /64. This worked
in 2.2, but ceased to work in 2.4.2....

Grmpf.

Rudi


4
IPv6 / IPv6 prefix delegation to OVPN interfaces
« on: December 18, 2017, 08:38:56 am »
Hi all,

I got prefix delegation working for my DSL connection (fritz-> provider (xs4all)). With the setting "follow interface"
I get clear v6 addresses and subnets on my *wired* (i.e. REAL) interfaces. ipv6 works through these interfaces. Now,
when it comes to OVPN (server) interfaces, I only can set a tunnel network for v6 in the setup. (this is with 2.4.2)

On 2.2.5 I got this working by selecting a subnet within my v6 block, (in the openvpn settings as tunnel subnet)
 but not used by the real interfaces, and not changing anything else (in other settings apart from ovpn).
I had v6 through openvpn with a correct v6 ip address on the client (which was within the selected tunnel
network (as it showed on the internet as well) and had routing to the internet). No problems there.

Getting the same setup working on 2.4.2, I get the idea that the dhcp6 client on WAN just asks and gets subnets for
the wired (real) interfaces, and does not request either the full v6 range or the subnets I select for the OVPN server
in pfsense, as I got outgoing packets from the ovpn client, and can ping6 all real pfsense interfaces including the WAN
but not the router (fritz) and beyond. Yes, I have allowed ipv6* on the OVPN interface to * in firewall rules.....

Any idea here ?! The weird thing is that it looks that the behaviour (either dhcp6c or openvpnd)  has changed
from 2.2.x -> 2.4.2

Thanks !
Rudi


5
OpenVPN / Re: Getting IPv6 to work over OpenVPN
« on: December 18, 2017, 05:11:03 am »
Hi,

Got this very same issue. Moved a working v6 (ovpn) config from 2.2 (yeah, old !)
to 2.4.2, and reconfigured openvpn.

Before, with the same settings in 2.2, I got everything (including openvpn v6) working; now
I got into the (same as you) situation where I see packets over v6 coming to the openvpn link,
but no reply from the (outside) net, while I set rules on the ovpn interface to allow both v4 and v6.
I have the tunnel interface net defined as a /64 from my provider's /58.
V6 routing on non-openvpn interfaces works great !

Do I need a static route to the ovpn interface maybe ?! (not needed before)

It might be due to the fact that the prefixes in the /58 that I use in the client subnet have not
explicitly been requested by dhcpv6 or so ? where before this just worked..
(note, I only changed the version of pfsense, nothing else)

Related question, how do I tell the dhcpv6 client to request that specific prefix as well as the others
that are distributed through the wired interface (ipv6-follow)

Rudi

6
Official pfSense Hardware / Re: SG-3100 Router Advertisement Daemon
« on: November 06, 2017, 01:32:54 pm »
Hi all,

Just received my 3100. (2.4.1-RELEASE) I *need* ravd to work reliably for it to
be deployed. I have not yet tested the box with ravd, but is this bug acknowledged
(and reproducible ? ) ?

Is there an estimate for 2.4.2 where a fix could | should be implemented ?

Thanks ! Rudi

7
Routing and Multi WAN / Re: Apinger stops feeding rrdtool
« on: December 23, 2015, 07:48:47 am »
Anyone got the correct method to restart apinger from cron ?! Got the same problem, really annoying !

Thanks
Rudi

8
IPv6 / xs4all native IPv6 on pfsense
« on: December 18, 2015, 06:00:31 am »
Hi all,

I recently upgraded from 2.1 to 2.2.5 on a soekris 6501.
the setup has a FritzBox (7360 software 6.30) set to Assign DNS server and IPv6 prefix (IA_PD)
How do I get this v6 working with PD on my pfsense ? (earlier I did static IPv6 WAN and added routes to fritz using telnet).
I have on my LAN (and other interfaces ) static v6 ip numbers, and RA on for that subnet on that interface (worked before)
I do not want / need "track interface"

I have read various posts, and came up with the following setup:

interfaces: WAN DHCP6, Advanced send options: ia-pd 0 Identity Assoc Statement: "Prefix delegation" ticked.
I now see some weird behaviour. My WAN gets an (global) v6 number next to the link local ones. I assumed just link local (correct ?)

Now v6 does not work, not even from the pfsense box, let alone from LAN or other interfaces

What is the correct setup here ?? (both for Fritz and pfsense)

It seems that in ratvd.conf (on pfsense) there is also an entry for the WAN interface, which I find strange, as the WAN is just dhcp6 client right ?!

Is there some light on this with you specialists ?
Rudi


9
Firewalling / packets getting blocked
« on: July 11, 2014, 02:50:02 am »
Hi all,

I regularly see packets being blocked from my LAN to outside, where I have set my firewall to allow.
Pretty often they have either FIN ACK, FIN ACK PUSH or ACK PUSH ticked, and are blocked by
the default deny rule ...

Sorry for my ignorance, but I think they should be allowed, or am I thinking wrong ?

Thanks.
R.

10
General Questions / Re: URGENT: pfsense eats his /etc/inc/system.inc
« on: June 27, 2014, 12:48:38 am »
@jimp,

Thanks for your reply. A broken USB media was also the thing I was expecting, but a brand-new
(brand, kingston) USB key did the same thing with the same config, after restart_packages was
called. Now I removed postfix and things look promising (fingers crossed) for 2 days now.

Rudi

11
Packages / Postfix package breaks 2.1.3 ?
« on: June 25, 2014, 04:32:28 am »
Hi all,

I posted this message just today: https://forum.pfsense.org/index.php?topic=78547.0
could this be the return of issue : https://forum.pfsense.org/index.php?topic=44319.0 ?

My system seemingly suddenly looks to corrupt the system.inc file......

Rudi

12
General Questions / URGENT: pfsense eats his /etc/inc/system.inc
« on: June 25, 2014, 02:49:46 am »
Hi all,

I'm running 2.1.3 on a soekris 6501 (boot from usb) where I had no problems for a month or so.
Right now, I see pfsense corrupting the /etc/inc/system.inc on a regular basis. it seems to be
connected to the restarting packages, where either it tries to stop postfix:


Jun 24 19:12:22 pfsense postfix/postfix-script[79176]: fatal: the Postfix mail system is not running
Jun 24 19:12:22 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/postfix.sh stop' returned exit code '1', the output was ''
Jun 24 19:12:22 pfsense php: rc.start_packages: sync_package_postfix called with via_rpc=no
Jun 24 19:12:22 pfsense php: rc.start_packages: The command '/sbin/mount -u -w -o sync,noatime /cf' returned exit code '1', the output was 'mount: /dev/ufs/cf : Device busy'
Jun 24 19:12:23 pfsense php: rc.start_packages: sync_package_postfix called with via_rpc=no
 

or someway it tries to restart unbound:

Jun 24 19:12:53 pfsense php: rc.start_packages: Stopping postfix
Jun 24 19:12:53 pfsense postfix/postfix-script[45581]: fatal: the Postfix mail system is not running
Jun 24 19:12:53 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/postfix.sh stop' returned exit code '1', the output was ''
Jun 24 19:13:00 pfsense php: servicewatchdog_cron.php: Service Watchdog detected service unbound stopped. Restarting unbound (Unbound is a validating, recursive, and caching DN...)
Jun 24 19:13:06 pfsense php: servicewatchdog_cron.php: Message sent to xxx@xxx OK
Jun 24 19:13:09 pfsense php: config.inc: The command '/usr/pbi/unbound-i386/sbin/unbound-control start' returned exit code '1', the output was '[1403629989] unbound-control[91750:0] fatal error: could not exec unbound: No such file or directory'
Jun 24 19:13:14 pfsense Unbound_Alarm[96496]: Unbound has exited.
Jun 24 19:13:14 pfsense Unbound_Alarm[96897]: Attempting restart...
Jun 24 19:13:18 pfsense Unbound_Alarm[1080]: Unbound has resumed.


which then results in a next time :

Jun 24 20:17:15 pfsense postfix/postfix-script[31549]: fatal: the Postfix mail system is not running
Jun 24 20:17:16 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/postfix.sh stop' returned exit code '1', the output was ''
Jun 24 20:17:18 pfsense php: rc.start_packages: The command '/sbin/mount -u -w -o sync,noatime /cf' returned exit code '1', the output was 'mount: /dev/ufs/cf : Device busy'
Jun 24 20:17:19 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/unbound.sh stop' returned exit code '255', the output was ' Parse error: syntax error, unexpected $end, expecting T_VARIABLE or T_END_HEREDOC or T_DOLLAR_OPEN_CURLY_BRACES or T_CURLY_OPEN in /etc/inc/system.inc on line 948'
Jun 24 20:17:19 pfsense php: rc.start_packages: The command '/usr/local/etc/rc.d/unbound.sh stop' returned exit code '255', the output was ' Parse error: syntax error, unexpected $end, expecting T_VARIABLE or T_END_HEREDOC or T_DOLLAR_OPEN_CURLY_BRACES or T_CURLY_OPEN in /etc/inc/system.inc on line 948'

and if you look in the filesystem the first (19:13) action has corrupted /etc/inc/system.inc.
Needless to say the GUI does not work anymore after this.
When I manually copy the system.inc things seem to be ok again.

I have installed the following packages:

mailreport       Network Management     2.0.12
Postfix Forwarder        Services       2.10.2 pkg v.2.3.7
Service Watchdog         Services       1.6 
Unbound  Services       1.4.22_2

Have any of you encountered such a problem ??
This is really weird, as it started occurring seemingly "out of the blue"

Rudi



13
webGUI / Re: OpenVPN client status problem
« on: May 31, 2014, 12:36:20 pm »
Thanks robi,

but if the client ovpn fails, and automagically reconnects, the gui should keep track
I suppose, maybe there is room for enhancement here.

Rudi

14
OpenVPN / OpenVPN client status problem
« on: May 30, 2014, 12:44:43 pm »
Hi all,

In 2.1.3 I see a problem with the openvpn client status display as shown here. Anyone has this same issue ??
https://forum.pfsense.org/index.php?topic=77637.0

Rudi

15
webGUI / OpenVPN client status problem
« on: May 30, 2014, 12:41:03 pm »
Hi,

This problem is related to 2.1.3.

I have 2 openvpn clients defined. If they are connected the status display does not (correctly) reflect the status; when one of the 2 clients has had a successful reconnect it does not show connected, and keeps showing "Unable to contact daemon    Service not running?" although the network to the client is up.

Rudi
