
Messages - parsalog

1
I am fighting this same issue; any updates on this issue? I am running a Supermicro server as well. It seems a lot of people are seeing the trap 12 when using the Intel igb driver specifically?

2
IPsec / Re: IPsec dropping VLAN traffic to only one site
« on: November 17, 2017, 04:14:31 pm »
Solved. I had a typo in phase two on one side, for the VLAN subnet.

3
IPsec / IPsec dropping VLAN traffic to only one site
« on: November 17, 2017, 01:40:06 pm »
This problem has me baffled. I just upgraded my firewall; I am on the newest version of pfSense, clean install. I recreated all my IPsec tunnels to 8 different sites. For only one site, my VLAN traffic fails in one direction. The VLAN is a voice VLAN, so the symptom with only 1 of 8 locations is that I can hear them on the phone, but they cannot hear me; voice traffic is UDP. If I try pinging from that VLAN interface, the pings fail. Pinging does fail in the opposite direction as well.

The other three non-VLAN subnets can all connect through the same tunnel without issue.

4
Routing and Multi WAN / BGP local-AS missing from Neighbor Parameters
« on: December 02, 2016, 10:33:54 am »
I have found myself in a scenario where I need more than one AS assigned to the same box. One is a public AS, the other is a private AS. Doing a little research, it appears the command I am looking for is "local-AS", but it is not in the pull-down options for "Neighbor Parameters". Does anyone know if OpenBGPD supports it? Is there an easy way to edit the list?

5
In doing more testing, I have discovered that it only appears to be Android devices failing; I have only tested Samsung devices so far. I tested an Apple iPad on the 10.1.3.0/24 and a laptop as well, and both were able to access everything on the 10.1.1.0/24. So this appears to be an Android issue????

6
Originally my network had just one subnet, the 10.1.1.0/24, but I ran out of IPs.

As such I added the 10.1.2.0/24 to accommodate more devices.

I guess I could have done a /22, but I was under the impression the router could connect the two subnets, giving me the option to apply firewall rules to the traffic between each.

Just recently I have run out of IPs again, so I have added the 10.1.3.0/24.

Also, what I find interesting is I am only having issues with mobile devices. This IP scheme has been working without issues on my PCs and printers.

7
Which part has you confused?

Under Interfaces the LAN is set with a static IP of 10.1.1.1 and the subnet is a /16.

Under Firewall and Virtual IPs, I have added two virtual IPs, 10.1.2.1 and 10.1.3.1, but with a subnet of /24.

The idea is that any device on the 10.1.2.0/24 will have 10.1.2.1 for its gateway, and any device on the 10.1.3.0/24 will have 10.1.3.1 for its gateway.

8
I have three LAN subnets, 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24; well, more actually, but they fall outside the scope of this issue.

All wireless devices (tablets, phones...) get assigned to the 10.1.3.0/24 via reservations from a DHCP superscope.

All server equipment (web, email...) falls in the 10.1.1.0/24.

Any phone or tablet using the 10.1.3.0/24 can access the outside internet without issue.

My problem is they cannot reach the internal 10.1.1.0/24.

That said, they do "appear" to have the ability to ping, but TCP traffic fails, ports 80 and 443. Can't send email, or pull up internal websites.

I have pfSense configured with a LAN of 10.1.1.1/16 and I have Virtual IPs of type "IP Alias" of 10.1.2.1/24 and 10.1.3.1/24 on the same interface.

9
IPsec / Re: Cron IPsec auto restart on fail, and email notify
« on: April 29, 2013, 10:29:29 am »
Thank you for taking the time to follow up. DPD is disabled for the IPsec, as I found that same conclusion, but my "GRE" tunnels are what's failing.

10
IPsec / Cron IPsec auto restart on fail, and email notify
« on: April 17, 2013, 11:37:33 am »
I had seen this topic previously, but not an answer fitting exactly what I needed. From what I can tell GRE is part of the IPsec service (racoon). My GRE tunnels tend to fail about once a week (connecting to Cisco equipment), and I have to restart the service. Using elements from others I wrote this PHP script, which runs as a cron job and sends a restart command (rather than off and on) only when it can't ping the other side, and then notifies me by email. My code is horrible, and someone with more talent can probably clean it up quite a bit, but it does work. I figure it might help someone else anyhow. I run it with this cron command: "*/4 * * * * root /usr/local/bin/php -q /root/pingresetvpn.php"

<?php
// Cron watchdog for GRE-over-IPsec tunnels on pfSense: pings the far end of
// each tunnel and one outside host, reloads IPsec only when a tunnel is down
// while the internet is up, and emails a report either way.
require_once("util.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
require_once("ipsec.inc");
require_once("vpn.inc");
require_once("service-utils.inc");
require_once("vslb.inc");
include('phpmailer/class.phpmailer.php');

// Sends a short report through the SMTP relay; fill in the host and addresses.
function send_report($subject, $body) {
    $mail = new PHPMailer();
    $mail->IsSMTP();
    $mail->Host = "youropenrelaymailserver";
    $mail->Port = 25;
    $mail->From = "you@yourdomain.com";
    $mail->FromName = "Firewall Report";
    $mail->AddAddress("you@yourdomain.com");
    $mail->Subject = $subject;
    $mail->Body = $body;
    if (!$mail->Send()) {
        echo 'Message was not sent.';
        echo 'Mailer error: ' . $mail->ErrorInfo;
    }
}

// One echo request with a 1 s timeout (-t is the timeout flag of FreeBSD ping).
// exec() puts ping's exit status in the third argument: 0 means the host answered.
exec("/sbin/ping -c 1 -t 1 IpOfOtherSide", $ret1, $exit1); // first GRE tunnel; should work the same for an IPsec tunnel
exec("/sbin/ping -c 1 -t 1 IpOfOtherSide", $ret2, $exit2); // second GRE tunnel
exec("/sbin/ping -c 1 -t 1 8.8.8.8", $ret4, $exit4);       // Google's DNS server, but any external pingable host will do

$value = 0;   // number of tunnel far ends that answered
$outside = 0; // 1 if the outside host answered
if ($exit1 === 0) { print "ping1 Success\n"; $value += 1; } else { print "ping1 Fail\n"; }
if ($exit2 === 0) { print "ping2 Success\n"; $value += 1; } else { print "ping2 Fail\n"; }
if ($exit4 === 0) { print "ping4 Success\n"; $outside = 1; } else { print "ping4 Fail\n"; }
print "Value is " . $value . "\n";

if ($value == 2) {
    print "All is well in Asthland\n";
} elseif ($outside == 1) {
    // A tunnel is down but the internet is reachable: the VPN is at fault, so reload it.
    print "All is well outside the realm, but not at home\n";
    vpn_ipsec_force_reload();
    print "IPsec restarted accordingly\n";
    send_report("GRE is down restarting VPN", "IPsec has been restarted check for problems");
} else {
    // Nothing to restart: the outside is unreachable too.
    print "Not the VPN fault wait for internet\n";
    send_report("Internet is down", "could not ping outside");
}
exit(0); // the checks themselves ran; cron only needs a success status here
?>

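A tidier version of the same watchdog, added here as an example and not the original poster's script: it keeps the poster's restart policy (reload only when a tunnel is down while the outside host answers) but separates the decision from the side effects, logs through syslog instead of PHPMailer, and adds a rate limit so a far end that stays down does not reload IPsec every four minutes. TUNNEL1_FAR_END, TUNNEL2_FAR_END, /var/run/vpnwatch.stamp and /root/restart_ipsec.php (assumed to be a small wrapper around vpn_ipsec_force_reload()) are placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script: decision logic, a restart
# rate limit and a driver for a ping-based GRE/IPsec watchdog on pfSense.
# Far-end addresses, stamp file and restart wrapper are assumed placeholders.

# reachable <host>: one echo request, 1 s timeout (-t is FreeBSD ping's timeout).
reachable() { /sbin/ping -c 1 -t 1 "$1" >/dev/null 2>&1; }

# decide <tunnel1_exit> <tunnel2_exit> <outside_exit>: prints ok | wait | restart.
# Same policy as the PHP script: restart only when a tunnel is down while the
# outside host answers; if the outside is down too, the VPN is not at fault.
decide() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then echo ok
    elif [ "$3" -ne 0 ]; then echo wait
    else echo restart
    fi
}

# allow_restart <stampfile> <min_interval_s> <now_epoch>: returns 0 and records
# the time if at least min_interval_s passed since the last recorded restart.
# Without this, a job firing every 4 minutes keeps reloading IPsec (and
# dropping the tunnels that still work) for as long as one far end stays down.
allow_restart() {
    if [ -f "$1" ]; then
        last=$(cat "$1")
        [ $(($3 - last)) -ge "$2" ] || return 1
    fi
    echo "$3" > "$1"
}

run_watchdog() {
    reachable TUNNEL1_FAR_END && e1=0 || e1=1
    reachable TUNNEL2_FAR_END && e2=0 || e2=1
    reachable 8.8.8.8 && e3=0 || e3=1
    case $(decide "$e1" "$e2" "$e3") in
        ok)   ;;
        wait) logger -t vpnwatch "outside unreachable; leaving IPsec alone" ;;
        restart)
            if allow_restart /var/run/vpnwatch.stamp 1800 "$(date +%s)"; then
                logger -t vpnwatch "tunnel down, outside up: reloading IPsec"
                /usr/local/bin/php -q /root/restart_ipsec.php  # assumed wrapper around vpn_ipsec_force_reload()
            else
                logger -t vpnwatch "tunnel down, reload suppressed by rate limit"
            fi ;;
    esac
}

# cron entry: */4 * * * * root /bin/sh /root/vpnwatch.sh run
case "${1:-}" in run) run_watchdog ;; esac
```
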
11
IPsec / Re: GRE keep alive, connection drops once a week.
« on: February 21, 2013, 03:21:24 pm »
Under Diagnostics, and pfInfo, I noticed some packets are getting blocked; not sure what to do with that info, or if it is relevant.

gre0
   Cleared:     Mon Nov 12 16:28:37 2012
   References:  [ States:  0                  Rules: 10                 ]
   In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In4/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out4/Pass:   [ Packets: 43039508           Bytes: 34927813259        ]
   Out4/Block:  [ Packets: 5993               Bytes: 5565603            ]
   In6/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In6/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out6/Pass:   [ Packets: 22                 Bytes: 1692               ]
   Out6/Block:  [ Packets: 0                  Bytes: 0                  ]
gre1
   Cleared:     Mon Nov 12 16:28:37 2012
   References:  [ States:  0                  Rules: 8                  ]
   In4/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In4/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out4/Pass:   [ Packets: 10901950           Bytes: 1862315434         ]
   Out4/Block:  [ Packets: 8                  Bytes: 320                ]
   In6/Pass:    [ Packets: 0                  Bytes: 0                  ]
   In6/Block:   [ Packets: 0                  Bytes: 0                  ]
   Out6/Pass:   [ Packets: 56                 Bytes: 4292               ]
   Out6/Block:  [ Packets: 0                  Bytes: 0                  ]

12
IPsec / GRE keep alive, connection drops once a week.
« on: February 20, 2013, 05:58:57 pm »
Does anybody know of a way to enable keepalive on GRE? My GRE connections turn off about once a week for unknown reasons, and I have to restart the IPsec service to get them to turn back on.

I am connecting to Verizon through an IPsec transport; they have Cisco equipment on the other side. They say I am showing carrier transition errors. On that note, I am unaware of any GRE diagnostic tools.

I did have to increase net.link.gre.max_nesting in the system tunables to make the connection work in the first place.

Any ideas would be appreciated.

Thank you.

13
Solved!

So fortunately I stumbled across this post: http://forum.pfsense.org/index.php?topic=54243.0

I had enabled RIP when I was transitioning from WatchGuard to pfSense. So I turned it off, as it is no longer needed, and BGP routes now appear. YAY! ;D

14
Good to know someone is out there; thank you acherman.

For what it is worth, looking back on this project, BGP is fairly easy, as things go, once you understand all the terms used... Working with Verizon, translated Cisco network, not much of the language they used lined up... so once I figured out what they were saying it was not too difficult to get connected to their network. If you end up having to use GRE over IPsec transport, like I did, be aware you will have to patch the interface, as pfSense is missing some Cisco compatibility options.

Also, having been through every tutorial I could find on BGP for pfSense, I am of the opinion that many of the guys who write them don't know what they are doing.

Good luck on your effort.

15
Still no solution yet, but I do have a new symptom. If I manually add the route, and BGP sends a route update, then the route I had manually added disappears. But of course the new one does not appear.

Also, I tried launching bgpd as root from SSH, and the results are no different.

I added a "Depends on GRE" line (which is absent from the web interface), and again no difference.

I am starting to wonder if this is a bug. I am running the 64-bit distro. Does anyone out there have a working 64-bit install with BGP?

Also, I am starting to wonder if anyone on pfSense has a correctly working BGP. I have read a couple of BGP tutorials, and each time the user manually added the route, but that makes no sense?

Also, due to the lack of responses I am wondering if I am in the right forum section; moderator thoughts?

2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:16:13 EST 2011
FreeBSD 8.1-RELEASE-p6
