

Messages - Derelict

Pages: 1 ... 643 644 645 646 [647] 648 649 650 651 ... 653
9691
CARP/VIPs / Re: high availability...1 WAN IP
« on: December 13, 2013, 05:30:12 am »
Isn't pfsync completely independent from CARP/failover?

Check out System->High Avail Sync.

There's no requirement to set up CARP to use it AFAIK.

9692
DOH!

(Worked.)

9693
So I've had a couple of hangs on my home system where the disk just freaks out: I got out-of-inodes errors, could not read or write to the disk, etc.

After a failure and a power cycle I started getting the message below in the dashboard update check area.

I figured the disk was failing so I backed up the config, replaced the drive, installed 2.1 fresh, and restored the config.

This message in the dashboard persists.  "Obtaining update status..." then it barfs this up:

Quote
Version    2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
FreeBSD 8.3-RELEASE-p11
Warning: fopen(/tmp/config.lock): failed to open stream: Device not configured in /etc/inc/util.inc on line 127
Warning: flock() expects parameter 1 to be resource, null given in /etc/inc/util.inc on line 138
Warning: fclose() expects parameter 1 to be resource, null given in /etc/inc/util.inc on line 139
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/util.inc:127) in /usr/local/www/guiconfig.inc on line 48
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/util.inc:127) in /usr/local/www/guiconfig.inc on line 49
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/util.inc:127) in /usr/local/www/guiconfig.inc on line 50
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/util.inc:127) in /usr/local/www/guiconfig.inc on line 51
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/util.inc:127) in /usr/local/www/guiconfig.inc on line 52
Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/util.inc:127) in /usr/local/www/guiconfig.inc on line 55
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /etc/inc/util.inc:127) in /etc/inc/auth.inc on line 1357
Warning: fopen(/tmp/pfSense_version): failed to open stream: No space left on device in /etc/inc/pfsense-utils.inc on line 1620

Unable to check for updates.

Everything seems to work fine.  I even made a quick PHP script doing what the lock function does and it runs fine:

Code:
[2.1-RELEASE][root@cox-gw]/root(26): cat test.php
<?php
// Same open-then-lock sequence the dashboard warning complains about.
if ($fp = fopen("/tmp/config.lock", "w")) {
        if (flock($fp, LOCK_SH)) {
                echo "flock success\n";
                fclose($fp);
        } else {
                echo "flock fail\n";
                fclose($fp);
        }
}
?>

[2.1-RELEASE][root@cox-gw]/root(27): php test.php
Content-type: text/html

flock success
[2.1-RELEASE][root@cox-gw]/root(28): cat /tmp/pfSense_version
2.1-RELEASE
[2.1-RELEASE][root@cox-gw]/root(30):

/tmp/config.lock is fine.  I removed it and it was properly recreated.

System->Firmware->Auto Update works fine:
Quote
Downloading new version information...done
Obtaining current version information...done

You are on the latest version.

Plenty of space:
Code:
[2.1-RELEASE][root@cox-gw]/root(30): df -hi
Filesystem     Size    Used   Avail Capacity iused ifree %iused  Mounted on
/dev/ad4s1a    447G    259M    411G     0%    7.6k   60M    0%   /
devfs          1.0k    1.0k      0B   100%       0     0  100%   /dev
/dev/md0       3.6M     68k    3.3M     2%      34   732    4%   /var/run
devfs          1.0k    1.0k      0B   100%       0     0  100%   /var/dhcpd/dev

All the logs are normal.

Not sure what else to do.  Everything looks fine, except for these error messages in the dashboard.

9694
All RADIUS does is give the NAS instructions in reply attributes.  It's up to the NAS to disconnect the user based on those received attributes.  What NAS is it?
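The division of labour in the post above, as an added example in Python (not code from the post, from pfSense or from any RADIUS server): the server only hands back attributes, and the NAS has to enforce them. The parser follows the RFC 2865 packet layout, and the NAS side refuses to act on a reply whose Response Authenticator does not verify against the shared secret. The Request Authenticator, the shared secret and the Access-Accept itself are constructed here, not captured traffic.

```python
import hashlib
import hmac
import struct

# RFC 2865 codes and the attributes a NAS acts on for session control.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_SESSION_TIMEOUT, ATTR_IDLE_TIMEOUT = 1, 27, 28
TIMER_ATTRS = {ATTR_SESSION_TIMEOUT: "Session-Timeout", ATTR_IDLE_TIMEOUT: "Idle-Timeout"}

def parse_attributes(payload):
    """Walk the attribute TLVs: 1-byte type, 1-byte length (header included), value."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs

def response_authenticator(code, ident, length, request_auth, attrs_body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attrs_body + secret).digest()

def build_response(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply and stamp it with the Response Authenticator."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body

def verify_response(pkt, request_auth, secret):
    """NAS side: refuse to act on a reply whose authenticator does not check out."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    expected = response_authenticator(code, ident, length, request_auth, pkt[20:], secret)
    return hmac.compare_digest(expected, pkt[4:20])

def nas_instructions(pkt, request_auth, secret):
    """What the NAS takes away from a reply: None unless it is an authentic
    Access-Accept, otherwise the timers the NAS itself must enforce."""
    if not verify_response(pkt, request_auth, secret):
        return None
    if pkt[0] != ACCESS_ACCEPT:
        return None
    timers = {}
    for atype, value in parse_attributes(pkt[20:]):
        if atype in TIMER_ATTRS and len(value) == 4:
            timers[TIMER_ATTRS[atype]] = struct.unpack("!I", value)[0]
    return timers

# Constructed sample exchange (not captured traffic): a fixed Request Authenticator,
# a made-up shared secret, and an Access-Accept that ends the session after 3600 s.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"
ACCEPT = build_response(ACCESS_ACCEPT, 7, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600)),
    (ATTR_IDLE_TIMEOUT, struct.pack("!I", 600)),
], REQUEST_AUTH, SECRET)
REJECT = build_response(ACCESS_REJECT, 8, [], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(nas_instructions(ACCEPT, REQUEST_AUTH, SECRET))
```

Nothing in this code disconnects anyone: `nas_instructions` only returns the timers, and a NAS that ignores Session-Timeout simply never drops the session, which is the point of the post. The server-initiated alternative (RFC 5176 Disconnect-Request) is not modelled here.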

9695
Someone crossed the streams.

Glad it's fixed.

9696
Well, that can't happen.

Either sk1 and sk2 are bridged or both those interfaces are on the same LAN segment.

What aren't you telling us?  ;)

9697
OPT1 will never see INBOUND traffic from OPT2 or OPT3.

To keep pfSense from routing between interfaces (assuming typical pass any any rules) you need to, for example, reject traffic INBOUND on OPT2 with *destinations* of OPT1 net and OPT3 net, followed by the pass any any rule.

Regarding DHCP, it sounds like there's a layer 2 problem somewhere which is allowing the wrong interface to receive the DHCP request.  DHCP logs show anything interesting when this happens?

Are each of these interfaces connected to separate LAN segments?  Or are you doing something "different?"

Does your network look like this?
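A first-match model of the rule ordering described in the post above, as an added example in Python (not code from the post or from pfSense). The subnets for OPT1 net, OPT2 net and OPT3 net are assumed; the post does not give them. pfSense installs GUI rules with pf's quick option, so evaluation stops at the first matching rule, which is why the rejects have to sit above the pass-any rule.

```python
import ipaddress

# Assumed interface subnets; the post names the nets but not their addresses.
NETS = {
    "OPT1 net": ipaddress.ip_network("10.0.1.0/24"),
    "OPT2 net": ipaddress.ip_network("10.0.2.0/24"),
    "OPT3 net": ipaddress.ip_network("10.0.3.0/24"),
    "any":      ipaddress.ip_network("0.0.0.0/0"),
}

def rule(action, src, dst):
    return {"action": action, "src": src, "dst": dst}

def evaluate(ruleset, src, dst):
    """First-match evaluation of one interface's inbound rule list; pfSense GUI
    rules carry pf's 'quick', so the first matching rule wins. Default deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for r in ruleset:
        if src in NETS[r["src"]] and dst in NETS[r["dst"]]:
            return r["action"]
    return "block"

# OPT2 inbound, ordered as the post recommends: rejects to the other OPT nets first,
# then the usual pass-any rule.
OPT2_CORRECT = [
    rule("reject", "OPT2 net", "OPT1 net"),
    rule("reject", "OPT2 net", "OPT3 net"),
    rule("pass",   "OPT2 net", "any"),
]

# The same three rules with pass-any on top: the two rejects are never reached.
OPT2_WRONG = [OPT2_CORRECT[2], OPT2_CORRECT[0], OPT2_CORRECT[1]]

def inter_opt_reachable(ruleset, src="10.0.2.10"):
    """What a host on OPT2 gets when it tries each destination under a ruleset."""
    probes = {"OPT1 host": "10.0.1.5", "OPT3 host": "10.0.3.5", "Internet": "198.51.100.7"}
    return {name: evaluate(ruleset, src, ip) for name, ip in probes.items()}

if __name__ == "__main__":
    for label, rs in (("correct order", OPT2_CORRECT), ("wrong order", OPT2_WRONG)):
        print(label, inter_opt_reachable(rs))
```

The model only looks at the rules on the interface the packet enters, which is the point of the post's first sentence: OPT1's rules never see a packet that arrived on OPT2. reject and block are both denials; reject answers with a TCP RST or ICMP unreachable, block drops silently.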


9698
Development / Added Disable HTTPS Forwards to Captive Portal / Github n00b
« on: December 10, 2013, 06:04:34 pm »
I am a total github n00b.  I added a feature some might be interested in.  It allows one to use SSL login pages in captive portal but disable the forwards of connections to port 443 to the CP.

https://github.com/derelict-pf/pfsense/commit/c19339b453e07afd11e8d795e7519ac5c6592667

I have no idea if that is the proper format nor how to view changes in relation to RELENG_2_1.

I did the following:

Forked pfsense on github

$ git clone https://github.com/derelict-pf/pfsense.git
$ cd pfsense
$ git remote add upstream https://github.com/pfsense/pfsense.git
$ git fetch upstream
From https://github.com/pfsense/pfsense
 * [new branch]      RELENG_1_2 -> upstream/RELENG_1_2
 * [new branch]      RELENG_2_0 -> upstream/RELENG_2_0
 * [new branch]      RELENG_2_1 -> upstream/RELENG_2_1
 * [new branch]      master     -> upstream/master
$ git branch nohttpsforwards
Edit etc/inc/captiveportal.inc
Edit usr/local/www/services_captiveportal.php
$ git commit -a

9699
Captive Portal / Re: The dreaded HTTPS pre authentication
« on: December 10, 2013, 04:42:27 am »
I think I have added a "nohttpsforwards" checkbox to my test system.  At least it seems to work here.  Here is my description:

    Disable HTTPS forwards
If this option is set, attempts to connect to SSL/HTTPS (Port 443) sites will not be forwarded to the captive portal. This prevents certificate errors from being presented to the user even if HTTPS logins are enabled. Users must attempt a connection to an HTTP (Port 80) site to get forwarded to the captive portal. If HTTPS logins are enabled, the user will be redirected to the HTTPS login page.

9700
Captive Portal / Re: The dreaded HTTPS pre authentication
« on: December 09, 2013, 12:34:37 pm »
The initial connection is not a redirect.  It is an ipfw forward.  The browser has no idea what is happening.  A cert error is presented to the user because the certificate presented by the CP does not match the site the user is trying to reach.  The initial https session must be established for the redirect to be sent to the browser.

9701
Captive Portal / Re: The dreaded HTTPS pre authentication
« on: December 08, 2013, 09:24:02 pm »
No, there is nothing you can do to avoid the initial cert error when the user is redirected.  The browser is expecting a certificate for, say, www.google.com, and it gets the CP's cert instead.

And when the user says "yes accept permanently" his browser will now trust your cert when going to www.google.com.  Enabling you to, henceforth, be able to MITM that site.  No bueno.
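The failure described in the two posts above (the ipfw forward hands the browser the portal's certificate for a site it never asked about, and a permanent exception then trusts that certificate for the real site), modelled in Python as an added example; this is not code from the posts or from pfSense. The certificates, their SAN lists and the "der" byte strings are constructed stand-ins, and the exception store is a deliberately simple model of a browser: real browsers key exceptions by host and port and refuse click-through for HSTS hosts (www.google.com is preloaded), so the scenario applies to sites without HSTS.

```python
import hashlib

def hostname_matches(requested, san_dns_names):
    """RFC 6125-style DNS-ID check: exact match, or a wildcard covering exactly
    one left-most label. This is the check a browser runs on the cert it is handed."""
    requested = requested.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == requested:
            return True
        if name.startswith("*.") and "." in requested:
            if requested.split(".", 1)[1] == name[2:]:
                return True
    return False

def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

class Browser:
    """Toy model of a browser's per-host certificate exception store."""
    def __init__(self):
        self.exceptions = {}  # host -> fingerprint the user chose to trust

    def check(self, requested_host, cert):
        if hostname_matches(requested_host, cert["san"]):
            return "ok"
        if self.exceptions.get(requested_host) == fingerprint(cert["der"]):
            return "ok-by-exception"   # no warning; the user opted in earlier
        return "mismatch"              # the cert error the posts describe

    def accept_permanently(self, requested_host, cert):
        self.exceptions[requested_host] = fingerprint(cert["der"])

# Constructed certificates; "der" is a stand-in byte string, not a real DER encoding.
CP_CERT = {"san": ["portal.example.net"], "der": b"captive-portal-cert"}
GOOGLE_CERT = {"san": ["*.google.com", "google.com"], "der": b"real-google-cert"}

def scenario():
    """The sequence from the posts: forward to the CP, cert error, permanent
    exception, and what that exception lets through afterwards."""
    browser = Browser()
    steps = []
    # 1. ipfw forwards the TCP/443 connection for www.google.com to the portal; the
    #    TLS handshake presents CP_CERT, whose names do not cover www.google.com.
    steps.append(browser.check("www.google.com", CP_CERT))
    # 2. The user clicks "accept permanently" to get to the login page.
    browser.accept_permanently("www.google.com", CP_CERT)
    # 3. From now on anyone holding the portal's private key who sits on the user's
    #    path can present CP_CERT for www.google.com without a warning.
    steps.append(browser.check("www.google.com", CP_CERT))
    # 4. The genuine site still validates as before.
    steps.append(browser.check("www.google.com", GOOGLE_CERT))
    return steps

if __name__ == "__main__":
    print(scenario())
```

The exception is keyed on the host the user typed, not on the portal's name, which is why it outlives the captive portal session: the browser has no way to tell step 3 apart from step 1.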

9702
Captive Portal / Re: The dreaded HTTPS pre authentication
« on: December 07, 2013, 03:21:00 pm »
Quote
Doesn't make any difference - a user that's not logged in, who attempts to access https://wherever, does not get redirected to the login page.

Yes, they do.  With a cert error.  Just tested on 2.1-RELEASE.

9703
General Questions / Re: OSX Finder very slow browsing shares via VPN
« on: December 07, 2013, 03:08:11 am »
DNS?

9704
General Questions / Re: Vlans not working
« on: December 07, 2013, 03:06:44 am »
Can you post screenshots of Interfaces->(assign), Interfaces->(assign)->VLANs and the WAN, LAN, and OPT interface configs?

9705
General Questions / Re: Network switch sought
« on: December 07, 2013, 02:43:19 am »
Brocade ICX 6430
