Show Posts


Topics - virgiliomi

16
2.3-RC Snapshot Feedback and Issues - ARCHIVED / DHCPv6 on Track Interface
« on: February 27, 2016, 09:59:03 am »
Again, happy to see this added!! :)

One thing I noticed... while I request a /60 from my ISP, a /64 is given to each of my networks. But when I go to the DHCPv6 Server settings, it shows Subnet Mask: 60 bits. While that holds true for the Prefix Delegation function, I don't think it should be valid for the service to be handing out individual IP addresses outside of the /64 that the interface is using (and while I haven't tested the validation of entering a range outside of my LAN's /64, the way it appears to me is that it would be accepted).

Example... I have 2001:aaaa:bbbb:ccc0::/60 from my ISP... On LAN, I select prefix 2 (2001:aaaa:bbbb:ccc2::/64)... the ADDRESS range I should be able to specify should be within only the /64.

The PREFIXES for delegation obviously need to be within the /60 though. Also, there should probably be an example way to enter the prefixes for delegation, as it took me a bit of trial and error to get it to accept my entries.

Edit to add: If the prefix that has been delegated is just a /64, the Prefix Range boxes should probably be disabled, since there aren't other prefixes that could be sub-delegated.

17
When removing a package, are the dependency packages also removed?

For example, I installed pfBlockerNG, which also installed four other packages as dependencies. When I remove pfBlockerNG, there's a line that says "Removing stale packages... done.", but it seems to appear way too fast for it to have actually removed the four other packages that were installed, if that's what that line is supposed to be showing.

Given that package dependencies are shown under the package description when you go to remove a package, there should be something indicating that the dependencies are being removed as well, or a reason why a package isn't being removed (i.e. it's a dependency for another package that is still installed).

I'm not a FreeBSD shell user, so if there's a command I can use to check the packages that are installed, I'd like to see if those four packages are still present or not.

18
Possible issue with the change of pfSense from lighttpd to nginx? Or is something else used as the web server?

I ran into this both on a VM I was running temporarily, as well as the bare metal (my Celeron J1900 box) that I'm running it on now.

19
I'll create a bug in Redmine if you want me to, but it looks like the logging of WebConfigurator successful logins can't be disabled. I'll check it to be disabled, save the change, and the page will reload showing the box checked. But if I go to the dashboard, then come back to the page, it will show the box as unchecked again, and a logout/login will show another "Successful login..." message on the console.

This is on the first beta build from 1/6... I'm planning to update as soon as the next build becomes available.

20
General Questions / Hardware crypto display doesn't appear
« on: July 28, 2015, 04:17:46 pm »
I haven't found a thread for this yet in the couple of forums that I've looked, so figured I'd start it since I have this issue as well...

It automatically displays on the dashboard where AES-NI is enabled under System>Advanced, Misc, and exists on the system.

This should be in the 'system information' widget, right? I have an A1SRi-2558F, AES-NI is enabled under the misc settings. It doesn't show for me. I tried to disable AES-NI and then enable it again, but that also did not work.

Status -> System logs does show "kernel: aesni0: <AES-CBC,AES-XTS,AES-GCM> on motherboard"
This may or may not be related to bug 4809.

Anyway, as later requested in the upgrade topic...

Start a new thread on that, including the output of:
Code:
grep -i aesni /var/log/dmesg.boot

Code:
Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>
And as with SisterOfMercy, this shows in the Status > System Logs:
Code:
kernel: aesni0: <AES-CBC,AES-XTS,AES-GCM> on motherboard
But even with all that, I see no Hardware Crypto display on the dashboard.

AES-NI was enabled on my system a while ago, and I've done a few updates and reboots since. I didn't realize there was something that should be showing until this topic came up.
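The grep in the post matches two different things at once: the CPU's Features2 flag list and the aesni(4) driver's attach line. The following is an added example (not pfSense's dashboard code) that separates those two facts when checking a dmesg.boot capture. The sample text is constructed around the Features2 and aesni0 lines quoted above; the function names are my own.

```python
"""Check a FreeBSD dmesg.boot capture for AES-NI support.

Added example, not pfSense code. It reports two separate facts that the post's
'grep -i aesni /var/log/dmesg.boot' lumps together: whether the CPU advertises
the AESNI feature flag, and whether the aesni(4) driver actually attached.
"""
import re

# '  Features2=0x43d8e3bf<SSE3,...,AESNI,RDRAND>' style lines (also 'AMD Features2=...')
FEATURE_LINE = re.compile(r"^\s*(?P<name>[A-Za-z ]*Features\d?)=0x[0-9a-fA-F]+<(?P<flags>[^>]*)>")
# 'aesni0: <AES-CBC,AES-XTS,AES-GCM> on motherboard', optionally with a syslog 'kernel: ' prefix
AESNI_ATTACH = re.compile(r"^(?:.*kernel: )?(?P<dev>aesni\d+): <(?P<algs>[^>]*)> on (?P<parent>\S+)")

# Constructed sample built around the two lines quoted in the post.
SAMPLE_DMESG = """\
  Features2=0x43d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,AESNI,RDRAND>
aesni0: <AES-CBC,AES-XTS,AES-GCM> on motherboard
"""

# Constructed sample of a CPU without the flag (bits 0, 3 and 9 set: SSE3, MON, SSSE3).
NO_AESNI_DMESG = "  Features2=0x209<SSE3,MON,SSSE3>\n"


def parse_feature_flags(dmesg_text):
    """Map each 'Features...' line name to the set of flags inside its <...> list."""
    flags = {}
    for line in dmesg_text.splitlines():
        m = FEATURE_LINE.match(line)
        if m:
            flags[m["name"]] = {f for f in m["flags"].split(",") if f}
    return flags


def find_aesni_attach(dmesg_text):
    """Return device name, algorithm list and parent from an aesniN attach line, or None."""
    for line in dmesg_text.splitlines():
        m = AESNI_ATTACH.match(line)
        if m:
            return {"device": m["dev"], "algorithms": m["algs"].split(","), "parent": m["parent"]}
    return None


def hardware_crypto_status(dmesg_text):
    """Combine both checks: the CPU flag alone is not enough, the driver must also attach."""
    flags = parse_feature_flags(dmesg_text)
    attach = find_aesni_attach(dmesg_text)
    return {
        "cpu_flag": any("AESNI" in flagset for flagset in flags.values()),
        "driver_attached": attach is not None,
        "algorithms": attach["algorithms"] if attach else [],
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_DMESG), ("no-aesni", NO_AESNI_DMESG)):
        print(label, hardware_crypto_status(text))
```

To run it against a real box, read `/var/log/dmesg.boot` and pass its contents to `hardware_crypto_status`; a result with `cpu_flag` true but `driver_attached` false means the CPU supports AES-NI but the kernel module never bound to it, which is a different problem from the dashboard widget not rendering.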

21
IDS/IPS / Snort - rules update fails daily
« on: July 21, 2015, 04:41:58 pm »
So after leaving my pfSense box alone for a while, I went to the logs today and found the following...

Code:
Jul 21 01:05:07 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2973.tar.gz...
Jul 21 03:13:22 php: snort_check_for_rule_updates.php: [Snort] Rules download error: SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
Jul 21 03:13:22 php: snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
Jul 21 03:13:37 php: snort_check_for_rule_updates.php: File 'snortrules-snapshot-2973.tar.gz' download attempts: 2 ...
Jul 21 03:13:37 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '403'...
Jul 21 03:13:37 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
That bit of log entry has appeared every day since July 17. Manually trying to do the update doesn't seem to help much... it gets through anywhere between 25-50% of the download, stalls out, and sits there. I'm guessing that the same is happening overnight, causing the problem with updating.

The last successful rules update I had was July 15.

Additionally, the last time I had to reinstall the package (after updating to 2.2.3-RELEASE), it was a royal pain because the install process kept getting hung up at the downloading rules step. I had to manually disable the rule downloads in the config.xml in order to get Snort to reinstall, then re-enable them and experiment through the web gui to get the rules re-downloaded and installed. It took a LOT longer than it should have to get them installed and working because it would always stall somewhere between 25 and 50%. After a few attempts, I would need to restart php-fpm in order to regain access to the web gui.

Once in a while, I might hit a streak of luck and it'll download all the way through... but this is something that I would think should work properly a lot more often than it seems to be working.

I have a 150/10 cable connection through Comcast, so there shouldn't be any problems downloading the VRT rules in a very quick manner.

Any thoughts on how I can make the rules download process more reliable?

22
IDS/IPS / Snort at home - WAN or LAN?
« on: April 04, 2015, 04:36:40 pm »
So my pfSense box is running and stable, now I want to put Snort on and begin my dive into IDS.

As a home user using NAT, I think having Snort on the LAN is more what I'd be interested in, so I can identify a system or device that is triggering IPv4 alerts (IPv6 would be visible either way). I'm not running any critical systems accessible from the internet, so the firewall should be blocking anything inbound. If I were to have a forwarded port though, would Snort on the LAN interface still catch anything heading to the internal host from a forwarded port?

Are there benefits or concerns to running it one way over the other that I should be looking at as a home user?

23
IDS/IPS / snort.inc missing, install failed
« on: March 28, 2015, 01:57:11 pm »
Went to install Snort on my box today... it didn't install. Looks like snort.inc is missing. Full install log below...

Code:
Beginning package installation for snort .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
 Downloading https://files.pfsense.org/packages/10/All/snort-2.9.7.2-amd64.pbi ...  (extracting)
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Include snort.inc is missing!
Removing package...
Starting package deletion for snort-2.9.7.2-amd64...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Include file snort.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.

Installation halted.

24
General Questions / Unnecessary Dynamic DNS updates
« on: January 26, 2015, 09:16:29 pm »
So now that things have settled down since 2.2 is released and I'm not updating my pfSense box all the time with new snapshots, I've gone digging for other things on my bone-stock no-packages installation. Looking at the system logs, I have a page full of...

Code:
Jan 26 09:17:46 check_reload_status: updating dyndns WAN_DHCP
Jan 26 09:17:46 check_reload_status: Restarting ipsec tunnels
Jan 26 09:17:46 check_reload_status: Restarting OpenVPN tunnels/interfaces
Jan 26 09:17:46 check_reload_status: Reloading filter
Jan 26 09:17:47 php-fpm[26002]: /rc.dyndns.update: phpDynDNS (abc.domain.com): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.

Over and over again, sometimes as often as a few seconds between blocks, but more often 30 minutes or more. I have over 50 lines of this today, from the time above to the time I'm making this post. There doesn't appear to be any reason that it's doing this, at least that I can tell.

Any thoughts or other things I can look at to try and find the cause?

And no, it's not DHCP on the WAN causing these... lease time is like 4 days or so.
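Both the Snort rules-update post above and this dynamic DNS post come down to spotting a pattern in pfSense's system log. The block below is an added example, not pfSense code: it parses the `Mon DD HH:MM:SS process[pid]: message` format quoted in both posts, groups Snort rule-update messages into runs that either completed or ended in a download error, and measures how often `check_reload_status` fires a dyndns update for one interface. Syslog timestamps carry no year, so the caller supplies one (2015 assumed); sample lines that are not copied from the posts are constructed and marked as such.

```python
"""Summarise two recurring patterns from pfSense system-log lines.

Added example, not pfSense code. Log lines copied from the posts are marked;
the rest are constructed. The year is assumed (syslog lines omit it).
"""
import re
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line, year=2015):
    """Split 'Mon DD HH:MM:SS proc[pid]: message' into fields; None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return {"ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "proc": m["proc"], "pid": m["pid"], "msg": m["msg"]}


def snort_update_runs(lines, year=2015):
    """Group '[Snort]' messages into update runs and record whether each run hit a download error."""
    runs, current = [], None
    for rec in (parse_line(l, year) for l in lines):
        if rec is None or "[Snort]" not in rec["msg"]:
            continue
        text = rec["msg"].split("[Snort] ", 1)[1]
        if text.startswith("There is a new set of Snort VRT rules posted"):
            current = {"started": rec["ts"], "ok": True, "errors": []}
        elif current is None:
            continue                      # message outside a run; ignore
        elif "download error" in text or "download failed" in text:
            current["ok"] = False
            current["errors"].append(text)
        elif text.startswith("The Rules update has finished"):
            current["finished"] = rec["ts"]
            runs.append(current)
            current = None
    return runs


def dyndns_activity(lines, interface="WAN_DHCP", year=2015):
    """Count dyndns triggers for one interface, the no-op updates they caused, and the gaps between triggers."""
    records = [r for r in (parse_line(l, year) for l in lines) if r]
    triggers = [r["ts"] for r in records
                if r["proc"] == "check_reload_status" and r["msg"] == f"updating dyndns {interface}"]
    noops = sum("Not updating dynamic DNS entry" in r["msg"] for r in records)
    gaps = [int((b - a).total_seconds()) for a, b in zip(triggers, triggers[1:])]
    return {"trigger_count": len(triggers), "noop_count": noops,
            "min_gap_seconds": min(gaps) if gaps else None,
            "max_gap_seconds": max(gaps) if gaps else None}


SNORT_LOG = [
    # constructed: an earlier run that completed without error
    "Jul 15 01:05:03 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2973.tar.gz...",
    "Jul 15 01:06:40 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.",
    # the six lines quoted in the Snort post
    "Jul 21 01:05:07 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2973.tar.gz...",
    "Jul 21 03:13:22 php: snort_check_for_rule_updates.php: [Snort] Rules download error: SSL read: error:00000000:lib(0):func(0):reason(0), errno 54",
    "Jul 21 03:13:22 php: snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...",
    "Jul 21 03:13:37 php: snort_check_for_rule_updates.php: File 'snortrules-snapshot-2973.tar.gz' download attempts: 2 ...",
    "Jul 21 03:13:37 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '403'...",
    "Jul 21 03:13:37 php: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.",
]


def _dyndns_block(stamp):
    """One trigger block in the shape quoted in the dyndns post (the first time is from the post, later ones constructed)."""
    return [
        f"{stamp} check_reload_status: updating dyndns WAN_DHCP",
        f"{stamp} check_reload_status: Restarting ipsec tunnels",
        f"{stamp} check_reload_status: Restarting OpenVPN tunnels/interfaces",
        f"{stamp} check_reload_status: Reloading filter",
        f"{stamp} php-fpm[26002]: /rc.dyndns.update: phpDynDNS (abc.domain.com): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.",
    ]


DYNDNS_LOG = _dyndns_block("Jan 26 09:17:46") + _dyndns_block("Jan 26 09:17:52") + _dyndns_block("Jan 26 09:48:03")


if __name__ == "__main__":
    for run in snort_update_runs(SNORT_LOG):
        print(run["started"].date(), "ok" if run["ok"] else "FAILED", run["errors"])
    print(dyndns_activity(DYNDNS_LOG))
```

Feeding the real log (for example the output of `clog /var/log/system.log`) to `snort_update_runs` gives the date of the last run with `ok` true, which is the "last successful update" the post had to work out by hand; `dyndns_activity` turns the "sometimes seconds apart, usually 30 minutes" observation into a minimum and maximum gap that can be compared against the WAN lease time.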

25
Ok... so very early Friday morning (just after 2:00a GMT-5), my cable modem automatically reset itself, likely due to maintenance by my provider. About 30 minutes later, IPv4 service is restored to normal. IPv6, on the other hand, seems to sit in an "unknown" state. I had to manually release/renew the WAN interface in order to restore IPv6 connectivity.

Not expecting a fix for 2.2 (though it would be nice), just wondering if it could get put on the list for a future update at this point.

The modem is an Arris/Motorola SB6183, service provider is Comcast.

I'm not running the most recent snapshot (1/4/15), so if something like this has been fixed in the past 12 days, then just let me know and I'll update. Otherwise I wasn't planning on updating until final release at this point.

Log clip of the affected period is below... 192.168.100.11 is the address my modem gave pfSense while it was trying to reconnect to the cable network. As a result of this, IPv4 appears to show no downtime because it was given a local address and gateway by the modem.

Code:
Jan 16 02:07:42 check_reload_status: updating dyndns WAN_DHCP6
Jan 16 02:07:42 check_reload_status: Restarting ipsec tunnels
Jan 16 02:07:42 check_reload_status: Restarting OpenVPN tunnels/interfaces
Jan 16 02:07:42 check_reload_status: Reloading filter
Jan 16 02:07:42 check_reload_status: updating dyndns WAN_DHCP
Jan 16 02:07:42 check_reload_status: Restarting ipsec tunnels
Jan 16 02:07:42 check_reload_status: Restarting OpenVPN tunnels/interfaces
Jan 16 02:07:42 check_reload_status: Reloading filter
Jan 16 02:07:43 php-fpm[42983]: /rc.dyndns.update: phpDynDNS (home.domain.com): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Jan 16 02:07:44 php-fpm[42983]: /rc.dyndns.update: phpDynDNS (home.domain.com): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Jan 16 02:07:58 kernel: re0: link state changed to DOWN
Jan 16 02:07:58 check_reload_status: Linkup starting re0
Jan 16 02:07:59 php-fpm[1856]: /rc.linkup: DEVD Ethernet detached event for wan
Jan 16 02:08:00 kernel: arpresolve: can't allocate llinfo for 24.xxx.xxx.1 on re0
Jan 16 02:08:04 php-fpm[1856]: /rc.linkup: Shutting down Router Advertisment daemon cleanly
Jan 16 02:08:04 kernel: arpresolve: can't allocate llinfo for 24.xxx.xxx.1 on re0
Jan 16 02:08:08 kernel: arpresolve: can't allocate llinfo for 24.xxx.xxx.1 on re0
Jan 16 02:08:12 kernel: arpresolve: can't allocate llinfo for 24.xxx.xxx.1 on re0
Jan 16 02:08:16 kernel: arpresolve: can't allocate llinfo for 24.xxx.xxx.1 on re0
Jan 16 02:08:19 check_reload_status: Linkup starting re0
Jan 16 02:08:19 kernel: re0: link state changed to UP
Jan 16 02:08:20 php-fpm[8587]: /rc.linkup: DEVD Ethernet attached event for wan
Jan 16 02:08:20 php-fpm[8587]: /rc.linkup: HOTPLUG: Configuring interface wan
Jan 16 02:08:20 kernel: arpresolve: can't allocate llinfo for 24.xxx.xxx.1 on re0
Jan 16 02:08:23 check_reload_status: rc.newwanip starting re0
Jan 16 02:08:23 php-fpm[8587]: /rc.linkup: Accept router advertisements on interface re0
Jan 16 02:08:23 php-fpm[8587]: /rc.linkup: ROUTING: setting default route to 192.168.100.1
Jan 16 02:08:23 check_reload_status: Restarting ipsec tunnels
Jan 16 02:08:24 php-fpm[15372]: /rc.newwanip: rc.newwanip: Info: starting on re0.
Jan 16 02:08:24 php-fpm[15372]: /rc.newwanip: rc.newwanip: on (IP address: 192.168.100.11) (interface: WAN[wan]) (real interface: re0).
Jan 16 02:08:24 php-fpm[15372]: /rc.newwanip: IP has changed, killing states on former IP 24.xxx.xxx.177.
Jan 16 02:08:24 php-fpm[15372]: /rc.newwanip: Could not find IPv6 gateway for interface (wan).
Jan 16 02:08:25 php-fpm[15372]: /rc.newwanip: ROUTING: setting default route to 192.168.100.1
Jan 16 02:09:01 php-fpm[8587]: /rc.linkup: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1421392141] unbound[51921:0] error: bind: address already in use [1421392141] unbound[51921:0] fatal error: could not open ports'
Jan 16 02:09:01 dhcpleases: kqueue error: unkown
Jan 16 02:09:02 php-fpm[8587]: /rc.linkup: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid re1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.6 Copyright 2004-2014 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 24 leases to leases file. Listening on BPF/re1/74:d4:35:xx:xx:xx/192.168.1.0/24 Sending on BPF/re1/74:d4:35:xx:xx:xx/192.168.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did ge
Jan 16 02:09:03 check_reload_status: updating dyndns wan
Jan 16 02:10:12 php-fpm[15372]: /rc.newwanip: Dyndns debug information (home.domain.com): Could not resolve checkip.dyndns.org to IP using interface IP 192.168.100.11.
Jan 16 02:10:12 php-fpm[15372]: /rc.newwanip: DynDNS (home.domain.com) There was an error trying to determine the public IP for interface - wan(re0). Probably interface is not a WAN interface.
Jan 16 02:10:13 php-fpm[15372]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Jan 16 02:10:13 php-fpm[15372]: /rc.newwanip: Creating rrd update script
Jan 16 02:10:15 php-fpm[15372]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 24.xxx.xxx.177 -> 192.168.100.11 - Restarting packages.
Jan 16 02:10:15 check_reload_status: Starting packages
Jan 16 02:10:16 php-fpm[58661]: /rc.start_packages: Restarting/Starting all packages.
Jan 16 02:11:23 php-fpm[25234]: /rc.dyndns.update: Dyndns debug information (home.domain.com): Could not resolve checkip.dyndns.org to IP using interface IP 192.168.100.11.
Jan 16 02:11:23 php-fpm[25234]: /rc.dyndns.update: DynDNS (home.domain.com) There was an error trying to determine the public IP for interface - wan(re0). Probably interface is not a WAN interface.
Jan 16 02:31:09 check_reload_status: rc.newwanip starting re0
Jan 16 02:31:10 php-fpm[58661]: /rc.newwanip: rc.newwanip: Info: starting on re0.
Jan 16 02:31:10 php-fpm[58661]: /rc.newwanip: rc.newwanip: on (IP address: 24.xxx.xxx.177) (interface: WAN[wan]) (real interface: re0).
Jan 16 02:31:10 php-fpm[58661]: /rc.newwanip: IP has changed, killing states on former IP 192.168.100.11.
Jan 16 02:31:10 php-fpm[58661]: /rc.newwanip: Could not find IPv6 gateway for interface (wan).
Jan 16 02:31:10 php-fpm[58661]: /rc.newwanip: ROUTING: setting default route to 24.xxx.xxx.1
Jan 16 02:31:14 php-fpm[58661]: /rc.newwanip: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid re1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.6 Copyright 2004-2014 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 24 leases to leases file. Listening on BPF/re1/74:d4:35:xx:xx:xx/192.168.1.0/24 Sending on BPF/re1/74:d4:35:xx:xx:xx/192.168.1.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did
Jan 16 02:31:15 php-fpm[58661]: /rc.newwanip: phpDynDNS (home.domain.com): No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
Jan 16 02:31:16 php-fpm[58661]: /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Jan 16 02:31:16 php-fpm[58661]: /rc.newwanip: Creating rrd update script
Jan 16 02:31:18 php-fpm[58661]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 192.168.100.11 -> 24.xxx.xxx.177 - Restarting packages.
Jan 16 02:31:18 check_reload_status: Starting packages
Jan 16 02:31:19 php-fpm[61885]: /rc.start_packages: Restarting/Starting all packages.

Attachments: Quality graphs for IPv4 and IPv6, showing IPv6 going down and IPv4 staying "online".

26
So I've been up and running for the past day and a half or so, no connectivity issues or anything. So when I log in to my pfSense box tonight, I notice that the localhost IP address is no longer listed as a DNS server in the web interface. Sure enough, it's not listed in resolv.conf. I check the System > General Settings page and the box for Do not use the DNS Forwarder as a DNS server for the firewall is NOT checked, and it has never been.

Just for grins, I tried cycling that option on then back off, but it still doesn't show the localhost address back in the DNS server list.

DHCP is still handing out my LAN address as a DNS server though, and all name lookups are working without any problems. I am using Unbound (DNS Resolver), not dnsmasq (DNS Forwarder).

27
So I have a /60 from my ISP via Prefix Delegation... LAN interface works great and everything with IPv6 (Track Interface, WAN, Prefix 0).

I've added a USB 3.0 Gigabit Ethernet interface (ASIX 88719-based, ue0/OPT1) and want to use that as a guest network. I set it up with IPv4 just fine, but when I set IPv6 to Track Interface, it shows a possible prefix range of 0 to 0. Knowing that I have more than that available, I enter any other valid value (1-f, since my LAN is using 0) and save/apply. When the settings page reloads, it now properly shows a range of 0 to f.

Another issue... it will actually let me select prefix 0, even though it is already in use by the LAN connection. It doesn't seem to actually do anything as far as the addressing goes (the LAN retains that prefix), but I should receive some kind of error that the prefix selected is already in use or something, rather than being prompted to Apply Changes.

Possibly related, but might not be... With the prefix set to any valid value 1-f, the OPT1 interface never shows a valid public IPv6 address, just a link-local IPv6 address.

EDIT to add: After a reboot, the OPT1/ue0 interface comes up with an IPv6 address in that prefix. It would be nice to prevent a reboot here.
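This post and the DHCPv6-on-Track-Interface post at the top of this page both describe validation that the settings pages should do: the prefix ID must fit inside the delegated prefix and must not already be used by another interface, a DHCPv6 address range must stay inside the interface's own /64 rather than the whole delegation, and prefixes offered for sub-delegation must stay inside the delegation without covering the interface's own prefix. The block below is an added example of those checks written with Python's `ipaddress` module; it is not pfSense's code, the function names are my own, and the sample delegation (`2001:db8:0:ccc0::/60`, mirroring the shape of the post's example) is constructed.

```python
"""Validate IPv6 prefix-delegation settings of the kind discussed in the posts.

Added example, not pfSense code. Function names and sample values are my own.
"""
from ipaddress import IPv6Address, IPv6Network


def interface_prefix(delegated, prefix_id, length=64):
    """Carve the /length prefix with the given ID out of the delegated prefix (range-checked)."""
    delegated = IPv6Network(delegated)
    if length < delegated.prefixlen:
        raise ValueError(f"a /{length} cannot be carved from {delegated}")
    max_id = (1 << (length - delegated.prefixlen)) - 1       # /60 -> /64 gives IDs 0..f
    if not 0 <= prefix_id <= max_id:
        raise ValueError(f"prefix ID {prefix_id:x} outside 0..{max_id:x} for {delegated}")
    base = int(delegated.network_address) + (prefix_id << (128 - length))
    return IPv6Network((base, length))


def check_prefix_id(delegated, prefix_id, in_use):
    """Reject a prefix ID that is out of range or already assigned; in_use maps interface -> ID."""
    net = interface_prefix(delegated, prefix_id)
    for name, used in in_use.items():
        if used == prefix_id:
            raise ValueError(f"prefix ID {prefix_id:x} ({net}) is already used by {name}")
    return net


def validate_dhcpv6_range(iface_net, start, end):
    """A DHCPv6 address pool must lie inside the interface's own subnet, not the delegation."""
    iface_net = IPv6Network(iface_net)
    start, end = IPv6Address(start), IPv6Address(end)
    if start > end:
        raise ValueError("range start is after range end")
    for addr in (start, end):
        if addr not in iface_net:
            raise ValueError(f"{addr} is outside the interface subnet {iface_net}")
    return True


def validate_pd_range(delegated, iface_net, pd_start, pd_end, pd_length):
    """Prefixes offered for sub-delegation must lie inside the delegation and not cover the interface's own prefix.

    Returns the number of prefixes the range contains.
    """
    delegated, iface_net = IPv6Network(delegated), IPv6Network(iface_net)
    if pd_length < delegated.prefixlen:
        raise ValueError(f"cannot delegate /{pd_length} prefixes from {delegated}")
    first = IPv6Network((pd_start, pd_length))   # strict: host bits set -> ValueError
    last = IPv6Network((pd_end, pd_length))
    if first.network_address > last.network_address:
        raise ValueError("prefix range start is after range end")
    if not (first.subnet_of(delegated) and last.subnet_of(delegated)):
        raise ValueError(f"prefix range is not inside the delegation {delegated}")
    step = 1 << (128 - pd_length)
    count, cur = 0, int(first.network_address)
    while cur <= int(last.network_address):
        candidate = IPv6Network((cur, pd_length))
        if candidate.overlaps(iface_net):
            raise ValueError(f"{candidate} overlaps the interface's own prefix {iface_net}")
        count += 1
        cur += step
    return count


if __name__ == "__main__":
    delegated = "2001:db8:0:ccc0::/60"                      # constructed sample delegation
    lan = check_prefix_id(delegated, 2, in_use={})            # 2001:db8:0:ccc2::/64
    print("LAN prefix:", lan)
    print("pool ok:", validate_dhcpv6_range(lan, "2001:db8:0:ccc2::1000", "2001:db8:0:ccc2::2000"))
    print("delegable prefixes:", validate_pd_range(delegated, lan, "2001:db8:0:ccc4::", "2001:db8:0:cccf::", 64))
    for bad in (lambda: check_prefix_id(delegated, 2, in_use={"lan": 2}),
                lambda: validate_dhcpv6_range(lan, "2001:db8:0:ccc3::1", "2001:db8:0:ccc3::ff"),
                lambda: validate_pd_range(delegated, lan, "2001:db8:0:ccc0::", "2001:db8:0:cccf::", 64)):
        try:
            bad()
        except ValueError as exc:
            print("rejected:", exc)
```

The last case in the demo is the one the edit at the end of the first post asks about: with a bare /64 delegation, `validate_pd_range` can never succeed, since the only /64 available is the interface's own, which is exactly when the prefix range fields should be disabled.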

28
So I have Comcast and get my WAN IPv6 address and LAN prefix via DHCPv6+PD... Nothing odd there. However, anytime I reboot my pfSense box (firmware update or otherwise), I need to manually release/renew the WAN interface when the reboot is done in order for the gateway to appear online and for IPv6 on my LAN to function again.

I don't believe I had to do this with 2.1... but I didn't run 2.1 very long before I got a system that I had to run 2.2 on (newer hardware that had issues with FreeBSD 8).

29
IPv6 / IPv6 on pfSense vs others
« on: October 10, 2014, 01:02:03 pm »
So a couple of things I've noticed about pfSense's IPv6 implementation compared to other routers' - and I include a number of open-source firmwares in that...

1. If you use DHCPv6+PD on the WAN, pfSense does not allow setting a "static" (I use quotes because technically the prefix could change) LAN IPv6 address for the router. Other router firmwares allow you to set the host portion of the IPv6 address that the router will use (I would usually use [prefix]::1), and then the router applies whatever prefix is designated by the ISP. Is there some reason that pfSense doesn't permit this?

2. Is there a reason that pfSense doesn't register its own LAN IPv6 address in the local DNS [forwarder|resolver] when it does register its IPv4 address? For example, I can ping gw and it will resolve to my pfSense box's LAN IPv4 address. But ping6 gw doesn't resolve. I know other routers do this also.
