Anil Garg | 1 Apr 07:39 2008

Re: Server NAT

Chris

This is a great product and the documentation for m0n0wall is also the finest.  However, we should rewrite documentation for pfsense because there are different menu items etc.  I understand that the efforts are often reliant on community for success and therefore I feel that it's even worth breaking this effort down into small recipes and then aggregate.

Please forgive me if I spoke beyond the scope of an individual user.  BTW, I would be willing to contribute and support that documentation effort.

Anil Garg

Chris Buechler <cmb-zsHM3v2T5LBAfugRpC6u6w@public.gmane.org> wrote:

Anil Garg wrote:
> I am reading the m0n0wall documentation (it's so well written - kudos
> to the author)

What, you specifically buttering me up to get a response? ;)


>
> There is a pointer that for many public addresses to be mapped to
> servers inside, m0n0wall specifies that "Server NAT should be used"
>
> What would be an equivalent for that in pfsense and if there is any
> difference. I could not find any documentation on the web anywhere
> which shows the difference.
>
>
> Is "Server NAT" achieving the same goal that pfsense would do with a
> proxy ARP (under virtual IP)??

Server NAT in m0n0wall is the same as Inbound NAT with VIPs in pfSense.

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscribe-zsHM3v2T5LBBDgjK7y7TUQ@public.gmane.org
For additional commands, e-mail: support-help-zsHM3v2T5LBBDgjK7y7TUQ@public.gmane.org


Anil Garg | 1 Apr 08:40 2008

CARP

I have seen some documentation that shows how two pfsense can act as back up to the other (hot standby)..


Is it possible for servers behind pfsense to exploit the same capability?

Say we have one www.server on lan or dmz.  If this server were to die, we want the system to point to another www.server on the same subnet.

Thanks much.

Olivier Mueller | 1 Apr 08:46 2008

Re: PPPoE gets disconnected on WAN port

Hello,

On Mon, 2008-03-31 at 15:46 +0100, tester wrote:
> sometimes PPPoE gets disconnected on WAN port of my
> pfSense's box and I have to click several times (at
> least twenty ones) on Reconnect button in
> 'webConfigurator-Status-Interfaces-WAN'. I want ask

It seems we are having the same kind of issues, just "lighter":
once every few days, the PPPoE also gets disconnected, and
I have to click on the Reconnect Button (only once).

No visible reason for the disconnect in the logs, the VDSL line
from green.ch is (and was) stable (before adding the Alix+pfSense
device, bridged to a Zyxel P2802HWL-I1).

pfSense Version: 1.2-Release. Still looking for a solution too... :)  
Activated syslog to a remote pc to be able to debug this problem if 
it occurs again today.

An auto-reconnect would be quite cool if it's not activated
by default (it seems to be the case, but then it's not working 
all the time?)

regards,
Olivier
Olivier Mueller | 1 Apr 09:14 2008

Re: PPPoE gets disconnected on WAN port

On Tue, 2008-04-01 at 08:46 +0200, Olivier Mueller wrote:
> pfSense Version: 1.2-Release. Still looking for a solution too... :)  
> Activated syslog to a remote pc to be able to debug this problem if 
> it occurs again today.

Et voila, it just happened again:

Apr  1 08:39:34 gw kernel: pflog0: promiscuous mode disabled
Apr  1 08:39:34 gw login: login on console as root
Apr  1 08:39:34 gw kernel: pflog0: promiscuous mode enabled
Apr  1 08:53:00 gw mpd: [pppoe] PPPoE connection closed
Apr  1 08:53:00 gw mpd: [pppoe] device: DOWN event in state UP
Apr  1 08:53:00 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:53:00 gw mpd: [pppoe] link: DOWN event
Apr  1 08:53:00 gw mpd: [pppoe] LCP: Down event
Apr  1 08:53:00 gw mpd: [pppoe] LCP: state change Opened --> Starting
Apr  1 08:53:00 gw mpd: [pppoe] LCP: phase shift NETWORK --> DEAD
Apr  1 08:53:00 gw mpd: [pppoe] setting interface ng0 MTU to 1500 bytes
Apr  1 08:53:00 gw mpd: [pppoe] up: 0 links, total bandwidth 9600 bps
Apr  1 08:53:00 gw mpd: [pppoe] IPCP: Down event
Apr  1 08:53:00 gw mpd: [pppoe] IPCP: state change Opened --> Starting
Apr  1 08:53:00 gw mpd: [pppoe] IPCP: LayerDown
Apr  1 08:53:00 gw mpd: [pppoe] IFACE: Down event
Apr  1 08:53:00 gw mpd: [pppoe] exec: /sbin/route delete 0.0.0.0 80.254.x.y
Apr  1 08:53:00 gw mpd: [pppoe] exec: /sbin/route delete 80.254.w.z -iface lo0
Apr  1 08:53:00 gw mpd: [pppoe] exec: /sbin/ifconfig ng0 down delete -link0
Apr  1 08:53:00 gw mpd: [pppoe] LCP: LayerDown
Apr  1 08:53:00 gw mpd: [pppoe] device: OPEN event in state DOWN
Apr  1 08:53:00 gw mpd: [pppoe] pausing 6 seconds before open
Apr  1 08:53:00 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:53:03 gw mpd: [pppoe] closing link "pppoe"...
Apr  1 08:53:03 gw mpd: [pppoe] link: CLOSE event
Apr  1 08:53:03 gw mpd: [pppoe] LCP: Close event
Apr  1 08:53:03 gw mpd: [pppoe] LCP: state change Starting --> Initial
Apr  1 08:53:03 gw mpd: [pppoe] LCP: LayerFinish
Apr  1 08:53:03 gw mpd: [pppoe] device: CLOSE event in state DOWN
Apr  1 08:53:03 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:53:06 gw mpd: [pppoe] opening link "pppoe"...
[...]
Apr  1 08:56:54 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:56:58 gw mpd: [pppoe] device: OPEN event in state DOWN
Apr  1 08:56:58 gw mpd: [pppoe] pausing 1 seconds before open
Apr  1 08:56:58 gw mpd: [pppoe] device is now in state DOWN
Apr  1 08:56:59 gw mpd: [pppoe] device: OPEN event in state DOWN
Apr  1 08:56:59 gw mpd: [pppoe] device is now in state OPENING
Apr  1 08:56:59 gw mpd: [pppoe] rec'd ACNAME "ipc-zhb790-r-br-03"
Apr  1 08:56:59 gw mpd: [pppoe] PPPoE connection successful
Apr  1 08:56:59 gw mpd: [pppoe] device: UP event in state OPENING
Apr  1 08:56:59 gw mpd: [pppoe] device is now in state UP
Apr  1 08:56:59 gw mpd: [pppoe] link: UP event
Apr  1 08:56:59 gw mpd: [pppoe] link: origination is local
Apr  1 08:56:59 gw mpd: [pppoe] LCP: Up event
Apr  1 08:56:59 gw mpd: [pppoe] LCP: state change Starting --> Req-Sent
Apr  1 08:56:59 gw mpd: [pppoe] LCP: phase shift DEAD --> ESTABLISH
Apr  1 08:56:59 gw mpd: [pppoe] LCP: SendConfigReq #12
Apr  1 08:56:59 gw mpd:  MRU 1492
Apr  1 08:56:59 gw mpd:  MAGICNUM ce56dc0c
[...]
then Auth, IF Up, Rules reload, all services back online.

According to the VDSL router, link was always up, so it "should" be an
issue on the pfsense box? But where... ? 

At least the auto-reconnect worked this time :-)
regards,
Olivier
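
To put a number on an outage like the one in the log above, this added example (not part of the original message or of pfSense) pairs mpd's "PPPoE connection closed" and "PPPoE connection successful" lines and reports the downtime and the number of reopen attempts. The sample log is a constructed subset of the quoted lines; the function name and the year 2008 (taken from the message date) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the mpd lines quoted in the message above.
SAMPLE_LOG = """\
Apr  1 08:39:34 gw login: login on console as root
Apr  1 08:53:00 gw mpd: [pppoe] PPPoE connection closed
Apr  1 08:53:00 gw mpd: [pppoe] LCP: phase shift NETWORK --> DEAD
Apr  1 08:53:00 gw mpd: [pppoe] pausing 6 seconds before open
Apr  1 08:53:06 gw mpd: [pppoe] opening link "pppoe"...
Apr  1 08:56:58 gw mpd: [pppoe] pausing 1 seconds before open
Apr  1 08:56:59 gw mpd: [pppoe] PPPoE connection successful
Apr  1 08:56:59 gw mpd: [pppoe] LCP: phase shift DEAD --> ESTABLISH
"""

# Syslog timestamp, host, then an mpd line tagged with the link name.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) mpd: \[(\S+)\] (.*)$")

def pppoe_outages(log_text, year=2008):
    """Return one dict per outage: start, end (None if still down),
    seconds of downtime, and number of 'opening link' retries."""
    outages, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-mpd lines and untagged continuation lines
        stamp, _host, _link, msg = m.groups()
        # Syslog omits the year, so it is supplied by the caller (assumption).
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if msg == "PPPoE connection closed" and current is None:
            current = {"start": ts, "end": None, "seconds": None, "retries": 0}
        elif current is not None and msg.startswith("opening link"):
            current["retries"] += 1
        elif current is not None and msg == "PPPoE connection successful":
            current["end"] = ts
            current["seconds"] = int((ts - current["start"]).total_seconds())
            outages.append(current)
            current = None
    if current is not None:
        outages.append(current)  # log ended while the link was still down
    return outages

if __name__ == "__main__":
    for o in pppoe_outages(SAMPLE_LOG):
        print(o["start"], "->", o["end"], o["seconds"], "s,",
              o["retries"], "open attempts")
```
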
David Rees | 1 Apr 10:11 2008

Re: CARP

On Mon, Mar 31, 2008 at 11:40 PM, Anil Garg <garg_art2002@...> wrote:
> Say we have one www.server on lan or dmz.  If this server to die, we want
> the system to point to another www.server on the same subnet.

Yes, you can do this with the Load Balancing feature.

-Dave
Gary Buckmaster | 1 Apr 15:32 2008

Re: CARP

Anil Garg wrote:
> I have seen some documentation that shows how two pfsense can act as 
> back up to the other (hot standby)..
>
>
> Is it possible for servers behind pfsense to exploit the same capability?
>
> Say we have one www.server on lan or dmz.  If this server to die, we 
> want the system to point to another www.server on the same subnet.
>
> Thanks much.
Yes, there are a number of mechanisms that allow this to happen.  It 
depends entirely on the type of operating system and applications you 
are using.  Many database server software offer a clustering feature.  
Linux has clustering capabilities through a couple of different 
facilities.  Spend some quality time with Google, I'm sure you'll find 
what you need.

-Gary
Anil Garg | 1 Apr 16:44 2008

Re: CARP

Thanks David and Thanks Gary.

I spent a lot of time reading and a few things are somewhat becoming clear..  CARP uses a trusted (preferably dedicated) link to send heartbeat signals to keep who is alive. This common knowledge enables some pfsense to stay inactive (to either act as dhcp server or act as a gateway). When something happens to the master, the next in the succession line takes over.
Very unique and innovative simple.

However most examples are for WAN side traffic and for keeping internet alive.  I will keep trying to find something that shows how servers can be balanced.
It's amazing because it even keeps the state.

Best Regards
Anil Garg

Gary Buckmaster <gary-+oj2b/mWtm+O2/wZUiRoQ5qQE7yCjDx5@public.gmane.org> wrote:

Anil Garg wrote:
> I have seen some documentation that shows how two pfsense can act as
> back up to the other (hot standby)..
>
>
> Is it possible for servers behind pfsense to exploit the same capability?
>
> Say we have one www.server on lan or dmz. If this server to die, we
> want the system to point to another www.server on the same subnet.
>
> Thanks much.
Yes, there are a number of mechanisms that allow this to happen. It
depends entirely on the type of operating system and applications you
are using. Many database server software offer a clustering feature.
Linux has clustering capabilities through a couple of different
facilities. Spend some quality time with Google, I'm sure you'll find
what you need.

-Gary


Gary Buckmaster | 1 Apr 16:57 2008

Re: CARP

Then David is right, you want load balancing, not CARP high 
availability.  Look at the pfSense documentation for load balancing.

-Gary

Anil Garg wrote:
> Thanks David and Thanks Gary.
>
> I spent a lot of time reading and a few things are somewhat becoming 
> clear..  CARP uses a trusted (preferably dedicated) link to send 
> heartbeat signals to keep who is alive. This common knowledge enables 
> some pfsense to stay inactive (to either act as dhcp server or act as 
> a gateway). When something happens to master next in succession line 
> takes over.
> Very unique and innovative simple.
>
> However most examples are for WAN side traffic and for keeping 
> internet alive.  I will keep trying to find something that shows how 
> servers can be balanced.
> Its amazing because it even keeps the state.
>
> Best Regards
> Anil Garg
>
> */Gary Buckmaster <gary@...>/* wrote:
>
>     Anil Garg wrote:
>     > I have seen some documentation that shows how two pfsense can
>     act as
>     > back up to the other (hot standby)..
>     >
>     >
>     > Is it possible for servers behind pfsense to exploit the same
>     capability?
>     >
>     > Say we have one www.server on lan or dmz. If this server to die, we
>     > want the system to point to another www.server on the same subnet.
>     >
>     > Thanks much.
>     Yes, there are a number of mechanisms that allow this to happen. It
>     depends entirely on the type of operating system and applications you
>     are using. Many database server software offer a clustering feature.
>     Linux has clustering capabilities through a couple of different
>     facilities. Spend some quality time with Google, I'm sure you'll find
>     what you need.
>
>     -Gary
>
Bill Marquette | 1 Apr 20:56 2008

Re: CARP

On Tue, Apr 1, 2008 at 9:44 AM, Anil Garg <garg_art2002@...> wrote:
> However most examples are for WAN side traffic and for keeping internet
> alive.  I will keep trying to find something that shows how servers can be
> balanced.

If balancing is what you need, then use the load balancer built into
pfSense.  If active/passive, then while the load balancer will also
work fine, you might try one of the server high availability solutions
available outside of pfSense (CARP for the BSDs, linux's HA stuff, etc
- again Google will get you going there)

> Its amazing because it even keeps the state.

FWIW, to correct a few misstatements you've made in this thread.

"CARP requires a dedicated cable" - not correct, CARP is a multi-cast
protocol that is broadcast on the same network segment as the address
for it.
"it (CARP) even keeps the state" - not correct, pfsync keeps state
synchronization.  It's also highly recommended (as it's not
cryptographically secure) to run this on a dedicated cable.

--Bill
Anil Garg | 1 Apr 21:52 2008

Re: CARP

Bill

Thanks for correcting. I am quite green on this stuff and as they say little knowledge is dangerous!

Load balance built in is a great idea.  I will test that out too...

Bill Marquette <bill.marquette-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

On Tue, Apr 1, 2008 at 9:44 AM, Anil Garg wrote:
> However most examples are for WAN side traffic and for keeping internet
> alive. I will keep trying to find something that shows how servers can be
> balanced.

If balancing is what you need, then use the load balancer built into
pfSense. If active/passive, then while the load balancer will also
work fine, you might try one of the server high availability solutions
available outside of pfSense (CARP for the BSDs, linux's HA stuff, etc
- again Google will get you going there)

> Its amazing because it even keeps the state.

FWIW, to correct a few misstatements you've made in this thread.

"CARP requires a dedicated cable" - not correct, CARP is a multi-cast
protocol that is broadcast on the same network segment as the address
for it.
"it (CARP) even keeps the state" - not correct, pfsync keeps state
synchronization. It's also highly recommended (as it's not
cryptographically secure) to run this on a dedicated cable.

--Bill
