• Tinydns failover ping

    Locked
    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP Relay gets dropped through IPSec Tunnel

    Locked
    4
    0 Votes
    4 Posts
    3k Views

    I made the CoreSwitch on the Client-site be the DHCP Relay and everything works flawlessly. This is acceptable for me; however, since I am going to rely on pfSense for a big data center / outsourcing project with several sites attached in the future, I would appreciate it if someone can point me to what happened here. I am otherwise very happy with this product but this leaves a bad feeling without knowing what was going on. The article (http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F) explains to me why a static route was needed to get the packets into the tunnel (even though I would be very appreciative for more details on this "issue", which seems to be by design), but I don't really get why the packets go into the tunnel and disappear on the way back.

    Also, is there a way to debug traffic inside the ipsec-tunnel? Probably not using a packet sniffer since the traffic is encrypted, but is there some other, possibly ipsec-related, logfile etc. to tell me when and why packets get dropped and for what reason?

  • Telenet requires dhcp-server-identifier

    Locked
    2
    0 Votes
    2 Posts
    3k Views

    Okay, I have logged some more on this issue. The appliance we use (from applianceshop.eu) is using the network cards: VIA VT6105M Rhine III 10/100BaseTX, 3 of them.

    Every hour this passes by in the system logs:

    Dec 6 09:54:43 dhclient[57082]: bound to xx.xx.xx.xx -- renewal in 3600 seconds.
    Dec 6 10:54:43 dhclient[57082]: DHCPREQUEST on vr1 to 195.130.132.102 port 67
    Dec 6 10:54:43 dhclient[57082]: SENDING DIRECT
    ...
    Dec 6 10:55:36 dhclient[57082]: DHCPREQUEST on vr1 to 195.130.132.102 port 67
    Dec 6 10:55:36 dhclient[57082]: SENDING DIRECT
    Dec 6 10:55:50 dhclient[57082]: DHCPREQUEST on vr1 to 255.255.255.255 port 67
    Dec 6 10:55:50 dhclient[57082]: DHCPACK from 81.82.zz.zz
    Dec 6 10:55:51 dhclient[57082]: bound to xx.xx.xx.xx -- renewal in 3600 seconds.
    Dec 6 11:55:50 dhclient[57082]: DHCPREQUEST on vr1 to 195.130.132.102 port 67
    Dec 6 11:55:50 dhclient[57082]: SENDING DIRECT
    ...
    Dec 6 11:56:33 dhclient[57082]: DHCPREQUEST on vr1 to 195.130.132.102 port 67
    Dec 6 11:56:33 dhclient[57082]: SENDING DIRECT
    Dec 6 11:56:52 dhclient[57082]: DHCPREQUEST on vr1 to 255.255.255.255 port 67
    Dec 6 11:56:52 dhclient[57082]: DHCPACK from 81.82.zz.zz
    Dec 6 11:56:52 dhclient[57082]: bound to xx.xx.xx.xx -- renewal in 3600 seconds.

    On a similar setup (same provider) but with Linux and using the parameter "supersede dhcp-server-identifier 255.255.255.255;", I see this:

    Dec  6 12:04:29 fw dhclient: DHCPREQUEST on eth4 to 255.255.255.255 port 67
    Dec  6 12:04:29 fw dhclient: DHCPACK from 81.82.zz.zz
    Dec  6 12:04:29 fw dhclient: bound to yy.yy.yy.yy -- renewal in 3592 seconds.

    Any workaround to get the same behaviour on pfSense 1.2.3?

    Cheers,
    Kristof.

  • WAN DHCP times out due to different assigned IP than DHCP server

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Update OpenDNS with my Dynamic IP?

    Locked
    12
    0 Votes
    12 Posts
    22k Views

    How can pfSense automatically update OpenDNS without me updating it manually? I need pfSense to automatically update the IP on every change of IP in the router without me doing anything.
    And what is the use of wildcards?
    Thanks

  • No DHCP response, pfSense 1.2.3

    Locked
    10
    0 Votes
    10 Posts
    8k Views

    Some alternative 4 port PCI cards: lan1641 and lan1741 from http://www.soekris.com
    If buying second hand a card with Intel PRO/100 (fxp) NICs would probably be a good choice. I think a number of the major computer suppliers have produced multi-port network cards with Intel chips under their own brand (HP, COMPAQ etc).

    A cheap (US$40) 5 port VLAN capable switch is the RB250G: http://routerboard.com/pricelist.php?showProduct=101

    I have no experience with any of the above products.

  • Add a MAC address to the Firewall

    Locked
    6
    0 Votes
    6 Posts
    5k Views

    @ashrocks:

    but there is no way I can put a MAC address and assign a static IP for that drive to be accessed from my computer which is on the same network.

    My home network has four computers wired to a switch which is wired to the LAN port of my pfSense box. Each of the four gets an IP address from DHCP running on pfSense and the IP address is keyed off their MAC address.

    @ashrocks:

    I don't know if that network drive sends out a DHCP request.

    It's probably overdue that you found out if the drive is supposed to get IP configuration from DHCP (or can be configured to do so). If the drive doesn't send a DHCP request then I don't know how pfSense will give it an IP address based on its MAC address.

    If the drive is supposed to send a DHCP request then you should be able to see the DHCP request logged in the DHCP log on pfSense (unless you are running a fairly recent snapshot build of 2.0 BETA) or in a packet trace.

  • MOVED: Dynamic DNS

    Locked
    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Replacing a Win 2k3 with Pfsense

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    @jimp:

    When dealing with an AD Domain, it is usually best to leave DNS and DHCP handled by the DCs. You can set the DNS forwarders on the DCs to the pfSense router, but the clients should still point to the DCs directly for DNS.

    Yea, finding that out now. I'll leave the AD server to deal with local DNS and then forward all other requests to the pfSense box. I'll test out DHCP; I'd like to keep that under pfSense, but if I can't I'll keep that on the AD server as well.

  • Cannot connect to Internet when using Static IP on WAN side

    Locked
    8
    0 Votes
    8 Posts
    14k Views

    Thanks wallabybob for calling out the routing issue.  Though your suggestion didn't immediately solve my problem, it got me to thinking and I decided to call my ISP for additional information on my IP address block.  It turns out that I needed to use a different IP range on the WAN side of the interface.  Case closed.

  • Two lan interfaces DHCP assigning same subnet to both

    Locked
    14
    0 Votes
    14 Posts
    7k Views

    Hi,

    dc0 also has the "Bridge with" option set to none. However I tried force saving the same configuration again and then rebooted pfSense. And after that, the bridge was gone :)
    I've enabled the DHCP on both interfaces and now everything works fine (I will do some more tests though!). I remember that some time ago when I first tried to configure the second interface dc1 I tried to bridge it with some other interface. Even though I think pfSense has been rebooted a few times after that, it seems that for some reason that bridge interface never was removed and that was the reason for this strange behavior.
    Thank you very much jimp and wallabybob for your support! This forum rules ;)

  • Diagnostics -> Ping not resolving names but Client PC's do

    Locked
    5
    0 Votes
    5 Posts
    2k Views
    jimp

    If the DNS query from pfSense is supposed to go across the IPsec tunnel, you also need to be aware of this:

    http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

  • DHCP server on VLAN

    Locked
    6
    0 Votes
    6 Posts
    4k Views

    @tux3132:

    I think that my switch has a buggy 802.1q implementation.

    Might be worth checking the switch support web pages to see if there is a firmware upgrade or if others have reported similar problems. What switch are you using?

    @tux3132:

    Question: if I plug a cross cable between my server and my Debian client, on which I have installed and configured the vlan package, is it functional?

    If both ends of the cable support VLANs and are configured compatibly it should work. (I know nothing about configuring VLANs in Linux.) You probably won't need a cross over cable since it seems your NICs are pretty modern. Using a cross over cable won't hurt.

  • Static DNS overrides DNS Forwarder

    Locked
    5
    0 Votes
    5 Posts
    3k Views

    @brah:

    Contrary to what the hint says, if you disable the override checkbox, the DNS Forwarder still works.

    It (the DNS forwarder) should still work, unless you disable the DNS forwarder. That override box doesn't disable the DNS forwarder; it just controls where the DNS forwarder gets its name service: the DNS in the box above OR the DNS specified by the DHCP server upstream of the WAN interface.
    @brah:

    @wallabybob:

    I don't understand what this means:
    @brah:

    The problem I'm having is that the WAN DNSs disappear every now and then, but are still reachable, leaving my whole network without DNS service.

    Until I read "but are still reachable" I thought you meant your manually specified WAN DNSs went offline for a while.

    They don't go offline, they just disappear from the interface, which is why everything works fine if I set them as static.

    Sorry, but I don't understand the explanation: from what interface do the DNSs disappear?

    Back to the original statement:
    @brah:

    If I go into General Setup I can set a static DNS instead of taking the ones provided by my ISP, but if I do this the DNS Forwarder entries stop working.

    I have two static DNSs specified in General Setup  to override DNS specified by my ISP. My DNS forwarder entries (specified on Services -> DNS forwarder) work. This has continued to work across a number of reboots.

  • Using Gibsons DNS tool, and is the router the place for DNS proxy?

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Thanks JimP.

    I usually listen to Leo and Steve's podcasts (here for those with some interest in what I'm talking about -
    they can be found here: http://twit.tv/sn or on ITunes search Security Now)  in the background while doing other things.
    He sure can ramble..

    The words caught my attention. It will be interesting to hear from which side of the network he contends these "crashes" can source from. And yeah maybe linksys/belkin/dlink type devices. I think I did hear those names.

    For those reading this thread, I'll revise it after next week if he discusses this. We'll see.

  • WAN DHCP-messages filling System log

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Seems that this error occurred because I forgot to disable the "Open WAN Rule" that comes with the appliance.
    Disabled it and now the error doesn't appear anymore.

  • (help) I need to protect my Server from NetCut

    Locked
    11
    0 Votes
    11 Posts
    6k Views

    I'm sorry if I'm confusing the issue …
    I just read the subject: (help) I need to protect my Server from NetCut

    MeroMarko, do you get an advantage or disadvantage from the NetCut app?
    Or maybe, if someone on your network uses the NetCut app, do you get an advantage or disadvantage?

  • DNS Forwarder trouble

    Locked
    3
    0 Votes
    3 Posts
    2k Views

    Yes, it works.
    I forgot to create a host map to the public IP :p
    Thanks for your help,

  • Assign different DHCP ranges depending on MAC address / vendor code?

    Locked
    4
    0 Votes
    4 Posts
    4k Views
    jimp

    There is already a similar enhancement request in redmine for "future" - it should be possible, though generally if you have separate subnets they are on separate interfaces so doing exactly what you propose isn't necessary.

  • 0 Votes
    6 Posts
    5k Views
    dotdash

    Getting off topic, but I haven't had trouble using simple vlan setups on an Alix.
    You would create vlan interfaces for each lan with the proper tags, use the vlan interfaces for LAN and LAN2.
    It's easy to shoot yourself in the foot when reconfiguring, I like to do it via the WAN side.
    Then make sure the parent interface on pfsense is connected to a trunk port on the switch.
    There is good info on vlan configurations if you search about a bit.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.