New install observations



  • I'm just finished installing pfSense on an Atom 330 box (Zotac IONITX-L-E, 4GB RAM, dual ethernet PCI NIC, broadcom/apple mini PCIe WiFi card).

    Here are a few observations:

    a) the WiFi card doesn't seem to be recognized, even though it's a pretty much industry standard chip set (Broadcom 4321 801.11 a/b/g/n)

    b) any significant changes in IPSec setup require a reboot to work. While the tunnel will come up after changes, no traffic will flow until the system is rebooted

    c) there's no way to destroy and properly repartition a disk once a GEOM mirror was attempted. The disk has to be physically removed from the system, and repartitioned in an MBR scheme etc. before it can be properly reused in pfSense. There should be a destroy GEOM option in the installer menues.

    d) only two packages show up as being available in System:Package Manager. (Varnish and IP-Blocklist) Can an amd64 installation not install the packages that show up in the i386 setup? I did a test install before on a 32-bit CPU and obviously with an i386 architecture installer DVD, and I had dozens of packages listed available for installation.

    e) OS upgrades are funky: the dates of the build and the date of the update shown are not in sync. So you can install the latest update, and the system will still show an update is available, which is the same you just installed, because the system will report the build-time as the current version, while the update server reports a date/version based on when that build was packaged and put up on the server, and these two are obviously never the same, and therefore even the most current update will result in the system thinking it's out of date

    f) there seems to be an incompatibility between ZyWALL units and pfSense: the exactly the same tunnel will not come up ever if the mode is changed from aggressive to main on both sides. Switching back to aggressive, and things work fine, switching again to main mode and connectivity ends. Even with aggressive mode and a working tunnel, there are tons of messages like these to be found in the VPN/IPsec log:

    racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    racoon: ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    

    g) even though traffic flows from the LAN interface out the IPSec (which serves as the default route for the LAN interface), I can't get traffic to flow from the DMZ interface, which should be NATed out the WAN. Still investigating that one (could be an oversight on my side). To clarify my setup: I have a public class-C address block (my LAN) that I need to route to the public internet, but my ISP doesn't offer that service. So I have a colocation service with an IPSec VPN box, which acts as the gateway for my class-C net. So all my traffic is tunneled there, and so my LAN is using the colocation service as the routing gateway. I however also have a separate guest WiFi network, which can go directly to the internet using NAT and my ISP as gateway. No need for all that traffic to be tunneled, since it won't have public IP addresses anyway. Eventually, for performance reasons, there's some traffic out of the LAN that I want to NAT and send through the ISP rather than tunnel, with some policy routes, but that's down the road….

    h) it would be way cool if OpenCL could be used as crypto accelerator... I got that ION chip doing next to nothing in that machine, and it's likely more powerful than the main CPU. OpenCL would have the advantage of being portable and GPU agnostic.

    i) it would be nice if there were an option to have man pages installed. While I'm familiar with the basics of UNIX/BSD there are always system specific differences, i.e. Linux, FreeBSD, Mac OS X, etc. are all slightly different, so when doing anything at the shell level it would be nice to have man pages available to look up/confirm semantics.

    j) I'd love to have a manual for the system, but the pfSense manual is written for 1.x, which is quite a bit different from 2.x, and 1.x lacks several must-have features, which is why I'm trying to use 2.0 beta as it is. Is there a beta version of the pfSense book for 2.x?

    k) once a virtual interface, like e.g. an IPSec tunnel, is defined, it should show up everywhere where there are NICs defined. Routing should be more explicit, i.e. I should be able to specifically say if the WAN or the VPN is used as the the default route to the rest of the net for any other net (LAN, DMZ, etc.)
    In my case both the WAN and the IPSec VPN offer a route to the public internet, but that's not obvious in the GUI.
    There should only be a collection of (virtual) NICs, and then the routes between them should have to be explicitly defined. Right now the routes are implied in some non-intuitive way by the way the IPSec VPN is set up, because the VPN isn't a choice in the list of interfaces when setting up Gateways, nor can default gateways be defined on a per-interface basis. i.e. I want the WAN gateway to be the default gateway for the DMZ and the VPN virtual interface, but I want the VPN to be the default gateway for the LAN.
    The whole thing should work more like a patch-bay and cables than like some table based system in which not all elements are treated equally. In other words, just because the IPSec VPN requires the WAN to be established shouldn't mean that as far as the LAN and DMZ are concerned, it shouldn't be seen as an equivalent to the WAN when it comes to routing options.

    l) once an interface is (accidentally) MAC address spoofed, clearing the field and saving/applying the new settings does not restore the original MAC address, instead the spoofed address remains in effect. So unless you happen to know the NIC's real MAC address and you enter it manually, you can't get back to it (at least not through the GUI or without removing and re-adding the interface or similar drastic steps). When the spoof field is cleared, the NIC should revert to its hardware MAC address and give up on any previously set addresses.

    m) it seems impossible to have NAT apply only to specific FW rules. e.g. I want most of my LAN originated traffic to have no NAT and go out over the VPN tunnel, but web browsing (destination port 80) I'd like to use NAT and go out through the WAN gateway. So while FW rules can specify an alternate gateway, NAT can't be enabled on a per-rule base. Again, I'm a noob, and maybe I'm looking in the wrong place.

    n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page

    o) Without starting yet another vi vs. whatever-editor war, I hate vi, and I'm very prone to screw things up using it. While installing the "emacs-OS" may be a bit overkill, something like nano would be nice if it were part of the standard distribution...

    Hope this makes sense ;)



  • @rcfa:

    I'm just finished installing pfSense on an Atom 330 box (Zotac IONITX-L-E, 4GB RAM, dual ethernet PCI NIC, broadcom/apple mini PCIe WiFi card).

    Here are a few observations:

    a) the WiFi card doesn't seem to be recognized, even though it's a pretty much industry standard chip set (Broadcom 4321 801.11 a/b/g/n)

    You don't say what version of pfSense you installed but (hopefully) since you posted in the forum for pfSense 2.0 BETA you installed one of the 2.0 BETA snapshots

    pfSense 2.0 BETA is based on FreeBSD 8.0 and the supported hardware list for FreeBSD 8.0 (at http://www.freebsd.org/releases/8.0R/hardware.html says The bwi(4)  driver supports Broadcom BCM43xx based wireless devices, including: so it appears your WiFi device should be recognised. I think support for bwi is new to FreeBSD 8.0 so your WiFi won't be recognised by any pfSense earlier than 2.0.

    Have you fulfilled the requirements in the bwi man page (http://www.freebsd.org/cgi/man.cgi?query=bwi&sektion=4&manpath=FreeBSD+8.0-RELEASE), particularly in relation to firmware for the WiFi device?

    Please confirm you installed a recent snapshot build of pfSense 2.0 BETA and provide the output of the shell commands dmesg and pciconf so we can better understand why your WiFi was not recognised.



  • Yup, very recent 2.0 beta snapshot installed. I hope the following answers the relevant questions about the configuration:

    uname -a

    FreeBSD myhost.mydomain.tld 8.0-STABLE FreeBSD 8.0-STABLE #1: Sat May 22 11:25:18 UTC 2010     sullrich@FreeBSD_8.0_pfSense_2.0-AMD64.snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8  amd64

    dmesg

    Copyright © 1992-2010 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    The Regents of the University of California. All rights reserved.
    FreeBSD is a registered trademark of The FreeBSD Foundation.
    FreeBSD 8.0-STABLE #1: Sat May 22 11:25:18 UTC 2010
       sullrich@FreeBSD_8.0_pfSense_2.0-AMD64.snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64
    Timecounter "i8254" frequency 1193182 Hz quality 0
    CPU: Intel(R) Atom(TM) CPU  330   @ 1.60GHz (1600.01-MHz K8-class CPU)
     Origin = "GenuineIntel"  Id = 0x106c2  Family = 6  Model = 1c  Stepping = 2
     Features=0xbfe9fbff <fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>Features2=0x40e31d <sse3,dtes64,mon,ds_cpl,tm2,ssse3,cx16,xtpr,pdcm,movbe>AMD Features=0x20100800 <syscall,nx,lm>AMD Features2=0x1 <lahf>TSC: P-state invariant
    real memory  = 4294967296 (4096 MB)
    avail memory = 3089707008 (2946 MB)
    ACPI APIC Table: <031910 APIC1152>
    FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
    FreeBSD/SMP: 1 package(s) x 2 core(s) x 2 HTT threads
    cpu0 (BSP): APIC ID:  0
    cpu1 (AP/HT): APIC ID:  1
    cpu2 (AP): APIC ID:  2
    cpu3 (AP/HT): APIC ID:  3
    ioapic0: Changing APIC ID to 4
    ioapic0 <version 1.1="">irqs 0-23 on motherboard
    wlan: mac acl policy registered
    ipw_bss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_bss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_bss_fw, 0xffffffff80434cd0, 0) error 1
    ipw_ibss: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_ibss: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_ibss_fw, 0xffffffff80434d70, 0) error 1
    wpi: You need to read the LICENSE file in /usr/share/doc/legal/intel_wpi/.
    wpi: If you agree with the license, set legal.intel_wpi.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (wpi_fw, 0xffffffff80609ff0, 0) error 1
    ipw_monitor: You need to read the LICENSE file in /usr/share/doc/legal/intel_ipw/.
    ipw_monitor: If you agree with the license, set legal.intel_ipw.license_ack=1 in /boot/loader.conf.
    module_register_init: MOD_LOAD (ipw_monitor_fw, 0xffffffff80434e10, 0) error 1
    kbd1 at kbdmux0
    cryptosoft0: <software crypto="">on motherboard
    padlock0: No ACE support.
    acpi0: <031910 XSDT1152> on motherboard
    acpi0: [ITHREAD]
    acpi0: Power Button (fixed)
    acpi0: reservation of fefe1000, 1000 (3) failed
    acpi0: reservation of fee01000, ff000 (3) failed
    acpi0: reservation of fec00000, 1000 (3) failed
    acpi0: reservation of fee00000, 1000 (3) failed
    acpi0: reservation of 0, a0000 (3) failed
    acpi0: reservation of 100000, dff00000 (3) failed
    Timecounter "ACPI-safe" frequency 3579545 Hz quality 850
    acpi_timer0: <32-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
    cpu0: <acpi cpu="">on acpi0
    cpu1: <acpi cpu="">on acpi0
    cpu2: <acpi cpu="">on acpi0
    cpu3: <acpi cpu="">on acpi0
    acpi_hpet0: <high precision="" event="" timer="">iomem 0xfed00000-0xfed003ff on acpi0
    Timecounter "HPET" frequency 25000000 Hz quality 900
    pcib0: <acpi host-pci="" bridge="">port 0xcf8-0xcff on acpi0
    pci0: <acpi pci="" bus="">on pcib0
    pci0: <memory, ram="">at device 0.1 (no driver attached)
    isab0: <pci-isa bridge="">port 0x4f00-0x4fff at device 3.0 on pci0
    isa0: <isa bus="">on isab0
    pci0: <memory, ram="">at device 3.1 (no driver attached)
    pci0: <serial bus,="" smbus="">at device 3.2 (no driver attached)
    pci0: <memory, ram="">at device 3.3 (no driver attached)
    pci0: <processor>at device 3.5 (no driver attached)
    ohci0: <nvidia nforce="" mcp79="" usb="" controller="">mem 0xfad7f000-0xfad7ffff irq 22 at device 4.0 on pci0
    ohci0: [ITHREAD]
    usbus0: <nvidia nforce="" mcp79="" usb="" controller="">on ohci0
    ehci0: <nvidia nforce="" mcp79="" usb="" 2.0="" controller="">mem 0xfad7ec00-0xfad7ecff irq 23 at device 4.1 on pci0
    ehci0: [ITHREAD]
    usbus1: EHCI version 1.0
    usbus1: <nvidia nforce="" mcp79="" usb="" 2.0="" controller="">on ehci0
    ohci1: <nvidia nforce="" mcp79="" usb="" controller="">mem 0xfad7d000-0xfad7dfff irq 20 at device 6.0 on pci0
    ohci1: [ITHREAD]
    usbus2: <nvidia nforce="" mcp79="" usb="" controller="">on ohci1
    ehci1: <nvidia nforce="" mcp79="" usb="" 2.0="" controller="">mem 0xfad7e800-0xfad7e8ff irq 21 at device 6.1 on pci0
    ehci1: [ITHREAD]
    usbus3: EHCI version 1.0
    usbus3: <nvidia nforce="" mcp79="" usb="" 2.0="" controller="">on ehci1
    pci0: <multimedia, hda="">at device 8.0 (no driver attached)
    pcib1: <acpi pci-pci="" bridge="">at device 9.0 on pci0
    pci1: <acpi pci="" bus="">on pcib1
    nfe0: <nvidia nforce="" mcp79="" networking="" adapter="">port 0xc080-0xc087 mem 0xfad7c000-0xfad7cfff,0xfad7e400-0xfad7e4ff,0xfad7e000-0xfad7e00f irq 23 at device 10.0 on pci0
    miibus0: <mii bus="">on nfe0
    rgephy0: <rtl8169s 8110s="" 8211b="" media="" interface="">PHY 3 on miibus0
    rgephy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
    nfe0: [FILTER]
    atapci0: <nvidia nforce="" mcp79="" sata300="" controller="">port 0xc000-0xc007,0xbc00-0xbc03,0xb880-0xb887,0xb800-0xb803,0xb480-0xb48f mem 0xfad72000-0xfad73fff irq 20 at device 11.0 on pci0
    atapci0: [ITHREAD]
    atapci0: AHCI v1.20 controller with 6 3Gbps ports, PM not supported
    ata2: <ata 0="" channel="">on atapci0
    ata2: [ITHREAD]
    ata3: <ata 1="" channel="">on atapci0
    ata3: [ITHREAD]
    ata4: <ata 2="" channel="">on atapci0
    ata4: [ITHREAD]
    ata5: <ata 3="" channel="">on atapci0
    ata5: [ITHREAD]
    ata6: <ata 4="" channel="">on atapci0
    ata6: [ITHREAD]
    ata7: <ata 5="" channel="">on atapci0
    ata7: [ITHREAD]
    pcib2: <acpi pci-pci="" bridge="">irq 21 at device 12.0 on pci0
    pci2: <acpi pci="" bus="">on pcib2
    mskc0: <marvell yukon="" 88e8062cu="" gigabit="" ethernet="">port 0xd800-0xd8ff mem 0xfaefc000-0xfaefffff irq 16 at device 0.0 on pci2
    msk0: <marvell technology="" group="" ltd.="" yukon="" xl="" id="" 0xb3="" rev="" 0x03="">on mskc0
    miibus1: <mii bus="">on msk0
    e1000phy0: <marvell 88e1112="" gigabit="" phy="">PHY 0 on miibus1
    e1000phy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
    msk1: <marvell technology="" group="" ltd.="" yukon="" xl="" id="" 0xb3="" rev="" 0x03="">on mskc0
    miibus2: <mii bus="">on msk1
    e1000phy1: <marvell 88e1112="" gigabit="" phy="">PHY 0 on miibus2
    e1000phy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto
    mskc0: [ITHREAD]
    pcib3: <acpi pci-pci="" bridge="">at device 16.0 on pci0
    pci3: <acpi pci="" bus="">on pcib3
    vgapci0: <vga-compatible display="">port 0xec00-0xec7f mem 0xfb000000-0xfbffffff,0xe0000000-0xefffffff,0xf6000000-0xf7ffffff irq 22 at device 0.0 on pci3
    pcib4: <acpi pci-pci="" bridge="">irq 22 at device 21.0 on pci0
    pci4: <acpi pci="" bus="">on pcib4
    pci4: <network>at device 0.0 (no driver attached)
    pcib5: <acpi pci-pci="" bridge="">irq 23 at device 22.0 on pci0
    pci5: <acpi pci="" bus="">on pcib5
    pcib6: <acpi pci-pci="" bridge="">irq 20 at device 23.0 on pci0
    pci6: <acpi pci="" bus="">on pcib6
    pcib7: <acpi pci-pci="" bridge="">irq 21 at device 24.0 on pci0
    pci7: <acpi pci="" bus="">on pcib7
    acpi_button0: <power button="">on acpi0
    uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
    uart0: [FILTER]
    atrtc0: <at realtime="" clock="">port 0x70-0x71 on acpi0
    orm0: <isa option="" roms="">at iomem 0xc0000-0xce7ff,0xce800-0xcf7ff on isa0
    sc0: <system console="">at flags 0x100 on isa0
    sc0: VGA <16 virtual consoles, flags=0x300>
    vga0: <generic isa="" vga="">at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
    atkbdc0: <keyboard controller="" (i8042)="">at port 0x60,0x64 on isa0
    atkbd0: <at keyboard="">irq 1 on atkbdc0
    kbd0 at atkbd0
    atkbd0: [GIANT-LOCKED]
    atkbd0: [ITHREAD]
    ppc0: cannot reserve I/O port range
    p4tcc0: <cpu frequency="" thermal="" control="">on cpu0
    p4tcc1: <cpu frequency="" thermal="" control="">on cpu1
    p4tcc2: <cpu frequency="" thermal="" control="">on cpu2
    p4tcc3: <cpu frequency="" thermal="" control="">on cpu3
    Timecounters tick every 1.000 msec
    IPsec: Initialized Security Association Processing.
    usbus0: 12Mbps Full Speed USB v1.0
    usbus1: 480Mbps High Speed USB v2.0
    usbus2: 12Mbps Full Speed USB v1.0
    usbus3: 480Mbps High Speed USB v2.0
    ad4: 7631MB <lexar 20071016="" ata="" flash="" card="">at ata2-master UDMA66 SATA 3Gb/s
    ad6: 7935MB <smi 20050811="" model="">at ata3-master WDMA2 SATA 3Gb/s
    SMP: AP CPU #1 Launched!
    SMP: AP CPU #3 Launched!
    SMP: AP CPU #2 Launched!
    ugen1.1: <nvidia>at usbus1ugen2.1: <nvidia>at usbus2ugen0.1: <nvidia>at usbus0

    uhub0: <nvidia 1="" 9="" ehci="" root="" hub,="" class="" 0,="" rev="" 2.00="" 1.00,="" addr="">on usbus1
    uhub1: <nvidia 1="" 9="" ohci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usbus0
    uhub2: <nvidia 1="" 9="" ohci="" root="" hub,="" class="" 0,="" rev="" 1.00="" 1.00,="" addr="">on usbus2
    ugen3.1: <nvidia>at usbus3
    uhub3: <nvidia 1="" 9="" ehci="" root="" hub,="" class="" 0,="" rev="" 2.00="" 1.00,="" addr="">on usbus3
    Root mount waiting for: usbus3 usbus2 usbus1 usbus0
    uhub1: 6 ports with 6 removable, self powered
    uhub2: 6 ports with 6 removable, self powered
    Root mount waiting for: usbus3 usbus1
    Root mount waiting for: usbus3 usbus1
    uhub0: 6 ports with 6 removable, self powered
    uhub3: 6 ports with 6 removable, self powered
    Trying to mount root from ufs:/dev/ad4s1a
    pflog0: promiscuous mode enabled
    msk1: link state changed to UP
    nfe0: link state changed to UP
    […snip…]# pciconf -lbcv
    hostb0@pci0:0:0:0: class=0x060000 card=0xcb7910de chip=0x0a8210de rev=0xb1 hdr=0x00
       class      = bridge
       subclass   = HOST-PCI
    none0@pci0:0:0:1: class=0x050000 card=0xcb7910de chip=0x0a8810de rev=0xb1 hdr=0x00
       class      = memory
       subclass   = RAM
    isab0@pci0:0:3:0: class=0x060100 card=0xa13319da chip=0x0aad10de rev=0xb2 hdr=0x00
       class      = bridge
       subclass   = PCI-ISA
       bar   [10] = type I/O Port, range 32, base 0x4f00, size 256, enabled
    none1@pci0:0:3:1: class=0x050000 card=0xa13319da chip=0x0aa410de rev=0xb1 hdr=0x00
       class      = memory
       subclass   = RAM
    none2@pci0:0:3:2: class=0x0c0500 card=0xa13319da chip=0x0aa210de rev=0xb1 hdr=0x00
       class      = serial bus
       subclass   = SMBus
       bar   [10] = type I/O Port, range 32, base 0x4900, size 64, enabled
       bar   [20] = type I/O Port, range 32, base 0x4d00, size 64, enabled
       bar   [24] = type I/O Port, range 32, base 0x4e00, size 64, enabled
       cap 01[44] = powerspec 2  supports D0 D3  current D0
    none3@pci0:0:3:3: class=0x050000 card=0xcb7910de chip=0x0a8910de rev=0xb1 hdr=0x00
       class      = memory
       subclass   = RAM
    none4@pci0:0:3:5: class=0x0b4000 card=0xa13319da chip=0x0aa310de rev=0xb1 hdr=0x00
       class      = processor
       bar   [10] = type Memory, range 32, base 0xfad80000, size 524288, enabled
    ohci0@pci0:0:4:0: class=0x0c0310 card=0xa13319da chip=0x0aa510de rev=0xb1 hdr=0x00
       class      = serial bus
       subclass   = USB
       bar   [10] = type Memory, range 32, base 0xfad7f000, size 4096, enabled
       cap 01[44] = powerspec 2  supports D0 D1 D2 D3  current D0
    ehci0@pci0:0:4:1: class=0x0c0320 card=0xa13319da chip=0x0aa610de rev=0xb1 hdr=0x00
       class      = serial bus
       subclass   = USB
       bar   [10] = type Memory, range 32, base 0xfad7ec00, size 256, enabled
       cap 0a[44] = EHCI Debug Port at offset 0xa0 in map 0x14
       cap 01[80] = powerspec 2  supports D0 D1 D2 D3  current D0
    ohci1@pci0:0:6:0: class=0x0c0310 card=0xa13319da chip=0x0aa710de rev=0xb1 hdr=0x00
       class      = serial bus
       subclass   = USB
       bar   [10] = type Memory, range 32, base 0xfad7d000, size 4096, enabled
       cap 01[44] = powerspec 2  supports D0 D1 D2 D3  current D0
    ehci1@pci0:0:6:1: class=0x0c0320 card=0xa13319da chip=0x0aa910de rev=0xb1 hdr=0x00
       class      = serial bus
       subclass   = USB
       bar   [10] = type Memory, range 32, base 0xfad7e800, size 256, enabled
       cap 0a[44] = EHCI Debug Port at offset 0xa0 in map 0x14
       cap 01[80] = powerspec 2  supports D0 D1 D2 D3  current D0
    none5@pci0:0:8:0: class=0x040300 card=0x437b174b chip=0x0ac010de rev=0xb1 hdr=0x00
       class      = multimedia
       subclass   = HDA
       bar   [10] = type Memory, range 32, base 0xfad78000, size 16384, enabled
       cap 01[44] = powerspec 2  supports D0 D3  current D0
    pcib1@pci0:0:9:0: class=0x060401 card=0xa13319da chip=0x0aab10de rev=0xb1 hdr=0x01
       class      = bridge
       subclass   = PCI-PCI
       cap 0d[b8] = PCI Bridge card=0xa13319da
    nfe0@pci0:0:10:0: class=0x020000 card=0xa13319da chip=0x0ab010de rev=0xb1 hdr=0x00
       class      = network
       subclass   = ethernet
       bar   [10] = type Memory, range 32, base 0xfad7c000, size 4096, enabled
       bar   [14] = type I/O Port, range 32, base 0xc080, size  8, enabled
       bar   [18] = type Memory, range 32, base 0xfad7e400, size 256, enabled
       bar   [1c] = type Memory, range 32, base 0xfad7e000, size 16, enabled
       cap 01[44] = powerspec 2  supports D0 D1 D2 D3  current D0
    atapci0@pci0:0:11:0: class=0x010185 card=0xa13319da chip=0x0ab410de rev=0xb1 hdr=0x00
       class      = mass storage
       subclass   = ATA
       bar   [10] = type I/O Port, range 32, base 0xc000, size  8, enabled
       bar   [14] = type I/O Port, range 32, base 0xbc00, size  4, enabled
       bar   [18] = type I/O Port, range 32, base 0xb880, size  8, enabled
       bar   [1c] = type I/O Port, range 32, base 0xb800, size  4, enabled
       bar   [20] = type I/O Port, range 32, base 0xb480, size 16, enabled
       bar   [24] = type Memory, range 32, base 0xfad72000, size 8192, enabled
       cap 01[44] = powerspec 2  supports D0 D3  current D0
       cap 12[8c] = SATA Index-Data Pair
       cap 05[b0] = MSI supports 8 messages, 64 bit
    pcib2@pci0:0:12:0: class=0x060400 card=0xa13319da chip=0x0ac410de rev=0xb1 hdr=0x01
       class      = bridge
       subclass   = PCI-PCI
       cap 0d[40] = PCI Bridge card=0xa13319da
       cap 01[48] = powerspec 3  supports D0 D3  current D0
       cap 05[50] = MSI supports 2 messages, 64 bit
       cap 10[80] = PCI-Express 2 root port max data 128(256) link x4(x16)
    pcib3@pci0:0:16:0: class=0x060400 card=0xa13319da chip=0x0aa010de rev=0xb1 hdr=0x01
       class      = bridge
       subclass   = PCI-PCI
       cap 0d[40] = PCI Bridge card=0xa13319da
       cap 01[48] = powerspec 2  supports D0 D3  current D0
       cap 05[50] = MSI supports 2 messages, 64 bit
    pcib4@pci0:0:21:0: class=0x060400 card=0xa13319da chip=0x0ac610de rev=0xb1 hdr=0x01
       class      = bridge
       subclass   = PCI-PCI
       cap 0d[40] = PCI Bridge card=0xa13319da
       cap 01[48] = powerspec 3  supports D0 D3  current D0
       cap 05[50] = MSI supports 2 messages, 64 bit
       cap 10[80] = PCI-Express 2 root port max data 128(256) link x1(x1)
    pcib5@pci0:0:22:0: class=0x060400 card=0xa13319da chip=0x0ac710de rev=0xb1 hdr=0x01
       class      = bridge
       subclass   = PCI-PCI
       cap 0d[40] = PCI Bridge card=0xa13319da
       cap 01[48] = powerspec 3  supports D0 D3  current D0
       cap 05[50] = MSI supports 2 messages, 64 bit
       cap 10[80] = PCI-Express 2 root port max data 128(256) link x1(x1)
    pcib6@pci0:0:23:0: class=0x060400 card=0xa13319da chip=0x0ac710de rev=0xb1 hdr=0x01
       class      = bridge
       subclass   = PCI-PCI
       cap 0d[40] = PCI Bridge card=0xa13319da
       cap 01[48] = powerspec 3  supports D0 D3  current D0
       cap 05[50] = MSI supports 2 messages, 64 bit
       cap 10[80] = PCI-Express 2 root port max data 128(256) link x1(x1)
    pcib7@pci0:0:24:0: class=0x060400 card=0xa13319da chip=0x0ac710de rev=0xb1 hdr=0x01
       class      = bridge
       subclass   = PCI-PCI
       cap 0d[40] = PCI Bridge card=0xa13319da
       cap 01[48] = powerspec 3  supports D0 D3  current D0
       cap 05[50] = MSI supports 2 messages, 64 bit
       cap 10[80] = PCI-Express 2 root port max data 128(256) link x1(x1)
    mskc0@pci0:2:0:0: class=0x020000 card=0x622211ab chip=0x434311ab rev=0x14 hdr=0x00
       class      = network
       subclass   = ethernet
       bar   [10] = type Memory, range 64, base 0xfaefc000, size 16384, enabled
       bar   [18] = type I/O Port, range 32, base 0xd800, size 256, enabled
       cap 01[48] = powerspec 2  supports D0 D1 D2 D3  current D0
       cap 03[50] = VPD
       cap 05[5c] = MSI supports 2 messages, 64 bit enabled with 1 message
       cap 10[e0] = PCI-Express 1 legacy endpoint max data 128(128) link x4(x4)
    vgapci0@pci0:3:0:0: class=0x030000 card=0xa13319da chip=0x087d10de rev=0xb1 hdr=0x00
       class      = display
       subclass   = VGA
       bar   [10] = type Memory, range 32, base 0xfb000000, size 16777216, enabled
       bar   [14] = type Prefetchable Memory, range 64, base 0xe0000000, size 268435456, enabled
       bar   [1c] = type Prefetchable Memory, range 64, base 0xf6000000, size 33554432, enabled
       bar   [24] = type I/O Port, range 32, base 0xec00, size 128, enabled
       cap 01[60] = powerspec 2  supports D0 D3  current D0
       cap 05[68] = MSI supports 1 message, 64 bit
    none6@pci0:4:0:0: class=0x028000 card=0x0087106b chip=0x432814e4 rev=0x01 hdr=0x00
       class      = network
       bar   [10] = type Memory, range 64, base 0xfebfc000, size 16384, enabled
       bar   [18] = type Prefetchable Memory, range 64, base 0xf9f00000, size 1048576, enabled
       cap 01[40] = powerspec 2  supports D0 D1 D2 D3  current D0
       cap 05[58] = MSI supports 1 message, 64 bit
       cap 10[d0] = PCI-Express 1 endpoint max data 128(128) link x1(x1)
    #</nvidia></nvidia></nvidia></nvidia></nvidia></nvidia></nvidia></nvidia></smi></lexar></cpu></cpu></cpu></cpu></at></keyboard></generic></system></isa></at></power></acpi></acpi></acpi></acpi></acpi></acpi></network></acpi></acpi></vga-compatible></acpi></acpi></marvell></mii></marvell></marvell></mii></marvell></marvell></acpi></acpi></ata></ata></ata></ata></ata></ata></nvidia></rtl8169s></mii></nvidia></acpi></acpi></multimedia,></nvidia></nvidia></nvidia></nvidia></nvidia></nvidia></nvidia></nvidia></processor></memory,></serial></memory,></isa></pci-isa></memory,></acpi></acpi></high></acpi></acpi></acpi></acpi></software></version></lahf></syscall,nx,lm></sse3,dtes64,mon,ds_cpl,tm2,ssse3,cx16,xtpr,pdcm,movbe></fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,sep,mtrr,pge,mca,cmov,pat,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,htt,tm,pbe>



  • @rcfa:

    e) OS upgrades are funky: the dates of the build and the date of the update shown are not in sync. So you can install the latest update, and the system will still show an update is available, which is the same you just installed, because the system will report the build-time as the current version, while the update server reports a date/version based on when that build was packaged and put up on the server, and these two are obviously never the same, and therefore even the most current update will result in the system thinking it's out of date

    Someone might be working on this.

    @rcfa:

    l) once an interface is (accidentally) MAC address spoofed, clearing the field and saving/applying the new settings does not restore the original MAC address, instead the spoofed address remains in effect. So unless you happen to know the NIC's real MAC address and you enter it manually, you can't get back to it (at least not through the GUI or without removing and re-adding the interface or similar drastic steps). When the spoof field is cleared, the NIC should revert to its hardware MAC address and give up on any previously set addresses.

    To do this, it probably needs to save the old MAC address somewhere during boot, because I'm not sure if there is a way to find out the old MAC address once it has been changed.

    @rcfa:

    m) it seems impossible to have NAT apply only to specific FW rules. e.g. I want most of my LAN originated traffic to have no NAT and go out over the VPN tunnel, but web browsing (destination port 80) I'd like to use NAT and go out through the WAN gateway. So while FW rules can specify an alternate gateway, NAT can't be enabled on a per-rule base. Again, I'm a noob, and maybe I'm looking in the wrong place.

    If you want different NAT based on the source or destination, you need to enable advanced outbound NAT and use custom outbound NAT rules.

    @rcfa:

    o) Without starting yet another vi vs. whatever-editor war, I hate vi, and I'm very prone to screw things up using it. While installing the "emacs-OS" may be a bit overkill, something like nano would be nice if it were part of the standard distribution…

    I don't know whether any other editors are included, but I know there is at least also ee.



  • The pciconf output shows the WiFi device claims to be an Apple card with Broadcom BCM4328 chipset. This chipset allegedly supports 802.11 a/b/g/n. The bwi man page doesn't list any BCM432x chipset as supported. Support for 802.11n is very new in FreeBSD 8.0 and very limited so I'd guess your device is "too new" to be supported.

    If you were to state your wireless requirements and constraints (e.g. do you want 802.11n support? you are prepared to use the PCI slot (or is it a PCI Express slot)? you are happy to have a USB device?) there may be other readers who could suggest a suitable WiFi device.

    It would probably be better to post your other issues as separate topics. Posting so many issues in a single topic is highly likely to result in many of them getting overlooked.



  • @Efonne:

    @rcfa:

    e) OS upgrades are funky: the dates of the build and the date of the update shown are not in sync. So you can install the latest update, and the system will still show an update is available, which is the same you just installed, because the system will report the build-time as the current version, while the update server reports a date/version based on when that build was packaged and put up on the server, and these two are obviously never the same, and therefore even the most current update will result in the system thinking it's out of date

    Someone might be working on this.

    Great. Took me a few tries to figure out why I never managed to get a system that's up to date. I figured it out when I did a manual upgrade, looked at the package date vs. the build date, and then noticed that it compares apples to oranges when trying to do the upgrade, i.e. looking at the package date and comparing it to the build date.

    @Efonne:

    @rcfa:

    l) once an interface is (accidentally) MAC address spoofed, clearing the field and saving/applying the new settings does not restore the original MAC address, instead the spoofed address remains in effect. So unless you happen to know the NIC's real MAC address and you enter it manually, you can't get back to it (at least not through the GUI or without removing and re-adding the interface or similar drastic steps). When the spoof field is cleared, the NIC should revert to its hardware MAC address and give up on any previously set addresses.

    To do this, it probably needs to save the old MAC address somewhere during boot, because I'm not sure if there is a way to find out the old MAC address once it has been changed.

    I see. Saving things with an empty field and rebooting should restore the hardware MAC in that case?
    Maybe I didn't reboot (I think I did), but it seemed that an empty field just resulted in the existing settings not being changed, and thus the old spoofed MAC being retained in the configuration. Maybe I'll test that specifically when I get a chance.

    @Efonne:

    @rcfa:

    m) it seems impossible to have NAT apply only to specific FW rules. e.g. I want most of my LAN originated traffic to have no NAT and go out over the VPN tunnel, but web browsing (destination port 80) I'd like to use NAT and go out through the WAN gateway. So while FW rules can specify an alternate gateway, NAT can't be enabled on a per-rule base. Again, I'm a noob, and maybe I'm looking in the wrong place.

    If you want different NAT based on the source or destination, you need to enable advanced outbound NAT and use custom outbound NAT rules.

    So if I understand you correctly, if I use the advanced outbound NAT, then unless a specific rule is matched NO NAT is applied? Also, how does this affect routing? Currently, I have no NAT, and thus all traffic goes out the matching VPN tunnel. What I need is for specific matching rules the traffic using NAT and going out through the WAN interface directly.

    @Efonne:

    @rcfa:

    o) Without starting yet another vi vs. whatever-editor war, I hate vi, and I'm very prone to screw things up using it. While installing the "emacs-OS" may be a bit overkill, something like nano would be nice if it were part of the standard distribution…

    I don't know whether any other editors are included, but I know there is at least also ee.

    Great, that'll do. Since there are no man pages installed, something like man -k edit didn't work, so I didn't know about ee. Good enough for the few cases I may have to edit things at that level. Thanks for the hint.



  • @wallabybob:

    The pciconf output shows the WiFi device claims to be an Apple card with Broadcom BCM4328 chipset. This chipset allegedly supports 802.11 a/b/g/n. The bwi man page doesn't list any BCM432x chipset as supported. Support for 802.11n is very new in FreeBSD 8.0 and very limited so I'd guess your device is "too new" to be supported.

    I see. Well, OK then…

    @wallabybob:

    If you were to state your wireless requirements and constraints (e.g. do you want 802.11n support? you are prepared to use the PCI slot (or is it a PCI Express slot)? you are happy to have a USB device?) there may be other readers who could suggest a suitable WiFi device.

    …right now I don't need the WiFi support, I was just wondering why a relatively common NIC didn't show up.
    If it did work, I might use it as a WiFi access point for a guest LAN, but I have a spare Fonera device that can serve that purpose, so it's nothing of concern. My main LAN has a bunch of Apple AirPort Extreme and TimeCapsule base stations that extend each others range, so pfSense likely wouldn't be able to play well with that anyway.

    If newer versions of BSD start supporting the card, I'll think about what to do with it at that point.

    @wallabybob:

    It would probably be better to post your other issues as separate topics. Posting so many issues in a single topic is highly likely to result in many of them getting overlooked.

    Yup, sure. Specific issues, I may end up creating separate topics for. This was just sort of an overview thing, because I didn't know if I do a bunch of noob-stupid things, or which of these are known issues/limitations.
    Most of the things I worked around in the mean time, or they are not critical. So the routing/NAT/VPN setup questions will likely form a new thread soon.

    Thanks!



  • @rcfa:

    @Efonne:

    @rcfa:

    m) it seems impossible to have NAT apply only to specific FW rules. e.g. I want most of my LAN originated traffic to have no NAT and go out over the VPN tunnel, but web browsing (destination port 80) I'd like to use NAT and go out through the WAN gateway. So while FW rules can specify an alternate gateway, NAT can't be enabled on a per-rule base. Again, I'm a noob, and maybe I'm looking in the wrong place.

    If you want different NAT based on the source or destination, you need to enable advanced outbound NAT and use custom outbound NAT rules.

    So if I understand you correctly, if I use the advanced outbound NAT, then unless a specific rule is matched NO NAT is applied? Also, how does this affect routing? Currently, I have no NAT, and thus all traffic goes out the matching VPN tunnel. What I need is for specific matching rules the traffic using NAT and going out through the WAN interface directly.

    Oh, I think what you want to do just has to do with selecting the correct gateway on your allow rules on LAN.


  • Rebel Alliance Developer Netgate

    @rcfa:

    a) the WiFi card doesn't seem to be recognized, even though it's a pretty much industry standard chip set (Broadcom 4321 801.11 a/b/g/n)

    As others have stated, that is probably not supported yet. Just because you see it a lot doesn't mean it's really common or supported on FreeBSD. Wireless adapters take a while to trickle down to FreeBSD. I would hesitate at this point to still call any single chip that supports N as "common".

    @rcfa:

    b) any significant changes in IPSec setup require a reboot to work. While the tunnel will come up after changes, no traffic will flow until the system is rebooted

    Have you tried just going to Status > Services and restarting racoon?
    There were some changes in 1.2.x that made it reload only a tunnel that changed. It's possible that no longer works as expected, or a bug/difference in ipsec-tools 0.8 is causing this to fail. Rebooting is rarely necessary, it's more likely that restarting the racoon daemon will suffice.

    You might also try to go to Diagnostics > Command and flush the SAD/SPD with: setkey -F; setkey -FP

    @rcfa:

    c) there's no way to destroy and properly repartition a disk once a GEOM mirror was attempted. The disk has to be physically removed from the system, and repartitioned in an MBR scheme etc. before it can be properly reused in pfSense. There should be a destroy GEOM option in the installer menues.

    That may be nice to have, but you do not have to pull the disk. Just drop to a shell from the installer and issue the command to destory the geom info, or use dd to write zeroes to the beginning and end (or the whole) of the disk.

    @rcfa:

    d) only two packages show up as being available in System:Package Manager. (Varnish and IP-Blocklist) Can an amd64 installation not install the packages that show up in the i386 setup? I did a test install before on a 32-bit CPU and obviously with an i386 architecture installer DVD, and I had dozens of packages listed available for installation.

    There are not enough developers using x64 yet to fix/rebuild/approve them all. The only ones enabled are those known to work.

    @rcfa:

    e) OS upgrades are funky: the dates of the build and the date of the update shown are not in sync. So you can install the latest update, and the system will still show an update is available, which is the same you just installed, because the system will report the build-time as the current version, while the update server reports a date/version based on when that build was packaged and put up on the server, and these two are obviously never the same, and therefore even the most current update will result in the system thinking it's out of date

    That is being worked on. Also someone else pointed out that the auto-update may in fact install the x86 version in some cases (This may be someone who picked the x86 updater URL by hand)

    @rcfa:

    f) there seems to be an incompatibility between ZyWALL units and pfSense: the exactly the same tunnel will not come up ever if the mode is changed from aggressive to main on both sides. Switching back to aggressive, and things work fine, switching again to main mode and connectivity ends. Even with aggressive mode and a working tunnel, there are tons of messages like these to be found in the VPN/IPsec log:

    racoon: ERROR: notification INITIAL-CONTACT received in aggressive exchange.
    racoon: ERROR: exchange Identity Protection not allowed in any applicable rmconf.
    

    This is likely due to ipsec-tools 0.8. You might gather the info from both routers (e.g. contents of racoon.conf) and post to the ipsec-tools-devel list.

    @rcfa:

    g) even though traffic flows from the LAN interface out the IPSec (which serves as the default route for the LAN interface), I can't get traffic to flow from the DMZ interface, which should be NATed out the WAN. Still investigating that one (could be an oversight on my side). To clarify my setup: I have a public class-C address block (my LAN) that I need to route to the public internet, but my ISP doesn't offer that service. So I have a colocation service with an IPSec VPN box, which acts as the gateway for my class-C net. So all my traffic is tunneled there, and so my LAN is using the colocation service as the routing gateway. I however also have a separate guest WiFi network, which can go directly to the internet using NAT and my ISP as gateway. No need for all that traffic to be tunneled, since it won't have public IP addresses anyway. Eventually, for performance reasons, there's some traffic out of the LAN that I want to NAT and send through the ISP rather than tunnel, with some policy routes, but that's down the road….

    I'm not sure we have enough info to comment on that one. It could be any number of things, you'd have to watch with tcpdump on every interface to see how the traffic is flowing and what it's doing (and to see if it's actually getting NAT applied).

    @rcfa:

    h) it would be way cool if OpenCL could be used as crypto accelerator… I got that ION chip doing next to nothing in that machine, and it's likely more powerful than the main CPU. OpenCL would have the advantage of being portable and GPU agnostic.

    That's up to FreeBSD. :-)

    @rcfa:

    i) it would be nice if there were an option to have man pages installed. While I'm familiar with the basics of UNIX/BSD there are always system specific differences, i.e. Linux, FreeBSD, Mac OS X, etc. are all slightly different, so when doing anything at the shell level it would be nice to have man pages available to look up/confirm semantics.

    They just take up space for most people, though an add-on package might be nice. They are all on the web on FreeBSD's site too.

    @rcfa:

    j) I'd love to have a manual for the system, but the pfSense manual is written for 1.x, which is quite a bit different from 2.x, and 1.x lacks several must-have features, which is why I'm trying to use 2.0 beta as it is. Is there a beta version of the pfSense book for 2.x?

    We're working on it, but some things haven't settled down enough to even consider writing for. There are a couple chapters that are almost complete, but nothing for public consumption.

    @rcfa:

    k) once a virtual interface, like e.g. an IPSec tunnel, is defined, it should show up everywhere where there are NICs defined. Routing should be more explicit, i.e. I should be able to specifically say if the WAN or the VPN is used as the the default route to the rest of the net for any other net (LAN, DMZ, etc.)
    In my case both the WAN and the IPSec VPN offer a route to the public internet, but that's not obvious in the GUI.
    There should only be a collection of (virtual) NICs, and then the routes between them should have to be explicitly defined. Right now the routes are implied in some non-intuitive way by the way the IPSec VPN is set up, because the VPN isn't a choice in the list of interfaces when setting up Gateways, nor can default gateways be defined on a per-interface basis. i.e. I want the WAN gateway to be the default gateway for the DMZ and the VPN virtual interface, but I want the VPN to be the default gateway for the LAN.
    The whole thing should work more like a patch-bay and cables than like some table based system in which not all elements are treated equally. In other words, just because the IPSec VPN requires the WAN to be established shouldn't mean that as far as the LAN and DMZ are concerned, it shouldn't be seen as an equivalent to the WAN when it comes to routing options.

    IPsec doesn't route the way other interfaces do. It doesn't route at all. Traffic is grabbed as it enters the box and shoved down the tunnel. It's not usable in the same way. If you want a real routed VPN, use OpenVPN and then you can assign it as an interface and do whatever you like. You might be able to fake some things by adding a gateway under System > Routing and using static routes there.

    @rcfa:

    l) once an interface is (accidentally) MAC address spoofed, clearing the field and saving/applying the new settings does not restore the original MAC address, instead the spoofed address remains in effect. So unless you happen to know the NIC's real MAC address and you enter it manually, you can't get back to it (at least not through the GUI or without removing and re-adding the interface or similar drastic steps). When the spoof field is cleared, the NIC should revert to its hardware MAC address and give up on any previously set addresses.

    You'll probably have to reboot to get that done. As Efonne mentioned I don't think we store the original MAC anywhere, and I'm not sure you can query the card to find it again. It may be possible, it might be worth opening a ticket to check out.

    @rcfa:

    m) it seems impossible to have NAT apply only to specific FW rules. e.g. I want most of my LAN originated traffic to have no NAT and go out over the VPN tunnel, but web browsing (destination port 80) I'd like to use NAT and go out through the WAN gateway. So while FW rules can specify an alternate gateway, NAT can't be enabled on a per-rule base. Again, I'm a noob, and maybe I'm looking in the wrong place.

    You should be able to setup outbound NAT on any WAN-type interface for the LAN subnet, and if you direct traffic out that gateway with policy routes, it will get NAT applied when it leaves.

    @rcfa:

    n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page

    I thought I fixed that. I'll check it again.

    @rcfa:

    o) Without starting yet another vi vs. whatever-editor war, I hate vi, and I'm very prone to screw things up using it. While installing the "emacs-OS" may be a bit overkill, something like nano would be nice if it were part of the standard distribution…

    ee is there. You can pkg_add -r nano, or whatever editor you like.


  • Rebel Alliance Developer Netgate

    @rcfa:

    n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page

    This should be fixed in the next snapshot.



  • @jimp:

    @rcfa:

    a) the WiFi card doesn't seem to be recognized, even though it's a pretty much industry standard chip set (Broadcom 4321 801.11 a/b/g/n)

    As others have stated, that is probably not supported yet. Just because you see it a lot doesn't mean it's really common or supported on FreeBSD. Wireless adapters take a while to trickle down to FreeBSD. I would hesitate at this point to still call any single chip that supports N as "common".

    It's a card several years old, out of a Mac or AppleTV. So it's no exactly esoteric. But of course, that's no necessarily where most of FreeBSD is used, and lots of the lower-end laptops doesn't have multi-band/MIMO WiFi cards, that's unfortunately true.
    Thankfully not a show-stopper in my case.

    @jimp:

    @rcfa:

    b) any significant changes in IPSec setup require a reboot to work. While the tunnel will come up after changes, no traffic will flow until the system is rebooted

    Have you tried just going to Status > Services and restarting racoon?
    There were some changes in 1.2.x that made it reload only a tunnel that changed. It's possible that no longer works as expected, or a bug/difference in ipsec-tools 0.8 is causing this to fail. Rebooting is rarely necessary, it's more likely that restarting the racoon daemon will suffice.

    You might also try to go to Diagnostics > Command and flush the SAD/SPD with: setkey -F; setkey -FP

    Restarting racoon is a shell level thing, right? Because if it's available on the web interface, I didn't figure out how…

    @jimp:

    @rcfa:

    c) there's no way to destroy and properly repartition a disk once a GEOM mirror was attempted. The disk has to be physically removed from the system, and repartitioned in an MBR scheme etc. before it can be properly reused in pfSense. There should be a destroy GEOM option in the installer menues.

    That may be nice to have, but you do not have to pull the disk. Just drop to a shell from the installer and issue the command to destory the geom info, or use dd to write zeroes to the beginning and end (or the whole) of the disk.

    Actually, I tried the cat /dev/null > /dev/whateverDiskDev approach, but that failed with an error message
    The command to destroy the geom info wasn't obvious for the lack of man pages. And while I'm familiar with the basics of UNIX/BSD I'm more of a long-time NeXT -> Mac OS X user so these low level FreeBSD specific things I'm clueless about.
    Anyway, I got it done, but particularly novices who may want to do a few trial configurations, etc. may get stuck with this.

    @jimp:

    @rcfa:

    d) only two packages show up as being available in System:Package Manager. (Varnish and IP-Blocklist) Can an amd64 installation not install the packages that show up in the i386 setup? I did a test install before on a 32-bit CPU and obviously with an i386 architecture installer DVD, and I had dozens of packages listed available for installation.

    There are not enough developers using x64 yet to fix/rebuild/approve them all. The only ones enabled are those known to work.

    Not trying to be a smart-ass here, but isn't the whole point of a beta release that people test it? When the packages aren't available, there's no chance of testing them…

    @jimp:

    @rcfa:

    g) even though traffic flows from the LAN interface out the IPSec (which serves as the default route for the LAN interface), I can't get traffic to flow from the DMZ interface, which should be NATed out the WAN. Still investigating that one (could be an oversight on my side). To clarify my setup: I have a public class-C address block (my LAN) that I need to route to the public internet, but my ISP doesn't offer that service. So I have a colocation service with an IPSec VPN box, which acts as the gateway for my class-C net. So all my traffic is tunneled there, and so my LAN is using the colocation service as the routing gateway. I however also have a separate guest WiFi network, which can go directly to the internet using NAT and my ISP as gateway. No need for all that traffic to be tunneled, since it won't have public IP addresses anyway. Eventually, for performance reasons, there's some traffic out of the LAN that I want to NAT and send through the ISP rather than tunnel, with some policy routes, but that's down the road….

    I'm not sure we have enough info to comment on that one. It could be any number of things, you'd have to watch with tcpdump on every interface to see how the traffic is flowing and what it's doing (and to see if it's actually getting NAT applied).

    Well, this one is partially solved. While I still have some policy-based routing that I want to get implemented, the basic connectivity works now.

    However, it's interesting to see what the problem was: the WAN and the DMZ are on a dual ethernet NIC, the LAN uses the built-in NIC of the motherboard. After lots of testing, it turned out that I had an over 80% packet loss on the DMZ interface! No wonder things didn't work! So I added a USB ethernet interface and assigned the DMZ to that hardware, and instant connectivity as it should be.

    So now I'm trying to figure out if I have a damaged card, or if there's a driver issue with this dual ethernet card, which is Marvel/Yukon based.

    It's not a cable issue, because two different cables show the same symptoms, and the same cables work fine with the USB Ethernet interface.

    @jimp:

    @rcfa:

    i) it would be nice if there were an option to have man pages installed. While I'm familiar with the basics of UNIX/BSD there are always system specific differences, i.e. Linux, FreeBSD, Mac OS X, etc. are all slightly different, so when doing anything at the shell level it would be nice to have man pages available to look up/confirm semantics.

    They just take up space for most people, though an add-on package might be nice. They are all on the web on FreeBSD's site too.

    Add-on package would be very useful, because particularly as you're trying to get things going, access to the internet is kind of problematic, unless you have an iPad 3G or something floating around which e.g. I do not have.

    @jimp:

    @rcfa:

    k) once a virtual interface, like e.g. an IPSec tunnel, is defined, it should show up everywhere where there are NICs defined. Routing should be more explicit, i.e. I should be able to specifically say if the WAN or the VPN is used as the the default route to the rest of the net for any other net (LAN, DMZ, etc.)
    In my case both the WAN and the IPSec VPN offer a route to the public internet, but that's not obvious in the GUI.
    There should only be a collection of (virtual) NICs, and then the routes between them should have to be explicitly defined. Right now the routes are implied in some non-intuitive way by the way the IPSec VPN is set up, because the VPN isn't a choice in the list of interfaces when setting up Gateways, nor can default gateways be defined on a per-interface basis. i.e. I want the WAN gateway to be the default gateway for the DMZ and the VPN virtual interface, but I want the VPN to be the default gateway for the LAN.
    The whole thing should work more like a patch-bay and cables than like some table based system in which not all elements are treated equally. In other words, just because the IPSec VPN requires the WAN to be established shouldn't mean that as far as the LAN and DMZ are concerned, it shouldn't be seen as an equivalent to the WAN when it comes to routing options.

    IPsec doesn't route the way other interfaces do. It doesn't route at all. Traffic is grabbed as it enters the box and shoved down the tunnel. It's not usable in the same way. If you want a real routed VPN, use OpenVPN and then you can assign it as an interface and do whatever you like. You might be able to fake some things by adding a gateway under System > Routing and using static routes there.

    Somewhat of a bummer. I wish there were a platform that treats networking like Moog Modular synthesizer: you have blocks of functionality and "wires" by means of which you connect them.
    But I'll make do ;)
    Anyway, if IPSec doesn't route, does that mean it also bypasses Advanced Outgoing NAT? Because yesterday I was trying to force outgoing http traffic (from any port in the LAN to port 80 anywhere else using TCP) to use NAT, but it seemed traffic just wasn't affected and went out straight the VPN rather than through NAT-WAN.

    I guess, this topic I'll have to spawn off in a separate thread.

    @jimp:

    @rcfa:

    l) once an interface is (accidentally) MAC address spoofed, clearing the field and saving/applying the new settings does not restore the original MAC address, instead the spoofed address remains in effect. So unless you happen to know the NIC's real MAC address and you enter it manually, you can't get back to it (at least not through the GUI or without removing and re-adding the interface or similar drastic steps). When the spoof field is cleared, the NIC should revert to its hardware MAC address and give up on any previously set addresses.

    You'll probably have to reboot to get that done. As Efonne mentioned I don't think we store the original MAC anywhere, and I'm not sure you can query the card to find it again. It may be possible, it might be worth opening a ticket to check out.

    I'll try to do that once I have a bit breathing room again and get the critical stuff working.

    @jimp:

    @rcfa:

    m) it seems impossible to have NAT apply only to specific FW rules. e.g. I want most of my LAN originated traffic to have no NAT and go out over the VPN tunnel, but web browsing (destination port 80) I'd like to use NAT and go out through the WAN gateway. So while FW rules can specify an alternate gateway, NAT can't be enabled on a per-rule base. Again, I'm a noob, and maybe I'm looking in the wrong place.

    You should be able to setup outbound NAT on any WAN-type interface for the LAN subnet, and if you direct traffic out that gateway with policy routes, it will get NAT applied when it leaves.

    OK, I'll have to check out if I can make that work…

    @jimp:

    @rcfa:

    n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page

    I thought I fixed that. I'll check it again.

    Cool.

    @jimp:

    @rcfa:

    o) Without starting yet another vi vs. whatever-editor war, I hate vi, and I'm very prone to screw things up using it. While installing the "emacs-OS" may be a bit overkill, something like nano would be nice if it were part of the standard distribution…

    ee is there. You can pkg_add -r nano, or whatever editor you like.

    ee does the job, I just wasn't aware of its existence… (which gets back to the man page issue...)


  • Rebel Alliance Developer Netgate

    @rcfa:

    Restarting racoon is a shell level thing, right? Because if it's available on the web interface, I didn't figure out how…

    Just go to Status > Services, find racoon in the list and hit the restart button. It looks like a bar-and-triangle icon, like |>. Next to stop. That'll do it.

    @rcfa:

    Actually, I tried the cat /dev/null > /dev/whateverDiskDev approach, but that failed with an error message
    The command to destroy the geom info wasn't obvious for the lack of man pages. And while I'm familiar with the basics of UNIX/BSD I'm more of a long-time NeXT -> Mac OS X user so these low level FreeBSD specific things I'm clueless about.
    Anyway, I got it done, but particularly novices who may want to do a few trial configurations, etc. may get stuck with this.

    There are command line programs that will do this, from gmirror:

    gmirror remove /dev/ad0
    

    Should remove the metadata from /dev/d0

    The cat /dev/null probably wouldn't work because gmirror metadata is stored at the end of the disk, not the beginning. So you'd have to work out the right parameters to dd count and offset in order to make it work, or just dd /dev/zero to the entire disk.

    @rcfa:

    Not trying to be a smart-ass here, but isn't the whole point of a beta release that people test it? When the packages aren't available, there's no chance of testing them…

    While that may be true of a more general release, if packages won't even install, or could blow things up, we'd rather err on the side of caution. 2.0 may be beta, but I'd still consider x64 more early beta, and packages (except for Varnish) on x64 as a crap shoot yet. There may be 64-bit issues that could cause problems that haven't been thought of yet, there are some known issues in the base system that are still being worked out.

    @rcfa:

    Add-on package would be very useful, because particularly as you're trying to get things going, access to the internet is kind of problematic, unless you have an iPad 3G or something floating around which e.g. I do not have.

    Internet access should Just Work™ but without an Internet connection you also couldn't install packages, and still wouldn't have man pages. :-)

    Really though no normal user should ever need the shell before they are on the Internet. If they need to hit the shell first for something, there is a problem elsewhere in the system that needs fixed.

    @rcfa:

    Anyway, if IPSec doesn't route, does that mean it also bypasses Advanced Outgoing NAT? Because yesterday I was trying to force outgoing http traffic (from any port in the LAN to port 80 anywhere else using TCP) to use NAT, but it seemed traffic just wasn't affected and went out straight the VPN rather than through NAT-WAN.
    I guess, this topic I'll have to spawn off in a separate thread.

    IPsec does not do any NAT at all. Outgoing or incoming. Not yet anyhow.

    @rcfa:

    ee does the job, I just wasn't aware of its existence… (which gets back to the man page issue...)

    Man pages wouldn't have helped you there, but apropos(1) might have.



  • Another potential problem with 64-bit packages is that those requiring compiled code may not have a 64-bit version compiled and uploaded to the package server.



  • Well, first off, again thanks for all the replies so far…
    ...just a few more things for clarification, which hopefully helps some other noobs, too.

    @jimp:

    @rcfa:

    Restarting racoon is a shell level thing, right? Because if it's available on the web interface, I didn't figure out how…

    Just go to Status > Services, find racoon in the list and hit the restart button. It looks like a bar-and-triangle icon, like |>. Next to stop. That'll do it.

    Yup I discovered these, also on the dashboard. I must have been struck by temporary blindness before. Sometimes it's the most obvious things one overlooks…

    @jimp:

    @rcfa:

    Not trying to be a smart-ass here, but isn't the whole point of a beta release that people test it? When the packages aren't available, there's no chance of testing them…

    While that may be true of a more general release, if packages won't even install, or could blow things up, we'd rather err on the side of caution. 2.0 may be beta, but I'd still consider x64 more early beta, and packages (except for Varnish) on x64 as a crap shoot yet. There may be 64-bit issues that could cause problems that haven't been thought of yet, there are some known issues in the base system that are still being worked out.

    Ok, makes sense, sort of. Is amd64 FreeBSD not able to execute regular i386 architecture binaries, i.e. do all packages have to be recompiled for amd64 first?
    Likely my Mac OS X bias got in the way, because there the 64-bit kernel can execute either 32-bit or 64-bit binaries, so in that context software either works or doesn't work, but being 32-bit doesn't matter on a 64-bit system. Of course, 64-bit binaries won't execute on a 32-bit system, but that's not what I'd be doing either.

    So then lets attack this from a different angle. I'm not hell-bent on running a amd64 installation, although I thought the bigger number of registers, etc. might speed up things a bit (particularly crypto).
    But until some of the packages I'd like to test (freeSwitch!) move over to the amd64 version, I'd be perfectly happy to run the 32-bit version of pfSense.

    That brings up however one key question: are configuration files designed to be portable, i.e. can I save the system config of an amd64 system and load it into an i386 architecture install, and vice-versa?

    Also, is there a page where one can monitor the progress of optional packages 32-bit vs. 64-bit? I'm aware of the one package tracking spreadsheet on google-docs that's somewhere linked to on the pfSense.org site, but that list makes no distinction between 32-bit and 64-bit package status. Something like that would be needed to keep an eye on the 64-bit system status, to allow switching back when critical pieces become available for testing.

    @jimp:

    @rcfa:

    Add-on package would be very useful, because particularly as you're trying to get things going, access to the internet is kind of problematic, unless you have an iPad 3G or something floating around which e.g. I do not have.

    Internet access should Just Work™ but without an Internet connection you also couldn't install packages, and still wouldn't have man pages. :-)

    Really though no normal user should ever need the shell before they are on the Internet. If they need to hit the shell first for something, there is a problem elsewhere in the system that needs fixed.

    It's basically a question of how easy it is to provide an optional install, either on the install DVD/CD or in the package system. Obviously there are higher priority items on the list right now than that, but a few scenarios come to mind: one are things like the geom issue I was dealing with, the second is that sometimes one has a working setup, tries something new, and saws off the branch one's sitting on. In that case it's useful to be able to look something up rather than setting up the system from scratch or restoring a potentially not-very-current backup configuration (Yeah, I know, one should always have a current backup config, but in reality, people forget at times…)

    Another reason why having man pages on the system is sometimes useful: if you have to do some maintenance over a slow link while on the road, then an ssh into the pfSense system is a lot more tolerable than trying to load web pages over something like a shaky GPRS connection; I've been in situations where I had to fix/reboot/etc. a router/vpn/firewall/server while stuck in some airport or train station. An slogin works reasonably well, web access is iffy, which brings up another suggestion:

    an iPhone/smartphone theme to the web interface.

    @jimp:

    @rcfa:

    Anyway, if IPSec doesn't route, does that mean it also bypasses Advanced Outgoing NAT? Because yesterday I was trying to force outgoing http traffic (from any port in the LAN to port 80 anywhere else using TCP) to use NAT, but it seemed traffic just wasn't affected and went out straight the VPN rather than through NAT-WAN.
    I guess, this topic I'll have to spawn off in a separate thread.

    IPsec does not do any NAT at all. Outgoing or incoming. Not yet anyhow.

    Hmpf. That's a fairly huge bummer. Is there any chance of IPSec getting refactored in a way similar to OpenVPN, which allows it to act more like a regular NIC, and thus be able to be routable, NATable, etc.?
    Even if it's not getting that flexible, NAT is fairly key. e.g. I have a remote client LAN that I need to connect to over VPN, but I need to NAT my machines into their address space. On my old ZyWall I could simply use an Alias IP range on the VPN, and my locally used public IPs would be mapped into private IPs as far as the VPN connection was concerned. So my machines never knew that they showed up on the other side of the VPN with a different network address.
    If I can't do that, then my machines, which all have public IP addresses, will show up with the public IP addresses on the client's network, and then traffic to them may end up going out the client's default route, unless we mess with their routing tables, etc. provided their router/VPN box is capable of handling this properly

    So is NAT for IPSec in the cards for the 2.0 release, or is that well beyond what's possible, and something that may come in the indefinite future?

    @jimp:

    @rcfa:

    ee does the job, I just wasn't aware of its existence… (which gets back to the man page issue...)

    Man pages wouldn't have helped you there, but apropos(1) might have.

    man -k saves a key stroke ;)


  • Rebel Alliance Developer Netgate

    @rcfa:

    Ok, makes sense, sort of. Is amd64 FreeBSD not able to execute regular i386 architecture binaries, i.e. do all packages have to be recompiled for amd64 first?
    Likely my Mac OS X bias got in the way, because there the 64-bit kernel can execute either 32-bit or 64-bit binaries, so in that context software either works or doesn't work, but being 32-bit doesn't matter on a 64-bit system. Of course, 64-bit binaries won't execute on a 32-bit system, but that's not what I'd be doing either.

    So then lets attack this from a different angle. I'm not hell-bent on running a amd64 installation, although I thought the bigger number of registers, etc. might speed up things a bit (particularly crypto).
    But until some of the packages I'd like to test (freeSwitch!) move over to the amd64 version, I'd be perfectly happy to run the 32-bit version of pfSense.

    That brings up however one key question: are configuration files designed to be portable, i.e. can I save the system config of an amd64 system and load it into an i386 architecture install, and vice-versa?

    Also, is there a page where one can monitor the progress of optional packages 32-bit vs. 64-bit? I'm aware of the one package tracking spreadsheet on google-docs that's somewhere linked to on the pfSense.org site, but that list makes no distinction between 32-bit and 64-bit package status. Something like that would be needed to keep an eye on the 64-bit system status, to allow switching back when critical pieces become available for testing.

    I think it can in some cases, but I'm not sure if all the 32-bit compat stuff is on there. I don't have a 64-bit system or VM to check. The real fact of the matter is that the packages will be enabled eventually, and anyone can grab the package repo code and setup their own if they want to experiment. If you really need them, stick to 32-bit.

    The config will be compatible and can go back and forth without issue. The only thing you can't do with a config is go back to 1.2.x after you upgrade to 2.0.

    I don't think anyone has a spreadsheet for 64-bit packages yet.

    @rcfa:

    It's basically a question of how easy it is to provide an optional install, either on the install DVD/CD or in the package system. Obviously there are higher priority items on the list right now than that, but a few scenarios come to mind: one are things like the geom issue I was dealing with, the second is that sometimes one has a working setup, tries something new, and saws off the branch one's sitting on. In that case it's useful to be able to look something up rather than setting up the system from scratch or restoring a potentially not-very-current backup configuration (Yeah, I know, one should always have a current backup config, but in reality, people forget at times…)

    Another reason why having man pages on the system is sometimes useful: if you have to do some maintenance over a slow link while on the road, then an ssh into the pfSense system is a lot more tolerable than trying to load web pages over something like a shaky GPRS connection; I've been in situations where I had to fix/reboot/etc. a router/vpn/firewall/server while stuck in some airport or train station. An slogin works reasonably well, web access is iffy, which brings up another suggestion:

    an iPhone/smartphone theme to the web interface.

    If you were ever online, you could have installed them from a package. Having an option during the install might be nice, but it may add some unneeded complexity. The installer is in the process of being replaced though so it might be feasible in the near future.

    The last 20-30 backups are held in the config history (Diagnostics > Backup/Restore), in addition to what you keep on your own. You can always roll back an undesirable change. Again, a normal user should never have to touch the shell. Many things can't be changed at the shell, the GUI is necessary.

    The iPhone is already detected and fed a theme that is compatible, even on 1.2.3. Other smartphones are probably possible to do the same way eventually.

    @rcfa:

    @jimp:

    IPsec does not do any NAT at all. Outgoing or incoming. Not yet anyhow.

    Hmpf. That's a fairly huge bummer. Is there any chance of IPSec getting refactored in a way similar to OpenVPN, which allows it to act more like a regular NIC, and thus be able to be routable, NATable, etc.?
    Even if it's not getting that flexible, NAT is fairly key. e.g. I have a remote client LAN that I need to connect to over VPN, but I need to NAT my machines into their address space. On my old ZyWall I could simply use an Alias IP range on the VPN, and my locally used public IPs would be mapped into private IPs as far as the VPN connection was concerned. So my machines never knew that they showed up on the other side of the VPN with a different network address.
    If I can't do that, then my machines, which all have public IP addresses, will show up with the public IP addresses on the client's network, and then traffic to them may end up going out the client's default route, unless we mess with their routing tables, etc. provided their router/VPN box is capable of handling this properly

    So is NAT for IPSec in the cards for the 2.0 release, or is that well beyond what's possible, and something that may come in the indefinite future?

    IPsec cannot ever work the same way as OpenVPN. It's part of the nature of IPsec; It's not meant to be routed in that way. You could setup a GRE tunnel on top of IPsec and route that way if you want, but IMHO it's not worth the trouble and using OpenVPN is the better option.

    Someone is testing IPsec+NAT in 2.0, it may work, but as it stands you can't apply NAT before or after IPsec. I know there are many scenarios where it is needed, but due to the way ipsec-tools works it hasn't been feasible. If it's found to work, you and many others (including me!) will be happy.



  • @jimp:

    @rcfa:

    That brings up however one key question: are configuration files designed to be portable, i.e. can I save the system config of an amd64 system and load it into an i386 architecture install, and vice-versa?

    Also, is there a page where one can monitor the progress of optional packages 32-bit vs. 64-bit? I'm aware of the one package tracking spreadsheet on google-docs that's somewhere linked to on the pfSense.org site, but that list makes no distinction between 32-bit and 64-bit package status. Something like that would be needed to keep an eye on the 64-bit system status, to allow switching back when critical pieces become available for testing.

    The config will be compatible and can go back and forth without issue. The only thing you can't do with a config is go back to 1.2.x after you upgrade to 2.0.

    I don't think anyone has a spreadsheet for 64-bit packages yet.

    Great, that means I'll just save my config, x-grade to the 32-bit version and x-grade back when these things are further along.

    As for the spreadsheet: no need for a separate spreadsheet, a separate column for the 64-bit version within the same spreadsheet would be perfectly fine, and rather little work at this point, since there are only two packages anyway.

    @jimp:

    If you were ever online, you could have installed them [man pages] from a package. Having an option during the install might be nice, but it may add some unneeded complexity. The installer is in the process of being replaced though so it might be feasible in the near future.

    The last 20-30 backups are held in the config history (Diagnostics > Backup/Restore), in addition to what you keep on your own. You can always roll back an undesirable change. Again, a normal user should never have to touch the shell. Many things can't be changed at the shell, the GUI is necessary.

    The iPhone is already detected and fed a theme that is compatible, even on 1.2.3. Other smartphones are probably possible to do the same way eventually.

    Great! Good to know.

    @jimp:

    @rcfa:

    @jimp:

    IPsec does not do any NAT at all. Outgoing or incoming. Not yet anyhow.

    Hmpf. That's a fairly huge bummer. Is there any chance of IPSec getting refactored in a way similar to OpenVPN, which allows it to act more like a regular NIC, and thus be able to be routable, NATable, etc.?
    Even if it's not getting that flexible, NAT is fairly key. e.g. I have a remote client LAN that I need to connect to over VPN, but I need to NAT my machines into their address space. On my old ZyWall I could simply use an Alias IP range on the VPN, and my locally used public IPs would be mapped into private IPs as far as the VPN connection was concerned. So my machines never knew that they showed up on the other side of the VPN with a different network address.
    If I can't do that, then my machines, which all have public IP addresses, will show up with the public IP addresses on the client's network, and then traffic to them may end up going out the client's default route, unless we mess with their routing tables, etc. provided their router/VPN box is capable of handling this properly

    So is NAT for IPSec in the cards for the 2.0 release, or is that well beyond what's possible, and something that may come in the indefinite future?

    IPsec cannot ever work the same way as OpenVPN. It's part of the nature of IPsec; It's not meant to be routed in that way. You could setup a GRE tunnel on top of IPsec and route that way if you want, but IMHO it's not worth the trouble and using OpenVPN is the better option.

    Someone is testing IPsec+NAT in 2.0, it may work, but as it stands you can't apply NAT before or after IPsec. I know there are many scenarios where it is needed, but due to the way ipsec-tools works it hasn't been feasible. If it's found to work, you and many others (including me!) will be happy.

    Hehe, good to know we're on the same page with that wish ;)
    Anyway, more a conceptual question: when you say IPsec can't every work like OpenVPN, is that because of the way FreeBSD implemets IPsec at a basic level, or is there something in the protocol that prevents it? It would seem to me that from a non-expert's point of view IPSec is just "yet another protocol" that could be bound to whatever (virtual) interface, and packages to/from that interface should be possible to filter, route, NAT at will.
    So is this a shortcoming of the raccon/ipsec-tools/FreeBSD implementation choices, or is there something that's fundamentally inherent in the IPSec definition that prevents that from ever happening?
    Of course, I understand that you're all way too busy to re-implement an alternative IPsec stack, just to make this a wee-bit more flexible, but I'm just trying to wrap my head around the matter as to where exactly the problem originates from…

    @jimp:

    @rcfa:

    n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page

    I thought I fixed that. I'll check it again.

    This works now. But how do I use it? I added to PSKs on that page, but in the various tunnel definitions, there's no way of selecting them. Or do I just leave the PSK field there empty, and if the name of the peer ID matches the name of the PSK defined on the PSK page, it's automatically grabbed from there? Or is that page simply a stub for things to come?



  • 32-bit applications can work with 64-bit kernel but about three years ago I came across a couple of 32-bit applications that didn't work with the 64-bit kernel (I think this was due to type mismatches but can't recall the details).

    I can see considerable complications trying to run 32-bit kernel modules with 64-bit kernels. I have no idea how current package management attempts (or doesn't attempt) to deal with this.


  • Rebel Alliance Developer Netgate

    @rcfa:

    @jimp:

    IPsec cannot ever work the same way as OpenVPN. It's part of the nature of IPsec; It's not meant to be routed in that way. You could setup a GRE tunnel on top of IPsec and route that way if you want, but IMHO it's not worth the trouble and using OpenVPN is the better option.

    Someone is testing IPsec+NAT in 2.0, it may work, but as it stands you can't apply NAT before or after IPsec. I know there are many scenarios where it is needed, but due to the way ipsec-tools works it hasn't been feasible. If it's found to work, you and many others (including me!) will be happy.

    Hehe, good to know we're on the same page with that wish ;)
    Anyway, more a conceptual question: when you say IPsec can't every work like OpenVPN, is that because of the way FreeBSD implemets IPsec at a basic level, or is there something in the protocol that prevents it? It would seem to me that from a non-expert's point of view IPSec is just "yet another protocol" that could be bound to whatever (virtual) interface, and packages to/from that interface should be possible to filter, route, NAT at will.
    So is this a shortcoming of the raccon/ipsec-tools/FreeBSD implementation choices, or is there something that's fundamentally inherent in the IPSec definition that prevents that from ever happening?
    Of course, I understand that you're all way too busy to re-implement an alternative IPsec stack, just to make this a wee-bit more flexible, but I'm just trying to wrap my head around the matter as to where exactly the problem originates from…

    With IPsec you need to have a phase 2 definition for every subnet you push across the tunnel (unless you make one end 0/0) If the traffic matches the SPD, it's dropped into the tunnel and pops out the other side.  There are no IPs in the same subnet at the "endpoints" of the tunnel as point to point links (such as OpenVPN) have. So for example you can't just pick a subnet on the far side and route it to the remote side gateway.

    It's part of how IPsec works in general.

    @rcfa:

    @jimp:

    @rcfa:

    n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page

    I thought I fixed that. I'll check it again.

    This works now. But how do I use it? I added to PSKs on that page, but in the various tunnel definitions, there's no way of selecting them. Or do I just leave the PSK field there empty, and if the name of the peer ID matches the name of the PSK defined on the PSK page, it's automatically grabbed from there? Or is that page simply a stub for things to come?

    The PSK tab is only for mobile clients. Traditional (i.e. non-mobile) tunnels have a field on them where you put the PSK in directly.



  • @jimp:

    @rcfa:

    @jimp:

    @rcfa:

    n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page

    I thought I fixed that. I'll check it again.

    This works now. But how do I use it? I added to PSKs on that page, but in the various tunnel definitions, there's no way of selecting them. Or do I just leave the PSK field there empty, and if the name of the peer ID matches the name of the PSK defined on the PSK page, it's automatically grabbed from there? Or is that page simply a stub for things to come?

    The PSK tab is only for mobile clients. Traditional (i.e. non-mobile) tunnels have a field on them where you put the PSK in directly.

    OK, I see. A little enhancement request, provided the underlying tools allow this: make that work also for traditional tunnels. The advantage is, that one quickly take a screen shot and send it someone to show one's setup, without revealing the actual PSK or having to drop into Photoshop to block it or messing around with the key when taking the screen shot and hoping not making a typo when putting it back in.

    Also, if some sites have a policy of regularly changing the PSKs, then it's easier if they can managed on one page rather than having to drill down to the settings page where there is the potential to accidentally change other parameters, too.


  • Rebel Alliance Developer Netgate

    Seems like a lot more work for very little tangible benefit for most users. It's convenient to have them all there in one place, and most people don't have any need to take a screencap of their settings. You have to paste it somewhere to save the picture, and editing that much even in paint is simple.

    Besides, the PSK tab will eventually go away and get merged into the user manager.


Log in to reply