New install observations
a) the WiFi card doesn't seem to be recognized, even though it's a pretty much industry standard chip set (Broadcom 4321 801.11 a/b/g/n)
As others have stated, that is probably not supported yet. Just because you see it a lot doesn't mean it's really common or supported on FreeBSD. Wireless adapters take a while to trickle down to FreeBSD. I would hesitate at this point to still call any single chip that supports N as "common".
It's a card several years old, out of a Mac or AppleTV. So it's no exactly esoteric. But of course, that's no necessarily where most of FreeBSD is used, and lots of the lower-end laptops doesn't have multi-band/MIMO WiFi cards, that's unfortunately true.
b) any significant changes in IPSec setup require a reboot to work. While the tunnel will come up after changes, no traffic will flow until the system is rebooted
Have you tried just going to Status > Services and restarting racoon?
There were some changes in 1.2.x that made it reload only a tunnel that changed. It's possible that no longer works as expected, or a bug/difference in ipsec-tools 0.8 is causing this to fail. Rebooting is rarely necessary, it's more likely that restarting the racoon daemon will suffice.You might also try to go to Diagnostics > Command and flush the SAD/SPD with: setkey -F; setkey -FP
Restarting racoon is a shell level thing, right? Because if it's available on the web interface, I didn't figure out how…
c) there's no way to destroy and properly repartition a disk once a GEOM mirror was attempted. The disk has to be physically removed from the system, and repartitioned in an MBR scheme etc. before it can be properly reused in pfSense. There should be a destroy GEOM option in the installer menues.
That may be nice to have, but you do not have to pull the disk. Just drop to a shell from the installer and issue the command to destory the geom info, or use dd to write zeroes to the beginning and end (or the whole) of the disk.
Actually, I tried the cat /dev/null > /dev/whateverDiskDev approach, but that failed with an error message
The command to destroy the geom info wasn't obvious for the lack of man pages. And while I'm familiar with the basics of UNIX/BSD I'm more of a long-time NeXT -> Mac OS X user so these low level FreeBSD specific things I'm clueless about.
Anyway, I got it done, but particularly novices who may want to do a few trial configurations, etc. may get stuck with this.d) only two packages show up as being available in System:Package Manager. (Varnish and IP-Blocklist) Can an amd64 installation not install the packages that show up in the i386 setup? I did a test install before on a 32-bit CPU and obviously with an i386 architecture installer DVD, and I had dozens of packages listed available for installation.
There are not enough developers using x64 yet to fix/rebuild/approve them all. The only ones enabled are those known to work.
Not trying to be a smart-ass here, but isn't the whole point of a beta release that people test it? When the packages aren't available, there's no chance of testing them…
g) even though traffic flows from the LAN interface out the IPSec (which serves as the default route for the LAN interface), I can't get traffic to flow from the DMZ interface, which should be NATed out the WAN. Still investigating that one (could be an oversight on my side). To clarify my setup: I have a public class-C address block (my LAN) that I need to route to the public internet, but my ISP doesn't offer that service. So I have a colocation service with an IPSec VPN box, which acts as the gateway for my class-C net. So all my traffic is tunneled there, and so my LAN is using the colocation service as the routing gateway. I however also have a separate guest WiFi network, which can go directly to the internet using NAT and my ISP as gateway. No need for all that traffic to be tunneled, since it won't have public IP addresses anyway. Eventually, for performance reasons, there's some traffic out of the LAN that I want to NAT and send through the ISP rather than tunnel, with some policy routes, but that's down the road….
I'm not sure we have enough info to comment on that one. It could be any number of things, you'd have to watch with tcpdump on every interface to see how the traffic is flowing and what it's doing (and to see if it's actually getting NAT applied).
Well, this one is partially solved. While I still have some policy-based routing that I want to get implemented, the basic connectivity works now.
However, it's interesting to see what the problem was: the WAN and the DMZ are on a dual ethernet NIC, the LAN uses the built-in NIC of the motherboard. After lots of testing, it turned out that I had an over 80% packet loss on the DMZ interface! No wonder things didn't work! So I added a USB ethernet interface and assigned the DMZ to that hardware, and instant connectivity as it should be.
So now I'm trying to figure out if I have a damaged card, or if there's a driver issue with this dual ethernet card, which is Marvel/Yukon based.
It's not a cable issue, because two different cables show the same symptoms, and the same cables work fine with the USB Ethernet interface.
i) it would be nice if there were an option to have man pages installed. While I'm familiar with the basics of UNIX/BSD there are always system specific differences, i.e. Linux, FreeBSD, Mac OS X, etc. are all slightly different, so when doing anything at the shell level it would be nice to have man pages available to look up/confirm semantics.
They just take up space for most people, though an add-on package might be nice. They are all on the web on FreeBSD's site too.
Add-on package would be very useful, because particularly as you're trying to get things going, access to the internet is kind of problematic, unless you have an iPad 3G or something floating around which e.g. I do not have.
k) once a virtual interface, like e.g. an IPSec tunnel, is defined, it should show up everywhere where there are NICs defined. Routing should be more explicit, i.e. I should be able to specifically say if the WAN or the VPN is used as the the default route to the rest of the net for any other net (LAN, DMZ, etc.)
In my case both the WAN and the IPSec VPN offer a route to the public internet, but that's not obvious in the GUI.
There should only be a collection of (virtual) NICs, and then the routes between them should have to be explicitly defined. Right now the routes are implied in some non-intuitive way by the way the IPSec VPN is set up, because the VPN isn't a choice in the list of interfaces when setting up Gateways, nor can default gateways be defined on a per-interface basis. i.e. I want the WAN gateway to be the default gateway for the DMZ and the VPN virtual interface, but I want the VPN to be the default gateway for the LAN.
The whole thing should work more like a patch-bay and cables than like some table based system in which not all elements are treated equally. In other words, just because the IPSec VPN requires the WAN to be established shouldn't mean that as far as the LAN and DMZ are concerned, it shouldn't be seen as an equivalent to the WAN when it comes to routing options.IPsec doesn't route the way other interfaces do. It doesn't route at all. Traffic is grabbed as it enters the box and shoved down the tunnel. It's not usable in the same way. If you want a real routed VPN, use OpenVPN and then you can assign it as an interface and do whatever you like. You might be able to fake some things by adding a gateway under System > Routing and using static routes there.
Somewhat of a bummer. I wish there were a platform that treats networking like Moog Modular synthesizer: you have blocks of functionality and "wires" by means of which you connect them.
But I'll make do ;)
Anyway, if IPSec doesn't route, does that mean it also bypasses Advanced Outgoing NAT? Because yesterday I was trying to force outgoing http traffic (from any port in the LAN to port 80 anywhere else using TCP) to use NAT, but it seemed traffic just wasn't affected and went out straight the VPN rather than through NAT-WAN.I guess, this topic I'll have to spawn off in a separate thread.
l) once an interface is (accidentally) MAC address spoofed, clearing the field and saving/applying the new settings does not restore the original MAC address, instead the spoofed address remains in effect. So unless you happen to know the NIC's real MAC address and you enter it manually, you can't get back to it (at least not through the GUI or without removing and re-adding the interface or similar drastic steps). When the spoof field is cleared, the NIC should revert to its hardware MAC address and give up on any previously set addresses.
You'll probably have to reboot to get that done. As Efonne mentioned I don't think we store the original MAC anywhere, and I'm not sure you can query the card to find it again. It may be possible, it might be worth opening a ticket to check out.
I'll try to do that once I have a bit breathing room again and get the critical stuff working.
m) it seems impossible to have NAT apply only to specific FW rules. e.g. I want most of my LAN originated traffic to have no NAT and go out over the VPN tunnel, but web browsing (destination port 80) I'd like to use NAT and go out through the WAN gateway. So while FW rules can specify an alternate gateway, NAT can't be enabled on a per-rule base. Again, I'm a noob, and maybe I'm looking in the wrong place.
You should be able to setup outbound NAT on any WAN-type interface for the LAN subnet, and if you direct traffic out that gateway with policy routes, it will get NAT applied when it leaves.
OK, I'll have to check out if I can make that work…
n) In VPN:IPSec the Pre-Shared Keys tab terminates in a non-existing page
I thought I fixed that. I'll check it again.
o) Without starting yet another vi vs. whatever-editor war, I hate vi, and I'm very prone to screw things up using it. While installing the "emacs-OS" may be a bit overkill, something like nano would be nice if it were part of the standard distribution…
ee is there. You can pkg_add -r nano, or whatever editor you like.
ee does the job, I just wasn't aware of its existence… (which gets back to the man page issue...)
Another potential problem with 64-bit packages is that those requiring compiled code may not have a 64-bit version compiled and uploaded to the package server.
Well, first off, again thanks for all the replies so far…
Likely my Mac OS X bias got in the way, because there the 64-bit kernel can execute either 32-bit or 64-bit binaries, so in that context software either works or doesn't work, but being 32-bit doesn't matter on a 64-bit system. Of course, 64-bit binaries won't execute on a 32-bit system, but that's not what I'd be doing either.So then lets attack this from a different angle. I'm not hell-bent on running a amd64 installation, although I thought the bigger number of registers, etc. might speed up things a bit (particularly crypto).
But until some of the packages I'd like to test (freeSwitch!) move over to the amd64 version, I'd be perfectly happy to run the 32-bit version of pfSense.That brings up however one key question: are configuration files designed to be portable, i.e. can I save the system config of an amd64 system and load it into an i386 architecture install, and vice-versa?
Also, is there a page where one can monitor the progress of optional packages 32-bit vs. 64-bit? I'm aware of the one package tracking spreadsheet on google-docs that's somewhere linked to on the site, but that list makes no distinction between 32-bit and 64-bit package status. Something like that would be needed to keep an eye on the 64-bit system status, to allow switching back when critical pieces become available for testing.
Another reason why having man pages on the system is sometimes useful: if you have to do some maintenance over a slow link while on the road, then an ssh into the pfSense system is a lot more tolerable than trying to load web pages over something like a shaky GPRS connection; I've been in situations where I had to fix/reboot/etc. a router/vpn/firewall/server while stuck in some airport or train station. An slogin works reasonably well, web access is iffy, which brings up another suggestion:
an iPhone/smartphone theme to the web interface.
Great, that means I'll just save my config, x-grade to the 32-bit version and x-grade back when these things are further along.
As for the spreadsheet: no need for a separate spreadsheet, a separate column for the 64-bit version within the same spreadsheet would be perfectly fine, and rather little work at this point, since there are only two packages anyway.
Anyway, more a conceptual question: when you say IPsec can't every work like OpenVPN, is that because of the way FreeBSD implemets IPsec at a basic level, or is there something in the protocol that prevents it? It would seem to me that from a non-expert's point of view IPSec is just "yet another protocol" that could be bound to whatever (virtual) interface, and packages to/from that interface should be possible to filter, route, NAT at will.
So is this a shortcoming of the raccon/ipsec-tools/FreeBSD implementation choices, or is there something that's fundamentally inherent in the IPSec definition that prevents that from ever happening?
32-bit applications can work with 64-bit kernel but about three years ago I came across a couple of 32-bit applications that didn't work with the 64-bit kernel (I think this was due to type mismatches but can't recall the details).
I can see considerable complications trying to run 32-bit kernel modules with 64-bit kernels. I have no idea how current package management attempts (or doesn't attempt) to deal with this.
