Newbie: some questions and report about pfsense…



  • Hello,
    I'm a new user and I've been testing pfsense for 2 weeks: good piece of software! :)
    Now I have some questions to ask you, and I'm writing them here in a single topic so that all the answers are easy to read. I hope that is not a problem for you.

    1- I've put in the x86 test machine a wifi PCI card with a Ralink chipset (RT2560). The problem is that pfsense seems to have outdated drivers which support only WPA2-PSK encryption and no encryption. Are wifi drivers being updated in the snapshots? That wifi card also worked well with WPA-PSK under Windows. This was the log when I tried to set up WPA-PSK encryption:

    Aug 2 04:32:46 kernel: ral0: promiscuous mode enabled 
    Aug 2 04:32:46 kernel: rl1: promiscuous mode enabled 
    Aug 2 04:32:47 php: /interfaces_opt.php: Creating rrd update script 
    Aug 2 04:32:47 php: /interfaces_opt.php: Creating rrd graph index 
    Aug 2 04:32:52 check_reload_status: reloading filter 
    Aug 2 04:33:39 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated 
    Aug 2 04:33:42 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request 
    Aug 2 04:33:42 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deassociated 
    Aug 2 04:33:54 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated 
    Aug 2 04:33:57 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request 
    Aug 2 04:33:57 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deassociated 
    Aug 2 04:34:06 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated 
    Aug 2 04:34:09 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request 
    Aug 2 04:34:09 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deassociated 
    Aug 2 04:34:15 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated 
    Aug 2 04:34:18 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request 
    Aug 2 04:34:33 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deassociated 
    

    … What does "deauthenticated due to local deauth request" exactly mean? What can I do? It is not so easy to find a PCI Atheros wifi card :'(

    2- Is there a way to switch off 'alerts'? In the webConfigurator the alert marquee takes 100% CPU, especially on Linux and Mac machines (sometimes also on Windows, but not always on the latter). Can you implement a way to disable it to avoid this performance issue? Because when the system is under 100% CPU load, it is very slow to carry out any task (mouse/application switch…). I usually surf using Firefox 2, so I'm not referring to Internet Explorer 6 or 7.

    3- Will 'in/out counters' support more than 4 Gbytes without wrapping?

    4- I have a problem with the eMule Kademlia network. I've read the forum and I've set up 'Firewall: NAT: Outbound' following the instructions in a topic. Kad status seems to be 'Open', but after 1 hour it becomes firewalled and I need to restart pfsense. Why?

    5- I need to monitor CPU temperature. Is there a way to do it through ssh shell? I am new to FreeBSD and unluckily I don't know all commands.

    6- Is there a plan to implement a MAC FILTER and UPNP in the stable release soon?

    Thank you in advance! ;)



    1. Try setting either "AES" or "TKIP" in the GUI for WPA. We default to "both" but I have seen clients having issues with it. For Atheros-compatible PCI cards see http://madwifi.org/wiki/Compatibility

    2. Click the alerts and they'll go away. It is only a client-side issue and won't affect the pfSense system. Alerts are also logged in status>systemlogs, system tab, so you can read them there as well.

    3. No, it's a limitation of the underlying counter. Have a look at status>rrdgraphs to see how much traffic passed an interface (not absolutely exact values though).

    4. Sounds like a state timeout of some sort, though it should not happen if there is traffic going on. Try editing the firewall rules and add a longer state timeout (hiding behind one of the advanced buttons). You also might want to see if your client application can do UPnP and enable it at services>miniupnp.

    5. We offer this feature currently only at the webgui for soekris boards. Other boards use different sensors and it's hard to offer something that will work with every possible board. You have to hack that in on your own depending on your hardware. Search the forum, it has been discussed before.

    6. You could abuse the captive portal to do MAC filtering (depending on what you want to do) or use static MAC/IP mappings and then filter by IP. UPnP will be present in the 1.2 release and the 1.2 beta prerelease snapshots are offering that feature already.



  • http://snapshots.pfsense.org/FreeBSD6/RELENG_1_2/

    1. Driver support follows the freebsd release http://www.freebsd.org/releases/6.2R/hardware-i386.html#WLAN

    2. You could add the phpsysinfo package or just pkg_add -r mbmon in the shell for the monitor part (type mbmon in the shell).



  • Thank you for your answers! I forgot to ask some things:

    7- I bought a 'CF TO IDE Adapter' to replace the CD-ROM reader with a silent, power-saving CF. I actually use the ISO image burnt on a CDRW. If I used the embedded flavour, what kind of limitations are there? For example, can I use pkg_add without problems? The embedded flavour requires at least 128MB of space: do you advise a larger size for future updates, e.g. 512MB or 1GB?

    8- I tried the latest snapshot (1.2-BETA-1-PRERELEASE-SNAPSHOT-04-23-07) and I've noticed this message during the startup-sequence:

    Generating RRD graphs...route: writing to routing socket: No such process
    done.

    …is this an error/bug?

    9- I'd like to build a virtual pfsense test machine with VMWare to make tests without interfering with the daily activities of the connected PCs, but I don't know how to set up the network settings in the web configuration. The problem is the following: there is the main real router (pfsense #1) working and I'd like to add the additional virtual pfsense able to surf the net through the main router (pfsense #1), but from the 'test machine' I experience a "No route to host" with a ping test. They are on the same subnet with the same IP class.

    Real working pfSense #1 router connected to the Internet
    |                                |                              |  (they're all in the same subnet & ip class 192.168.x.x)
    PC 1                         PC 2          pfSense #2 (test machine)

    'pfSense #2 (test machine)' can ping all PCs in my network, but it can't access the internet. >:(

    What should I do? Excuse me for this newbie question! :-[

    Thank you again! ;)



  • #8  –  Not a BUG.  Your wan connection is down.



  • Which interface is connected to your backbone to set up the test box - LAN?

    Usually pfSense tries to reach the outer world via WAN…  been there, done that.



    1. Embedded images have no video and keyboard support; they will have output at the serial console. There is also no package support. No matter how big your CF card is, it will only use 128 MB. Buying a bigger one won't get you any advantages currently.


  • @hoba:

    1. Embedded images have no video and keyboard support; they will have output at the serial console. There is also no package support. No matter how big your CF card is, it will only use 128 MB. Buying a bigger one won't get you any advantages currently.

    Instead of the embedded flavour, if I install the livecd onto the CF through option 99 from the console, would the CF have a short life? Is the main problem the swap partition, or what? Does the installation from the livecd require 2GB, or is that just recommended? Because I tried on VMWare with an 800MB virtual hard drive and there seems to be no error or performance issue, but I didn't investigate further.

    Hoba, I followed your advice to set a longer state timeout in the firewall rules and now the eMule Kad status stays on 'Open' all the time, yeahh! :) I put 360 seconds. Do you think that can be an issue?

    I still have had no luck building a working virtual pfsense machine as described in the previous point number 9. If somebody can give me some more ideas, I'd be happy to try your tips! ;D I need a sandbox to test pfsense and its latest snapshots in depth while keeping the other 24h pfsense machine working.



  • Lifetimes of CF cards nowadays are not that short, but packages that do a lot of logging or caching will wear them out more quickly. We do not recommend running a full install on a flash drive.

    The longer state timeout shouldn't be too much of an issue, and as this application seems to need it you don't have a choice anyway. You might want to try a lower setting and see if this works as well though.

    For installing pfSense as VM have a look at http://pfsense.org/mirror.php?section=/tutorials/vmware_install/vmware.html



  • Today I've been testing the latest snapshot:

    1.2-BETA-1-TESTING-SNAPSHOT-05-02-07
    built on : Wed May 2 20:06:34 EDT 2007
    Platform: cdrom

    I've been trying to restore the configuration from the .xml configuration file because I had no floppies available nor a USB pen, only the LAN link, and this is the unhandled error message shown in the webConfigurator:

    Warning: touch(): Unable to create file /needs_package_sync because Read-only file system in /usr/local/www/diag_backup.php on line 157

    Should it be possible to restore from the xml configuration file also for the livecd (platform cdrom)? Isn't the xml directly loaded in RAM? ???



  • Thanks, I just committed a fix for this.  Try a snapshot 2+ hours from now.



  • @sullrich:

    Try a snapshot 2+ hours from now.

    I'm unsure how to update an earlier pfsense fully installed on a hd. Do I have to boot the fresh iso livecd and choose option number 99 in the console setup, or is there a better way to do it with the latest pfSense.iso.gz? In the docs I've only found the steps for embedded systems.

    Thanks :)



  • Download full update from here:
    http://snapshots.pfsense.org/FreeBSD6/RELENG_1_2/updates/

    Go to Firmware page in GUI and choose the file you downloaded.



  • @cmb:

    Download full update from here:
    http://snapshots.pfsense.org/FreeBSD6/RELENG_1_2/updates/
    Go to Firmware page in GUI and choose the file you downloaded.

    I've just tried to upload the latest .tgz snapshot by using the Firmware page in webConfiguration and before carrying out the step it says:

    The digital signature on this image is invalid.
    This means that the image you uploaded is not an official/supported image and may lead to unexpected behavior or security compromises. Only install images that come from sources that you trust, and make sure that the image has not been tampered with.
    Do you want to install this image anyway (on your own risk)?

    10- Do only the final versions have that digital signature?

    I did a test with my WLAN equipment and I set up WPA-PSK TKIP instead of WPA2-PSK AES, and the wifi connection is very unstable (I restored the old wireless config). This is the system log:

    hostapd:ral0: STA xx:xx:xx:xx:xx WPA: group key handshake completed (WPA)
    hostapd:ral0: STA xx:xx:xx:xx:xx WPA: received EAPOL-Key Error Request (STA detected Michael MIC failure)
    hostapd:ral0: STA xx:xx:xx:xx:xx WPA: received EAPOL-Key with invalid MIC
    hostapd:ral0: STA xx:xx:xx:xx:xx IEEE 802.11: deassociated
    hostapd:ral0: STA xx:xx:xx:xx:xx IEEE 802.11: associated

    11- What does 'Michael MIC failure' exactly mean? I think the wifi card I have isn't well supported and I need to put in an Atheros-based one. I took a look at http://madwifi.org/wiki/Compatibility/TP-Link, but I still have some questions:
    11a- Should the Madwifi driver support virtually all PCI wifi cards based on any Atheros chipset, or only specific ones?
    11b- Do you use an Atheros wifi card, and what is your experience?
    11c- There is no problem using them with WPA/WPA2 encryption (if supported as written in their datasheet) under pfSense, is that right?

    12- Which scripts do I have to edit to modify the sequence of beeps coming from the internal speaker (at boot/shutdown/reboot)?

    Thank you! ;)
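    The two hostapd excerpts in this thread (the associate / "deauthenticated due to local deauth request" loop in the first post, and the TKIP "Michael MIC failure" lines above) are both patterns worth catching from the system log rather than eyeballing. The script below is an added example, not pfSense's code: it parses syslog-style hostapd lines, counts associate-then-local-deauth cycles per station, and flags the case the 802.11i TKIP countermeasures react to, two MIC failures on the same BSS within 60 seconds (after which the AP drops every station and refuses associations for 60 seconds, which is what makes a flaky TKIP link feel "very unstable"). The sample log is constructed to mirror the thread's excerpts; timestamps on the MIC lines are made up because the posted copy has none, and the `xx:` MAC placeholders are kept as-is.

```python
"""Spot two wireless failure patterns in pfSense hostapd log lines.

Added example, not pfSense code. SAMPLE_LOG below is constructed to mirror
the log excerpts posted in this thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# syslog prefix, then "hostapd: <iface>: STA <mac> <layer>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+hostapd:\s*"
    r"(?P<iface>\w+):\s+STA\s+(?P<sta>[0-9A-Fa-fx:]+)\s+"
    r"(?P<layer>IEEE 802\.11|WPA):\s+(?P<msg>.+?)\s*$"
)

# Both messages mean a TKIP Michael MIC check failed on this BSS: one detected
# locally by the AP, one reported by the station through an EAPOL-Key Error Request.
MIC_FAILURE_MSGS = (
    "received EAPOL-Key Error Request (STA detected Michael MIC failure)",
    "received EAPOL-Key with invalid MIC",
)

SAMPLE_LOG = """\
Aug 2 04:32:46 kernel: ral0: promiscuous mode enabled
Aug 2 04:33:39 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated
Aug 2 04:33:42 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request
Aug 2 04:33:42 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deassociated
Aug 2 04:33:54 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated
Aug 2 04:33:57 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request
Aug 2 04:34:06 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated
Aug 2 04:34:09 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request
Aug 2 05:10:01 hostapd: ral0: STA xx:xx:xx:xx:xx:xx WPA: group key handshake completed (WPA)
Aug 2 05:10:05 hostapd: ral0: STA xx:xx:xx:xx:xx:xx WPA: received EAPOL-Key Error Request (STA detected Michael MIC failure)
Aug 2 05:10:31 hostapd: ral0: STA xx:xx:xx:xx:xx:xx WPA: received EAPOL-Key with invalid MIC
Aug 2 05:10:31 hostapd: ral0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deassociated
"""


def parse_hostapd(lines, year=2007):
    """Turn hostapd STA lines into event dicts; other syslog lines are skipped.
    syslog has no year, so the caller supplies one (assumed 2007 for the thread)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = " ".join(m["ts"].split())
        events.append({
            "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
            "iface": m["iface"], "sta": m["sta"],
            "layer": m["layer"], "msg": m["msg"],
        })
    return events


def deauth_loops(events, min_cycles=3):
    """Count 'associated' -> 'deauthenticated due to local deauth request'
    cycles per (iface, sta). The AP itself is tearing the link down here
    (key handshake never completes), so the client is not at fault."""
    cycles = defaultdict(int)
    pending = set()
    for ev in events:
        if ev["layer"] != "IEEE 802.11":
            continue
        key = (ev["iface"], ev["sta"])
        if ev["msg"] == "associated":
            pending.add(key)
        elif ev["msg"].startswith("deauthenticated due to local deauth request") and key in pending:
            cycles[key] += 1
            pending.discard(key)
    return {k: n for k, n in cycles.items() if n >= min_cycles}


def tkip_countermeasure_triggers(events, window_s=60):
    """Return (iface, first, second) for each pair of MIC failures on the same
    BSS within window_s seconds. 802.11i counts failures per authenticator,
    not per station, so the window is tracked per interface."""
    last_failure = {}
    triggers = []
    for ev in events:
        if ev["layer"] != "WPA" or ev["msg"] not in MIC_FAILURE_MSGS:
            continue
        prev = last_failure.get(ev["iface"])
        if prev is not None and ev["time"] - prev <= timedelta(seconds=window_s):
            triggers.append((ev["iface"], prev, ev["time"]))
        last_failure[ev["iface"]] = ev["time"]
    return triggers


if __name__ == "__main__":
    evs = parse_hostapd(SAMPLE_LOG.splitlines())
    for (iface, sta), n in deauth_loops(evs).items():
        print(f"{iface}: {sta} went through {n} associate/local-deauth cycles")
    for iface, t1, t2 in tkip_countermeasure_triggers(evs):
        print(f"{iface}: two MIC failures {int((t2 - t1).total_seconds())}s apart -> TKIP countermeasures")
```

    On a live box the same functions can be fed the output of `clog /var/log/system.log` (or the wireless log in the webConfigurator) line by line; a steady stream of countermeasure triggers with a single client is a driver or hardware problem, as the replies in this thread say, whereas failures spread over many stations are what the TKIP countermeasure was designed to notice.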



  • @firestar:

    10- Do only the final versions have that digital signature?

    Yes.

    @firestar:

    I did a test with my WLAN equipment and I set up WPA-PSK TKIP instead of WPA2-PSK AES, and the wifi connection is very unstable (I restored the old wireless config).

    The ral driver seems to be unstable. We don't develop the drivers, we just use what's available, so nothing we can do other than say "yeah, it sucks."

    @firestar:

    11a- Should the Madwifi driver support virtually all PCI wifi cards based on any Atheros chipset, or only specific ones?

    It's not madwifi (this isn't Linux, it's FreeBSD) but virtually all Atheros cards should be supported by the HAL we inherit from FreeBSD.

    @firestar:

    11b- Do you use an Atheros wifi card, and what is your experience?

    Yes. Works great.

    @firestar:

    11c- There is no problem using them with WPA/WPA2 encryption (if supported as written in their datasheet) under pfSense, is that right?

    I use WPA, works great.

    @firestar:

    12- Which scripts do I have to edit to modify the sequence of beeps coming from the internal speaker (at boot/shutdown/reboot)?

    Don't know that one.



  • I've updated the firmware of the testbox to:

    1.2-BETA-1-TESTING-SNAPSHOT-05-11-2007
    built on Mon May 14 11:30:09 EDT 2007

    I noticed these lines in the System logs-OpenVPN:

    openvpn[304]: Use --help for more information.
    openvpn[304]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:14: remote (2.0.6)
    openvpn[300]: Use --help for more information.
    openvpn[300]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:14: lport (2.0.6)

    I never used or configured VPN/OpenVPN, and on the other pfSense machine running the stable 1.0.1 version the system log is obviously blank. Maybe a bug in the snapshots?

    I have further questions:
    13a- I've seen that a new submenu 'OpenNTPD' appeared in 'Services', which has additional options to set this service. Does this new submenu use the 'Time zone' and 'NTP time server' fields from 'System: General Setup'?
    13b- Do you plan to move 'Time zone' and 'NTP time server' from 'System: General Setup' to 'OpenNTPD'?
    13c- Why not also add a button like 'Synchronize time now!' in the 'OpenNTPD' section? It can be useful to update without a restart.
    13d- How is time currently managed by OpenNTPD in pfSense? How many times a day is it updated, or in which circumstances?

    Regards



  • @firestar:

    I've updated the firmware of the testbox to:

    1.2-BETA-1-TESTING-SNAPSHOT-05-11-2007
    built on Mon May 14 11:30:09 EDT 2007

    I noticed these lines in the System logs-OpenVPN:

    openvpn[304]: Use --help for more information.
    openvpn[304]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_client0.conf:14: remote (2.0.6)
    openvpn[300]: Use --help for more information.
    openvpn[300]: Options error: Unrecognized option or missing parameter(s) in /var/etc/openvpn_server0.conf:14: lport (2.0.6)

    I never used or configured VPN/OpenVPN, and on the other pfSense machine running the stable 1.0.1 version the system log is obviously blank. Maybe a bug in the snapshots?

    This was a previous bug that has been fixed but the only way to fix it is to remove the blank entries from config.xml.

    To do this enter the pfSense PHP shell and run these commands:

    unset($config['installedpackages']["openvpnserver"]['config']);
    unset($config['installedpackages']["openvpnclient"]['config']);
    write_config();
    exit
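    The OpenVPN errors above come from empty entries that render as `remote` and `lport` lines with no argument, and the PHP shell fix unsets the whole `openvpnserver` / `openvpnclient` config arrays. Before doing that on a box that might also carry real VPN instances, it is worth seeing exactly which entries are blank. The script below is an added example, not pfSense code: it reads a config.xml, lists the blank `<config>` entries under those two sections, and can write back a copy with only the blank ones removed. The element layout (`<installedpackages><openvpnserver><config>…`) is assumed from the `$config[...]` keys in the shell commands, the `<remote>`/`<lport>` field names are taken from the logged option names, and the sample XML is constructed.

```python
"""List and drop blank OpenVPN entries in a pfSense config.xml.

Added example, not pfSense code. Element layout is assumed from
$config['installedpackages']['openvpnserver']['config'] in the thread's
PHP shell fix; SAMPLE_CONFIG is constructed.
"""
import xml.etree.ElementTree as ET

SECTIONS = ("openvpnserver", "openvpnclient")

# Constructed sample: one blank server entry, one real one, one blank client
# entry whose only field is an empty <remote> (the shape behind the
# "missing parameter(s) ... remote" error in the log).
SAMPLE_CONFIG = """<pfsense>
  <installedpackages>
    <openvpnserver>
      <config></config>
      <config><protocol>udp</protocol><lport>1194</lport></config>
    </openvpnserver>
    <openvpnclient>
      <config><remote></remote></config>
    </openvpnclient>
  </installedpackages>
</pfsense>
"""


def is_blank(entry):
    """An entry is blank when neither it nor any descendant carries text."""
    return all((el.text or "").strip() == "" for el in entry.iter())


def find_blank_entries(xml_text):
    """Map section name -> indexes of blank <config> entries (0-based)."""
    root = ET.fromstring(xml_text)
    found = {}
    for section in SECTIONS:
        entries = root.findall(f"./installedpackages/{section}/config")
        found[section] = [i for i, e in enumerate(entries) if is_blank(e)]
    return found


def drop_blank_entries(xml_text):
    """Return (cleaned xml, number removed); non-blank entries are untouched.
    Unlike the PHP unset() above, this keeps any real OpenVPN instances."""
    root = ET.fromstring(xml_text)
    removed = 0
    for section in SECTIONS:
        parent = root.find(f"./installedpackages/{section}")
        if parent is None:
            continue
        for entry in list(parent.findall("config")):
            if is_blank(entry):
                parent.remove(entry)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("blank entries:", find_blank_entries(SAMPLE_CONFIG))
    cleaned, n = drop_blank_entries(SAMPLE_CONFIG)
    print(f"removed {n} blank entries; remaining:", find_blank_entries(cleaned))
```

    Run it against a backup copy of config.xml first and diff the result; on pfSense itself the canonical way to apply a change is still the PHP shell and `write_config()`, which also bumps the config revision.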

