GrandStream HT502 BEHIND router



  • hello,

    I have a HARD time getting a Granstream HT502 to work in conjunction with pfsense and since I no longer have a cellphone and VOIP will be my only phone, I am in a rush to get this working.

    Anyone who can coach me, please share!

    Basically, I have tried 2 different configurations:

    Before the pfsense router (i.e. between my cable modem and the opfsense box)
    Phone works (with LOTS of noise and static), and sound is chioppy.  I believe this is because there's no QoS being done since the pfsense box doesnt see the ATA device.

    My 30Mbps/10Mbps connection is throttled to around 15Mbps/5Mbps.  This is not going to happen ;)

    After the pfsense machine (as a LAN device like my computers, printers, etc)
    I have configured the ATA as much as possible (given the crappy firmware in it) for it to get an IP from pfsense, and that works flawlessly.  I can reach the webinetrface and see its status.

    The problem is that the ATA never registers with my service provider.  Im not sure why.

    According to them, my router is causing the problems.  I tried opening ports, doing port forwarding as per my service provider's instructions, to no avail.  The ATA just doesnt reach the outside world.

    I tried setting up WAN rules to direct the outside traffic to the ports 5060, 5061, 10538, etc (as my service provide suggested) but its not working.

    Can someone guide me through setting up pfsense to support a simple ATA )VOIP) device??

    Pfsense is still cryptic for me since Im just a normal home user and not a network expert..

    Thanks!!!!



  • Turns out, I think pfsense is the issue.  I did a thorough troubleshooting along with the service provider and step by step I've isolated the bottleneck.

    Important to mention, between each speed tests, I have unplugged EVERYTHING (modem, ATA, pfsense box, computer) so no residual data (subnet, IP, etc..) from a previous test would stay and cause troubles or screw up the test.

    Here's the results of the speedtests for each network config: (All in Mbps)

    This is a 30Mbps/10Mbps connection

    Test 1: Cable modem -> Computer

    1.  U 23.18 / D 9.44
    2.  U 22.77 / D 9.46
    3.  U 22.16 / D 9.51
    4.  U 24.44 / D 9.53

    Test 2: Cable modem -> ATA device -> Computer

    1.  U 22.82 / D 10.34
    2.  U 20.87 / D 10.30
    3.  U 22.87 / D 10.34
    4.  U 22.60 / D 10.18

    Test 3: Cable modem -> ATA device -> pfSense box -> Computer

    1.  U 16.70 / D 10.06
    2.  U 15.85 / D 1.30
    3.  U 16.93 / D 10.22
    4.  U 17.98 / D 10.25

    Test 4: Cable modem -> pfSense box -> Computer

    1.  U 30.16 / D 10.22
    2.  U 15.57 / D 1.47
    3.  U 31.62 / D 9.94
    4.  U 30.03 / D 10.20

    My thoughts:

    • Results from test 1 and 2 clearly show that the ATA device does not cause bottleneck issues as I previously thought.  The difference between the average speed of approx. 22Mbps versus my nominal speed of 30Mbps IMO are related to cable congestion or other ISP issues (I am close to a large city).

      Result from test 4 also shows that the pfsense box directly connected to the cable modem is not causing bandwidth issues.

    SO I conclude that for whatever reason that I would like to determine, pfsense has a hard time playing with the ATA device. The only configuration that caused severe bandwidth throttle was the config where pfsense was after the ATA device.

    I hope this will be useful to someone to help me pin point the cause..

    EDIT:  Speedtest done using a python CLI utility available at https://github.com/sivel/speedtest-cli
    Thanks for the original devs for this useful tool!



  • Additionally, I tried once again to setup the ATA on the LAN side and setup port forwarding on pfsense

    using http://forum.pfsense.org/index.php?topic=55676.0

    No go.  The ATA doesnt register at all..

    In both configuration, pfsense is the root cause of the issues..

    What kind of configuration do pfsense needs for a simple voip device to work?



  • Another reply….

    I am trying to set a DMZ for the ATA.  All tutorials or documentation I find, you need 3 network cards in the machine running PFS.  DO I really need 3 NIC's???

    Thats pathetic.  My $35 old linksys router could do DMZ in a second.

    Other than DMZ, how could I make this thing work?



  • Its important to note that differnent voip companies do things different. The standard that should be was scared off by the big lawsuit that Vonage lost.

    Can you try the siproxd package? Im not a big fan of Grandstream product due to various issues  but Im sure the double natting that your doing isn't helping the situation.

    My only Grandsteam product is actually behind a pfsense install sharing a network with a Vonage device (linksys) and doing quite well without siproxd. At my home however I have 4 numbers across 2 Linksys devices with the same company as the Grandstream that need Siproxd to work.

    Grandstream will give you problems being the first in line.



  • The only thing I've ever had to do to get my device to register well with a distant SIP server is make my system recheck registration every few seconds vs 3600 seconds.  I have several SIP devices behind pfsense and all work.  Where you have been using more NAT rules and stuff, you probably really should use less.  NAT rules only make sense if the server is behind your firewall and its not.

    I am using manual outbound NAT and I do have a outbound NAT rule that tells anything on port 5060 or 5061 to use STATIC port.

    If you have multiple IPs that can also cause a problem. I've heard that using "sticky connections" fixes that.

    Now - You said something earlier that made little sense to me.  You said you used your phone connected directly to the modem before pfsense and it worked?  Thats really bizarre UNLESS your modem is also a router and your pfsense is double NATed, in which case I'd expect alot of broken functionality.



  • Can you try the siproxd package? Im not a big fan of Grandstream product due to various issues  but Im sure the double natting that your doing isn't helping the situation.

    Of Course I will try the siproxd package with pleasure!  I will report back on that.  I agree 100% with you, GS products seems to be crappy at best.  Double natting?  Like I said, Im a total idiot when it comes to networking.  I can setyp a basic LAN but other than that, no clue!

    One thing I observed.  The ATA in bridge mode (supposedly just acting like a switch), if I connect it to the modem and the router is NOT connected to the ata (in other words modem -> ATA -> Nothing) and I wait for the ATA to sync and initialize, it will register on the supplier's network and the phone will work.  If I connect the ATA to the modem and connect the pfsense router to the ATA, and initialize the ATA, the pfsense router will get an IP but the ATA wont register to the service provider.

    TO me, it looks like the ATA was getting an IP from the supplier but NOT forwarding the IP to the LAN (the router in my case) which I thought should..

    In NAT mode, the ATA gets an IP from the supplier, and gives an IP to the router no problems..

    Grandstream will give you problems being the first in line.

    Agreed.  My network has worked FLAWLESSLY for several months.  At the moment I introduced this Grandstream P-O-S (sorry I tend to lose it) before my pfsense box, it was game over immediately.

    Where you have been using more NAT rules and stuff, you probably really should use less.  NAT rules only make sense if the server is behind your firewall and its not.

    I am using manual outbound NAT and I do have a outbound NAT rule that tells anything on port 5060 or 5061 to use STATIC port.

    Would you care to guide me thru this??? I know nothing about port forwarding and NAT so I know myself, I will end up screwing stuff up instead of fixing it.

    You said you used your phone connected directly to the modem before pfsense and it worked?  Thats really bizarre UNLESS your modem is also a router and your pfsense is double NATed, in which case I'd expect alot of broken functionality.

    Well…. AFAIK the modem is only a cable modem but it is factory set.  I will try to get into the modem config and see that is there.  But yes , the ATA directly after the modem, the phone in the ATA, all is fine (phone wise) but the ATA has to be in NAT mode for the internet access to work.

    Heres a summary to clear things up:

    Config 1

    --> Cable modem --> ATA in NAT mode --> pfSense --> LAN

    Internet works, phone works (ATA registers with supplier), bandwidth is capped to 15Mbps

    Config 2

    --> Cable modem --> ATA in BRIDGE mode --> pfSense --> LAN

    ATA will sync with supplier, phone will work but pfsense wont get a valid public IP.



  • Well - In my case I have several subnets here in the 10.x.x.0 / 24 range.
    So, what I did rather than make a dozen entries in my outbound NAT is to just make one.

    So, first off you would have to be running Manual outbound NAT.

    So, firewall > NAT > Outbound

    click "Manual Outbound NAT rule generation" Then save.

    (Don't worry - You can always re-click the auto setting later if you like)

    Now, you should get a bunch of rules that automatically appear.

    At the very top, I created a rule with interface as WAN and source as 10.50.0.0/16 (to cover all my /24 subnets) with destination port 5060 and static port checked.  That fixed my SIP issues.

    THE RULE HAS TO BE AT TOP OF LIST OR IT WILL NEVER GET PROCESSED.

    Mileage varies per user…



  • lpallard-

    What model cable modem do you have?

    Do you have access to the voip settings on the grandstream?

    also-  did you change the LAN address from default on either pfsense or the grandstream?



  • OK !  Out of nowhere, after I had set my port forwarding and NAT on the pfsense machine, I plugged the ATA in my LAN, it got an IP from pfsense's DHCP server and then after a few minutes, the phone worked..  Not sure why it didnt work the 100 times I tried last week…

    Anyways,

    kejianshi, look at my screenshots to see my config.  DO you spot anything dangerous, out of the ordinary or wrong??

    chpalmer,  my modem is Thomson DCM475.  Apparently, this modem is what they call a plain-Jane modem, no routing functions whatsoever done my the modem.  Its more or less just a device that converts cable signals to Network signals..  Anyways this is what I understand..

    I do have access to the HT502 settings.  They're in the screenshots as well.

    THe HT502 is factory set to get an IP thru DHCO on its WAN port (normally from the service supplier if connected BEFORE the router) but since in my case its connected AFTER the router, its getting an IP from pfsense.  It works perfectly.  As for the LAN port on the HT502, Im not using it (if after router) since I dont need to bridge or NAT throu it to "feed" another device.  That'd be required if the HT502 was placed between my modem & router which is not right now.

    The LAN on pfsense is set to 192.168.0.100 to 110

    Other than that, please ask I will try to find the info or post additional screnshots.

    :)

    NB: I do NOT have access to the HT502's advanced settings page and the FXS Port 1 & 2 since at the moment the ATA is provisioned by the service provider, they block access to these pages...












  • Other screenshots








  • As I expected, this was too good to be true…

    I was talking on the phone and suddenly, everything died.  Now when I pickup the phone I hear "Device not registered".

    The ATA lost connectivity to the outside.  See screenshot:  Not Registered.

    Looking in pfsense logs:

    Aug 25 13:44:11 	snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200
    Aug 25 13:44:11 	snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200
    Aug 25 13:43:55 	snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
    Aug 25 13:43:55 	snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
    Aug 25 13:43:38 	snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
    Aug 25 13:43:38 	snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
    

    Could snort cause issues??  I stopped it and rebooted the ATA.  Will post back ASAP if this helped or not.




  • Your device should probably have the "NAT" box checked in its settings and also, I had to change my device to time out every 15 seconds instead of 3600.  Same for UDP time-out.  After that, it stayed registered.  If I set my settings same as yours, I'd be offline also.

    Unless their service will boot you for checking in too often, its better to make those numbers smaller.

    And snort…  Geeze.  Don't get me started on SNORT.



  • Yep, snort WAS the problem.. I think anyways.  I stopped it, cleared the blocked hosts, rebooted the ATA and bingo! got the phone again!

    I'm not sure of the right way to prevent snort from doing that again…



  • Registration time is in the locked advanced pages so not an option without help from his voip providers tech support.

    To bypass some filtering issues here I set up a second subnet to run my voip ata's on. Its all great if you have the room to install a third NIC into your box. Otherwise its VLANs and a managed switch…  :P

    Im not sure if Siproxd will bypass snort or not. I only use it to run multiple ata's to multiple external servers. My provider has a production server and a byod server. Plus they are beta testing a cloud based pbx server which I am playing with.



  • To bypass some filtering issues here I set up a second subnet to run my voip ata's on. Its all great if you have the room to install a third NIC into your box. Otherwise its VLANs and a managed switch…  :P

    Unfortunately, I do not have a second PCI clot on that machine so adding another NIC is impossible.

    I also intend to virtualize pfsense at some point on a shiny new dual socket server with LOTS of RAM….  Im not sure how will this work but I know for sure it wont have 3 NIC's (I will be able to install several NICs as the server's mobo will have 6 PCI-E slots but will I need to??)

    Right now, Snort is down.  Unless I know how to make sure it wont block the ATA again, it will remain down.

    You see this is what Ive done:

    Create an alias including all my internal IP's and some outside servers I want to keep free access to,
    Under Snort's config, I went to white-list, added a white-list, and then used the alias I had created

    I really thought this way snort wouldn't interfere with the hosts listed under this alias..

    Apparently not.
    Anybody knows why?

    I did not have to try Siproxd yet because the ATA works flawlessly with my port forwarding setup and snort down.  If I can clear snort's interference out of the equation, and I have problems again, I will try Siproxd.  I just prefer not to mix too many variables together until I really knows whats going on.

    That has been my recipe with pfsense…



  • THings were too good to be true… Until I added a domain in squidguard target categoriues and suddenly the whole router crawled to a stop.. I knew what it was 1000000%

    See http://forum.pfsense.org/index.php/topic,63025.msg357852.html#msg357852

    Clearly nobody thinks this is a problem.  IMO something is severely broken in pfsense's packages.

    See the result of ps -A:

    20 million havp and squidguard processes running anybody think its normal?!

    $ ps -A
      PID  TT  STAT      TIME COMMAND
        0  ??  DLs  177:38.54 [kernel]
        1  ??  SLs    0:00.05 /sbin/init --
        2  ??  DL     1:50.16 [g_event]
        3  ??  RL     4:25.76 [g_up]
        4  ??  DL     2:53.40 [g_down]
        5  ??  DL     0:00.00 [crypto]
        6  ??  DL     0:00.00 [crypto returns]
        7  ??  DL     0:00.00 [sctp_iterator]
        8  ??  DL     1:03.50 [pfpurge]
        9  ??  DL     0:00.00 [xpt_thrd]
       10  ??  DL     0:00.00 [audit]
       11  ??  RL   23533:39.71 [idle]
       12  ??  WL   483:41.74 [intr]
       13  ??  DL     0:00.00 [ng_queue]
       14  ??  DL     7:57.60 [yarrow]
       15  ??  DL     0:42.49 [usb]
       16  ??  DL     1:39.58 [acpi_thermal]
       17  ??  DL     0:16.16 [pagedaemon]
       18  ??  DL     0:00.36 [vmdaemon]
       19  ??  DL     0:00.04 [pagezero]
       20  ??  DL     0:03.54 [idlepoll]
       21  ??  DL     0:17.68 [bufdaemon]
       22  ??  DL    15:17.22 [syncer]
       23  ??  DL     0:14.00 [vnlru]
       24  ??  DL     0:21.51 [softdepflush]
       40  ??  DL     0:19.84 [md0]
      245  ??  INs    3:21.70 /usr/local/sbin/check_reload_status
      247  ??  IWN    0:00.00 check_reload_status: Monitoring daemon of check_reloa
      257  ??  Is     0:00.02 /sbin/devd
     2396  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     2715  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     2738  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     2845  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     4907  ??  D      0:09.28 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     5011  ??  D      0:08.78 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     5319  ??  D      0:09.04 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     5396  ??  D      0:09.29 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     5529  ??  Is     0:00.13 /usr/local/sbin/sshlockout_pf 15
     5736  ??  D      0:08.72 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     6035  ??  Is     0:00.00 /usr/sbin/sshd
     6365  ??  D      0:22.03 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     6468  ??  D      0:23.23 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     6515  ??  D      0:21.55 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     6801  ??  Is     0:00.07 dhclient: re0 [priv] (dhclient)
     6848  ??  D      0:21.44 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     7114  ??  D      0:21.84 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
     8100  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     8230  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     8480  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     8808  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     9023  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     9289  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     9496  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
     9753  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    10724  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    10778  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    10913  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    12344  ??  Ss     0:20.32 dhclient: re0 (dhclient)
    13208  ??  Ss     0:15.62 /usr/sbin/cron -s
    16871  ??  Ss     4:33.25 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log 
    17328  ??  D      0:17.47 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    17662  ??  D      0:17.63 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    17685  ??  D      0:17.99 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    17777  ??  D      0:17.64 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    17814  ??  D      0:17.42 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    17934  ??  D      0:33.44 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    18190  ??  D      0:33.49 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    18243  ??  D      0:34.27 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    18529  ??  D      0:32.95 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    18705  ??  D      0:33.19 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    20216  ??  S      0:00.67 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    20557  ??  S      0:00.47 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    20578  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    20768  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    20884  ??  Is     0:00.04 /usr/local/sbin/squid -D
    20949  ??  S      0:00.17 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    21239  ??  S      0:00.27 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    21403  ??  S      0:00.02 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    21675  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    21798  ??  I      0:00.30 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    21881  ??  S      0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    22095  ??  Ds   307:46.96 /usr/local/bin/ntop -i re0,re1 -u root -d -4 -M -x 81
    22142  ??  Is     2:19.13 /usr/local/sbin/filterdns -p /tmp/filterdns.pid -i 30
    22209  ??  I      0:00.02 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    22304  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    23045  ??  Ds    71:53.62 /usr/local/sbin/clamd -c /usr/local/etc/clamd.conf
    23741  ??  DL     0:06.21 [md10]
    24125  ??  Ss     7:37.85 /usr/local/sbin/apinger -c /var/etc/apinger.conf
    25631  ??  SN     0:00.00 sleep 60
    25762  ??  R      0:00.01 ps -A
    28072  ??  S      0:59.81 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfig
    28602  ??  IWs    0:00.00 /usr/local/bin/php
    30096  ??  IWs    0:00.00 /usr/local/bin/php
    30530  ??  Ss     0:25.95 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroo
    32419  ??  S      0:06.04 /usr/local/bin/php
    32731  ??  D      0:50.29 /usr/local/bin/php
    38698  ??  S      0:01.39 (squid) -D (squid)
    38859  ??  I      0:00.00 (unlinkd) (unlinkd)
    39204  ??  I      0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    39339  ??  I      0:00.07 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    39437  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    39503  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    39559  ??  Ss     2:04.82 /usr/local/bin/ntpd -g -c /var/etc/ntpd.conf
    39682  ??  S      0:00.07 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    39825  ??  S      0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    39965  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    40116  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    40538  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    40849  ??  I      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    40980  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    41205  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    42829  ??  I      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    42997  ??  D      0:09.75 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    43100  ??  IWs    0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /
    43129  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    43158  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    43186  ??  D      0:09.26 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    43229  ??  R      0:11.26 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    43281  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    43530  ??  I      0:01.81 minicron: helper /usr/local/bin/ping_hosts.sh  (minic
    43541  ??  D      0:09.40 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    43674  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    43677  ??  I      0:09.61 /usr/local/bin/rrdtool -
    43730  ??  D      0:31.64 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    43739  ??  D      0:09.46 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    43767  ??  IWs    0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts
    43771  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    43823  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    44076  ??  R      0:30.82 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    44086  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    44098  ??  I      0:00.10 minicron: helper /etc/rc.expireaccounts  (minicron)
    44167  ??  IWs    0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_u
    44226  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    44348  ??  D      0:30.33 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    44389  ??  S      3:08.20 /usr/local/sbin/dnsmasq --local-ttl 1 --all-servers -
    44473  ??  D      0:31.46 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    44562  ??  I      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    44594  ??  I      0:00.01 minicron: helper /etc/rc.update_alias_url_data  (mini
    44657  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    44676  ??  INs    0:00.02 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.
    44736  ??  R      0:32.10 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard.
    44811  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    44910  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    45068  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    45118  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    45263  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    45599  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    45796  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    46069  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    46356  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    46702  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    46944  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    47136  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    47311  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    47382  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    47469  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    47705  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    47919  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    48205  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    48545  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    48681  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    48716  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    48874  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    49163  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    49502  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    49515  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    49847  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    50167  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    50227  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    50540  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    50757  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51098  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51166  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51192  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51209  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51454  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51585  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51676  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51734  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    51769  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    52037  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    53482  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    53518  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    54795  ??  Ss    17:23.59 /usr/sbin/powerd -b adp -a adp
    56210  ??  I      0:00.00 sleep 55
    59021  ??  Ss     0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    59708  ??  S      0:00.95 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    59959  ??  S      0:00.60 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    59965  ??  S      0:00.82 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    60073  ??  S      0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    60360  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    60528  ??  S      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    61680  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    61798  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    61995  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    62170  ??  I      0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf
    16277  v0- S      1:16.15 /usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog
    16308  v0- S      1:51.49 logger -t pf -p local0.info
    32161  v0- I      0:49.28 /bin/sh /usr/local/pkg/sqpmon.sh
    52753  v0- SN     4:51.06 /bin/sh /var/db/rrd/updaterrd.sh
    52813  v0  Is+    0:00.01 /usr/libexec/getty Pc ttyv0
    53228  v1  Is+    0:00.01 /usr/libexec/getty Pc ttyv1
    

    pfsense is causing me too many issues and headaches.  I think Im gonna find another firewall project or go back to a simple plain Jane router…


  • Banned

    @lpallard:

    pfsense is causing me too many issues and headaches.  I think Im gonna find another firewall project or go back to a simple plain Jane router…

    Sorry, but installing junk and blaming the OS just makes no sense. HAVP sucks, is broken, is not worth it, is not protecting you in any meaningful way. It uses ClamAV with absolutely pathetic detection rate, yet plagued with loads of false positives, which eats tons of resources, makes downloads suck. Any free AV on a workstation makes couple orders of magnitudes better job here. Installing HAVP, squidguard, snort on the same box? Are you mad?

    You are causing all this grief to yourself. " simple plain Jane router…" - yeah, that's what you get with vanilla pfS install - before you go on a resource killing spree with all those things mentioned above. They are NOT required. They are NOT needed. They are harmful in most cases. They make you babysit the firewall 24/7.

    Doctor, it hurts when I do this... Yeah, so don't do that.



  • my tinkering is causing me too many issues and headaches

    There- fixed that for you!

    A plain Jane router is just that. No firewall.  SIP doesn't like NAT. It can be made to work if your patient. Try Vonage. It will work fine. That tells me that there are other underlying factors going on with some SIP providers.

    DO I really need 3 NIC's???

    No. You don't.



  • Well - There is routing, which pfsense does very well.

    Then there is firewalling, which pfsense also does well.

    Then there are add on packages, which do various other things like clamav and caching squid proxy and those things are neither routing nor are they anthing to do with firewall..

    And then there are the UTM features of pfsense.  Not know what you are doing WILL break your install.

    While I don't share the dislike of clamav, I do have a dislike for all AV in general.  They are resource hogs.
    Better to use OSes that don't require you to run it and just load AV on your play/gaming machines.
    Probably nobody who doesn't NEED the last 2 sets of features at the router should touch those.

    Almost no one needs the UTM stuff at home, but if you go there, don't say pfsense is broken.  Some really patient fairly expert people get those features to work just fine.  The key being expert + patient.  Like you really keep an eye on it.

    These systems are not automatically better the more you add to them.



  • Geez!  doktornotor calm down !!! ;)

    While I have shown signs of frustrations, my frustrations really were about the packages not the base platform.  If any of you took 2 seconds to look at my other thread where I EXPLICITELY mentioned that on the base platform I had ZERO problems, but with HAVP, Squid and its crappy guardian, I had issues, you would have understood my POV.

    I have repeatedly said that I was more than willing to give my time for FREE to help troubleshoot and analyze what the hell is going on with these packages because they're not working well.  Is this not what Opensource projects needs in the end?  Contributors and people helping for FREE?

    It is not pfsense that frustrates me, it is NOT even the packages so much , its people attitude.

    You post severe problems you have, you spend the necessary time to document it and write a meaningful thread about it, you explicitly ask developers and other "experts" to at least say a few words, and all you get is:

    13 Replies
    1139 Views

    Which on the 13 replies, 11 are MINE.

    Thats fine.  I get the point.  pfsense is meant to be alone to work properly, no packages added.  Then I suggest pfsense devs add a big fat warning in the package manager:

    Warning!  Adding packages may (will) break your pfsense install


  • Banned

    This is just funny. You need a rather flaky and sensitive VOIP stuff working behind firewall, and instead of setting things up so that it works and calling it a day, you go, overload your box with extremely intrusive, extremely resource intensive and rather horrible to maintain bloat and come back to vent your frustrations about how broken it is. Seriously. Just do not do that! You are causing this whole trouble to yourself!

    Now - yeah, snort does NOT work out of the box, never has, never will. And quite frankly my point of view is that it is just pure evil for any home/SOHO environment, not to mention the effort constant babysitting required. (This thing has been dropped from multiple firewall distros for a damn good reason, your rants being a prime example. The mailing lists and forums basically flooded with complaints from people thinking that IDS/IPS/UTM is a musthave, point-and-click, plug and play stuff.) Getting similar intrusive and complicated setups working does not take hours nor days… Do not have time and patience for that? Well, see above, just don't install such things. And regardless, take as a fact that it may just as well never work properly with things like some buggy flaky VOIP device, depending on the device itself, the SIP provider, the ISP, etc. etc. etc.

    Finally, these issues are nothing pfsense specific. Snort is exact same intrusive and disruptive everywhere else, HAVP (and the ClamAV thing behind it) does not magically become any better, nor does squid/squidguard when run on say Debian or Fedora instead of FreeBSD/pfSense.



  • I understand your frustrations.  Me, being a relative newbie here get your point.
    However, the reason the devs and others are not jumping through whoops to reply is because your issues have actually already been talked to death on the forums and they are really busy people.  (I'd guess that anyway)

    If I were you, I'd run pfsense as vanilla as I could and only add what is needed.
    I'd say the same for all distros.



  • All right, I get the point.  This is really eye opening and changed the way I see the pfsense project forever.

    I still dream that some day, there are some REALLY SOLID packages for pfsense.

    I kept tinkering with this because for a long while, I had success with the pfsense - havp - squid - snort - squidguard combination…  Real success.

    I still think all of this can be somewhow improved or fixed.


  • Banned

    As suggested above - these are NOT pfsense-specific issues for the most part. You need to work with upstream to get those sorted out, improved, polished, more usable, less sucky, more shiny, more out-of-the box experience stuff. Those downstream pfSense guys just package the stuff together and ship it (in addition, providing some added value, such at the GUIs.) Unless the issue is one related to the packaging/customized configuration stuff… this won't get solved here.


Log in to reply