GrandStream HT502 BEHIND router
-
The only thing I've ever had to do to get my device to register well with a distant SIP server is make my system recheck registration every few seconds vs 3600 seconds. I have several SIP devices behind pfsense and all work. Where you have been using more NAT rules and stuff, you probably really should use less. NAT rules only make sense if the server is behind your firewall and its not.
I am using manual outbound NAT and I do have a outbound NAT rule that tells anything on port 5060 or 5061 to use STATIC port.
If you have multiple IPs that can also cause a problem. I've heard that using "sticky connections" fixes that.
Now - You said something earlier that made little sense to me. You said you used your phone connected directly to the modem before pfsense and it worked? Thats really bizarre UNLESS your modem is also a router and your pfsense is double NATed, in which case I'd expect alot of broken functionality.
-
Can you try the siproxd package? Im not a big fan of Grandstream product due to various issues but Im sure the double natting that your doing isn't helping the situation.
Of Course I will try the siproxd package with pleasure! I will report back on that. I agree 100% with you, GS products seems to be crappy at best. Double natting? Like I said, Im a total idiot when it comes to networking. I can setyp a basic LAN but other than that, no clue!
One thing I observed. The ATA in bridge mode (supposedly just acting like a switch), if I connect it to the modem and the router is NOT connected to the ata (in other words modem -> ATA -> Nothing) and I wait for the ATA to sync and initialize, it will register on the supplier's network and the phone will work. If I connect the ATA to the modem and connect the pfsense router to the ATA, and initialize the ATA, the pfsense router will get an IP but the ATA wont register to the service provider.
TO me, it looks like the ATA was getting an IP from the supplier but NOT forwarding the IP to the LAN (the router in my case) which I thought should..
In NAT mode, the ATA gets an IP from the supplier, and gives an IP to the router no problems..
Grandstream will give you problems being the first in line.
Agreed. My network has worked FLAWLESSLY for several months. At the moment I introduced this Grandstream P-O-S (sorry I tend to lose it) before my pfsense box, it was game over immediately.
Where you have been using more NAT rules and stuff, you probably really should use less. NAT rules only make sense if the server is behind your firewall and its not.
I am using manual outbound NAT and I do have a outbound NAT rule that tells anything on port 5060 or 5061 to use STATIC port.
Would you care to guide me thru this??? I know nothing about port forwarding and NAT so I know myself, I will end up screwing stuff up instead of fixing it.
You said you used your phone connected directly to the modem before pfsense and it worked? Thats really bizarre UNLESS your modem is also a router and your pfsense is double NATed, in which case I'd expect alot of broken functionality.
Well…. AFAIK the modem is only a cable modem but it is factory set. I will try to get into the modem config and see that is there. But yes , the ATA directly after the modem, the phone in the ATA, all is fine (phone wise) but the ATA has to be in NAT mode for the internet access to work.
Heres a summary to clear things up:
Config 1
--> Cable modem --> ATA in NAT mode --> pfSense --> LAN
Internet works, phone works (ATA registers with supplier), bandwidth is capped to 15Mbps
Config 2
--> Cable modem --> ATA in BRIDGE mode --> pfSense --> LAN
ATA will sync with supplier, phone will work but pfsense wont get a valid public IP.
-
Well - In my case I have several subnets here in the 10.x.x.0 / 24 range.
So, what I did rather than make a dozen entries in my outbound NAT is to just make one.So, first off you would have to be running Manual outbound NAT.
So, firewall > NAT > Outbound
click "Manual Outbound NAT rule generation" Then save.
(Don't worry - You can always re-click the auto setting later if you like)
Now, you should get a bunch of rules that automatically appear.
At the very top, I created a rule with interface as WAN and source as 10.50.0.0/16 (to cover all my /24 subnets) with destination port 5060 and static port checked. That fixed my SIP issues.
THE RULE HAS TO BE AT TOP OF LIST OR IT WILL NEVER GET PROCESSED.
Mileage varies per user…
-
lpallard-
What model cable modem do you have?
Do you have access to the voip settings on the grandstream?
also- did you change the LAN address from default on either pfsense or the grandstream?
-
OK ! Out of nowhere, after I had set my port forwarding and NAT on the pfsense machine, I plugged the ATA in my LAN, it got an IP from pfsense's DHCP server and then after a few minutes, the phone worked.. Not sure why it didnt work the 100 times I tried last week…
Anyways,
kejianshi, look at my screenshots to see my config. DO you spot anything dangerous, out of the ordinary or wrong??
chpalmer, my modem is Thomson DCM475. Apparently, this modem is what they call a plain-Jane modem, no routing functions whatsoever done my the modem. Its more or less just a device that converts cable signals to Network signals.. Anyways this is what I understand..
I do have access to the HT502 settings. They're in the screenshots as well.
THe HT502 is factory set to get an IP thru DHCO on its WAN port (normally from the service supplier if connected BEFORE the router) but since in my case its connected AFTER the router, its getting an IP from pfsense. It works perfectly. As for the LAN port on the HT502, Im not using it (if after router) since I dont need to bridge or NAT throu it to "feed" another device. That'd be required if the HT502 was placed between my modem & router which is not right now.
The LAN on pfsense is set to 192.168.0.100 to 110
Other than that, please ask I will try to find the info or post additional screnshots.
:)
NB: I do NOT have access to the HT502's advanced settings page and the FXS Port 1 & 2 since at the moment the ATA is provisioned by the service provider, they block access to these pages...
-
Other screenshots
-
As I expected, this was too good to be true…
I was talking on the phone and suddenly, everything died. Now when I pickup the phone I hear "Device not registered".
The ATA lost connectivity to the outside. See screenshot: Not Registered.
Looking in pfsense logs:
Aug 25 13:44:11 snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200 Aug 25 13:44:11 snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200 Aug 25 13:43:55 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060 Aug 25 13:43:55 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060 Aug 25 13:43:38 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060 Aug 25 13:43:38 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Could snort cause issues?? I stopped it and rebooted the ATA. Will post back ASAP if this helped or not.
-
Your device should probably have the "NAT" box checked in its settings and also, I had to change my device to time out every 15 seconds instead of 3600. Same for UDP time-out. After that, it stayed registered. If I set my settings same as yours, I'd be offline also.
Unless their service will boot you for checking in too often, its better to make those numbers smaller.
And snort… Geeze. Don't get me started on SNORT.
-
Yep, snort WAS the problem.. I think anyways. I stopped it, cleared the blocked hosts, rebooted the ATA and bingo! got the phone again!
I'm not sure of the right way to prevent snort from doing that again…
-
Registration time is in the locked advanced pages so not an option without help from his voip providers tech support.
To bypass some filtering issues here I set up a second subnet to run my voip ata's on. Its all great if you have the room to install a third NIC into your box. Otherwise its VLANs and a managed switch… :P
Im not sure if Siproxd will bypass snort or not. I only use it to run multiple ata's to multiple external servers. My provider has a production server and a byod server. Plus they are beta testing a cloud based pbx server which I am playing with.
-
To bypass some filtering issues here I set up a second subnet to run my voip ata's on. Its all great if you have the room to install a third NIC into your box. Otherwise its VLANs and a managed switch… :P
Unfortunately, I do not have a second PCI clot on that machine so adding another NIC is impossible.
I also intend to virtualize pfsense at some point on a shiny new dual socket server with LOTS of RAM…. Im not sure how will this work but I know for sure it wont have 3 NIC's (I will be able to install several NICs as the server's mobo will have 6 PCI-E slots but will I need to??)
Right now, Snort is down. Unless I know how to make sure it wont block the ATA again, it will remain down.
You see this is what Ive done:
Create an alias including all my internal IP's and some outside servers I want to keep free access to,
Under Snort's config, I went to white-list, added a white-list, and then used the alias I had createdI really thought this way snort wouldn't interfere with the hosts listed under this alias..
Apparently not.
Anybody knows why?I did not have to try Siproxd yet because the ATA works flawlessly with my port forwarding setup and snort down. If I can clear snort's interference out of the equation, and I have problems again, I will try Siproxd. I just prefer not to mix too many variables together until I really knows whats going on.
That has been my recipe with pfsense…
-
THings were too good to be true… Until I added a domain in squidguard target categoriues and suddenly the whole router crawled to a stop.. I knew what it was 1000000%
See http://forum.pfsense.org/index.php/topic,63025.msg357852.html#msg357852
Clearly nobody thinks this is a problem. IMO something is severely broken in pfsense's packages.
See the result of ps -A:
20 million havp and squidguard processes running anybody think its normal?!
$ ps -A PID TT STAT TIME COMMAND 0 ?? DLs 177:38.54 [kernel] 1 ?? SLs 0:00.05 /sbin/init -- 2 ?? DL 1:50.16 [g_event] 3 ?? RL 4:25.76 [g_up] 4 ?? DL 2:53.40 [g_down] 5 ?? DL 0:00.00 [crypto] 6 ?? DL 0:00.00 [crypto returns] 7 ?? DL 0:00.00 [sctp_iterator] 8 ?? DL 1:03.50 [pfpurge] 9 ?? DL 0:00.00 [xpt_thrd] 10 ?? DL 0:00.00 [audit] 11 ?? RL 23533:39.71 [idle] 12 ?? WL 483:41.74 [intr] 13 ?? DL 0:00.00 [ng_queue] 14 ?? DL 7:57.60 [yarrow] 15 ?? DL 0:42.49 [usb] 16 ?? DL 1:39.58 [acpi_thermal] 17 ?? DL 0:16.16 [pagedaemon] 18 ?? DL 0:00.36 [vmdaemon] 19 ?? DL 0:00.04 [pagezero] 20 ?? DL 0:03.54 [idlepoll] 21 ?? DL 0:17.68 [bufdaemon] 22 ?? DL 15:17.22 [syncer] 23 ?? DL 0:14.00 [vnlru] 24 ?? DL 0:21.51 [softdepflush] 40 ?? DL 0:19.84 [md0] 245 ?? INs 3:21.70 /usr/local/sbin/check_reload_status 247 ?? IWN 0:00.00 check_reload_status: Monitoring daemon of check_reloa 257 ?? Is 0:00.02 /sbin/devd 2396 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 2715 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 2738 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 2845 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 4907 ?? D 0:09.28 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 5011 ?? D 0:08.78 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 5319 ?? D 0:09.04 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 5396 ?? D 0:09.29 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 5529 ?? Is 0:00.13 /usr/local/sbin/sshlockout_pf 15 5736 ?? D 0:08.72 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 6035 ?? Is 0:00.00 /usr/sbin/sshd 6365 ?? D 0:22.03 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 6468 ?? D 0:23.23 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 6515 ?? D 0:21.55 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 6801 ?? Is 0:00.07 dhclient: re0 [priv] (dhclient) 6848 ?? D 0:21.44 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 7114 ?? D 0:21.84 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 8100 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 8230 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 8480 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 8808 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 9023 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 9289 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 9496 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 9753 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 10724 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 10778 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 10913 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 12344 ?? Ss 0:20.32 dhclient: re0 (dhclient) 13208 ?? Ss 0:15.62 /usr/sbin/cron -s 16871 ?? Ss 4:33.25 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log 17328 ?? D 0:17.47 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 17662 ?? D 0:17.63 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 17685 ?? D 0:17.99 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 17777 ?? D 0:17.64 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 17814 ?? D 0:17.42 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 17934 ?? D 0:33.44 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 18190 ?? D 0:33.49 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 18243 ?? D 0:34.27 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 18529 ?? D 0:32.95 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 18705 ?? D 0:33.19 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 20216 ?? S 0:00.67 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 20557 ?? S 0:00.47 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 20578 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 20768 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 20884 ?? Is 0:00.04 /usr/local/sbin/squid -D 20949 ?? S 0:00.17 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 21239 ?? S 0:00.27 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 21403 ?? S 0:00.02 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 21675 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 21798 ?? I 0:00.30 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 21881 ?? S 0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 22095 ?? Ds 307:46.96 /usr/local/bin/ntop -i re0,re1 -u root -d -4 -M -x 81 22142 ?? Is 2:19.13 /usr/local/sbin/filterdns -p /tmp/filterdns.pid -i 30 22209 ?? I 0:00.02 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 22304 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 23045 ?? Ds 71:53.62 /usr/local/sbin/clamd -c /usr/local/etc/clamd.conf 23741 ?? DL 0:06.21 [md10] 24125 ?? Ss 7:37.85 /usr/local/sbin/apinger -c /var/etc/apinger.conf 25631 ?? SN 0:00.00 sleep 60 25762 ?? R 0:00.01 ps -A 28072 ?? S 0:59.81 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfig 28602 ?? IWs 0:00.00 /usr/local/bin/php 30096 ?? IWs 0:00.00 /usr/local/bin/php 30530 ?? Ss 0:25.95 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroo 32419 ?? S 0:06.04 /usr/local/bin/php 32731 ?? D 0:50.29 /usr/local/bin/php 38698 ?? S 0:01.39 (squid) -D (squid) 38859 ?? I 0:00.00 (unlinkd) (unlinkd) 39204 ?? I 0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 39339 ?? I 0:00.07 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 39437 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 39503 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 39559 ?? Ss 2:04.82 /usr/local/bin/ntpd -g -c /var/etc/ntpd.conf 39682 ?? S 0:00.07 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 39825 ?? S 0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 39965 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 40116 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 40538 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 40849 ?? I 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 40980 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 41205 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 42829 ?? I 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 42997 ?? D 0:09.75 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 43100 ?? IWs 0:00.00 /usr/local/bin/minicron 240 /var/run/ping_hosts.pid / 43129 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 43158 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 43186 ?? D 0:09.26 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 43229 ?? R 0:11.26 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 43281 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 43530 ?? I 0:01.81 minicron: helper /usr/local/bin/ping_hosts.sh (minic 43541 ?? D 0:09.40 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 43674 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 43677 ?? I 0:09.61 /usr/local/bin/rrdtool - 43730 ?? D 0:31.64 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 43739 ?? D 0:09.46 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 43767 ?? IWs 0:00.00 /usr/local/bin/minicron 3600 /var/run/expire_accounts 43771 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 43823 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 44076 ?? R 0:30.82 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 44086 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 44098 ?? I 0:00.10 minicron: helper /etc/rc.expireaccounts (minicron) 44167 ?? IWs 0:00.00 /usr/local/bin/minicron 86400 /var/run/update_alias_u 44226 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 44348 ?? D 0:30.33 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 44389 ?? S 3:08.20 /usr/local/sbin/dnsmasq --local-ttl 1 --all-servers - 44473 ?? D 0:31.46 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 44562 ?? I 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 44594 ?? I 0:00.01 minicron: helper /etc/rc.update_alias_url_data (mini 44657 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 44676 ?? INs 0:00.02 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd. 44736 ?? R 0:32.10 (squidGuard) -c /usr/local/etc/squidGuard/squidGuard. 44811 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 44910 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 45068 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 45118 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 45263 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 45599 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 45796 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 46069 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 46356 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 46702 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 46944 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 47136 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 47311 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 47382 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 47469 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 47705 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 47919 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 48205 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 48545 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 48681 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 48716 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 48874 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 49163 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 49502 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 49515 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 49847 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 50167 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 50227 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 50540 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 50757 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51098 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51166 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51192 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51209 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51454 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51585 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51676 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51734 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 51769 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 52037 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 53482 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 53518 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 54795 ?? Ss 17:23.59 /usr/sbin/powerd -b adp -a adp 56210 ?? I 0:00.00 sleep 55 59021 ?? Ss 0:00.09 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 59708 ?? S 0:00.95 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 59959 ?? S 0:00.60 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 59965 ?? S 0:00.82 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 60073 ?? S 0:00.01 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 60360 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 60528 ?? S 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 61680 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 61798 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 61995 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 62170 ?? I 0:00.00 /usr/local/sbin/havp -c /usr/local/etc/havp/havp.conf 16277 v0- S 1:16.15 /usr/sbin/tcpdump -s 256 -v -S -l -n -e -ttt -i pflog 16308 v0- S 1:51.49 logger -t pf -p local0.info 32161 v0- I 0:49.28 /bin/sh /usr/local/pkg/sqpmon.sh 52753 v0- SN 4:51.06 /bin/sh /var/db/rrd/updaterrd.sh 52813 v0 Is+ 0:00.01 /usr/libexec/getty Pc ttyv0 53228 v1 Is+ 0:00.01 /usr/libexec/getty Pc ttyv1
pfsense is causing me too many issues and headaches. I think Im gonna find another firewall project or go back to a simple plain Jane router…
-
@lpallard:
pfsense is causing me too many issues and headaches. I think Im gonna find another firewall project or go back to a simple plain Jane router…
Sorry, but installing junk and blaming the OS just makes no sense. HAVP sucks, is broken, is not worth it, is not protecting you in any meaningful way. It uses ClamAV with absolutely pathetic detection rate, yet plagued with loads of false positives, which eats tons of resources, makes downloads suck. Any free AV on a workstation makes couple orders of magnitudes better job here. Installing HAVP, squidguard, snort on the same box? Are you mad?
You are causing all this grief to yourself. " simple plain Jane router…" - yeah, that's what you get with vanilla pfS install - before you go on a resource killing spree with all those things mentioned above. They are NOT required. They are NOT needed. They are harmful in most cases. They make you babysit the firewall 24/7.
Doctor, it hurts when I do this... Yeah, so don't do that.
-
my tinkering is causing me too many issues and headaches
There- fixed that for you!
A plain Jane router is just that. No firewall. SIP doesn't like NAT. It can be made to work if your patient. Try Vonage. It will work fine. That tells me that there are other underlying factors going on with some SIP providers.
DO I really need 3 NIC's???
No. You don't.
-
Well - There is routing, which pfsense does very well.
Then there is firewalling, which pfsense also does well.
Then there are add on packages, which do various other things like clamav and caching squid proxy and those things are neither routing nor are they anthing to do with firewall..
And then there are the UTM features of pfsense. Not know what you are doing WILL break your install.
While I don't share the dislike of clamav, I do have a dislike for all AV in general. They are resource hogs.
Better to use OSes that don't require you to run it and just load AV on your play/gaming machines.
Probably nobody who doesn't NEED the last 2 sets of features at the router should touch those.Almost no one needs the UTM stuff at home, but if you go there, don't say pfsense is broken. Some really patient fairly expert people get those features to work just fine. The key being expert + patient. Like you really keep an eye on it.
These systems are not automatically better the more you add to them.
-
Geez! doktornotor calm down !!! ;)
While I have shown signs of frustrations, my frustrations really were about the packages not the base platform. If any of you took 2 seconds to look at my other thread where I EXPLICITELY mentioned that on the base platform I had ZERO problems, but with HAVP, Squid and its crappy guardian, I had issues, you would have understood my POV.
I have repeatedly said that I was more than willing to give my time for FREE to help troubleshoot and analyze what the hell is going on with these packages because they're not working well. Is this not what Opensource projects needs in the end? Contributors and people helping for FREE?
It is not pfsense that frustrates me, it is NOT even the packages so much , its people attitude.
You post severe problems you have, you spend the necessary time to document it and write a meaningful thread about it, you explicitly ask developers and other "experts" to at least say a few words, and all you get is:
13 Replies
1139 ViewsWhich on the 13 replies, 11 are MINE.
Thats fine. I get the point. pfsense is meant to be alone to work properly, no packages added. Then I suggest pfsense devs add a big fat warning in the package manager:
Warning! Adding packages may (will) break your pfsense install
-
This is just funny. You need a rather flaky and sensitive VOIP stuff working behind firewall, and instead of setting things up so that it works and calling it a day, you go, overload your box with extremely intrusive, extremely resource intensive and rather horrible to maintain bloat and come back to vent your frustrations about how broken it is. Seriously. Just do not do that! You are causing this whole trouble to yourself!
Now - yeah, snort does NOT work out of the box, never has, never will. And quite frankly my point of view is that it is just pure evil for any home/SOHO environment, not to mention the effort constant babysitting required. (This thing has been dropped from multiple firewall distros for a damn good reason, your rants being a prime example. The mailing lists and forums basically flooded with complaints from people thinking that IDS/IPS/UTM is a musthave, point-and-click, plug and play stuff.) Getting similar intrusive and complicated setups working does not take hours nor days… Do not have time and patience for that? Well, see above, just don't install such things. And regardless, take as a fact that it may just as well never work properly with things like some buggy flaky VOIP device, depending on the device itself, the SIP provider, the ISP, etc. etc. etc.
Finally, these issues are nothing pfsense specific. Snort is exact same intrusive and disruptive everywhere else, HAVP (and the ClamAV thing behind it) does not magically become any better, nor does squid/squidguard when run on say Debian or Fedora instead of FreeBSD/pfSense.
-
I understand your frustrations. Me, being a relative newbie here get your point.
However, the reason the devs and others are not jumping through whoops to reply is because your issues have actually already been talked to death on the forums and they are really busy people. (I'd guess that anyway)If I were you, I'd run pfsense as vanilla as I could and only add what is needed.
I'd say the same for all distros. -
All right, I get the point. This is really eye opening and changed the way I see the pfsense project forever.
I still dream that some day, there are some REALLY SOLID packages for pfsense.
I kept tinkering with this because for a long while, I had success with the pfsense - havp - squid - snort - squidguard combination… Real success.
I still think all of this can be somewhow improved or fixed.
-
As suggested above - these are NOT pfsense-specific issues for the most part. You need to work with upstream to get those sorted out, improved, polished, more usable, less sucky, more shiny, more out-of-the box experience stuff. Those downstream pfSense guys just package the stuff together and ship it (in addition, providing some added value, such at the GUIs.) Unless the issue is one related to the packaging/customized configuration stuff… this won't get solved here.