GrandStream HT502 BEHIND router
-
hello,
I have a HARD time getting a Grandstream HT502 to work in conjunction with pfsense, and since I no longer have a cellphone and VOIP will be my only phone, I am in a rush to get this working.
Anyone who can coach me, please share!
Basically, I have tried 2 different configurations:
Before the pfsense router (i.e. between my cable modem and the pfsense box)
Phone works (with LOTS of noise and static), and sound is choppy. I believe this is because there's no QoS being done since the pfsense box doesn't see the ATA device. My 30Mbps/10Mbps connection is throttled to around 15Mbps/5Mbps. This is not going to happen ;)
After the pfsense machine (as a LAN device like my computers, printers, etc)
I have configured the ATA as much as possible (given the crappy firmware in it) for it to get an IP from pfsense, and that works flawlessly. I can reach the web interface and see its status. The problem is that the ATA never registers with my service provider. I'm not sure why.
According to them, my router is causing the problems. I tried opening ports, doing port forwarding as per my service provider's instructions, to no avail. The ATA just doesn't reach the outside world.
I tried setting up WAN rules to direct the outside traffic to the ports 5060, 5061, 10538, etc (as my service provider suggested) but it's not working.
Can someone guide me through setting up pfsense to support a simple ATA (VOIP) device??
Pfsense is still cryptic for me since I'm just a normal home user and not a network expert..
Thanks!!!!
-
Turns out, I think pfsense is the issue. I did a thorough troubleshooting along with the service provider and step by step I've isolated the bottleneck.
Important to mention: between each speed test, I have unplugged EVERYTHING (modem, ATA, pfsense box, computer) so no residual data (subnet, IP, etc.) from a previous test would stay and cause trouble or screw up the test.
Here's the results of the speedtests for each network config: (All in Mbps)
This is a 30Mbps/10Mbps connection
Test 1: Cable modem -> Computer
1. U 23.18 / D 9.44
2. U 22.77 / D 9.46
3. U 22.16 / D 9.51
4. U 24.44 / D 9.53
Test 2: Cable modem -> ATA device -> Computer
1. U 22.82 / D 10.34
2. U 20.87 / D 10.30
3. U 22.87 / D 10.34
4. U 22.60 / D 10.18
Test 3: Cable modem -> ATA device -> pfSense box -> Computer
1. U 16.70 / D 10.06
2. U 15.85 / D 1.30
3. U 16.93 / D 10.22
4. U 17.98 / D 10.25
Test 4: Cable modem -> pfSense box -> Computer
1. U 30.16 / D 10.22
2. U 15.57 / D 1.47
3. U 31.62 / D 9.94
4. U 30.03 / D 10.20
My thoughts:
-
Results from test 1 and 2 clearly show that the ATA device does not cause bottleneck issues as I previously thought. The difference between the average speed of approx. 22Mbps versus my nominal speed of 30Mbps IMO are related to cable congestion or other ISP issues (I am close to a large city).
Result from test 4 also shows that the pfsense box directly connected to the cable modem is not causing bandwidth issues.
SO I conclude that for whatever reason that I would like to determine, pfsense has a hard time playing with the ATA device. The only configuration that caused severe bandwidth throttle was the config where pfsense was after the ATA device.
I hope this will be useful to someone to help me pin point the cause..
EDIT: Speedtest done using a python CLI utility available at https://github.com/sivel/speedtest-cli
Thanks to the original devs for this useful tool!
-
Additionally, I tried once again to setup the ATA on the LAN side and setup port forwarding on pfsense
using http://forum.pfsense.org/index.php?topic=55676.0
No go. The ATA doesn't register at all..
In both configurations, pfsense is the root cause of the issues..
What kind of configuration does pfsense need for a simple voip device to work?
-
Another reply….
I am trying to set a DMZ for the ATA. All tutorials or documentation I find, you need 3 network cards in the machine running PFS. DO I really need 3 NIC's???
Thats pathetic. My $35 old linksys router could do DMZ in a second.
Other than DMZ, how could I make this thing work?
-
It's important to note that different voip companies do things differently. The standard that should be was scared off by the big lawsuit that Vonage lost.
Can you try the siproxd package? I'm not a big fan of Grandstream products due to various issues but I'm sure the double natting that you're doing isn't helping the situation.
My only Grandstream product is actually behind a pfsense install sharing a network with a Vonage device (linksys) and doing quite well without siproxd. At my home however I have 4 numbers across 2 Linksys devices with the same company as the Grandstream that need Siproxd to work.
Grandstream will give you problems being the first in line.
-
The only thing I've ever had to do to get my device to register well with a distant SIP server is make my system recheck registration every few seconds vs 3600 seconds. I have several SIP devices behind pfsense and all work. Where you have been using more NAT rules and stuff, you probably really should use less. NAT rules only make sense if the server is behind your firewall and it's not.
I am using manual outbound NAT and I do have an outbound NAT rule that tells anything on port 5060 or 5061 to use STATIC port.
If you have multiple IPs that can also cause a problem. I've heard that using "sticky connections" fixes that.
Now - You said something earlier that made little sense to me. You said you used your phone connected directly to the modem before pfsense and it worked? That's really bizarre UNLESS your modem is also a router and your pfsense is double NATed, in which case I'd expect a lot of broken functionality.
-
Can you try the siproxd package? I'm not a big fan of Grandstream products due to various issues but I'm sure the double natting that you're doing isn't helping the situation.
Of course I will try the siproxd package with pleasure! I will report back on that. I agree 100% with you, GS products seem to be crappy at best. Double natting? Like I said, I'm a total idiot when it comes to networking. I can set up a basic LAN but other than that, no clue!
One thing I observed. The ATA in bridge mode (supposedly just acting like a switch), if I connect it to the modem and the router is NOT connected to the ata (in other words modem -> ATA -> Nothing) and I wait for the ATA to sync and initialize, it will register on the supplier's network and the phone will work. If I connect the ATA to the modem and connect the pfsense router to the ATA, and initialize the ATA, the pfsense router will get an IP but the ATA wont register to the service provider.
TO me, it looks like the ATA was getting an IP from the supplier but NOT forwarding the IP to the LAN (the router in my case) which I thought should..
In NAT mode, the ATA gets an IP from the supplier, and gives an IP to the router no problems..
Grandstream will give you problems being the first in line.
Agreed. My network has worked FLAWLESSLY for several months. At the moment I introduced this Grandstream P-O-S (sorry I tend to lose it) before my pfsense box, it was game over immediately.
Where you have been using more NAT rules and stuff, you probably really should use less. NAT rules only make sense if the server is behind your firewall and its not.
I am using manual outbound NAT and I do have a outbound NAT rule that tells anything on port 5060 or 5061 to use STATIC port.
Would you care to guide me thru this??? I know nothing about port forwarding and NAT so I know myself, I will end up screwing stuff up instead of fixing it.
You said you used your phone connected directly to the modem before pfsense and it worked? Thats really bizarre UNLESS your modem is also a router and your pfsense is double NATed, in which case I'd expect alot of broken functionality.
Well…. AFAIK the modem is only a cable modem but it is factory set. I will try to get into the modem config and see that is there. But yes , the ATA directly after the modem, the phone in the ATA, all is fine (phone wise) but the ATA has to be in NAT mode for the internet access to work.
Heres a summary to clear things up:
Config 1
--> Cable modem --> ATA in NAT mode --> pfSense --> LAN
Internet works, phone works (ATA registers with supplier), bandwidth is capped to 15Mbps
Config 2
--> Cable modem --> ATA in BRIDGE mode --> pfSense --> LAN
ATA will sync with supplier, phone will work but pfsense wont get a valid public IP.
-
Well - In my case I have several subnets here in the 10.x.x.0 / 24 range.
So, what I did rather than make a dozen entries in my outbound NAT is to just make one.
So, first off you would have to be running Manual outbound NAT.
So, firewall > NAT > Outbound
click "Manual Outbound NAT rule generation" Then save.
(Don't worry - You can always re-click the auto setting later if you like)
Now, you should get a bunch of rules that automatically appear.
At the very top, I created a rule with interface as WAN and source as 10.50.0.0/16 (to cover all my /24 subnets) with destination port 5060 and static port checked. That fixed my SIP issues.
THE RULE HAS TO BE AT TOP OF LIST OR IT WILL NEVER GET PROCESSED.
Mileage varies per user…
-
lpallard-
What model cable modem do you have?
Do you have access to the voip settings on the grandstream?
also- did you change the LAN address from default on either pfsense or the grandstream?
-
OK ! Out of nowhere, after I had set my port forwarding and NAT on the pfsense machine, I plugged the ATA in my LAN, it got an IP from pfsense's DHCP server and then after a few minutes, the phone worked.. Not sure why it didnt work the 100 times I tried last week…
Anyways,
kejianshi, look at my screenshots to see my config. DO you spot anything dangerous, out of the ordinary or wrong??
chpalmer, my modem is Thomson DCM475. Apparently, this modem is what they call a plain-Jane modem, no routing functions whatsoever done by the modem. It's more or less just a device that converts cable signals to network signals.. Anyways this is what I understand..
I do have access to the HT502 settings. They're in the screenshots as well.
The HT502 is factory set to get an IP through DHCP on its WAN port (normally from the service supplier if connected BEFORE the router) but since in my case it's connected AFTER the router, it's getting an IP from pfsense. It works perfectly. As for the LAN port on the HT502, I'm not using it (if after router) since I don't need to bridge or NAT through it to "feed" another device. That'd be required if the HT502 was placed between my modem & router which is not right now.
The LAN on pfsense is set to 192.168.0.100 to 110
Other than that, please ask, I will try to find the info or post additional screenshots.
:)
NB: I do NOT have access to the HT502's advanced settings page and the FXS Port 1 & 2 since at the moment the ATA is provisioned by the service provider, they block access to these pages...
-
Other screenshots
-
As I expected, this was too good to be true…
I was talking on the phone and suddenly, everything died. Now when I pickup the phone I hear "Device not registered".
The ATA lost connectivity to the outside. See screenshot: Not Registered.
Looking in pfsense logs:
Aug 25 13:44:11 snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200
Aug 25 13:44:11 snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200
Aug 25 13:43:55 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Aug 25 13:43:55 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Aug 25 13:43:38 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Aug 25 13:43:38 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Could snort cause issues?? I stopped it and rebooted the ATA. Will post back ASAP if this helped or not.
-
Your device should probably have the "NAT" box checked in its settings and also, I had to change my device to time out every 15 seconds instead of 3600. Same for UDP time-out. After that, it stayed registered. If I set my settings same as yours, I'd be offline also.
Unless their service will boot you for checking in too often, its better to make those numbers smaller.
And snort… Geeze. Don't get me started on SNORT.
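An added example, not part of any post in this thread and not pfSense code: a toy model of a stateful UDP NAT showing why the registration interval and the static-port rule discussed above matter. The 60-second UDP state timeout, the ATA address and all function names are assumptions made for the illustration.

```python
import random

ATA_IP, SIP_PORT = "192.168.0.109", 5060  # constructed sample endpoint (assumption)


class StatefulNat:
    """Toy stateful UDP NAT: one mapping per internal socket, expired when idle."""

    def __init__(self, udp_timeout, static_port=False, seed=1):
        self.udp_timeout = udp_timeout      # seconds a UDP state may sit idle
        self.static_port = static_port      # True: keep the internal source port
        self.rng = random.Random(seed)      # seeded so the run is repeatable
        self.states = {}                    # (int_ip, int_port) -> [ext_port, last_seen]

    def _expire(self, now):
        self.states = {k: v for k, v in self.states.items()
                       if now - v[1] <= self.udp_timeout}

    def outbound(self, now, int_ip, int_port):
        """A packet leaves the LAN; return the source port the provider sees."""
        self._expire(now)
        key = (int_ip, int_port)
        if key not in self.states:
            ext = int_port if self.static_port else self.rng.randint(1024, 65535)
            self.states[key] = [ext, now]
        self.states[key][1] = now
        return self.states[key][0]

    def inbound(self, now, ext_port):
        """A packet arrives from the provider; return the LAN socket or None."""
        self._expire(now)
        for key, state in self.states.items():
            if state[0] == ext_port:
                state[1] = now
                return key
        return None  # no state: the firewall drops the packet


def call_reaches_ata(register_every, udp_timeout, invite_at, static_port=False):
    """The ATA re-registers on a timer; the provider then sends an INVITE to the
    port it saw in the most recent registration. True if it reaches the ATA."""
    nat = StatefulNat(udp_timeout, static_port)
    contact_port = None
    t = 0
    while t <= invite_at:
        contact_port = nat.outbound(t, ATA_IP, SIP_PORT)
        t += register_every
    return nat.inbound(invite_at, contact_port) == (ATA_IP, SIP_PORT)


def ports_seen_by_provider(register_every, udp_timeout, static_port, registrations=5):
    """Set of source ports the provider observes over several registrations."""
    nat = StatefulNat(udp_timeout, static_port)
    return {nat.outbound(i * register_every, ATA_IP, SIP_PORT)
            for i in range(registrations)}


if __name__ == "__main__":
    for every in (3600, 15):
        ok = call_reaches_ata(every, udp_timeout=60, invite_at=310)
        print(f"re-register every {every:>4}s -> incoming call delivered: {ok}")
    print("ports, randomised:", sorted(ports_seen_by_provider(3600, 60, False)))
    print("ports, static    :", sorted(ports_seen_by_provider(3600, 60, True)))
```

In this model static port alone does not keep the mapping alive; it only keeps the source port the provider sees constant, while the short registration interval is what refreshes the state.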
-
Yep, snort WAS the problem.. I think anyways. I stopped it, cleared the blocked hosts, rebooted the ATA and bingo! got the phone again!
I'm not sure of the right way to prevent snort from doing that again…
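An added example, not written by anyone in this thread and not Snort or pfSense project code: one way to triage the alerts quoted earlier is to parse them, count them per generator/signature ID, and draft `suppress` entries (Snort 2.x event-filter syntax) scoped to the VoIP endpoints only. Treating 192.168.0.109 as the ATA and 206.248.144.132 as the provider's SIP server is an assumption read off the quoted log; the function names are hypothetical.

```python
import re
from collections import Counter

# Alert lines as quoted from the pfSense log earlier in this thread.
SAMPLE_LOG = """\
Aug 25 13:44:11 snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200
Aug 25 13:44:11 snort[12247]: [122:21:1] (portscan) UDP Filtered Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 206.248.144.132 -> 192.0.227.200
Aug 25 13:43:55 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Aug 25 13:43:55 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Aug 25 13:43:38 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
Aug 25 13:43:38 snort[35706]: [140:20:1] (spp_sip) Invite replay attack [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.0.109:5060 -> 206.248.144.132:5060
"""

# Assumption: the ATA and the provider's SIP server, inferred from the log above.
TRUSTED_VOIP_HOSTS = {"192.168.0.109", "206.248.144.132"}

ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[Classification: (?P<cls>[^\]]*)\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>[^}]+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)


def parse_alerts(text):
    """Return one dict per Snort alert line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = m.groupdict()
            alert["gid"], alert["sid"] = int(alert["gid"]), int(alert["sid"])
            alerts.append(alert)
    return alerts


def alert_counts(alerts):
    """Count alerts per (generator id, signature id, message)."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)


def suppress_entries(alerts, trusted):
    """Draft one suppress line per signature and trusted host.

    The entry is scoped to the trusted address (by_src or by_dst), so the
    same signature still fires for every other host.
    """
    entries = set()
    for a in alerts:
        if a["src"] in trusted:
            track, ip = "by_src", a["src"]
        elif a["dst"] in trusted:
            track, ip = "by_dst", a["dst"]
        else:
            continue  # not VoIP traffic: leave the rule fully active
        entries.add(
            f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track {track}, ip {ip}"
        )
    return sorted(entries)


def untrusted_alerts(alerts, trusted):
    """Alerts that touch no trusted host and still need a human look."""
    return [a for a in alerts if a["src"] not in trusted and a["dst"] not in trusted]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for (gid, sid, msg), n in alert_counts(parsed).most_common():
        print(f"{n:>3}  [{gid}:{sid}] {msg}")
    print("\n".join(suppress_entries(parsed, TRUSTED_VOIP_HOSTS)))
    print("alerts not involving VoIP hosts:", len(untrusted_alerts(parsed, TRUSTED_VOIP_HOSTS)))
```

Review each drafted entry before loading it: every line switches off one signature for one address, so the list should stay as short as the log evidence allows.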
-
Registration time is in the locked advanced pages so not an option without help from his voip providers tech support.
To bypass some filtering issues here I set up a second subnet to run my voip ata's on. Its all great if you have the room to install a third NIC into your box. Otherwise its VLANs and a managed switch… :P
Im not sure if Siproxd will bypass snort or not. I only use it to run multiple ata's to multiple external servers. My provider has a production server and a byod server. Plus they are beta testing a cloud based pbx server which I am playing with.
-
To bypass some filtering issues here I set up a second subnet to run my voip ata's on. Its all great if you have the room to install a third NIC into your box. Otherwise its VLANs and a managed switch… :P
Unfortunately, I do not have a second PCI slot on that machine so adding another NIC is impossible.
I also intend to virtualize pfsense at some point on a shiny new dual socket server with LOTS of RAM…. Im not sure how will this work but I know for sure it wont have 3 NIC's (I will be able to install several NICs as the server's mobo will have 6 PCI-E slots but will I need to??)
Right now, Snort is down. Unless I know how to make sure it wont block the ATA again, it will remain down.
You see this is what Ive done:
Create an alias including all my internal IP's and some outside servers I want to keep free access to,
Under Snort's config, I went to white-list, added a white-list, and then used the alias I had created
I really thought this way snort wouldn't interfere with the hosts listed under this alias..
Apparently not.
Anybody know why?
I did not have to try Siproxd yet because the ATA works flawlessly with my port forwarding setup and snort down. If I can clear snort's interference out of the equation, and I have problems again, I will try Siproxd. I just prefer not to mix too many variables together until I really know what's going on.
That has been my recipe with pfsense…
-
Things were too good to be true… Until I added a domain in squidguard target categories and suddenly the whole router crawled to a stop.. I knew what it was 1000000%
See http://forum.pfsense.org/index.php/topic,63025.msg357852.html#msg357852
Clearly nobody thinks this is a problem. IMO something is severely broken in pfsense's packages.
See the result of ps -A:
20 million havp and squidguard processes running anybody think its normal?!
pfsense is causing me too many issues and headaches. I think Im gonna find another firewall project or go back to a simple plain Jane router…
-
@lpallard:
pfsense is causing me too many issues and headaches. I think Im gonna find another firewall project or go back to a simple plain Jane router…
Sorry, but installing junk and blaming the OS just makes no sense. HAVP sucks, is broken, is not worth it, is not protecting you in any meaningful way. It uses ClamAV with absolutely pathetic detection rate, yet plagued with loads of false positives, which eats tons of resources, makes downloads suck. Any free AV on a workstation makes couple orders of magnitudes better job here. Installing HAVP, squidguard, snort on the same box? Are you mad?
You are causing all this grief to yourself. " simple plain Jane router…" - yeah, that's what you get with vanilla pfS install - before you go on a resource killing spree with all those things mentioned above. They are NOT required. They are NOT needed. They are harmful in most cases. They make you babysit the firewall 24/7.
Doctor, it hurts when I do this... Yeah, so don't do that.
-
my tinkering is causing me too many issues and headaches
There- fixed that for you!
A plain Jane router is just that. No firewall. SIP doesn't like NAT. It can be made to work if you're patient. Try Vonage. It will work fine. That tells me that there are other underlying factors going on with some SIP providers.
DO I really need 3 NIC's???
No. You don't.
-
Well - There is routing, which pfsense does very well.
Then there is firewalling, which pfsense also does well.
Then there are add-on packages, which do various other things like clamav and caching squid proxy, and those things are neither routing nor anything to do with firewalling.
And then there are the UTM features of pfsense. Not knowing what you are doing WILL break your install.
While I don't share the dislike of clamav, I do have a dislike for all AV in general. They are resource hogs.
Better to use OSes that don't require you to run it and just load AV on your play/gaming machines.
Probably nobody who doesn't NEED the last 2 sets of features at the router should touch those.
Almost no one needs the UTM stuff at home, but if you go there, don't say pfsense is broken. Some really patient fairly expert people get those features to work just fine. The key being expert + patient. Like you really keep an eye on it.
These systems are not automatically better the more you add to them.