tech stuff.

Posts Tagged ‘pfsense

pfsense, dnsmasq & source interfaces

with one comment

I’m having issues with dnsmasq on my pfsense router being unable to contact an overridden nameserver because they’re not being sourced from an interface that has an ipsec policy. For example, I have the following config:

Main Office Router A:
LAN address:
WAN address:

Remote Office Router B:
LAN address:
WAN address:

The two sites are connected by an ipsec tunnel. My internal nameserver serving the domain “company.local” is at

Since the remote office is on the other side of the world, I want to use the ISP nameservers for internet resolution, but send all resolutions for company.local through the tunnel to

When dnsmasq sends the packet to, however, it uses the default route and sends the packet out of the WAN interface and not through the tunnel. My first thought was to instruct dnsmasq to use the LAN interface as its source address, such as:

/usr/local/sbin/dnsmasq -l /var/dhcpd/var/db/dhcpd.leases -s –server=/company.local/

Indeed that works, but web UI doesn’t allow for that sort of syntax, afaik.

Failing that, I tried adding a bogus route on Router B in hopes that the packet will be redirected through the ipsec tunnel before actually being transmitted on the LAN interface. I added a static route for to the gateway This appears to work, so my problem is resolved for now. It doesn’t seem to be a particularly elegant solution, however.


Written by Lee Verberne

2009/01/16 at 18:00

Posted in pfsense

Tagged with

pfSense documentation recap

leave a comment »

This is in response to my previous post about pfSense documentation in which I chastised pfSense for poor documentation…

As I was browsing around looking for the details of contributing to the project, I found the found the following on the About -> Helping Out page:

We can always use help with creating documentation. If you would like to assist, please email [ … ] for an account on our documentation wiki. Unfortunately spam bots have forced us to close open editing and registration and we have not had a chance to implement a captcha or similar measures to allow this while keeping out the relentless spammers.

That’s fair enough.  Fair enough to make me feel like an asshat for my previous derision.  Indeed, I e-mailed the wiki admin, and they created my account within the day.  My only excuse is that I could not (and still cannot) find anything to this effect on the pfSense wiki itself.  There’s only the page that suggests e-mailing your contribution.

Excuses aren’t enough, though, so apologies to the pfSense community and a big F– to me for blathering on without all of the facts.

Written by Lee Verberne

2008/09/09 at 02:19

Posted in Rants

Tagged with

Server load balancing in pfSense 1.3

with 2 comments

I was poking around at the 1.3-ALPHA-ALPHA pfSense, and it looks like slbd is going to be replaced with OpenBSD’s relayd!  I can’t tell you how happy I am about this development.  Not only will relayd increase pfSense’s feature set by some order of magnitude, I have hope that it will make pfSense a viable load balancer.

Though pfSense has load balancing features right now, its limitations make it mostly unusable for my applications.  The way that slbd operates breaks session stickiness.  I’m not sure why, but I suspect that slbd is updating its pf anchor unconditionally per polling period which causes pf to reset its session state.  In addition to breaking stickiness, this causes load to be balanced unfairly.

I’ll have to do some testing to see if relayd has this say behavior.  If nothing else, though, I’m excited about a whole new host of features, some of which I haven’t seen since I last touched a NetScaler:

  • Layer 7 (in addition to Layer 3) load balancing
  • Layer 7 health monitoring (http request/response checking)
  • In-Flight HTTP request/response modifications (such as appending Remote-Host header)
  • Additional balancing algorithms, including one that can be sticky on HTTP headers/cookies

All-in-All pretty fantastic.  I don’t imagine we’ll see 1.3 until Q2 of 2009, though, so it may be worth back-porting it as a package for 1.2.1.

Written by Lee Verberne

2008/09/06 at 21:52

Posted in Internet, pfsense

Tagged with ,

No wonder pfSense’s documentation sucks

leave a comment »

Update: See pfSense documentation recap for the full story and why the following is mostly good ole-fashioned nonsense-spoutin’.

I started digging into pfSense’s ftp-proxy support with the best of intentions.  Really I did.  I was going to figure out what was going on then update the documentation on the pfSense wiki like a good community member.  Except that when the time came to post my document into the wiki I found out that I’m not allowed to update the wiki directly.  I have to e-mail my changes to some guy.  Boo.  That’s no wiki.

That made it seem like I’d have to argue my case for getting documentation put into the wiki.  So I set my document aside until I’d have time to polish it up some more and write an e-mail begging pfSense to accept my meager contribution.  That was 2 months ago.

pfSense, you get a big F– for placing hurdles in the way of community documentation and completely missing the point of a wiki.

Written by Lee Verberne

2008/08/31 at 22:35

Posted in pfsense, Rants

Tagged with

pfSense’s poorly documented ftp proxy

leave a comment »

It turns out that when you (a) disable the “disable ftp-proxy” on the WAN interface and (b) create a NAT rule that uses port 21, the ftp proxy will be automatically (and silently) started in the background.  If you then modify that NAT rule, the ftp proxy application will not be updated (presumably until a reboot), but if you delete and create the rule again the ftp proxy will be started anew with the updated information.

Written by Lee Verberne

2008/08/31 at 22:16

Posted in pfsense

Tagged with

Forcing CARP failover using pfSense

leave a comment »

Anything that has a master/slave cluster should have some sort of mechanism for failing from the master to the slave, right?  We’ll see…

pfSense provides HA via OpenBSD’s (very excellent) CARP.  Of course I could just increment the advskew on all of the interfaces to fail them over individually, but that doesn’t really work for me.  That involves spending some amount of time in a partially failed-over state.  Having quite a bit of experience with OpenBSD, I expected there to be a more elegant solution and I certainly wasn’t disappointed.  It looks like OpenBSD provides interface groups and a setting called “carpdemote”.  Incrementing carpdemote on the master’s “carp” group would cause all carp interfaces to fail over to the next-in-line.  nice.

I guess I was just expecting FreeBSD to have the same functionality.  FreeBSD 7.0 does have interface groups, but I can’t find carpdemote in the documentation.  Still, maybe pfSense 1.2.1 will be worth the upgrade afterall.

All-in-all, forcing the failover one at a time wasn’t so bad.  Upping the advskew on all interfaces to 200 from a shell loop like the following got the job done, but that race condition just doesn’t sit well.

for i in 0 1 2 3; do 
    ifconfig carp$i advskew 200

Then I did my work and rebooted the master.  When the master came up, all of the interfaces were reset to an advskew of 0, which is less-than-ideal-but-still-expected.  Strangely, this didn’t cause the interfaces to fail back to the master.  For about 5 minutes the master interfaces remained BACKUP even though the master interfaces had an advskew of 0 and the backup had an advskew of 100.

After about 5 minutes all of the interfaces failed back to the master.  I expect this is just a relic of how the advskew parameter actually works by tuning carp announcement intervals.

Written by Lee Verberne

2008/08/31 at 06:11

Posted in pfsense, Unix-type stuff

Tagged with , ,