Re: [pfSense Support] traffic shaper queues scheduler options
Use the EZ-Shaper wizard. It will do exactly what you want.

--Bill

On 7/24/05, Xtian [EMAIL PROTECTED] wrote:
> Hi,
>
> I have done my best to read the FAQs, documentation, and mailing list archives for both pfSense and Monowall, and have not found any information on this, hence I am asking here. If I overlooked something, please point me to the information. Thanks!
>
> pfSense has no documentation for the traffic shaper. Since the traffic shaper is significantly different from Monowall's, the Monowall documentation (which is also non-existent, but there is one example in their mailing list archives on how to prioritize ACKs) doesn't directly apply.
>
> Specifically, in Firewall: Shaper: Queues: Edit, what do the following fields or check boxes in the Scheduler options section mean:
>
> This is a parent queue of HFSC/CBQ
> Upperlimit: [field] [field] [field]
> Real time: [field] [field] [field]
> Link share: [field] [field] [field]
>
> How are they to be set?
>
> If I were to be more specific: I wish to prioritize interactive SSH traffic above all else (such that FTP, bittorrent, etc., do not create such massive lag in my SSH sessions.) If you tell me about the Scheduler options I am sure I can figure it out on my own, but if you want I would also be glad for information specific to the SSH question.
>
> Perhaps this could be added to the pfSense documentation? Or tutorials? I think that besides firewalling and routing, traffic shaping must be the most used feature in pfSense. Documentation would be highly welcome.
>
> Thanks,
> -Christian

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] traffic shaper queues scheduler options
Hi Bill,

I haven't found that to be true. It doesn't create any rules for SSH. pfSense has a wide selection of games and P2P software that it will make rules and queues for, but not SSH, unless I overlooked something. Certainly trying to SSH whilst FTPing a large suffered from the same massive lag as always.

I would still like to know what the 6 fields in the traffic shaper scheduler are for though!

Thanks,
-Christian

> Use the EZ-Shaper wizard. It will do exactly what you want.
>
> --Bill
Re: [pfSense Support] CARP and backup firewall
I have 2 boxes at home, both on carp. Works fine. You sure your outbound rules are setup correctly?

Scott

On 7/25/05, alan walters [EMAIL PROTECTED] wrote:
> On version 0.70.8 I had sync working and backup lan operational when the master was down. On version 0.71 the sync works great, all the rules are being synchronised and the backup becomes master in the status of carp but?? It does not seem to have a route to the internet any more. A traceroute shows it going to the backup and timing out. When the master comes back up the traceroute changes to the master and all is fine.
>
> Regards
> alan
Re: [pfSense Support] round robin on inbound nat
On 7/25/05, alan walters [EMAIL PROTECTED] wrote:
> I know this discussion is going on a bit. But I was wondering if we really think it is practical using the method we are trying. With a basic round robin configured on the firewall. The web servers can be configured to use their own software to manage their own virtual IP addresses.

This complicates matters. I don't like it.

> That will allow anyone to use simple or complicated setups and be OS independent. The example would be where we use ucarp on our web servers to manage their virtual IPs, then if one goes down the other IP just gets migrated to another server. We manage this ucarp on a management network so there is no traffic on our DMZ zone other than the required traffic. If pfsense can round robin to this VIP pool then all is fine in a failure. Unless there is some flashy cunning thing that BSD can do that I am missing.

We will have a monitoring daemon that checks a server's heartbeat. If the server goes down for some reason it's taken out of the pf rules table that controls load balancing. It's quite simple, elegant and doesn't require more stuff running on the server that we are redirecting to. Requiring an operator to manage another setup of virtual IPs is not necessary for this task.

Scott
Re: [pfSense Support] traffic shaper queues scheduler options
On 7/25/05, Christian Rohrmeier [EMAIL PROTECTED] wrote:
> I haven't found that to be true. It doesn't create any rules for SSH. pfSense has a wide selection of games and P2P software that it will make rules and queues for, but not SSH, unless I overlooked something. Certainly trying to SSH whilst FTPing a large suffered from the same massive lag as always.

SSH sets the TOS lowdelay bit on all its ACKs, so non-bulk SSH should by default go into the ACK queue. Any chance you were saturating your downstream with ACKs, which would force SSH and FTP to then compete within the same queue?

> I would still like to know what the 6 fields in the traffic shaper scheduler are for though!

I'll update the code with comments, in the meantime, from the pf.conf man page:

    The hfsc scheduler supports some additional options:

    realtime _sc_     The minimum required bandwidth for the queue.
    upperlimit _sc_   The maximum allowed bandwidth for the queue.
    linkshare _sc_    The bandwidth share of a backlogged queue.

    sc is an acronym for service curve.

    The format for service curve specifications is (m1, d, m2). m2 controls
    the bandwidth assigned to the queue. m1 and d are optional and can be
    used to control the initial bandwidth assignment. For the first d
    milliseconds the queue gets the bandwidth given as m1, afterwards the
    value given in m2.

The boxes correspond to m1, d, m2 in that order (except m1 and d are not optional with pfsense).

--Bill
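As an added illustration of the (m1, d, m2) semantics quoted from pf.conf above, the Python below models a service curve as pfSense's three boxes describe it and checks that a queue's guaranteed minimum (realtime) never promises more than its cap (upperlimit). This is example code written for this archive, not code from pfSense, pf/ALTQ or any poster; the names ServiceCurve, parse_bandwidth and check_curves are mine, and treating Kb/Mb suffixes as decimal multiples (Kb = 1000 bits/s) is an assumption.

```python
"""Model of an HFSC service curve (m1, d, m2) as described in pf.conf(5).

Added example for this thread, not code from pfSense, pf/ALTQ or the posters.
It only models the arithmetic of the quoted description; it does not touch pf.
Assumption: bandwidth suffixes are decimal (Kb = 1000 bits/s, Mb = 1e6).
"""
from dataclasses import dataclass
from typing import List, Optional

# Longest suffixes first so that "kb" is matched before the bare "b".
_UNITS = {"gb": 1_000_000_000, "mb": 1_000_000, "kb": 1_000, "b": 1}


def parse_bandwidth(spec: str) -> int:
    """Parse a pf-style bandwidth string such as '64Kb' or '1.5Mb' into bits/s.

    A bare number is taken as bits per second.
    """
    s = spec.strip().lower()
    for suffix, mult in _UNITS.items():
        if s.endswith(suffix):
            return int(float(s[: -len(suffix)]) * mult)
    return int(float(s))


@dataclass(frozen=True)
class ServiceCurve:
    """One scheduler row: the three boxes are m1, d, m2 in that order."""
    m1: int  # bits/s granted during the first d milliseconds of backlog
    d: int   # length of the initial segment, in milliseconds
    m2: int  # bits/s granted from d onwards (the long-term rate)

    @classmethod
    def from_fields(cls, m1: str, d: str, m2: str) -> "ServiceCurve":
        """Build a curve from the three text fields as typed into the GUI."""
        return cls(parse_bandwidth(m1), int(d), parse_bandwidth(m2))

    def rate_at(self, t_ms: int) -> int:
        """Slope of the curve at time t since the queue became backlogged."""
        return self.m1 if t_ms < self.d else self.m2

    def service_bits(self, t_ms: int) -> float:
        """Cumulative service (bits) the curve promises by time t."""
        if t_ms <= self.d:
            return self.m1 * t_ms / 1000.0
        return (self.m1 * self.d + self.m2 * (t_ms - self.d)) / 1000.0


def check_curves(realtime: Optional[ServiceCurve],
                 upperlimit: Optional[ServiceCurve]) -> List[str]:
    """Sanity-check a queue: the guaranteed minimum (realtime) can never
    promise more than the cap (upperlimit) at any point in time.

    Both curves are piecewise linear with one breakpoint, so comparing the
    cumulative service at each breakpoint and then the final slopes covers
    every instant.
    """
    problems: List[str] = []
    if realtime and upperlimit:
        for t in sorted({realtime.d, upperlimit.d}):
            if realtime.service_bits(t) > upperlimit.service_bits(t):
                problems.append(f"realtime promises more than upperlimit at t={t} ms")
        if realtime.m2 > upperlimit.m2:
            problems.append("realtime long-term rate m2 exceeds upperlimit m2")
    return problems


if __name__ == "__main__":
    # Constructed values: an interactive queue that may burst to 64Kb/s for
    # half a second, then settles at 32Kb/s, under a flat 128Kb/s cap.
    rt = ServiceCurve.from_fields("64Kb", "500", "32Kb")
    ul = ServiceCurve.from_fields("128Kb", "0", "128Kb")
    print("rate at 100 ms:", rt.rate_at(100), "bits/s")
    print("service by 1000 ms:", rt.service_bits(1000), "bits")
    print("problems:", check_curves(rt, ul))
```

The check matters for the SSH case discussed in the thread: an interactive queue gets its latency from a realtime curve, but a realtime curve that exceeds the upperlimit on the same queue is contradictory, and catching that before the rules are loaded is cheaper than debugging lag afterwards.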
Re: [pfSense Support] 0.71.x WARP Version
David Strout wrote:
> Everyone,
>
> Has anyone tried the new 0.71.x WARP version on a Soekris 4801 yet? If so could you provide any findings / gotchas?
>
> Regards,
> --
> David L. Strout
> Engineering Systems Plus, LLC

yes, It works :-)
but...
ssh doesn't work with 0.70.x
I wasn't able to restore a saved configuration
nat: outbound load balance, does it work?

regards
Re: [pfSense Support] squid diskd 70.10
I will look into using the sysctl.conf infrastructure that we have. I have a feeling that some of these values need to be passed from the boot loader, however. We'll see.

Scott

On 7/25/05, Bill Marquette [EMAIL PROTECTED] wrote:
> Uhhh, what's that gonna do to the rest of us that don't use squid? Is this going to make the kernel use more memory?
>
> --Bill
>
> On 7/24/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> > Alright, I'll recompile the kernel with:
> >
> > options MSGMNB=8192 # max # of bytes in a queue
> > options MSGMNI=40 # number of message queue identifiers
> > options MSGSEG=512 # number of message segments per queue
> > options MSGSSZ=64 # size of a message segment
> > options MSGTQL=2048 # max messages in system
> >
> > Any objections? Speak now or forever have a modified kernel pfSense users!
> >
> > Scott
> >
> > On 7/24/05, Bachman Kharazmi [EMAIL PROTECTED] wrote:
> > > from what I can read in the squid faq your kernel needs to get rebuilt.
> > > http://www.squid-cache.org/Doc/FAQ/FAQ-22.html#ss22.6
> > >
> > > The messages between Squid and diskd are 32 bytes for 32-bit CPUs and 40 bytes for 64-bit CPUs. Thus, MSGSSZ should be 32 or greater. You may want to set it to a larger value, just to be safe.
> > >
> > > your value is set to kern.ipc.msgssz: 8 which is way too low.
> > >
> > > please read http://ezine.daemonnews.org/200209/squid.html that also gives good suggestions
> > >
> > > gl
> > > /bk
> > >
> > > On 7/24/05, William David Armstrong [EMAIL PROTECTED] wrote:
> > > > I have upgraded 70.8 to 70.10 and I get this error trying to use diskd in squid; squid tries to restart but continues not to work. In version 70.8 diskd worked ok, I did not get any of these errors, I tried on another machine. I believe the diskd options are not included or not correctly configured in the kernel.
> > > >
> > > > option MSGMNI=41
> > > > option MSGMNB=16384
> > > > option MSGSEG=2049
> > > > option MSGSSZ=64
> > > > option MSGTQL=512
> > > > option MHMSEG=16
> > > > option MHMMNI=32
> > > > option MHMMAX=2097152
> > > > option SHMALL=4096
> > > > option MAXFILES=8192
> > > > option NMBCLUSTERS=32768
> > > >
> > > > I found this in a 70.10
> > > >
> > > > $ sysctl -a
> > > > kern.ipc.msgmni: 40
> > > > kern.ipc.msgmnb: 2048
> > > > kern.ipc.msgseg: 2048
> > > > kern.ipc.msgssz: 8
> > > > kern.ipc.msgtql: 40
> > > > MHMSEG not found
> > > > MHMMNI not found
> > > > MHMMAX not found
> > > > kern.ipc.shmall: 8192
> > > > kern.maxfiles: 16384
> > > > kern.maxfilesperproc: 16384
> > > > kern.ipc.nmbclusters: 4800
> > > >
> > > > is it confirmed ???
> > > >
> > > > I send a log of errors
> > > >
> > > > $cat /usr/loca/suiqd/log/cache.log
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| assertion failed: diskd/store_io_diskd.c:494: ++send_errors 100
> > > > 2005/07/24 03:54:10| Starting Squid Cache version 2.5.STABLE10 for i386-portbld-freebsd6.0...
> > > > 2005/07/24 03:54:10| Process ID 2670
> > > > 2005/07/24 03:54:10| With 1735 file descriptors available
> > > > 2005/07/24 03:54:10| DNS Socket created at 0.0.0.0, port 60294, FD 7
> > > > 2005/07/24 03:54:10| Adding nameserver 201.10.120.2 from /etc/resolv.conf
> > > > 2005/07/24 03:54:10| Adding nameserver 201.10.128.3 from /etc/resolv.conf
> > > > 2005/07/24 03:54:10| Unlinkd pipe opened on FD 12
> > > > 2005/07/24 03:54:10| Swap maxSize 307200 KB, estimated 23630 objects
> > > > 2005/07/24 03:54:10| Target number of buckets: 1181
> > > > 2005/07/24 03:54:10| Using 8192 Store buckets
> > > > 2005/07/24 03:54:10| Max Mem size: 8192 KB
> > > > 2005/07/24 03:54:10| Max Swap size:
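The FAQ requirement Bachman quotes (diskd messages are 32 bytes on 32-bit CPUs and 40 on 64-bit, so MSGSSZ must be at least that) can be turned into a check run over `sysctl -a` output, which is what a practitioner would want before recompiling anything. The Python below is an added example, not code from squid, pfSense or any poster. The sample sysctl lines are constructed from the values William pasted, the function names are mine, and the pool accounting in messages_that_fit (msgseg segments of msgssz bytes each, with msgtql as a system-wide message cap) is standard SysV IPC arithmetic I am assuming rather than something the thread states.

```python
"""Check SysV message-queue sysctls against the squid diskd requirement
quoted in the thread above (32-byte messages on 32-bit CPUs, 40 on 64-bit,
so kern.ipc.msgssz must be at least that).

Added example, not code from squid, pfSense or the posters. SAMPLE_SYSCTL is
constructed from the values pasted in the thread. The pool arithmetic in
messages_that_fit() is an assumption about standard SysV IPC accounting.
"""
import math
import re
from typing import Dict, List

# Constructed sample: the msg* lines from the 70.10 box in the thread.
SAMPLE_SYSCTL = """\
kern.ipc.msgmni: 40
kern.ipc.msgmnb: 2048
kern.ipc.msgseg: 2048
kern.ipc.msgssz: 8
kern.ipc.msgtql: 40
MHMSEG not found
"""

# Matches "name: integer" lines; anything else (strings, "not found") is skipped.
_LINE = re.compile(r"^\s*([\w.]+):\s*(-?\d+)\s*$")


def parse_sysctl(text: str) -> Dict[str, int]:
    """Turn `sysctl -a` style 'name: value' lines into {name: int}."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def diskd_message_size(cpu_bits: int = 32) -> int:
    """Message size squid uses for diskd, per the FAQ text quoted in the thread."""
    return 40 if cpu_bits == 64 else 32


def check_diskd(values: Dict[str, int], cpu_bits: int = 32) -> List[str]:
    """Return findings; an empty list means the quoted requirement is met."""
    need = diskd_message_size(cpu_bits)
    findings: List[str] = []
    ssz = values.get("kern.ipc.msgssz")
    if ssz is None:
        findings.append("kern.ipc.msgssz not present in sysctl output")
    elif ssz < need:
        findings.append(
            f"kern.ipc.msgssz={ssz} is below the {need}-byte diskd message "
            f"(each message would span {math.ceil(need / ssz)} segments)"
        )
    return findings


def messages_that_fit(values: Dict[str, int], cpu_bits: int = 32) -> int:
    """How many diskd messages the kernel could hold at once.

    Assumption (standard SysV IPC, not from the thread): the message pool is
    msgseg segments of msgssz bytes, and msgtql caps messages system-wide.
    """
    need = diskd_message_size(cpu_bits)
    seg_per_msg = math.ceil(need / values["kern.ipc.msgssz"])
    pool_msgs = values["kern.ipc.msgseg"] // seg_per_msg
    return min(pool_msgs, values["kern.ipc.msgtql"])


if __name__ == "__main__":
    current = parse_sysctl(SAMPLE_SYSCTL)
    for finding in check_diskd(current) or ["ok"]:
        print(finding)
    print("messages that fit:", messages_that_fit(current))
```

Running it on the pasted values reports msgssz=8 as too small (four segments per 32-byte message) and shows that msgtql=40 would cap the whole system at 40 queued messages, which is consistent with squid's msgsnd calls returning EAGAIN ("Resource temporarily unavailable") in the cache.log above.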
Re: [pfSense Support] 0.71.x WARP Version
On 7/25/05, Scott Ullrich [EMAIL PROTECTED] wrote:
> This package is no longer available via freebsd's ftp servers and we've never had a confirmation that it works so I am deactivating this package.

upnp is junk anyway. Whoever decided it was a good idea to let some application on your network dynamically open ports on your firewall needs to share some of what they were smoking. Ok, if it's not abused, it's better than having necessary ports open all the time... but the possibilities for abuse are just endless.

-cmb