Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
Hi,

Thanks a lot to everybody for coming into this discussion and for sharing your experiences, which convinced me to move to a production environment with no problems! Anyway, I still have some little doubts on implementing a DMZ containing all the servers, behind NAT. This is because I don't know how pfSense's NAT implementation can handle the new internet applications/protocols like AJAX or web services or others that could make use of mechanisms like dynamic allocation of ports. Don't you think pfSense (actually NAT) can suffer from this?

Again, thanks to everybody!

Bye
Paolo
[pfSense-discussion] Is there SMTP Forward in PFSENSE
Dear friends,

1. I use my pfSense for a hotspot.
2. As you know, every laptop has its own SMTP configuration.
3. How do I enable any SMTP address to run on our hotspot using pfSense?

Thanks a lot for your help.

ASROFI
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
On Dec 22, 2007 2:22 AM, Paolo Gentili [EMAIL PROTECTED] wrote:
> Anyway I still have some little doubts on implementing a DMZ containing all the servers, behind NAT. This is because I don't know how pfSense's NAT implementation can handle the new internet applications/protocols like AJAX or web services

This is simple HTTP on port 80 (or wherever your web server lives). Nothing new other than its use of the existing TCP port for transit here. What might be useful is describing how your previous firewall was going to handle this.

> or others that could make use of mechanisms like dynamic allocation of ports.

That could potentially cause you problems. But it would be no different with any other firewall that didn't already understand your protocol. I regularly force vendors to redesign their applications to not use dynamic ports at work; it's a stupid design and really, there's zero reason to do it (other than sheer laziness on the developers' side, or pissy legacy reasons when it comes to FTP, which is still not a good excuse IMO).

> Don't you think pfSense (actually NAT) can suffer from this?

1:1 NAT (if you have enough IP space), and then it's just rules you have to add. Inbound, I don't expect you'll run into many of these. Most applications you are likely to run on your server will stick to a single inbound port.

--Bill
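Bill's 1:1 NAT suggestion, written out as a pf.conf fragment. This is an added, constructed illustration, not rules from the thread or from pfSense's generated ruleset (pfSense 1.x builds its ruleset on FreeBSD pf, so the shape is the same); the interface names and the addresses (RFC 5737 documentation range on the public side) are assumptions. It shows the two points made above: with binat in place, the filter rules are written against the DMZ host's real address and a web service, AJAX or SOAP included, needs nothing beyond its listening ports; a protocol that negotiates data ports (FTP) is dealt with by pinning the server to a fixed passive range and opening exactly that range, instead of expecting the firewall to follow the negotiation.

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Interface names and addresses are assumptions.
ext_if  = "em0"                 # WAN
dmz_if  = "em1"                 # DMZ
web_pub = "203.0.113.10"        # public address assigned to the web server
web_dmz = "192.168.10.10"       # its real address in the DMZ
ftp_pub = "203.0.113.11"
ftp_dmz = "192.168.10.11"

# 1:1 NAT: each public address maps to one DMZ host in both directions,
# so the host itself never sees the translation.
binat on $ext_if from $web_dmz to any -> $web_pub
binat on $ext_if from $ftp_dmz to any -> $ftp_pub

# Default deny inbound on every interface; state from the pass rules
# below lets the replies through.
block in log all

# Translation happens before filtering, so the filter rule names the
# DMZ address. A web application, however "dynamic" its client side,
# still arrives on the server's listening ports and needs only these.
pass in on $ext_if proto tcp from any to $web_dmz port { 80 443 } \
    flags S/SA keep state

# FTP: the server is configured to use passive ports 50000-50100, and
# exactly that range plus the control port is opened. No protocol
# helper, nothing negotiated at run time.
pass in on $ext_if proto tcp from any to $ftp_dmz port { 21 50000:50100 } \
    flags S/SA keep state
```

The same approach generalizes to any application that insists on negotiated ports: have the vendor pin the range on the server, open that range to that one host, and keep everything else under the default deny. A protocol whose range cannot be pinned is the case Bill says to refuse.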
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
I'm in full agreement with Chris. The CD burning issue is not unique to pfSense. It will happen with any system if you have bad compatibility between your CD/DVD burner, media, and the drive reading the result. I've seen it with certain media on many other OSes given the wrong combination. This is not an issue with the OS, pfSense or any other system that has issues booting from the CD/DVD media after it is burned. I have some media that will repeat this problem almost every time, and the same ISO burnt to some other media is rock solid every time. I bet if you verify the md5sum of the media you're having trouble booting from, it will show the burn was bad when compared to the original ISO. It's not pfSense.

Ron

On Friday 21 December 2007 8:19:40 pm Chris Buechler wrote:
> Jure Pečar wrote:
>> Since everyone is just singing praises, I'll add some things to look for ;) Besides running it at home we run it in three production locations, which are two server rooms and one fast-growing wireless LAN.
>>
>> First bad experience: it is really touchy about the quality of your CD burner and blank CDs. This mostly shows as mysterious crashes and kernel panics during boot or later during install. It took us some time to figure that out.
>
> I know a very small percentage of people have issues of this nature. On dozens of different systems I have used, I've never personally seen it, and the vast majority of users have never seen it.
>
>> Second bad experience: 1.0.1 leaves hw.ata.wc enabled by default (didn't check 1.2), which ended up with one toasted fs after a power failure. Fortunately config.xml was backed up :)
>
> 1.2 has that disabled, and also fixed some other issues that caused file system and/or configuration corruption. 1.2 beta/RC has been the recommended version for months now for this reason and others. Unfortunately we can't release 1.0 bug fix updates because we didn't tag that release in CVS; 1.2 will receive interim bug fix updates as necessary to address issues of this nature.
>
>> Third bad experience: once it's up it works rock solid, but there is a kernel panic every now and then during boot or during shutdown. Again, this is 1.0.1, haven't looked at 1.2.
>
> 1.2 should be better in that area, but those are likely FreeBSD issues specific to your hardware. If it's something you can replicate with 1.2, it might be worthwhile to install the developer kernel with debugging tools (an option during the install now) and get a backtrace. Start a new thread if you want to investigate in the future.
>
> For the original poster: The only really common issue going from a test environment into production, when replacing an existing firewall (which is common to any network device, not pfSense-specific), is ARP caches. Your perimeter router, or your ISP's router (depending on the type of connection you have), has an ARP cache with your existing firewall's MAC address. When you change the firewall, it can take several hours for that cache to time out and recognize the new system. On Cisco routers, the ARP cache is 4 hours by default. You may need cooperation from your ISP if you don't have access to that router. If you do have access to the router, you can just power cycle it. Cable and DSL modems commonly require a power cycle to pick up a replaced system. Aside from that, which is common to any firewall migration regardless of software, we haven't seen any widespread issues with going from testing to production.
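Ron's suggestion above, checking the md5 of the burned disc against the ISO, as an added example that is not part of the thread. The wrinkle a plain `md5sum /dev/cd0` runs into is that a disc reads back longer than the image it was written from (the drive returns padding past the end of the image), so the whole-device hash never matches even for a good burn. The function below hashes only the first ISO-length bytes of the device. The device paths (/dev/cd0 on FreeBSD, /dev/sr0 on Linux) and the ISO file name are assumptions.

```sh
#!/bin/sh
# Added example: verify a burned CD/DVD against the ISO it was written from.
# Only the first <ISO size> bytes of the device are hashed, because the disc
# reads back longer than the image (trailing padding) and a whole-device
# hash would never match. Device paths below are assumptions.

# md5 of stdin, with either GNU (md5sum) or BSD (md5) userland
hash_stream() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        md5 -q
    fi
}

# verify_burn ISO DEVICE
# Prints OK or MISMATCH; returns 0 on a match, 1 on a mismatch.
verify_burn() {
    iso=$1
    dev=$2
    size=$(wc -c < "$iso" | tr -d ' ')
    want=$(hash_stream < "$iso")
    # head -c (GNU and BSD) reads exactly $size bytes, whether or not the
    # image length is a multiple of the 2048-byte sector size.
    got=$(head -c "$size" "$dev" | hash_stream)
    if [ "$want" = "$got" ]; then
        echo "OK       $iso == $dev ($want)"
        return 0
    fi
    echo "MISMATCH iso=$want media=$got"
    return 1
}

# Usage: sh verify_burn.sh pfSense.iso /dev/cd0   (FreeBSD)
#        sh verify_burn.sh pfSense.iso /dev/sr0   (Linux)
if [ "$#" -eq 2 ]; then
    verify_burn "$1" "$2"
fi
```

A MISMATCH on a disc that also panics during install is the evidence Ron describes: a bad burn or bad media, not the OS. An OK with the same symptoms points at the drive or the hardware instead, which is the case Chris suggests taking to a new thread with a backtrace.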
Re: [pfSense-discussion] HOW MUCH TRUST ON PFSENSE ?
I have followed the thread but I don't understand it, not really. I have many pfSense 1.2rcx firewalls up and running around the world. What is your mission-critical needed feature? Sorry!

Greetings
Heiko

Ron Lockard schrieb:
> I'm in full agreement with Chris. The CD burning issue is not unique to pfSense.
> [...]