Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On Mon, Mar 8, 2010 at 2:59 PM, Jim Pingle wrote:
> On 3/8/2010 5:51 PM, David Rees wrote:
>> I've seen same or similar behavior on an ALIX box with a fairly large
>> ruleset and decent number of VPNs.
>>
>> We could never get all the VPNs to come up properly and we eventually
>> ended up with a corrupted configuration file while we were trying to
>> disable/enable various VPNs (which takes a LONG time on ALIX hardware
>> and is very tedious).
>>
>> Ended up dropping the config file into a more powerful machine and it
>> works fine.
>>
>> I'm guessing that there is some sort of race condition somewhere in at
>> least a couple places.
>
> How many VPNs? I've had as many as 9 IPsec tunnels going between ALIX
> boxes on 1.2.3 and never had any issues.

Only a few more - 12. 6 VLANs connected to a T1 and a DSL line. About 250 different firewall rules across 8 interfaces, PPTP and IPsec interfaces.

Doesn't seem like much, but we couldn't get more than a couple VPNs to come online using the ALIX box, but had no issues once we swapped in an old Pentium 4 desktop and is actually running a 1.8GHz Pentium M now.

Editing any IPsec VPN would take a LONG time. Probably about 10 seconds per VPN. Even on faster hardware it's slow. The config corrupted when we started editing multiple IPsec definitions at the same time to save time. Didn't have time to debug it much further.

We were using the ALIX box previously to just load balance/failover the DSL/T1 line and it worked great for that.

-Dave

To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On Mon, Mar 8, 2010 at 5:59 PM, Jim Pingle wrote:
> On 3/8/2010 5:51 PM, David Rees wrote:
>> I've seen same or similar behavior on an ALIX box with a fairly large
>> ruleset and decent number of VPNs.
>>
>> We could never get all the VPNs to come up properly and we eventually
>> ended up with a corrupted configuration file while we were trying to
>> disable/enable various VPNs (which takes a LONG time on ALIX hardware
>> and is very tedious).
>>
>> Ended up dropping the config file into a more powerful machine and it
>> works fine.
>>
>> I'm guessing that there is some sort of race condition somewhere in at
>> least a couple places.
>
> How many VPNs? I've had as many as 9 IPsec tunnels going between ALIX
> boxes on 1.2.3 and never had any issues.
>

I know of one embedded box that's running 200+ OpenVPN servers (making for a very large config), on a VIA that's only marginally faster than an ALIX, and performs great. Most very large configs are running on much, much faster hardware than an ALIX though, just by the nature of what those boxes have to push.

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On 3/8/2010 5:51 PM, David Rees wrote:
> I've seen same or similar behavior on an ALIX box with a fairly large
> ruleset and decent number of VPNs.
>
> We could never get all the VPNs to come up properly and we eventually
> ended up with a corrupted configuration file while we were trying to
> disable/enable various VPNs (which takes a LONG time on ALIX hardware
> and is very tedious).
>
> Ended up dropping the config file into a more powerful machine and it
> works fine.
>
> I'm guessing that there is some sort of race condition somewhere in at
> least a couple places.

How many VPNs? I've had as many as 9 IPsec tunnels going between ALIX boxes on 1.2.3 and never had any issues.

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On Mon, Mar 8, 2010 at 12:25 PM, Christoph Hanle wrote:
> On 07.03.2010 18:23 Eugen Leitl wrote:
>>
>> Does anyone have the 1 GByte 1.2.3 image modified for WRAP
>> around? Thanks.
>
> Hi Eugen,
> please be careful with production usage of pfSense 1.2.3 on WRAP,
> I have more troubles with this combination on my "home" system than on
> my regular production system which have started with monowall 0.x.
> The worst thing I had two times was a not successful filter reload
> after adding a rule, only an emergency power off and power on did the job.
> I have still now no ALIX board to compare this behaviour and have more
> repeatable results.

I've seen same or similar behavior on an ALIX box with a fairly large ruleset and decent number of VPNs.

We could never get all the VPNs to come up properly and we eventually ended up with a corrupted configuration file while we were trying to disable/enable various VPNs (which takes a LONG time on ALIX hardware and is very tedious).

Ended up dropping the config file into a more powerful machine and it works fine.

I'm guessing that there is some sort of race condition somewhere in at least a couple places.

-Dave

[pfSense-discussion] pf and altq for many machines
hail,

I have a vanilla FreeBSD 7.1 and it works as a filtering bridge for QoS purposes. I have 60+ remote sites and for each one I have a queue where I say voip packets are to go first (hfsc based).

as I have too many queues, I need to change HFSC_MAX_CLASSES to 1024.

I'm now trying pfsense 1.2.3 and bridge as far is doing what I want it to, but I can't figure out how to do this per remote site queue ... is this doable ?

thanks,

matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On 3/8/2010 3:25 PM, Christoph Hanle wrote:
> On 07.03.2010 18:23 Eugen Leitl wrote:
>>
>> Does anyone have the 1 GByte 1.2.3 image modified for WRAP
>> around? Thanks.
>>
> Hi Eugen,
> please be careful with production usage of pfSense 1.2.3 on WRAP,
> I have more troubles with this combination on my "home" system than on
> my regular production system which have started with monowall 0.x.
> The worst thing I had two times was a not successful filter reload
> after adding a rule, only an emergency power off and power on did the job.
> I have still now no ALIX board to compare this behaviour and have more
> repeatable results.

I'm not sure where your errors came from, but my home network has been running on a WRAP with 1.2.3 using NanoBSD since shortly after the release, and it's been rock solid.

I'm even using a small package or two (Avahi, Dashboard) and both IPsec and OpenVPN, as well as running a wireless interface in hostap mode for a netbook.

It's been very good for me, even given its speed, since my home DSL is only 3Mbit.

Jim

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On 07.03.2010 18:23 Eugen Leitl wrote:
>
> Does anyone have the 1 GByte 1.2.3 image modified for WRAP
> around? Thanks.
>

Hi Eugen,
please be careful with production usage of pfSense 1.2.3 on WRAP, I have more troubles with this combination on my "home" system than on my regular production system which have started with monowall 0.x.
The worst thing I had two times was a not successful filter reload after adding a rule, only an emergency power off and power on did the job.
I have still now no ALIX board to compare this behaviour and have more repeatable results.

bye
Christoph

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
On Mon, Mar 08, 2010 at 01:30:08PM +0100, Matthias May wrote:
> You can download a pre-modified 1 Gbyte version here:
> https://home.zhaw.ch/~maym/pfSense-1.2.3-RELEASE-1g-nanobsd_WRAP.img.gz

Thanks! Much appreciated.

> Greetings
> Matthias May
> Eugen Leitl wrote:
> >Does anyone have the 1 GByte 1.2.3 image modified for WRAP
> >around? Thanks.

--
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

Re: [pfSense-discussion] modified nanoBSD 1.2.3 image for WRAP?
You can download a pre-modified 1 Gbyte version here:
https://home.zhaw.ch/~maym/pfSense-1.2.3-RELEASE-1g-nanobsd_WRAP.img.gz

Greetings
Matthias May

Eugen Leitl wrote:
> Does anyone have the 1 GByte 1.2.3 image modified for WRAP
> around? Thanks.