[pfSense] 2 LANs and time based limits
Hi,

We've got a pfSense 2.0.1 box with a single WAN (in fact it's behind a load balancer with 6 ADSL modems) and currently a single set of client machines, which are students' computers in their apartments.

We are planning to add a second set of client machines to this pfSense box, which are computers in our classrooms. Actually, and for several years now, we used 2 separate pfSense boxes, with 2 separate sets of modems, but we'd like to consolidate this onto a single box (with the future option of having a second box acting as an instant failover).

So in the setup we envision, all machines must share the single WAN interface for Internet access. But...

Our classroom computers must have dedicated bandwidth from 7 a.m. to 6 p.m.; for example they could have the bandwidth equivalent of 5 (of our 6) ADSL modems, guaranteed, during this period of time, each day from Monday to Friday. The remaining bandwidth should be dedicated to the apartments' computers.

Outside of these periods of time, the total available bandwidth should be available for both sets of computers, with an equal share of it, i.e. just as if we don't do anything special.

Is this possible with pfSense, and if yes, could someone please tell me how to proceed?

Thanks in advance

-- 
Jerome Alet

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] 2 LANs and time based limits
Hi again,

> From: Ermal Luçi e...@pfsense.org
> Sent: Fri May 11 21:29:17 NCT 2012
> To: jerome alet jerome.a...@univ-nc.nc, pfSense support and discussion list@lists.pfsense.org
> Subject: Re: [pfSense] 2 LANs and time based limits
>
> On Fri, May 11, 2012 at 4:11 AM, jerome alet jerome.a...@univ-nc.nc wrote:
>> Our classroom computers must have dedicated bandwidth from 7 a.m. to 6 p.m.; for example they could have the bandwidth equivalent of 5 (of our 6) ADSL modems, guaranteed, during this period of time, each day from Monday to Friday. The remaining bandwidth should be dedicated to the apartments' computers.
>>
>> Outside of these periods of time, the total available bandwidth should be available for both sets of computers, with an equal share of it, i.e. just as if we don't do anything special.
>>
>> Is this possible with pfSense, and if yes, could someone please tell me how to proceed?
>
> It is possible through time based rules and limiters. You just set up limiters with the limits you want guaranteed during weekdays and use those limiters in time based rules.

So am I correct with this scenario:

1 - Create the 7 a.m. to 6 p.m. schedule

2 - Create a single limiter, say 20 Mbit/s, with no other option, to dedicate 20 Mbit/s to classrooms (so apartments will use the remaining bandwidth that is still available when this limiter applies)

3 - When creating a rule, I add this rule only to the classrooms interface, and use the single limiter's name in both the IN and OUT drop-down lists in the Advanced features of rule creation. Then I put this rule with PASS mode at the top for it to be evaluated first (or is it important at all where I put it w.r.t. other rules)?

Am I correct?

Thanks for your feedback. I've never used limiters before, and since I'll do this on the production system I'd like to not make too many mistakes.

Thanks in advance for your help

-- 
Jerome Alet
Re: [pfSense] 2 LANs and time based limits
> So am I correct with this scenario:
>
> 1 - Create the 7 a.m. to 6 p.m. schedule
>
> 2 - Create a single limiter, say 20 Mbit/s, with no other option, to dedicate 20 Mbit/s to classrooms (so apartments will use the remaining bandwidth that is still available when this limiter applies)
>
> 3 - When creating a rule, I add this rule only to the classrooms interface, and use the single limiter's name in both the IN and OUT drop-down lists in the Advanced features of rule creation. Then I put this rule with PASS mode at the top for it to be evaluated first (or is it important at all where I put it w.r.t. other rules)?
>
> Am I correct?
>
> Thanks for your feedback. I've never used limiters before, and since I'll do this on the production system I'd like to not make too many mistakes.
>
> Thanks in advance for your help

That looks right, BUT...

QoS on ADSL is notoriously difficult, and does not usually work quite as expected. There are implementation issues to blame, as well as a theoretical/logical problem. When you configure your system as described, you will rarely - if ever - get exactly the results you expected. Aim for good enough, instead of perfect, and you will likely succeed.

First and foremost: you do not directly control what data is being transmitted to you. You have indirect control over it, at most. To fully control the downstream (i.e. towards you) traffic flow, you would need to have a device sitting at the ISP end of the connection implementing your policies. I have this problem as an ISP; the best traffic shaper in the world can only *indirectly* affect what comes back down the pipe towards me. I can easily drop packets once they arrive at my network (and artificially limit what each client receives), but at that point, why bother, because they've already consumed the scarce resource: incoming bandwidth.

You *will* be able to control outgoing bandwidth - as long as you never saturate the ADSL modems' buffers. This means capping the outbound bandwidth at around 95% of your theoretical upstream; this needs to be done on the last device before the modem, so I hope your load-balancer can do this! Depending on how your load-balancer works, the bandwidth you need to limit to at the pfSense gateway might not be obvious - some experimentation may be required. (BTW: for a more detailed explanation of why you need to cap outbound bandwidth, read http://www.bufferbloat.net/projects/bloat/wiki/Introduction.)

Assuming you aren't hosting publicly-available services (e.g. a public webserver or FTP site), standard traffic-shaping tools like what pfSense provides will probably be good enough for your purposes.

-Adam Thompson
athom...@athompso.net
[pfSense] Error powerd: lookup freq: No such file or directory
Hi,

I am trying to have PowerD tuned correctly with a Lanner device that I am reselling.

By default, sysctl dev.cpu gives the following:

    # sysctl dev.cpu
    dev.cpu.0.%desc: ACPI CPU
    dev.cpu.0.%driver: cpu
    dev.cpu.0.%location: handle=\_PR_.P001
    dev.cpu.0.%pnpinfo: _HID=none _UID=0
    dev.cpu.0.%parent: acpi0
    dev.cpu.0.cx_supported: C1/0
    dev.cpu.0.cx_lowest: C1
    dev.cpu.0.cx_usage: 100.00% last 5000us
    dev.cpu.1.%desc: ACPI CPU
    dev.cpu.1.%driver: cpu
    dev.cpu.1.%location: handle=\_PR_.P002
    dev.cpu.1.%pnpinfo: _HID=none _UID=0
    dev.cpu.1.%parent: acpi0
    dev.cpu.1.cx_supported: C1/0
    dev.cpu.1.cx_lowest: C1
    dev.cpu.1.cx_usage: 100.00% last 5000us

I need to load cpufreq using kldload to have it taken into account in the kernel:

    # kldload cpufreq
    # sysctl dev.cpu
    dev.cpu.0.%desc: ACPI CPU
    dev.cpu.0.%driver: cpu
    dev.cpu.0.%location: handle=\_PR_.P001
    dev.cpu.0.%pnpinfo: _HID=none _UID=0
    dev.cpu.0.%parent: acpi0
    dev.cpu.0.cx_supported: C1/0
    dev.cpu.0.cx_lowest: C1
    dev.cpu.0.cx_usage: 100.00% last 5000us
    dev.cpu.0.freq: 1658
    dev.cpu.0.freq_levels: 1658/-1 1450/-1 1243/-1 1036/-1 829/-1 621/-1 414/-1 207/-1
    dev.cpu.1.%desc: ACPI CPU
    dev.cpu.1.%driver: cpu
    dev.cpu.1.%location: handle=\_PR_.P002
    dev.cpu.1.%pnpinfo: _HID=none _UID=0
    dev.cpu.1.%parent: acpi0
    dev.cpu.1.cx_supported: C1/0
    dev.cpu.1.cx_lowest: C1
    dev.cpu.1.cx_usage: 100.00% last 5000us

How can I add this so that the loadable module cpufreq will be taken into account at boot time, and PowerD will be optimized for my platform?

Thanks.

-- 
Grégory Bernard
Director - www.osnet.eu
Your provider of OpenSource appliances
Re: [pfSense] pfsense on sun v100 server
2012/5/11 Scott Ullrich sullr...@gmail.com
> On Thu, May 10, 2012 at 9:16 PM, Michael Schuh michael.sc...@gmail.com wrote:
>> Hi @list
>>
>> I am not sure if somebody else mentioned that before: ...maybe a different approach to get pfSense running on UltraSparc: get the developer version/sources, put it on a FreeBSD 8.x (iirc 8.2) and try to cross-compile the entire architecture to UltraSparc. At the best point you have an UltraSparc running with FreeBSD, where you can put the sources on it, so no need to cross-compile. The SunFire V100 hardware is fully supported according to the HW notes of FreeBSD 8.2. I am just not really sure what packages/functionality isn't supported on UltraSparc compared to i386/amd64.
>>
>> So that would be my first try, I think that's the easiest way.
>
> While I applaud everyone for trying to go this route, I have some experiences I would like to share.
>
> Building pfSense and all of its dependencies on a slower speed box will take a long time. For example, when I was working on the MIPS port that we never were able to complete, it came down to time. Building ports and the base system on a 150 MHz box is SLOW! You will kick off a build and come back 10 hours later to see silly platform specific C bugs that you will have to tackle in many cases. It's not necessarily FreeBSD's fault but our 'additional patches' that we maintain to keep pfSense as awesome as it is now.
>
> I really don't want to discourage anyone from helping us port to different platforms, but I wanted to try and convey how much time is involved in such an endeavor. Just make sure you know what you are getting into.
>
> Will be happy to answer any questions if you are serious about this platform, but if I were in your shoes I would install OpenBSD 5.1 on the 100 and use it, and consider getting an alix or soekris down the road to run pfSense. It will ultimately save you a lot of time and money from a power usage perspective.
>
> Scott

Hi Scott, Hi @List,

LMAO - SCNR :8~)

The question was: ...is it possible, not: ...does that make sense... ...is that a good idea...

Yes, I agree with that, totally. I think it makes not much sense to dig out the old Ultra10 HW and try to build and put pfSense on it. Just if he likes to get pfSense running on his V100, I think we should at least point out that way (even if that way looks masochistic :8~) ). Of course (cross) building an entire operating system and some specially designed software needs to have an experienced person in front of the console. Just saying. :8~)

@Hugo: is your time worth that? What do you gain by this? How much money can you make in the same amount of time? How much money (time) do you lose if you go the sketched way? Right question. Yep, I think so too. So only for completeness or the real hard bones :8~).

I can spare a complete Ultra10, I think 400 MHz and 256/512 MB memory and still the original Seagate hard disk running on FreeBSD, I guess 7 or so, no keyboard/monitor/mouse. The receiver has to pay the transport/shipping. :-) (Is it worth so much? lol) I can put another 10 Gig IBM DNAS SCSI drive into it/on top. NO WARRANTIES - LMAO

greetings
m.

-- 
= = = http://michael-schuh.net/ = = =
Project management - IT consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobile: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = VAT ID: DE251072318 = = =
Re: [pfSense] Error powerd: lookup freq: No such file or directory
2012/5/11 bsd b...@todoo.biz
> Hi,
>
> I am trying to have PowerD tuned correctly with a Lanner device that I am reselling.
>
> By default, sysctl dev.cpu gives the following:
>
> # sysctl dev.cpu
> [...]
>
> I need to load cpufreq using kldload to have it taken into account in the kernel:
>
> # kldload cpufreq
> # sysctl dev.cpu
> [...]
>
> How can I add this so that the loadable module cpufreq will be taken into account at boot time, and PowerD will be optimized for my platform?
>
> Thanks.
>
> Grégory Bernard

Hi,

the clean way: http://doc.pfsense.org/index.php/Executing_commands_at_boot_time

hth

greetings
m.
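A verification step to pair with the boot-time command Michael points to, as an added example that is not from the thread or from pfSense's own code: it checks that `dev.cpu.0.freq` is actually exposed after `kldload cpufreq` (powerd's "lookup freq" error is that sysctl missing) and pulls the frequency steps out of `dev.cpu.0.freq_levels`. The sysctl text is a constructed sample modelled on Grégory's output; `ensure_cpufreq` assumes a FreeBSD host with `kldstat`/`kldload` and does nothing elsewhere.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Checks that the cpufreq
# module really gave the kernel per-CPU frequency data, which is what powerd
# fails on ("lookup freq: No such file or directory" is powerd not finding
# dev.cpu.0.freq). Meant for a boot-time shell command after `kldload cpufreq`;
# the parsing functions also work on pasted sysctl output.

# Constructed samples modelled on the `sysctl dev.cpu` output in the thread.
SYSCTL_BEFORE='dev.cpu.0.cx_lowest: C1
dev.cpu.0.cx_usage: 100.00% last 5000us
dev.cpu.1.cx_lowest: C1'
SYSCTL_AFTER='dev.cpu.0.cx_usage: 100.00% last 5000us
dev.cpu.0.freq: 1658
dev.cpu.0.freq_levels: 1658/-1 1450/-1 1243/-1 1036/-1 829/-1 621/-1 414/-1 207/-1
dev.cpu.1.cx_lowest: C1'

# True when dev.cpu.<N>.freq exists in the sysctl output ($1) for CPU $2.
has_freq() {
    printf '%s\n' "$1" | grep -q "^dev\.cpu\.$2\.freq: "
}

# MHz steps advertised for CPU $2, highest first, as one space-separated line.
# Each sysctl entry is "MHz/power"; -1 means no power figure is reported.
freq_steps() {
    printf '%s\n' "$1" | awk -v cpu="$2" '
        $1 == ("dev.cpu." cpu ".freq_levels:") {
            out = ""
            for (i = 2; i <= NF; i++) { split($i, f, "/"); out = out (i > 2 ? " " : "") f[1] }
            print out
        }'
}

# Highest and lowest step: the range powerd will move the CPU through.
max_step() { freq_steps "$1" "$2" | awk '{ print $1 }'; }
min_step() { freq_steps "$1" "$2" | awk '{ print $NF }'; }

# Load cpufreq if missing, then verify before powerd starts. Only acts on a
# FreeBSD host (kldstat present); elsewhere it reports and returns 0.
ensure_cpufreq() {
    if ! command -v kldstat >/dev/null 2>&1; then
        echo "not a FreeBSD host, skipping"; return 0
    fi
    kldstat -q -m cpufreq || kldload cpufreq || return 1
    out=$(sysctl dev.cpu 2>/dev/null)
    if has_freq "$out" 0; then
        echo "cpufreq active, steps: $(freq_steps "$out" 0)"
    else
        echo "cpufreq loaded but dev.cpu.0.freq missing; powerd will fail" >&2
        return 1
    fi
}
```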
[pfSense] Multiple port ranges in alias
Hi,

I want to create a rule for an application that uses 2 ranges of destination ports. I created an alias with 2 port ranges, but when I add it in the rule it says:

    _Ports_xxx is not a valid start destination port. It must be a port alias or integer between 1 and 65535.
    _Ports_xxx is not a valid end destination port. It must be a port alias or integer between 1 and 65535.

Do I have to make 2 separate rules?

Thanks,

Ugo
[pfSense] NFS through pfSense
Hi,

I'd need to have an NFS client access an NFS server. Both are on different network segments, so I need to have the traffic go through the pfSense firewall. Does anyone have the list of ports that must be allowed for NFSv3? Client is RHEL5, server is a SUN NAS. No NAT involved.

Also, is it really required to disable scrubbing for the whole firewall? Can't it be disabled by a rule?

Thanks,

Ugo
Re: [pfSense] 2 LANs and time based limits
Hi,

> From: Adam Thompson athom...@athompso.net
> Sent: Fri May 11 22:51:08 NCT 2012
> To: 'jerome alet' jerome.a...@univ-nc.nc, 'pfSense support and discussion' list@lists.pfsense.org
> Subject: RE: [pfSense] 2 LANs and time based limits
>
> QoS on ADSL is notoriously difficult, and does not usually work quite as expected. There are implementation issues to blame, as well as a theoretical/logical problem.

I understand (thanks to your explanations), but what I was thinking was not playing with the WAN side of the pipe, which is shared, but with the interfaces between pfSense and the two sets of clients, which are not ADSL but traditional Ethernet links.

What I'm in doubt about now is where to put the limiter rule. Should the limiter be seen by me as a way to guarantee bandwidth, in which case I should set it high and apply it on the classrooms interface, or should it be seen by me as a bandwidth limiter, in which case I set it low and apply it on the apartments interface?

> When you configure your system as described, you will rarely - if ever - get exactly the results you expected. Aim for good enough, instead of perfect, and you will likely succeed.

Good enough is good enough for us: up until now there was only a single ADSL line for each set of clients, so needless to say students will be happy whatever the solution. Right now there's no limiter in use, so they ENJOY pfSense ;-)

Thanks for your help.

-- 
Jerome Alet
Re: [pfSense] NFS through pfSense
2012/5/11 Ian Levesque i...@crystal.harvard.edu
> On May 11, 2012, at 2:52 PM, Ugo Bellavance wrote:
>> I'd need to have an NFS client access an NFS server. Both are on different network segments, so I need to have the traffic go through the pfSense firewall. Does anyone have the list of ports that must be allowed for NFSv3?
>
> If your client is on the LAN and the server on the WAN, you should be fine with the built-in state management. If the NFSv3 server is behind a firewall, good luck... :) (basically, you'd need to configure your server to use static ports, which may not be possible with your NAS).
>
> ~irl

Hi Ugo, Hi @List,

I would do the following, if this scenario is given:

    Client - router - WAN - your pfSense - your NFS server

then: put the client into a VPN and connect from there to the NFS server. Which kind of VPN is most useful for you depends on the given scenario. Be sure to adjust the access allowed only to your NFS server, and you will go.

regards
m.
Re: [pfSense] NFS through pfSense
On 2012-05-11 16:14, Michael Schuh wrote:
> 2012/5/11 Ian Levesque i...@crystal.harvard.edu
>> On May 11, 2012, at 2:52 PM, Ugo Bellavance wrote:
>>> I'd need to have an NFS client access an NFS server. Both are on different network segments, so I need to have the traffic go through the pfSense firewall. Does anyone have the list of ports that must be allowed for NFSv3?
>>
>> If your client is on the LAN and the server on the WAN, you should be fine with the built-in state management. If the NFSv3 server is behind a firewall, good luck... :) (basically, you'd need to configure your server to use static ports, which may not be possible with your NAS).

My client is on the LAN and the server is on OPT1 (another internal network). I could do that with my current CheckPoint FW-1, but I needed to allow all ports.

Ugo
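Ian's point about static ports, and Ugo's note that FW-1 needed all ports open, come down to the same thing: of the RPC services NFSv3 needs, only portmapper (111) and nfs (2049) have fixed ports; mountd, nlockmgr and status are registered dynamically unless the server pins them. The script below is an added example, not code from the thread or from pfSense: it reads the output of `rpcinfo -p <server>` (run from the client against the NAS) and derives the port list a rule or port alias would have to carry, and which of those entries are liable to change. The rpcinfo text is a constructed sample, and `nas.example.org` is a placeholder host name.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Derives the NFSv3
# port set from what the server's portmapper registers, as printed by
# `rpcinfo -p <server>`. Only portmapper (111) and nfs (2049) are fixed by
# convention; mountd, nlockmgr and status get dynamic ports unless the server
# pins them, which is why a static rule set cannot cover them reliably.

# Constructed sample of `rpcinfo -p` output (not captured from a real NAS).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    3   tcp  32767  mountd
    100005    3   udp  32767  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   tcp  32803  nlockmgr
    100021    4   udp  32768  nlockmgr
    100024    1   tcp    662  status
    100024    1   udp    662  status'

# Services NFSv3 depends on; anything else registered (e.g. rquotad) is ignored.
NFS3_SERVICES='portmapper|mountd|nfs|nlockmgr|status'

# Print "proto port service", one line per distinct registration.
nfs3_ports() {  # $1 = rpcinfo output
    printf '%s\n' "$1" | awk -v re="^(${NFS3_SERVICES})\$" '
        $5 ~ re {
            key = $3 " " $4 " " $5
            if (!(key in seen)) { seen[key] = 1; print key }
        }' | sort
}

# Comma-separated, numerically sorted port list for one protocol, in the
# form a pfSense port alias takes (one entry per port).
nfs3_alias() {  # $1 = rpcinfo output, $2 = tcp|udp
    nfs3_ports "$1" | awk -v p="$2" '$1 == p { print $2 }' \
        | sort -n | uniq | paste -sd, -
}

# Ports not fixed by convention: they can change after a server reboot, so
# the rule set must be re-derived or the server configured to pin them.
nfs3_dynamic_ports() {  # $1 = rpcinfo output
    nfs3_ports "$1" | awk '$3 != "portmapper" && $3 != "nfs" { print $2 }' \
        | sort -n | uniq | paste -sd, -
}

# Against a live server (placeholder host): nfs3_alias "$(rpcinfo -p nas.example.org)" tcp
```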