Re: [pfSense] pfsense crash dump

2014-10-14 Thread Giles Coochey

On 13/10/2014 17:09, Aaron C. de Bruyn wrote:

To me, it looks like a disk issue:

mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium error on PD 02(e0x20/s2) at 1692f3e4
mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD 02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00 00, Sense: 1/00/00

You might want to download something like The Ultimate Boot CD and use the 
manufacturer's test tools on your drive.

I've seen these Unexpected sense on LSI controllers and Seagate SAS 
drives - it always turned out to be an impending drive failure (drive 
completely fails within a week or so). I would work to get Physical Disk 
#2 replaced - if under warranty you might be able to get a replacement 
shipped now, on the basis of the error message.


--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net




___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] NIC support

2014-10-14 Thread Ulrik Lunddahl
 In general HP servers work really well with FreeBSD.

 When you say looking are you in possession of one and need to make it work, 
 or are you about to buy one?  Is there some specific requirement about that 
 hardware that makes you want to get it over anything else?

 I personally have found that the C2758 sold by both netgate and pfsense 
 directly to be a spectacularly capable device and it is fairly priced and 
 includes support. I would recommend that based on what you've described above 
 unless there's some other special need you have.

I know that:

- Blistering fast Intel® Atom™ Rangeley C2758 8 core SoC   This is not your 
father's Atom!

Probably is a beast compared to what we normally expect from the Atom range, 
but to compare it with an up to date Dual Xeon Platform is just not going to 
make a lot of sense.

Hardware quality on the two boxes is also almost incomparable, both are 
general-purpose platforms, but from different ends of the scale.

Will an SMB without L3 capable switches, that needs routing between 3-4 local 
subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to wirespeed as 
possible, be happy with a C2758?


Med venlig hilsen, Best regards
Ulrik Lunddahl

Sales Manager - Salgschef
PROconsult Data A/S - Landbrugsvej 2 - 5260  Odense S
Tel: +45 6311 - Tel dir: +45 63113341 - Mobil: +45 26363341
E-mail: u...@proconsult.dk - Web site: www.proconsult.dk

    

VSP - Infrastructure Optimization Solutions + VSP - Business Continuity
VTSP - VMware Infrastructure Virtualization + vExpert - 2009, 2010, 2012
VMSP - Veeam Sales Professional + VMTSP - Veeam Technical Sales Professional






Re: [pfSense] Help with OpenVPN interface rules

2014-10-14 Thread Jim Pingle
On 10/13/2014 10:46 AM, Paul Beriswill wrote:
 Now, when I create rules for the OpenVPN_Ops interface, using
 'OPEN_VPN_OPS net' as 'Source' the rule never hits.
 It doesn't appear
 that the 'net' and 'address' aliases are being populated when the
 connection is established.  Is this correct?

I don't believe that macro works for OpenVPN interfaces. Remember, when
you assign the interface you must set it to an IP type of None which
is what that macro would have used to fill that macro.

Manually specify the source of the traffic in the rules and you'll be OK.

You could use aliases to define specific subnet(s) or groups of people
based on the addresses you intend to assign via client-specific overrides.

Jim


Re: [pfSense] NIC support

2014-10-14 Thread Jim Thompson
 Will an SMB without L3 capable switches, that needs routing between 3-4 local 
 subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to wirespeed as 
 possible, be happy with a C2758?


Very.  

Is a dual socket Xeon a bit faster? Yes.  
Does your application need that speed? Unlikely. 

Really depends on what you mean by wirespeed. 

-- Jim


Re: [pfSense] Help with OpenVPN interface rules

2014-10-14 Thread Paul Beriswill
Jim

Thanks for the response.  That is what I suspected, that the values were 
populated at config time rather than connect time.

The main reason that I wanted to be able to use those values is because I 
couldn't find a way to use an alias when defining a 'Client Specific Override'. 
I wanted to avoid needing to enter the same values in more than one place in 
order to reduce the chance of error when defining CSO's and their related rules.

Am I missing something?  It seems like an oversight to not allow alias 
substitution when defining CSO's ... or is there a technical reason why 
substitution is not possible with the OpenVPN package?

Is there a way to define both the client specific network and associated FW 
rules from a single input; using aliases, radius, AD, other?  From what I have 
gleaned from the docs, forums, etc. that I have perused, local DB + CSO's seem 
to be the closest I can get to this type of 'policy based routing/security'.

Basically, what we want to do is define a set of policies that can be applied 
to a group of users and allow fine tuning of the policy for individual users if 
necessary.  I had envisioned using a different OpenVPN interface for each 
group; assigning rules to each interface then fine tuning using CSO's.

Is there a better way to do this?

Paul


--

Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | paul.berisw...@pdfcomplete.com

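The single-input idea asked about above, combined with the suggestion to use aliases for the addresses assigned via client-specific overrides, as an added example (not from the thread and not pfSense code): one policy table is validated, then used to produce both the `ifconfig-push` line for each client's override and the contents of the aliases used as rule sources. It assumes `topology subnet` with the server on the first tunnel address; all names, addresses and the `user_` alias prefix are constructed for illustration, and the output is text to enter by hand.

```python
import ipaddress

# Constructed sample policy: every name and address here is hypothetical.
TUNNEL = "10.8.0.0/24"
POLICY = {
    "vpn_ops":   {"range": "10.8.0.16/28",
                  "users": {"alice": "10.8.0.17", "bob": "10.8.0.18"}},
    "vpn_sales": {"range": "10.8.0.32/28",
                  "users": {"carol": "10.8.0.33"}},
}

def build(policy, tunnel):
    """Derive override lines and alias contents from one policy.

    Raises ValueError on any inconsistency that would leave a firewall
    rule matching the wrong clients, or none at all.
    """
    tun = ipaddress.ip_network(tunnel)
    reserved = {tun.network_address, tun.broadcast_address, tun[1]}  # tun[1]: server
    overrides, aliases, owner, ranges = {}, {}, {}, {}
    for group, spec in policy.items():
        net = ipaddress.ip_network(spec["range"])
        if not net.subnet_of(tun):
            raise ValueError(f"{group}: {net} is outside tunnel {tun}")
        for other, onet in ranges.items():
            if net.overlaps(onet):
                raise ValueError(f"{group}: {net} overlaps {other} ({onet})")
        ranges[group] = net
        aliases[group] = [str(net)]              # source for the group's rules
        for user, addr in spec["users"].items():
            ip = ipaddress.ip_address(addr)
            if ip not in net:
                raise ValueError(f"{user}: {ip} is not in {group} range {net}")
            if ip in reserved:
                raise ValueError(f"{user}: {ip} is reserved in {tun}")
            if ip in owner or user in overrides:
                raise ValueError(f"{user}: duplicate user or address {ip}")
            owner[ip] = user
            # OpenVPN directive for this client's override (topology subnet)
            overrides[user] = f"ifconfig-push {ip} {tun.netmask}"
            aliases[f"user_{user}"] = [str(ip)]  # source for per-user rules
    return overrides, aliases

if __name__ == "__main__":
    overrides, aliases = build(POLICY, TUNNEL)
    for user, line in sorted(overrides.items()):
        print(f"{user}: {line}")
    for name, members in sorted(aliases.items()):
        print(f"alias {name}: {' '.join(members)}")
```

Because the rule sources and the pushed addresses come from the same table, an address that falls outside its group's range is rejected before anything is entered in the firewall.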

Re: [pfSense] NIC support

2014-10-14 Thread compdoc
as close to wirespeed as possible, be happy with a C2758?

Very

That C2758 has nice specs and should be able to keep up, however there seems to 
be a throughput problem on at least one brand of board running the C2758. (I 
think it’s more a problem with the nics than the cpu)

I recently tested various nics and cpus to see if the systems I was building 
could reach Gigabit Ethernet's max throughput of 1.488Mpps on one port.

Tests were run on AMD FM1+ and AM1 APUs, an FX-4100, and an Intel i5-2400 Sandy 
Bridge. Tests used the BSD Router Project (BSDRP) OS, and a program named 
'pkt-gen'.

During routing tests, I found that an AMD A8-7600 Kaveri was the only cpu I had 
that was equal in performance to the Intel i5-2400. (the routing tests involved 
a 3rd test machine, and aren't covered in the scores below)

Anyway, I hope you find this helpful...

In these tests, I used the two fastest test machines connected to each other. 
One sends, and one receives:

Realtek 8169sc 32-bit PCI card
266935 pps (283752 pkts in 1063001 usec)
Speed: 267.19 Kpps Bandwidth: 128.25 Mbps (raw 179.55 Mbps)

Realtek RTL8111DL, Onboard
405708 pps (406113 pkts in 1000998 usec)
Speed: 404.78 Kpps Bandwidth: 194.29 Mbps (raw 272.01 Mbps)

Intel pro 1000 32-bit PCI card
307102 pps (307586 pkts in 1001577 usec)
Speed: 276.49 Kpps Bandwidth: 132.72 Mbps (raw 185.80 Mbps)

Intel Pro 1000, x1 PCI-e card (no heatsink)
1367299 pps (1453440 pkts in 1063001 usec)
Speed: 1.36 Mpps Bandwidth: 654.85 Mbps (raw 916.79 Mbps)

Intel Pro 1000, x1 PCI-e card, server version (with heatsink)
1488012 pps (1490981 pkts in 1001995 usec)
Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)

Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1488012 pps (1490981 pkts in 1001995 usec)
Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)

***

These tests were using the lowest TDP(watt) APUs I had.

The Intel server nics were the fastest nics tested, and used the least cpu 
time, so I used those in these tests:

AMD 5150 quad core APU @ 1.6GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1179367 pps (1180530 pkts in 1000986 usec)
Speed: 1.17 Mpps Bandwidth: 562.85 Mbps (raw 787.99 Mbps)

AMD 5350 quad core APU @ 2GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1488106 pps (1489615 pkts in 1001014 usec)
Speed: 1.48 Mpps Bandwidth: 709.33 Mbps (raw 993.07 Mbps)

AMD 5350 quad APU @ 2GHz
Onboard RTL8111/8168B PCI Express Gigabit Ethernet controller
560938 pps (561565 pkts in 1001117 usec)
Speed: 558.35 Kpps Bandwidth: 268.01 Mbps (raw 375.21 Mbps)

AMD A4-6300 dual core APU @ 3.7GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1129784 pps (1130961 pkts in 1001042 usec)
Speed: 1.09 Mpps Bandwidth: 521.00 Mbps (raw 729.39 Mbps)
