[pfSense] Problem with new Unit

2016-02-18 Thread David Ross

Current device is an xxx running pfSense 2.0.1-RELEASE

New device is an SG-2440 running pfSense 2.2.6-RELEASE

I decided that trying to reload the configuration file with that big of 
a gap in versions was asking for trouble so I built the new 
configuration by hand. It wasn't that complicated.


But no luck. We have a block of 15 static IPs, with 5 of them currently 
mapped via NAT1:1 to 4 internal systems. Everything seemed to work 
except for DNS. Our mail server could receive and send as long as the 
DNS lookups were not required for new items.


We have a DNS server in house for all of the machines on our LAN to use. 
I really don't want the pfSense device to do anything but pass DNS 
queries out and get the responses back to our in house server.


DNS seems to have changed a lot in the release gap I'm crossing. Any 
quick thoughts before I dig in deeper?


I have disabled the DNS forwarder.

I have also disabled the DNS resolver.

I have looked at the various rules (not that many) and interface 
settings and don't see anything obvious.


Any pointers on what to check out?

Thanks
David Ross
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


[pfSense] recover vnstat data

2016-02-18 Thread Nenhum_de_Nos
Hi,

I just installed a new pfsense here as a test, it worked well so far, so now I 
would like to take there the vnstat database files. I can't write them, the fs 
is RO. I would not like to open the case and shut them both down. Is there a 
way for it ?

thanks,

matheus

-- 
"We will call you Cygnus,
the God of balance you shall be."


Re: [pfSense] openvpn site to site clients not communicating ??

2016-02-18 Thread Richard Lussier

> > Hi, This option is not available on a site to site ssl/tls server
>
> If it's a fully routed network, my next step would be to use traceroute on both
> ends to see where it's getting hung up at.
>
> Doug


Got it Doug
On the server side, the rule on openvpn destination had to be to "any" 
instead of "lan net" !!!

Thank you

Richard




Re: [pfSense] openvpn site to site clients not communicating ??

2016-02-18 Thread Doug Lytle
>>> Hi, This option is not available on a site to site ssl/tls server

If it's a fully routed network, my next step would be to use traceroute on both 
ends to see where it's getting hung up at.

Doug



Re: [pfSense] openvpn site to site clients not communicating ??

2016-02-18 Thread Richard Lussier

Hi,
This option is not available on a site to site ssl/tls server

On 2016-02-18 13:15, Doug Lytle wrote:

> On Feb 18, 2016, at 1:01 PM, Richard Lussier richard.luss...@inter-node.com wrote:
>> each client connects well to server but won't reach other clients..
>> any ideas ?
>
> On the OpenVPN Server did you check the option:
>
> Allow communication between clients connected to this server
>
> Doug


--

Richard Lussier
*inter-node.com*
scalable digital networks
copper – wireless – fiber optic
t. 514.316.1623
c. 514.574.5111


Re: [pfSense] PFSense for high-bandwidth environments

2016-02-18 Thread Rainer Duffner

> On 18.02.2016 at 19:13, Walter Parker wrote:
> 
> There is an optimization coming for pfsense. There is a new user space
> routing daemon. netmap I think, that can reach line rate on 10G NICs (14.88
> Mpps). There was a BSDCon that talked about a future version of pfsense
> using this system. It uses ipfw, so there is a bit of work to adapt it to
> pfsense.




Also, AFAIK, Chelsio NICs are better in the 10G space.

ESF uses them in some of their appliances (see the shop).
Netflix uses them, too, in their FreeBSD cache-boxes.

They aren’t really that much more expensive than Intel NICs.

I have no experience using them myself.


Re: [pfSense] openvpn site to site clients not communicating ??

2016-02-18 Thread Doug Lytle
>>> On Feb 18, 2016, at 1:01 PM, Richard Lussier richard.luss...@inter-node.com 
>>> wrote:

>>> each client connects well to server but won't reach other clients..
>>> any ideas ?

On the OpenVPN Server did you check the option:

Allow communication between clients connected to this server

Doug


Re: [pfSense] PFSense for high-bandwidth environments

2016-02-18 Thread Walter Parker
There is an optimization coming for pfsense. There is a new user space
routing daemon. netmap I think, that can reach line rate on 10G NICs (14.88
Mpps). There was a BSDCon that talked about a future version of pfsense
using this system. It uses ipfw, so there is a bit of work to adapt it to
pfsense.


Walter

On Thu, Feb 18, 2016 at 9:26 AM, Giles Davis  wrote:

> Hello PFSense Collective,
>
> At the risk of sounding slightly 'cheap', does anyone (else) on this
> list have experience of 'good combinations' of hardware for PFSense
> appliances that will handle high-traffic levels and comments on
> reasonable max-levels of throughput to expect from it?
>
> We've been using PFSense for quite some time for large events and these
> days are pushing up to 4Gbit/sec to the internet via our PFSense boxes,
> to 2-3k clients - with expectation of bigger events in the reasonably
> near future.
>
> Using Intel E3-1270s and Intel 10G NICs (forget the exact model, but
> they use the BSD ix driver) we start seeing packet loss and a general
> maximum throughput at around 1-1.2Gbit. Our 'solution' so far of just
> adding more appliances and splitting the load really won't scale
> forever, so if anyone has any suggestions of 'better hardware' or BSD
> optimizations that would let us push more through a single appliance,
> I'd love to hear it. We've got a reasonable set of BSD networking tweaks
> and optimizations that certainly help, but we still can't manage to push
> more than our little-over-a-gigabit maximum before things start wobbling.
>
> We're not asking a huge amount of traffic inspection from our
> environment (used to do a fair bit of traffic shaping, but have managed
> to provide sufficient bandwidth to meet natural demand for a while now)
> - but historically PFSense has been a great appliance to have in the
> network for firewalling and monitoring.
>
> Thanks in advance for any suggestions and thanks to the maintainers for
> such a great firewall implementation. :)
>
> Cheers,
> Giles.
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


[pfSense] pf/ipv6/RFC1323: Problem?

2016-02-18 Thread Larry Rosenman

Can someone on the pfSense team look at:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207215

Thanks!

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 7011 W Parmer Ln, Apt 1115, Austin, TX 78729-6961


[pfSense] openvpn site to site clients not communicating ??

2016-02-18 Thread Richard Lussier

Hi,
I have a multi site setup with 1 server and 4 clients. v 2.2.6 release
The clients have to reach each other.
Clients cannot see each other.
My wans are set to 1.1.1.2 thru 1.1.1.6 in a simple switch

The server is set as described in the pfsense book 21draft :
- Local and remote networks identified
- routes added for each client with a push in advanced configuration
- firewall rules for each client on wan
- firewall rule for tunnel to lan net on openvpn

Clients specific override for each client
- common name, local and remote networks set
- iroute in advanced box

Clients set to
- list of remote networks set
- firewall rule on openvpn: any pass to lan net

each client connects well to server but won't reach other clients..
any ideas ?
Thank you

Richard


Re: [pfSense] PFSense for high-bandwidth environments

2016-02-18 Thread compdoc
> Using Intel E3-1270s and Intel 10G Nics

I can't point to a specific setup, but something to look at...

Your Xeon is a Sandy Bridge with a max transfer rate of 5 GT/s, which is
very nice but the new Skylake CPUs are 8 GT/s.

Also, there's always a possibility of equipment failure/setup problems... 





[pfSense] PFSense for high-bandwidth environments

2016-02-18 Thread Giles Davis
Hello PFSense Collective,

At the risk of sounding slightly 'cheap', does anyone (else) on this
list have experience of 'good combinations' of hardware for PFSense
appliances that will handle high-traffic levels and comments on
reasonable max-levels of throughput to expect from it?

We've been using PFSense for quite some time for large events and these
days are pushing up to 4Gbit/sec to the internet via our PFSense boxes,
to 2-3k clients - with expectation of bigger events in the reasonably
near future.

Using Intel E3-1270s and Intel 10G NICs (forget the exact model, but
they use the BSD ix driver) we start seeing packet loss and a general
maximum throughput at around 1-1.2Gbit. Our 'solution' so far of just
adding more appliances and splitting the load really won't scale
forever, so if anyone has any suggestions of 'better hardware' or BSD
optimizations that would let us push more through a single appliance,
I'd love to hear it. We've got a reasonable set of BSD networking tweaks
and optimizations that certainly help, but we still can't manage to push
more than our little-over-a-gigabit maximum before things start wobbling.

We're not asking a huge amount of traffic inspection from our
environment (used to do a fair bit of traffic shaping, but have managed
to provide sufficient bandwidth to meet natural demand for a while now)
- but historically PFSense has been a great appliance to have in the
network for firewalling and monitoring.

Thanks in advance for any suggestions and thanks to the maintainers for
such a great firewall implementation. :)

Cheers,
Giles.