Re: [pfSense] fast CF cards?
On 6 Nov 2012, at 19:24, David Burgess apt@gmail.com wrote:

> With that in mind, can anybody recommend a CF card with good write speed and good reliability?

We've used a mix of Sandisk, Transcend and Kingston cards over the years. Of those:

- nearly all the Kingston cards have failed sooner or later - some after just a few months, some after several years
- we've only had 1 Transcend card fail (out of a few dozen)
- none of the Sandisk cards have failed

It's difficult to give an accurate view regarding speed, as many of the cards in our sample have been bought over several years, and CF cards have tended to get faster in recent years (so comparing a 5 year old Sandisk with a brand new Transcend isn't really fair).

I will say that Sandisk cards are much 'truer' to their rated speed than the other two. I did some tests a few months ago (admittedly for photography rather than pfSense) and I found that the Transcend and Duracell 600x cards were less than half their rated speeds.

On the other hand, Transcend cards are usually available for less than 10 GBP, which if you're ordering lots of them, is a consideration.

Kind regards,

Chris
--
This email is made from 100% recycled electrons

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] fast CF cards?
On Nov 7, 2012, at 1:59 AM, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> On the other hand, Transcend cards are usually available for less than 10 GBP, which if you're ordering lots of them, is a consideration.

We order a lot of CF (1,000 at a time); we don't buy Transcend, or on price alone.

We've also never had a Kingston CF fail that I know of.

Jim
Re: [pfSense] fast CF cards?
On Wed, Nov 7, 2012 at 9:46 AM, Jim Thompson j...@netgate.com wrote:

> We've also never had a Kingston CF fail that I know of.

Thanks, everybody, for the feedback. I settled on a Sandisk 200x 8GB. There were some Kingstons available with much faster ratings, but after reading some reviews of them, it seems the Kingstons are often much slower than they claim. I've also read that Kingston has a reputation for buying whatever flash happens to be available, resulting in poor consistency. I'd just rather stick to something with consistently good reviews, and Sandisk appears to fit that bill.

For the record, my current CF is a Lexar Pro 2GB. Reliability has been impeccable in the current build, but not so much in a net5501. I have a Lexar Pro 4GB in the net5501 currently, and it seems to be fine after a few years. I can't comment on the speed of either of these, as I've never done any objective testing; all I can say is that anything less than an instant firmware update is too slow. ;)

db
[pfSense] Question about accessing two pfSense boxes in Fail-over mode
Hello,

I know this is a bit short on details but...

I have 4 pfSense boxes in two fail-over sets: one set is my edge firewall and the other is inside of the first, between the LAN and a DB zone. I have remote access through OpenVPN that puts me in the LAN, where I can get to the interface IPs of either set of pfSense boxes.

On the boxes between the LAN and the DB zone I can connect to either box using what would normally be either of the WAN interface IPs. The problem is that on the edge boxes I can only get to the primary; the slave is inaccessible. The only difference I can see is which zone the interface I am trying to access is in, WAN vs LAN. The access rules are the same on both sets.

Is there some reason that would prevent me from accessing both pfSense boxes while they are in fail-over mode from the LAN side as I have described? I am wondering if it is because while a master is up the slave just doesn't respond to traffic on the LAN side but does on the WAN side? Has anyone else run into a situation like this? If so, could you share your solution if you found one?

I know I could create a VPN to both of the WAN IPs of the edge FWs, but I would like to limit access to just the one CARP IP into the LAN zone.

Thanks,
JohnM
Re: [pfSense] Question about accessing two pfSense boxes in Fail-over mode
On 11/7/2012 12:33 PM, j...@millican.us wrote:

> The problem is that on the edge boxes I can only get to the primary, the slave is inaccessible.

In this case, it's likely that your slave box has a route or IPsec phase 2 defined that covers your client subnet, so the slave thinks it knows the way back to the client directly and the traffic dies because it really doesn't.

Easiest way around it is manual outbound NAT on the LAN interface to make traffic going to the secondary appear to originate from the primary's LAN IP (on LAN, source = VPN subnet, destination = secondary's IP, translated to Interface address -- NOT the CARP VIP).

If it's OpenVPN, on 2.0.2 and 2.1, binding the VPN to the CARP VIP will make the server process stop on the backup unit, so the route wouldn't be maintained in this case, so it should work fine there, so long as the VPN is bound to a CARP VIP. When the VIP transitions to master it starts the VPN processes.

Jim
Re: [pfSense] Question about accessing two pfSense boxes in Fail-over mode
On 11/7/2012 1:23 PM, Jim Pingle wrote:

> On 11/7/2012 12:33 PM, j...@millican.us wrote:
>
>> The problem is that on the edge boxes I can only get to the primary, the slave is inaccessible.
>
> In this case, it's likely that your slave box has a route or IPsec phase 2 defined that covers your client subnet, so the slave thinks it knows the way back to the client directly and the traffic dies because it really doesn't.
>
> Easiest way around it is manual outbound NAT on the LAN interface to make traffic going to the secondary appear to originate from the primary's LAN IP (on LAN, source = VPN subnet, destination = secondary's IP, translated to Interface address -- NOT the CARP VIP).
>
> If it's OpenVPN, on 2.0.2 and 2.1, binding the VPN to the CARP VIP will make the server process stop on the backup unit, so the route wouldn't be maintained in this case, so it should work fine there, so long as the VPN is bound to a CARP VIP. When the VIP transitions to master it starts the VPN processes.
>
> Jim

Jim,

Thanks for the response. I am using OpenVPN with pfSense 2.0.1-RELEASE (amd64). I have both boxes using public IPs on the WAN. I VPN into the private address space of the LAN (call it 192.168.0.0/24) via a public CARP IP, which gets my laptop an address of, say, 192.168.10.5 and an address of 192.168.0.1 at the OpenVPN end of the tunnel. OpenVPN then routes to the 192.168.0.0/24 network at both ends (added all this just for clarity of my statements).

When I open a browser to 192.168.0.1 (LAN IP of the master FW) all is good. When I try to browse to 192.168.0.2 (LAN IP of the slave FW) I get nothing.

I guess I am being a bit thick here, but I do not understand your last paragraph. When you say binding the VPN to the CARP VIP will make the server process stop on the backup unit, are you referring to the OpenVPN server process? If so, that should not affect my ability to connect to the 192.168.0.2 IP, correct? Unfortunately, though, I can not connect to that IP.

I am probably missing something simple but I am at a loss as to what. The two DB firewalls have their WAN interface in the 192.168.0.0/24 net (i.e. 192.168.0.253 and 192.168.0.254) with a CARP IP (192.168.0.252) that is used to connect from the LAN servers to the DB servers. I can get to the web configuration page on both 192.168.0.254 and 192.168.0.253 all the time. I am only having trouble connecting to the 192.168.0.2 address for the web configuration page of the backup/slave edge FW unit.

Thanks again for that last response,
JohnM
[pfSense] Bug in pfSense v2.1
Hi all,

I've found a bug in the latest development version v2.1.

If you use a CARP device, a NAT rule is generated which source-NATs any outgoing packet to the CARP IP. You can do that if the device is in master mode, but you shouldn't do this if the device is in backup mode. The rule is active in both cases. This results in a wrong return path for all outgoing packets on the backup device (which returns all to the master device).

In my opinion this shouldn't happen and is a bug.

Regards
Oli
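The return-path problem Oli reports can be audited from the command line before it bites: the node's own outbound NAT must never translate to a CARP VIP that the node does not currently hold, because the MASTER answers for that address and the BACKUP's replies are lost. The script below is an added example, not pfSense code; it assumes the FreeBSD 8 era carp(4) `ifconfig` output shape (`carp: BACKUP vhid 1 ...`) and the `nat on ... -> addr` rule shape of `/tmp/rules.debug`, and both inputs are constructed samples.

```python
import re
from typing import Dict, List

# Constructed ifconfig(8) excerpt (assumed FreeBSD 8 carp(4) layout):
# each carpN interface lists its VIP, then its state.
IFCONFIG_OUT = """\
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 203.0.113.10 netmask 0xffffffff
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.168.0.252 netmask 0xffffffff
        carp: MASTER vhid 2 advbase 1 advskew 0
"""

# Constructed outbound NAT lines in the shape of /tmp/rules.debug:
# one to a BACKUP VIP, one to a MASTER VIP, one to a real interface IP.
RULES_DEBUG = """\
nat on $WAN from 192.168.0.0/24 to any -> 203.0.113.10 port 1024:65535
nat on $LAN from 10.0.8.0/24 to any -> 192.168.0.252
nat on $LAN from 10.0.8.0/24 to 192.168.0.2 -> 192.168.0.1
"""


def carp_states(ifconfig_text: str) -> Dict[str, str]:
    """Map each CARP VIP address to its state (MASTER, BACKUP or INIT)."""
    states, current_ip = {}, None
    for line in ifconfig_text.splitlines():
        if not line.startswith((" ", "\t")):
            current_ip = None            # new interface header, reset
            continue
        m = re.match(r"\s+inet (\S+) ", line)
        if m:
            current_ip = m.group(1)
            continue
        m = re.match(r"\s+carp: (\w+) vhid", line)
        if m and current_ip:
            states[current_ip] = m.group(1)
    return states


def backup_vip_nat_rules(rules_text: str, states: Dict[str, str]) -> List[str]:
    """Return NAT rules whose translation address is a VIP in BACKUP state.

    Traffic translated to such an address gets its replies delivered to the
    MASTER, so on the BACKUP node these rules produce the broken return path.
    """
    flagged = []
    for line in rules_text.splitlines():
        m = re.match(r"nat on .* -> (\S+)", line)
        if m and states.get(m.group(1)) == "BACKUP":
            flagged.append(line)
    return flagged
```

On a live node the same two functions would be fed the output of `ifconfig` and the contents of `/tmp/rules.debug`; an empty result on the backup unit is the expected healthy state.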
[pfSense] IPv6-Bug in pfSense v2.1
Hi all,

if I use CARP devices with IPv6 I see the following notice:

[ There were error(s) loading the rules:
no IP address found for 2001:abcd:abcd:201::1...0/64
/tmp/rules.debug:153: could not parse host specification
no IP address found for 2001:abcd:abcd:200::2...0/64
/tmp/rules.debug:154: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
- The line in question reads [8]: loopback = { lo0 }]

I think this is a bug. Do you agree?

Regards
Oli