[pfSense] Running into some very basic problems: can't seem to get port forwarding working ...
Hi folks:

Have pfSense 2.0.1 stable installed on a machine we are using for testing. 2x em network ports. Have em0 configured as WAN with IP 10.100.241.121/16, and em1 configured as LAN with IP 192.168.3.1/16. I can reach the LAN port with ssh/others easily. No issues. I turned on ICMP response on the WAN, and can ping that as well. Ok.

Want to set up a simple external port forward from WAN->LAN (specific IP on LAN). Logged in through GUI, and set this up:

WAN TCP * * WAN net 22 (SSH) 192.168.1.171 22 (SSH)

This host uses a different default gateway ... 192.168.1.1/16. I can (and have) set up a virtual machine on the 192.168.3.0/16 net using the 3.1 machine as a gateway, and redirected ssh there. This works fine, as it turns out.

My question is, how (if at all) can I configure pfSense to handle the case where it isn't the primary gateway? That is, it's being used as a router for external traffic, but the primary gateway is on a different router. Do I need to add a specific route back on the client side, or is this something pfSense can automagically handle?

-- Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web : http://scalableinformatics.com http://scalableinformatics.com/sicluster
phone: +1 734 786 8423 x121
fax : +1 866 888 3112
cell : +1 734 612 4615

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Running into some very basic problems: can't seem to get port forwarding working ...
On 04/15/2012 03:57 PM, Ernst den Broeder wrote:
> The host sees the packet as coming from !192.168.0.0/16 and will route to its default gateway. If you're just playing around, you could add a route for 10.100.0.0/16 on your host to 192.168.3.1.

I did try this, but I don't think it worked.

> The way you refer to 193.168.1.1/16 and 192.168.3.1/16 makes me wonder if you understand that they are both in the same subnet. (just

Yes ... this is something specific a customer wants, with their internal gateway as a primary, and various sites routed through the pfSense firewall.

I didn't add any specific NAT rule entries beyond the basic entry I had done. I am sure I am missing something obvious (and pilot error is strongly suspected on my part).

-- Joseph Landman, Ph.D
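The asymmetric-routing problem the two messages above describe, as an added example that is not part of the thread and not pfSense code: a minimal longest-prefix-match route lookup for the internal host, run first with only the other router as default gateway and then with the host route for 10.100.0.0/16 via 192.168.3.1 that the reply suggests. The addresses are the thread's; the external client address 10.100.5.5 and the `on-link` marker are constructed for illustration.

```python
"""Added example: why the port-forwarded SSH session never completes when the
internal host's default gateway is a different router, and what a host route
changes. Not code from the list thread or from pfSense."""
from ipaddress import ip_address, ip_network


def pick_next_hop(routes, dst):
    """Return the next hop for dst by longest-prefix match.

    routes: list of (prefix, next_hop) string pairs; the 0.0.0.0/0 entry is
    the host's default gateway. "on-link" (constructed marker) means the
    destination is delivered directly on the local segment.
    """
    dst = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_path_is_symmetric(routes, ingress_router, external_client):
    """True when the host's reply to external_client leaves through the same
    router that delivered the forwarded packet (pfSense's LAN address here).
    A reply that goes out another router hits a device with no state for the
    connection, so the TCP handshake never finishes."""
    return pick_next_hop(routes, external_client) == ingress_router


def same_subnet(addr_a, addr_b):
    """True if two interface addresses written with a prefix length, such as
    '192.168.1.1/16' and '192.168.3.1/16', belong to the same network."""
    return ip_network(addr_a, strict=False) == ip_network(addr_b, strict=False)


PFSENSE_LAN = "192.168.3.1"     # pfSense em1, from the thread
PRIMARY_GW = "192.168.1.1"      # the host's real default gateway, from the thread
EXTERNAL_CLIENT = "10.100.5.5"  # constructed: a client on the WAN side

# The internal host as described: default route via the other router only.
HOST_ROUTES_BEFORE = [
    ("0.0.0.0/0", PRIMARY_GW),
    ("192.168.0.0/16", "on-link"),
]

# The fix from the reply: a host route for the WAN-side /16 via pfSense's LAN IP.
HOST_ROUTES_AFTER = HOST_ROUTES_BEFORE + [("10.100.0.0/16", PFSENSE_LAN)]

if __name__ == "__main__":
    for label, routes in (("before", HOST_ROUTES_BEFORE), ("after", HOST_ROUTES_AFTER)):
        print(label, "reply to", EXTERNAL_CLIENT, "goes via",
              pick_next_hop(routes, EXTERNAL_CLIENT),
              "symmetric:", reply_path_is_symmetric(routes, PFSENSE_LAN, EXTERNAL_CLIENT))
    print("192.168.1.1/16 and 192.168.3.1/16 share a subnet:",
          same_subnet("192.168.1.1/16", "192.168.3.1/16"))
```

Without the host route the forwarded packet arrives through pfSense but the reply is handed to 192.168.1.1, which has never seen the connection; the host route keeps both directions on pfSense. A common pfSense-side alternative, when the client cannot be touched, is an outbound NAT rule on the LAN interface so the internal host sees pfSense's LAN address as the source and answers it directly. `same_subnet` makes the reply's other point: with a /16 mask both routers sit in one network, so the host treats 192.168.3.1 as directly reachable and the host route via it is valid.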
[pfSense] Question on how to install a build environment for drivers
Hi folks

I need to compile a driver for pfSense (specifically the Solarflare 10GbE driver, but possibly others). I tried with a VM of FreeBSD 8.1 on a different machine, but I couldn't see the driver after pkg_add ... and a kldload sfxge. Is there a way to pull a full build environment, specifically for drivers, into an install of pfSense? I am running 2.0.1-STABLE.

Thanks!

Joe

-- Joseph Landman, Ph.D
[pfSense] question on NAT capabilities/methods and VPN setup
Here's what we are trying to do. I've got pfSense up and I've got 5 WAN IP addresses in the WAN subnet:

a.b.c.d
a.b.c.d+1
a.b.c.d+2
a.b.c.d+3
a.b.c.d+4

I would like to NAT by specific address, and add VPN functionality to only specific IPs. So d is our primary for most traffic, d+1 should get OpenVPN traffic, d+2 to d+4 should NAT to specific machines. A few ports on each are fine, though we could do a full on 1:1 NAT if needed.

My question is how, precisely, to go about this. That is, I have the major functions (ssh, web, mail) traversing the d address, and NATting to a specific set of machines handling those functions. That works well. How do I get the NATting working on the other IPs? IP Aliasing the WAN address and then mapping to that alias? I ask as I've tried quite a few things that seem sensible, and none of them work.

Now I want to set OpenVPN on d+1. Should I IP Alias the d+1 and give it a name? And while I am at it, is there a way to debug the OpenVPN setup? I've set OpenVPN up many a time by hand, without problems. My first attempts now ... I can't even get it to start negotiating. OpenVPN is quite finicky, but I think this is repeated pilot error on my part, and it's mostly with the user interface. Do I need to build the CA, then the server certs, then the user certs for this (this is what I've done)?

I am assuming pfSense can handle what I want here, both on the NATting and OpenVPN side. But I seem to be lost on this. I've set up many such systems (using different appliances and software stacks) in the past ... not a complete noob ... but I did get stuck here. Any hints are welcome, and I'm going to keep poring over the book.

Thanks!

-- Joseph Landman, Ph.D
Re: [pfSense] High interrupt load on LAGG with LACP
On 06/04/2012 09:38 PM, Glenn Kelley wrote:
> Chris
>
> That is good to know. I have some wireless backhauls pushing well over 100mbps. So better to know now vs later. Any suggestions on hardware for the sky in that case?

We've built some boxen for customers for pfSense with up to 8x 1GbE ports, and several with dual 10GbE ports. Building the 10GbE driver for 2.0.1 was a bear, and it doesn't load correctly on some of the units*, but these are fairly capable units, and we were pushing about 1Gb/s through a unit at a customer site. People are inclined to skimp on these designs ... it's a mistake if you have lots of traffic to move.

* a request for the next pfSense release would be a driver building environment installable package (much like the other packages) with the minimum subset of tools we need to compile drivers for pfSense. We can usually fix/port drivers for alternative versions of FreeBSD, but sometimes it's very helpful to have the exact version of the kernel headers/compilers used.

-- Joseph Landman, Ph.D
[pfSense] 2.1 timeline?
Hi folks ... any guidance on the 2.1 timeline? Is it considered stable for end user use yet? I'd prefer to deploy things actually marked as stable (we have 2.0.1 in use at customer sites, and are playing with it internally). I'd like to get 2.1 up for better driver support (and ease of building drivers).

Thanks!

Joe

-- Joseph Landman, Ph.D
[pfSense] [Filters engaged]
I just worked out setting up new filters for the recent S/N destroying, high tin-foil-hat content, on gmail. Since people pleading for this to go away hasn't worked, technological measures to restore S/N for my inbox on this list have been engaged.

Please folks, take the tin foil hat discussion elsewhere. Please?

-- Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web : http://scalableinformatics.com http://scalableinformatics.com/siflash
phone: +1 734 786 8423 x121
fax : +1 866 888 3112
cell : +1 734 612 4615
[pfSense] Multi-Wan config question(s)
Hi folks

We are replacing a black box multi-wan FW appliance with 2.1 running on one of our boxen. Our config is multi-wan (ipv4 only), and we want to do load balancing (asymmetric, by the bandwidth ratio). We'll have standard desktop and server machines running behind it, as well as SIP phones.

I'd set up non-load balanced units before with CARP and VIPs for failover. This is a single unit for the moment, though we might do the CARP with VIP for failover here as well at some point (I might just set up one side, so I can do the other side later on).

I looked at the multi-wan docs:

https://doc.pfsense.org/index.php/Multi-WAN_2.0
https://doc.pfsense.org/index.php/2.1_New_Features_and_Changes#Multi-WAN
https://doc.pfsense.org/index.php/MultiWanVersion1.2
http://www.netlife.co.za/tech-guides/46-linuxoss-and-networking/34-bsd-dual-wan-router-using-pfsense.html
http://www.netlife.co.za/tech-guides/46-linuxoss-and-networking/47-advantagesdisadvantages-of-dual-wan-routing.html

Basically my questions are on the setup side for a single box in the CARP scenario. I am assuming that the following is the right path, based upon the documentation:

1) setup a gateway group using both WANs. The documentation sometimes refers to setting up 3 gateway groups for failover and load balance. Is this still recommended?

2) when we create the WAN connections, is it necessary to provide a default gateway for a port? That is, I have 2 WANs, call them WANa and WANb. During setup WANa is the initial default WAN, and it requires a gateway to be setup. During config of WANb (one of the OPT interfaces), a gateway is not required per se, but may be configured. This question boils down to this: should I configure a WANa and WANb default gateway (that's default for the WAN connection)? It seems that both should have it, but I am not entirely sure.

3) SIP and related configuration: Do we need to do anything special with outbound NAT (maybe point to the gateway group rather than the default GW), and have the states be sticky for a particular path (so if they start going out WANb, that session remains going out WANb so as not to break things, absent a failure of WANb)?

4) are there any updated tutorials on this, or should I use the 2.0 doc from above?

Thanks in advance!

Regards

Joe

-- Joseph Landman, Ph.D
[pfSense] Multi Wan via gateway groups breaking some websites
Hi folks

I've run into an issue that has me somewhat confused. Our multiwan router is up and "working". This is 2.1 release. I've got 2 ports to two different network providers (different technologies at that). Following the directions (https://doc.pfsense.org/index.php/Multi-WAN_2.0), I

1) set up a Gateway group called MultiWANGW which has both gateways. Both were originally set as tier 1. More on this in a moment.

2) set up outbound LAN->any mapping to use the MultiWANGW in the Gateway of the LAN rule governing outbound traffic.

3) I have two distinct DNS servers set up per gateway under Systems->General. I've verified that gateway monitor reports them working.

Actually everything appears to be working ... except ... One or two sites (Ariba http://www.ariba.com and a few others) seem to have some significant problems if I leave both gateways at tier 1. Once I change it so that one (the slower backup one) is tier 2, it works. This has the impact of not doing an explicit load balance from what I have read on it.

So ... my question is, what diagnostics should I try to be able to identify the issue (some sites not working when the system is set in load balanced mode)? I did try setting the sticky mode (System->Advanced->Miscellaneous), though I am not sure this is correct for outbound load balanced multi-wan.

Overall, it's working nicely, with a few strange things like this, with one larger exception that I have a work-around for. More in next email.

-- Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615
[pfSense] 1:1 NAT not working, but the equivalent port forward everything coming into a VIP to the internal unit is ...
Hi folks:

Trying to figure this one out. Very simple concept, I want to take one virtual IP (VIP), and tie it to an internal (isolated) machine for customer/partner use. I've done this before using other firewall appliances, and it works pretty well for its use case. I just tried to do the same thing here.

External IP: a.b.c.d
Internal IP: e.f.g.h
Internal Machine: i.j.k.l

I started at Firewall->NAT->1:1 and added the rule:

External subnet IP: a.b.c.d
Internal IP: e.f.g.h
Destination: i.j.k.l

Made sure I had a VIP setup with a.b.c.d. I've got ping set up for testing, and it worked nicely. Next I tried sshing to that box

ssh -vvv user@a.b.c.d

Nothing. No negotiation, which usually means it can't reach it. So I logged into the pfsense box, and did a

tcpdump -i em5 # the private NIC going to the isolated machine

at the shell. I did not see the ssh traffic, or the pings. Ok, I tried a few other combinations (changed internal IP to destination IP, and the converse of that). Still nothing.

So I deleted that rule, and did a simple multi-port forward. All TCP/UDP showing up for any port 1-65000 on a.b.c.d is port forwarded to the destination starting at port 1. That worked. I see the traffic with tcpdump, I can ssh in, etc. But I don't like that, as it seems ... hack-ish. I would think the 1:1 would be cleaner (and use fewer states?), but I am not sure about this.

Is there any magic incantation, burnt offerings, or typing one can do to diagnose this? The tcpdump on the internal port on the pfsense box is a good indicator of whether packets are getting through. Is there somewhere else to look on the system to watch the decision processes it makes during the pf filter pipeline? Or should I simply be happy that it works, and not worry about it?

I am happy to file a bug report if it makes sense; I figured I'd ask first to see if someone thinks this is pilot error (very well could be).

Thanks!

Joe

-- Joseph Landman, Ph.D
Re: [pfSense] 1:1 NAT not working, but the equivalent port forward everything coming into a VIP to the internal unit is ...
On 12/11/2013 02:38 PM, Justin Edmands wrote:
> Monitor blocked attempts under Status --> System Logs --> Firewall ... filter for the IP you want. If you see the block, click the small grey arrow with a plus sign next to the destination IP. This will create a rule and allow you to go to Firewall --> Rules to identify the proper rule setup to pass these SSH attempts.
>
> Next, notice that these rules are in order ... top to bottom. Here is the sentence at the bottom of all firewall rule pages:
>
> Hint: Rules are evaluated on a first-match basis (i.e. the action of the first rule to match a packet will be executed). This means that if you use block rules, you'll have to pay attention to the rule order. Everything that isn't explicitly passed is blocked by default.
>
> PS: By default, all blocked attempts are logged. After creating a rule, you can also turn on logging for the rules that pass. This will allow you to see the source/destination that is using the rule.

Thanks!

-- Joseph Landman, Ph.D
Re: [pfSense] Multi Wan via gateway groups breaking some websites
On 12/12/2013 04:41 PM, Benjamin Swatek wrote:
> On 11 Dec 2013, at 15:14, Joe Landman <land...@scalableinformatics.com> wrote:
>> [...]
>> So ... my question is, what diagnostics should I try to be able to identify the issue (some sites not working when the system is set in load balanced mode)? I did try setting the sticky mode (System->Advanced->Miscellaneous), though I am not sure this is correct for outbound load balanced multi-wan.
>
> Maybe an issue with HTTPS?
> https://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x#Setting_up_for_protocols_that_don.27t_like_load_balancing
>
> Ben

Could be ... Is there a way to make specific protocols sticky with respect to the gateway beyond what I did above? I would imagine that SIP has to be (and our phones are working fine).

-- Joseph Landman, Ph.D
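The behaviour behind the broken sites in this thread and the earlier "Multi Wan via gateway groups breaking some websites" post, as an added example that is neither list code nor pfSense's implementation: a small model of gateway-group selection with tiers, weights and a sticky table. It shows why a group with both gateways in tier 1 sends successive connections from one client out different WANs (so the site sees two public source addresses for one login session), and what the sticky option and moving the backup to tier 2 each change. It simplifies pf, which keeps its sticky-address state per source in a kernel table; the WAN names, weights and client address are constructed.

```python
"""Added example: tiered, weighted gateway-group selection with an optional
sticky table. A simplified model for explanation, not pf's or pfSense's code."""


class GatewayGroup:
    def __init__(self, wans, sticky=False):
        # wans: {name: {"tier": int, "weight": int, "up": bool}} (constructed)
        self.wans = wans
        self.sticky = sticky
        self._counter = 0          # position in the weighted round-robin
        self._sticky_table = {}    # client source IP -> gateway name

    def candidates(self):
        """Gateways eligible now: up, and in the lowest tier that still has an
        up member. Higher tiers are used only on failover."""
        up = {n: g for n, g in self.wans.items() if g["up"]}
        if not up:
            return {}
        best_tier = min(g["tier"] for g in up.values())
        return {n: g for n, g in up.items() if g["tier"] == best_tier}

    def _weighted_sequence(self):
        # Each gateway appears weight times, so traffic splits by the ratio.
        cands = self.candidates()
        return [n for n in sorted(cands) for _ in range(cands[n]["weight"])]

    def pick(self, src_ip):
        """Choose the gateway for a new connection from src_ip."""
        seq = self._weighted_sequence()
        if not seq:
            return None
        if self.sticky:
            remembered = self._sticky_table.get(src_ip)
            if remembered in seq:          # still eligible, keep the client there
                return remembered
        chosen = seq[self._counter % len(seq)]
        self._counter += 1
        if self.sticky:
            self._sticky_table[src_ip] = chosen
        return chosen


def wans_used(group, src_ip, connections):
    """Set of gateways that `connections` successive new connections from one
    client leave through. A site that binds a session to the client's public
    IP breaks whenever this set has more than one member."""
    return {group.pick(src_ip) for _ in range(connections)}


def make_wans(tier_b=1):
    # Constructed: WANa is the faster link (weight 3), WANb the slower backup
    # (weight 1). tier_b=2 makes WANb failover-only, as in the post above.
    return {"WANa": {"tier": 1, "weight": 3, "up": True},
            "WANb": {"tier": tier_b, "weight": 1, "up": True}}


if __name__ == "__main__":
    client = "192.168.3.50"  # constructed LAN client
    print("both tier 1, not sticky:", wans_used(GatewayGroup(make_wans(1)), client, 8))
    print("both tier 1, sticky:    ", wans_used(GatewayGroup(make_wans(1), sticky=True), client, 8))
    print("WANb in tier 2:         ", wans_used(GatewayGroup(make_wans(2)), client, 8))
    failed = GatewayGroup(make_wans(2))
    failed.wans["WANa"]["up"] = False
    print("WANa down, WANb tier 2: ", failed.pick(client))
```

The sticky option the poster enabled keeps one client on one WAN, so it helps sites that key sessions to the client address, at the cost of uneven balancing; demoting the backup to tier 2 removes balancing altogether and leaves WANb as pure failover. The page linked in the reply describes the third approach: a separate firewall rule that sends only the protocols that dislike balancing (HTTPS is the usual case) to a failover-only gateway group, while everything else stays on the balanced group.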
[pfSense] is it possible to rename gateways in 2.1 release AMD64?
Hi folks:

I am trying to match a spec we've been given as precisely as possible. I can't rename the gateways from the web interface. Is it possible to rename them from hand editing the config.xml file? Or some other method?

Thanks!

Joe

-- Joseph Landman, Ph.D
Re: [pfSense] is it possible to rename gateways in 2.1 release AMD64?
On 01/07/2014 03:09 PM, Walter Parker wrote:
> Once you create a gateway, you can not rename it from the GUI. I had to delete and re-create my gateway in order to rename it.

Got it. Thanks!

-- Joseph Landman, Ph.D
Re: [pfSense] is it possible to rename gateways in 2.1 release AMD64?
On 01/07/2014 03:02 PM, Matthias May wrote:
> On 07.01.2014 20:52, Joe Landman wrote:
>> Hi folks:
>>
>> I am trying to match a spec we've been given as precisely as possible. I can't rename the gateways from the web interface. Is it possible to rename them from hand editing the config.xml file? Or some other method?
>>
>> Thanks!
>>
>> Joe
>
> Not sure I follow. What is not working with: Click on the "System --> Routing --> Gateways" on the "e" button next to the gateway you want to change the name of. Set the name you want in the "Name" field.

It doesn't allow you to change names of gateways once they are set. I am not sure precisely why, but it simply does not work.

> Regards
> Matthias May

-- Joseph Landman, Ph.D
Re: [pfSense] Unbound
On 02/15/2014 01:33 PM, Brian Caouette wrote:
> CACHING dnsmasq caches quite nicely.
>
> On 2/15/2014 1:29 PM, Chris Bagnall wrote:
>> On 15/2/14 6:22 pm, Brian Caouette wrote:
>>> I've been trying to use unbound with poor results. Currently it resolves very very slowly. About 4 times longer than the default dns forwarder. Once the site is found and loaded however browsing the site is incredibly fast. Curious what might be the cause of the slow down on initial lookup and how I might correct it?
>>
>> OOI, what does Unbound offer you that the default DNS forwarder doesn't?
>>
>> Kind regards,
>>
>> Chris

-- Joseph Landman, Ph.D
[pfSense] problems running pfSense 2.1.5 running in a kvm session
Hi folks:

We are working on running pfSense in a VM on a machine for a trade show. The installation went fine, then I rebooted. The attached image shows where it died.

Any thoughts on this? Is this known not to work? I am using two bridges on a linux host, one each for internal/external network. Using the virtio network device. I'll try others, but would welcome any thoughts on this.

VM config is:

2x virtual cores
4GB ram
8GB disk
2 nets, one WAN, one LAN, both virtio based

Used the pfSense LiveCD 2.1.5 to install.

Thanks!

-- Joseph Landman, Ph.D
Re: [pfSense] serial port sadness
On 2/27/15 2:55 PM, Sean wrote:
> You also need a real NULL modem cable. Actually there's probably nothing wrong with your USB to Serial. The blue Cisco cables are rollover cables. They are not NULL modem cables.
>
> Welcome to serial cable pinout hell. ;-) Some of us have been here a long time. I'm no expert but I've got 3 different serial cables and converters in my toolbag having learned the hard way the variety of devices and requirements.

+1

Not that I recommend this specific thing, but you could get the http://www.amazon.com/StarTech-com-10-Feet-RS232-Serial-SCNM9FF/dp/B6B8BJ or similar cable. We've got a box full of them in the lab.

But really, we do most of our stuff as SOL on IPMI. I don't know if the Alix units have that capability, though it's highly recommended for remote lights out operations.

-- Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
e: land...@scalableinformatics.com
w: http://scalableinformatics.com
t: @scalableinfo
p: +1 734 786 8423 x121
c: +1 734 612 4615

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] testing email
On 04/08/2015 03:09 PM, Jeppe Øland wrote:
> Same here ... hard to believe Gmail is bouncing...

They've been black holing some of my email (to and from) on this and my personal account. Not going to SPAM either. I also got the re-enable bit.

> On Wed, Apr 8, 2015 at 11:58 AM, Mike Montgomery wrote:
>> I got the same re-enable email to my gmail account.
>>
>> On Wed, Apr 8, 2015 at 2:48 PM, WebDawg wrote:
>>> Same here,
>>>
>>>> Viruses being detected by my ASSP spam filter coming in from the list and denying delivery. Had to re-enable my account this AM.
>>>>
>>>> Doug
>>>> --
>>>> Ben Franklin quote: "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
>>>
>>> I am on gmail and I received an email to follow to re enable my account.

-- Joseph Landman, Ph.D
Re: [pfSense] Hardware and usage opinion
On 08/09/2016 09:53 PM, Joseph L. Casale wrote:
> I have a site that has grown significantly over time and the role pfsense plays went from only providing internet and vpn connectivity to routing between 2 dozen vlans at gig speeds. We are considering replacing the hardware and aren't sure if the site is at the point where dedicated equipment is in order or possibly a pair of pfsense units in a cluster. Truth is, managed switches that route with acls are significantly more money than what a pfsense box can do.
>
> How many of you guys have implementations which route lan traffic at these speeds and high volumes? Anyone doing this with lags and a cluster?

A few years ago, we built a number of such units for customers, and for our own use. 4x 10GbE NIC ports on 2 NICs, 4x 1GbE NIC ports on 2 NICs. LAGed (actually multiple LAGs, typically ~4 per unit). Units handled multiple gigabit inbound speeds without issue for a long time (customer's site). We've built a number of others for other customers. They usually come in much less expensive and often significantly more performant than the managed network/routers/firewalls from other places.

> Thanks,
> jlc

-- Joseph Landman, Ph.D
Re: [pfSense] Configs or hardware?
On 02/15/2018 09:14 AM, Michael Munger wrote:
> TL; DR. On 1Gbps downloads, our pfSense firewalls are performing poorly with speed tests of ~400Mbps. It's either pfSense configs (not likely) or the hardware (more likely). I do not want to buy a commercial box. For our corporate network, we use HP DL360s, so zero problem there. I need something that is the size of a router, but can do 1Gbps with pfSense. Who's got working configs / hardware combos that do 1Gbps easily?

My home pfSense system is a 16GB ram, 4 core Intel E3-1220 with a quad port i350-t4 card. I moved over to it yesterday from the VM I had been using. Performance difference is striking. Best effort out of the VM was about 44Mb/s for download on a 1Gb line. Raw port was about 660 Mb/s. "New" (old from Ebay) unit is about 800 Mb/s +/- some.

As you get to higher bit rates, you need a) sufficient processor power, b) sufficiently powerful NIC hardware to offload the CPU for things the CPU doesn't do as well as the NIC. I expect to keep this combo going until we get multi Gigabit service in our area.

> Background. I've been using Alix boards (APU1D4 as of late). The problem is: these boards seem to top out at 400Mbps download. I have several clients who have gigabit fiber connections, and they have been complaining to the ISP that their service is slow. When they connect to the modem directly, they get 1G download. When they go through the pfSense firewall we put together using these Alix boards from PC engines, it drops to ~400Mbps.
>
> There are several competing "router boards" (Microtik and the like), but I have zero experience with them, I don't know if they will run pfSense or if they will do the speed. The Alix + pfSense combo has been GREAT for many years. If I change to something else, I don't want to go through growing pains since I figure this is a solved problem, and someone on this list knows / has a recommendation.

This unit is a cheap version of the small 1U boxen I used at my previous $dayjob for compute cluster/file system clients. They were testing boxes, not too powerful for the high end of compute/networking (40Gb Infiniband), but able to drive load. Lower spec boxes can't generally hack high data rates for any number of reasons.

-- Joe Landman
t: @hpcjoe
g: https://github.com/joelandman