Re: [pfSense Support] multi-wan / ha
It supports multi-wan traffic shaping in version 1.3

On Thu, Sep 18, 2008 at 12:31 AM, JJB [EMAIL PROTECTED] wrote:
> On Sep 17, 2008, at 6:11 PM, cassio lima wrote:
>> you using version 1.3?
>>
>> On Wed, Sep 17, 2008 at 7:41 PM, JJB [EMAIL PROTECTED] wrote:
>>> Any issues to look out for when configuring dual redundant pf firewalls load balancing to multiple wan connections? In our case a 3mb line and a 3mb dsl line. We have LAN, WAN and DMZ interfaces on the pf firewall. We were attempting to use QOS until someone on the list hipped us that QOS doesn't work with more than two interfaces. Just wondering if anything is waiting to bite us when we go live with the config.
>>>
>>> - Joel
>>>
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>
> Hi Cassio, we are using 1.2
>
> - Joel

Re: [pfSense Support] multi-wan / ha
JJB wrote:
> Any issues to look out for when configuring dual redundant pf firewalls load balancing to multiple wan connections? In our case a 3mb line and a 3mb dsl line. We have LAN, WAN and DMZ interfaces on the pf firewall. We were attempting to use QOS until someone on the list hipped us that QOS doesn't work with more than two interfaces. Just wondering if anything is waiting to bite us when we go live with the config.
>
> - Joel

Joel,

Excepting that the traffic shaper doesn't work with a multi-wan configuration in the 1.2 series, you should have no difficulty with the rest of your setup. CARP clustering works fine with multi-WAN. I would encourage you to set up your primary firewall first, configure your multi-WAN and load balanced setup before bringing in the secondary CARP member.

-Gary

Re: [pfSense Support] VPN to two interfaces
On Wed, 17 Sep 2008, Jeppe Øland wrote:
> Oh and I forgot to say that you have to enable:
> Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

This was what I needed. Thanks!

--
Joe Laffey
LAFFEY Computer Imaging
St. Louis, MO USA
Visual Effects for Film and Video
Show Reel http://LAFFEY.tv/?e11793
Digital Fusion Plugins

Re: [pfSense Support] DHCP server problem
Upgrade to version 1.2.1

On Thu, Sep 18, 2008 at 12:02 AM, Ugo Bellavance [EMAIL PROTECTED] wrote:
> Hi,
>
> The DHCP server on my pfsense seems to be working intermittently, especially over WLAN. In the logs, I can see the DHCPDISCOVER, the DHCPOFFER, but no REQUEST nor ACK. The wireless antenna is working with other access points. With a static IP address, the wireless network works flawlessly. Nothing in the firewall logs.
>
> 1.2-RELEASE, embedded version, on a WRAP.
> Memory Usage 57%, disk usage 62% cpu ~15% States 100/1 MBUF 187/525.
>
> Any ideas? Restarting services or the unit doesn't really help. Re-flash and restore config? Upgrade?
>
> Please let me know if you need more info.
>
> Regards,
> Ugo

[pfSense Support] Re: Multiple gateways on the same network interface
Chris Buechler wrote:
> On Wed, Sep 17, 2008 at 5:43 PM, Matias Surdi [EMAIL PROTECTED] wrote:
>> If I've more than one IP address on each of my internet connections (now each one on its own interface), will I be able to do Port Forwardings for all the IPs?
>
> yes

Finally, we've managed to do what we were trying to do (multiple DSL routers on the same physical interface) by using VLANs on the WAN side (connecting the pfSense to a trunk switch interface and every DSL router to its own VLAN did the job).

Thank you all.

[pfSense Support] OpenVPN Tunnel Quality with VoIP Applications
I've noticed that using OpenVPN for Voice over IP connectivity severely impacts performance. I have a box sitting on my LAN that I can connect directly to, or through a pfSense box via OpenVPN. When connecting direct, call quality is perfect and asterisk reports perfect connectivity via 'sip show peers' as follows:

    Name/username    Host            Dyn Nat ACL Port     Status
    105/105          xxx.xx.xx.71     D   N      54238    OK (3 ms)

However, when I connect via the OpenVPN tunnel, I'm getting horrible call quality (choppiness, garbling, etc). Running the same command I see this:

    Name/username    Host            Dyn Nat ACL Port     Status
    105/105          172.30.30.6      D   N      54238    OK (123 ms)

OpenVPN added 120ms of latency and quite a bit of jitter as well. Connectivity through the pfSense box without using OpenVPN shows no interference so I'm comfortable saying it isn't a bad NIC, cable, etc...

I've tried both UDP and TCP tunnels with the same result. The setup is nothing special, just plain old SIP to an Asterisk box using G.711u codec. Any ideas on what I can do to decrease the effect OpenVPN is having on the traffic? All suggestions welcome and appreciated!

---
Tim Nelson
RockBochs Inc.

Re: [pfSense Support] DHCP server problem
Ugo Bellavance wrote:
> The DHCP server on my pfsense seems to be working intermittently, especially over WLAN. In the logs, I can see the DHCPDISCOVER, the DHCPOFFER, but no REQUEST nor ACK. The wireless antenna is working with

Do you mean that if you run tcpdump on the pfsense box you see the dhcp request and response, or are you talking about the client?

Re: [pfSense Support] multi-wan / ha
cassio lima wrote:
> It supports multi-wan traffic shaping in version 1.3
>
> On Thu, Sep 18, 2008 at 12:31 AM, JJB [EMAIL PROTECTED] wrote:
>> On Sep 17, 2008, at 6:11 PM, cassio lima wrote:
>>> you using version 1.3?
>>>
>>> On Wed, Sep 17, 2008 at 7:41 PM, JJB [EMAIL PROTECTED] wrote:
>>>> Any issues to look out for when configuring dual redundant pf firewalls load balancing to multiple wan connections? In our case a 3mb line and a 3mb dsl line. We have LAN, WAN and DMZ interfaces on the pf firewall. We were attempting to use QOS until someone on the list hipped us that QOS doesn't work with more than two interfaces. Just wondering if anything is waiting to bite us when we go live with the config.
>>>>
>>>> - Joel
>>
>> Hi Cassio, we are using 1.2
>>
>> - Joel

1.3 isn't expected to be released till 2009 as I understand it - this is production environment.

- Joel

Re: [pfSense Support] OpenVPN Tunnel Quality with VoIP Applications
> I've tried both UDP and TCP tunnels with the same result. The setup is nothing special, just plain old SIP to an Asterisk box using G.711u codec. Any ideas on what I can do to decrease the effect OpenVPN is having on the traffic? All suggestions welcome and appreciated!

Is the CPU capable of keeping up with the OpenVPN encrypting? Perhaps you need more CPU or RAM for your firewall(s).

Another thing to try is a better codec. I personally use G.729 on all non-local SIP clients. It works extremely well on slow long-haul links, and the G.729 codec license for Asterisk is pretty cheap from Digium.

Re: [pfSense Support] OpenVPN Tunnel Quality with VoIP Applications
CPU usage during calls never reaches higher than 2% and our memory usage is quite low as well:

    CPU states: 1.9% user, 0.0% nice, 0.0% system, 0.0% interrupt, 98.1% idle
    Mem: 43M Active, 10M Inact, 24M Wired, 13M Buf, 400M Free

Depending on bandwidth requirements, we may eventually use G.729 but we're currently testing in our lab on a completely unloaded 100mbit network.

---
Tim Nelson
RockBochs Inc.

Vivek Khera wrote:
>> I've tried both UDP and TCP tunnels with the same result. The setup is nothing special, just plain old SIP to an Asterisk box using G.711u codec. Any ideas on what I can do to decrease the effect OpenVPN is having on the traffic? All suggestions welcome and appreciated!
>
> Is the CPU capable of keeping up with the OpenVPN encrypting? Perhaps you need more CPU or RAM for your firewall(s).
>
> Another thing to try is a better codec. I personally use G.729 on all non-local SIP clients. It works extremely well on slow long-haul links, and the G.729 codec license for Asterisk is pretty cheap from Digium.

Re: [pfSense Support] OpenVPN Tunnel Quality with VoIP Applications
> Depending on bandwidth requirements, we may eventually use G.729 but we're currently testing in our lab on a completely unloaded 100mbit network.

G.729 also handles higher latency well. But still, your latency is under 150, which shouldn't affect G.711u so much.

Re: [pfSense Support] OpenVPN Tunnel Quality with VoIP Applications
Ping times are normal at anywhere between 1ms to 2ms. Using DD, I created a 1GB file to download via HTTP through the tunnel. It started at about 2.2mbit and slowly ramped up. The peak speed was around 3.4mbit. I kept an eye on the CPU and memory usage during the transfer. OpenVPN definitely used more CPU time but still didn't max out the box:

      PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
    10815 root        1 111    0  2424K  2136K RUN      0:58 47.01% openvpn

Memory usage stayed about the same. Even during the transfer, my constant ping was within sub 6ms times.

One of the nics is an intel pro/100 desktop adapter in a PCI slot, the other is an onboard VIA Rhine adapter. I know the Rhine adapters aren't exactly good :-/ so I may try another NIC instead. It would not explain why SIP traffic is funky while everything else is fine, but at least it's something to try.

---
Tim Nelson
RockBochs Inc.

David Rees [EMAIL PROTECTED] wrote:
> On Thu, Sep 18, 2008 at 12:25 PM, Vivek Khera [EMAIL PROTECTED] wrote:
>>> Depending on bandwidth requirements, we may eventually use G.729 but we're currently testing in our lab on a completely unloaded 100mbit network.
>>
>> G.729 also handles higher latency well. But still, your latency is under 150, which shouldn't affect G.711u so much.
>
> I think the point is that there should only be a couple ms of latency introduced by using an openvpn connection.
>
> Tim, how are ping times across the tunnel? How fast can you copy files across it? I'm using some openvpn tunnels and haven't had any weird latency issues with them.
>
> -Dave

[pfSense Support] Re: DHCP server problem
Paul Mansfield wrote:
> Ugo Bellavance wrote:
>> The DHCP server on my pfsense seems to be working intermittently, especially over WLAN. In the logs, I can see the DHCPDISCOVER, the DHCPOFFER, but no REQUEST nor ACK. The wireless antenna is working with
>
> do you mean that if you run tcpdump on the pfsense box you see the dhcp request and response, or are you talking about the client?

I see them in the pfsense logs, so I guess it would be seen in a tcpdump session as well.

Ugo

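Added example, not part of the thread: one way to check the symptom described above (DHCPDISCOVER and DHCPOFFER logged, but no DHCPREQUEST or DHCPACK) per client and per interface. It assumes ISC dhcpd style syslog lines; the sample log, MAC addresses, interface names and the function name `stalled_clients` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
Sep 18 00:01:10 dhcpd: DHCPDISCOVER from 00:0d:b9:aa:bb:01 via ath0
Sep 18 00:01:11 dhcpd: DHCPOFFER on 192.168.2.50 to 00:0d:b9:aa:bb:01 via ath0
Sep 18 00:01:14 dhcpd: DHCPDISCOVER from 00:0d:b9:aa:bb:01 via ath0
Sep 18 00:01:15 dhcpd: DHCPOFFER on 192.168.2.50 to 00:0d:b9:aa:bb:01 via ath0
Sep 18 00:02:00 dhcpd: DHCPDISCOVER from 00:0d:b9:aa:bb:02 (laptop) via sis0
Sep 18 00:02:01 dhcpd: DHCPOFFER on 192.168.1.51 to 00:0d:b9:aa:bb:02 (laptop) via sis0
Sep 18 00:02:01 dhcpd: DHCPREQUEST for 192.168.1.51 from 00:0d:b9:aa:bb:02 (laptop) via sis0
Sep 18 00:02:01 dhcpd: DHCPACK on 192.168.1.51 to 00:0d:b9:aa:bb:02 (laptop) via sis0
Sep 18 00:03:00 dhcpd: DHCPDISCOVER from 00:0d:b9:aa:bb:03 via ath0
Sep 18 00:03:01 dhcpd: DHCPOFFER on 192.168.2.52 to 00:0d:b9:aa:bb:03 via ath0
Sep 18 00:03:05 dhcpd: DHCPDISCOVER from 00:0d:b9:aa:bb:03 via ath0
Sep 18 00:03:06 dhcpd: DHCPOFFER on 192.168.2.52 to 00:0d:b9:aa:bb:03 via ath0
Sep 18 00:03:06 dhcpd: DHCPREQUEST for 192.168.2.52 from 00:0d:b9:aa:bb:03 via ath0
Sep 18 00:03:06 dhcpd: DHCPACK on 192.168.2.52 to 00:0d:b9:aa:bb:03 via ath0
"""

# Message type, client MAC and receiving interface from one dhcpd log line.
LINE_RE = re.compile(
    r"(DHCP(?:DISCOVER|OFFER|REQUEST|ACK))\b.*?"
    r"((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}).*?\bvia (\S+)"
)

def stalled_clients(log_text):
    """Return {mac: stats} for clients with at least one OFFER that was
    never followed by a REQUEST (the handshake stopped after the offer)."""
    waiting = {}  # mac -> True while the latest OFFER has no REQUEST yet
    stats = defaultdict(lambda: {"iface": None, "unanswered_offers": 0, "acks": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg, mac, iface = m.group(1), m.group(2).lower(), m.group(3)
        stats[mac]["iface"] = iface
        if msg == "DHCPOFFER":
            if waiting.get(mac):              # previous offer went unanswered
                stats[mac]["unanswered_offers"] += 1
            waiting[mac] = True
        elif msg == "DHCPREQUEST":
            waiting[mac] = False
        elif msg == "DHCPACK":
            stats[mac]["acks"] += 1
    for mac, still_waiting in waiting.items():  # offers pending at end of log
        if still_waiting:
            stats[mac]["unanswered_offers"] += 1
    return {mac: dict(s) for mac, s in stats.items() if s["unanswered_offers"]}
```

A client with unanswered offers and zero ACKs never completed a lease; one with both shows the intermittent pattern, and grouping by `iface` shows whether only the wireless side is affected.
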
Re: [pfSense Support] OpenVPN Tunnel Quality with VoIP Applications
Hi Tim Nelson,

The quality depends on the networking speed|latency. With the G.723 codec even a rather slowish VPN connection is very usable.

On Thu, Sep 18, 2008 at 6:31 PM, Tim Nelson [EMAIL PROTECTED] wrote:
> Ping times are normal at anywhere between 1ms to 2ms. Using DD, I created a 1GB file to download via HTTP through the tunnel. It started at about 2.2mbit and slowly ramped up. The peak speed was around 3.4mbit. I kept an eye on the CPU and memory usage during the transfer. OpenVPN definitely used more CPU time but still didn't max out the box:
>
>       PID USERNAME  THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
>     10815 root        1 111    0  2424K  2136K RUN      0:58 47.01% openvpn
>
> Memory usage stayed about the same. Even during the transfer, my constant ping was within sub 6ms times.
>
> One of the nics is an intel pro/100 desktop adapter in a PCI slot, the other is an onboard VIA Rhine adapter. I know the Rhine adapters aren't exactly good :-/ so I may try another NIC instead. It would not explain why SIP traffic is funky while everything else is fine, but at least it's something to try.
>
> ---
> Tim Nelson
> RockBochs Inc.
>
> David Rees [EMAIL PROTECTED] wrote:
>> On Thu, Sep 18, 2008 at 12:25 PM, Vivek Khera [EMAIL PROTECTED] wrote:
>>>> Depending on bandwidth requirements, we may eventually use G.729 but we're currently testing in our lab on a completely unloaded 100mbit network.
>>>
>>> G.729 also handles higher latency well. But still, your latency is under 150, which shouldn't affect G.711u so much.
>>
>> I think the point is that there should only be a couple ms of latency introduced by using an openvpn connection.
>>
>> Tim, how are ping times across the tunnel? How fast can you copy files across it? I'm using some openvpn tunnels and haven't had any weird latency issues with them.
>>
>> -Dave

[pfSense Support] ftpsesame short capture
Hi,

I am all of a sudden seeing a bunch of these in my log:

    ftpsesame[2376]: drop: short capture

Any thoughts? Google didn't reveal much.

Thanks,

--
Joe Laffey
LAFFEY Computer Imaging
St. Louis, MO USA
Visual Effects for Film and Video
Show Reel http://LAFFEY.tv/?e11809
Digital Fusion Plugins

[pfSense Support] CARP not working...
Hello,

We just brought up a secondary pfsense firewall, fw02. We are getting the following error on fw01:

    [sync_settings]An error code was received while attempting XMLRPC sync with username admin http://172.16.4.6:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload

On fw02, under carp status, there is an enable carp button and a list of pfsync nodes:

    pfSync nodes: 06b3eef1 13e0f43c 23a1cb65 2ef64c64 42f4845f 548d51bf 705c6a63 7910ead2 b3ade648 f2e22130

Clicking the enable carp button seems to have no effect on fw02. Any suggestions for troubleshooting this?

Thanks,
Joel

Re: [pfSense Support] CARP not working...
- Ensure that the admin passwords are the same on both firewalls.
- If you have a dedicated set of NICs for sync traffic, ensure that you permit this type of traffic.
- Create 2 CARP addresses (LAN and WAN)
- Enable manual outbound NAT and specify the CARP address as your default outbound for your inbound LAN (not 100% required)

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Thu, Sep 18, 2008 at 9:23 PM, JJB [EMAIL PROTECTED] wrote:
> Hello,
>
> we just brought up a secondary pfsense firewall, fw02. We are getting the following error on fw01:
>
>     [sync_settings]An error code was received while attempting XMLRPC sync with username admin http://172.16.4.6:80 - Code 2: Invalid return payload: enable debugging to examine incoming payload
>
> on fw02 under carp status there is an enable carp button and a list of pfsync nodes:
>
>     pfSync nodes: 06b3eef1 13e0f43c 23a1cb65 2ef64c64 42f4845f 548d51bf 705c6a63 7910ead2 b3ade648 f2e22130
>
> clicking the enable carp button seems to have no effect on fw02. Any suggestions for troubleshooting this?
>
> Thanks,
> Joel