[pfSense Support] Re: FW: [pfSense-discussion] fully redundant dual-WAN setup
From: Eugen Leitl [mailto:eu...@leitl.org]
Sent: Friday, August 07, 2009 5:41 AM

> Is any of you running pfSense in a fully redundant hosting setting? Care to share your setup?
>
> I'm currently running two pfSense systems (2 NICs each) in a transparent bridge mode, as a poor man's failover. I currently have 3 VLAN-capable switches, I presume 2 would be enough, if properly partitioned.
>
> Sometime next year I'd like to have a second 100 MBit/s Ethernet uplink added to the rack, for enhanced bandwidth and redundancy. It looks like I no longer can do it with the transparent bridge setup, at least not utilizing the doubled bandwidth.
>
> Can any of you point me to a network diagram illustrating such a setup, with two pfSense instances (how many NICs?) and two or three switches? I presume it needs carp+pfsync in order for it to work.
>
> So far it looks like each pfSense instance would need some 5 NICs, there would be 2 switches each segmented into 2 port-based VLANs (or tagged VLANs, in case of virtual NICs) and each server behind the setup would need 2 NICs. I am very sure the result is probably nonfunctional, due to network loops, and certainly suboptimal.
>
> What do you do to prototype and debug your setup? Use VMware ESX server (does ESXi work, too?). How do you test that the setup works?
>
> Thanks.
>
> --
> Eugen* Leitl <a href="http://leitl.org">leitl</a>

We use these redundant setups (carp+pfsync+loadbalancer-in-failover-mode) extensively. Every pfSense in cluster has 5 NICs (LAN, VLAN, SYNC, WAN, WAN1). On LAN we have our server environment, most protected stuff. VLANs - clients. Use of other NICs is obvious.

Theoretically you could use only one switch but it does not make much sense in terms of reliability/redundancy. We use separate switches for every NIC (except SYNC which is just CAT5E cable). So, all active pfSense-boxes LAN interfaces go to one switch, passive - to another one.

Never played with firewalls within a virtual environment and I personally believe a firewall should be a stand-alone box.

Eugene.

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
[pfSense Support] BCP for allowing inbound traceroute
Is there an Easy Button for allowing inbound traceroute (traceroute sourced from the WAN) in pfSense other than creating two rules on the WAN side that permit inbound ICMP as well as inbound UDP source port range 33434 to 33534 to destination port range 33434 to 33534?
[pfSense Support] Kernelbug on Triple Core Processor
Hello!

About myself: I have no great knowledge about FreeBSD. I use mostly the WebGUI of pfSense, but I have some years experience on Debian GNU/Linux, including building a custom kernel.

My Problem: I have bought a new machine with an AMD Phenom II X3 Processor that has 3 Cores. I want to use pfSense on it and until now I tried version 1.2.3-RC1. When booting the default system the kernel hangs after 'SMP: AP CPU#2 Launched!'

I have already found the exact reason, it's a bug with sched_ule + SMP, take a look at: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120138

My questions now are:

Is there a version of pfSense (at least in RC-Stage) that already includes the patch for this bug?

If not, I have to compile a patched custom kernel: What do I have to do to just recompile the kernel and its modules (not the whole world)? As far as I understand I need the exact kernel-version and the configuration-file that is used for pfSense 1.2.3-RC1. Where do I find these things? Is the developer-installation the complete environment I need to build a kernel?

If I know these things I hope that I am able to build a kernel with the documentation at http://www.freebsd.org/docs.html.

I hope that you can help me :)

Thanks in advance and best regards,
Walter Kugler

--
Walter Kugler
e9126...@student.tuwien.ac.at
Re: [pfSense Support] Kernelbug on Triple Core Processor
On Sat, Aug 8, 2009 at 2:56 PM, Walter Kugler <e9126...@student.tuwien.ac.at> wrote:

> Hello!
>
> About myself: I have no great knowledge about FreeBSD. I use mostly the WebGUI of pfSense, but I have some years experience on Debian GNU/Linux, including building a custom kernel.
>
> My Problem: I have bought a new machine with an AMD Phenom II X3 Processor that has 3 Cores. I want to use pfSense on it and until now I tried version 1.2.3-RC1. When booting the default system the kernel hangs after 'SMP: AP CPU#2 Launched!'
>
> I have already found the exact reason, it's a bug with sched_ule + SMP, take a look at: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/120138
>
> My questions now are:
>
> Is there a version of pfSense (at least in RC-Stage) that already includes the patch for this bug?
>
> If not, I have to compile a patched custom kernel: What do I have to do to just recompile the kernel and its modules (not the whole world)? As far as I understand I need the exact kernel-version and the configuration-file that is used for pfSense 1.2.3-RC1. Where do I find these things? Is the developer-installation the complete environment I need to build a kernel?
>
> If I know these things I hope that I am able to build a kernel with the documentation at http://www.freebsd.org/docs.html.
>
> I hope that you can help me :)

Try a 1.2.3-RC2 snapshot.

http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/livecd_installer/pfSense-1.2.3-20090807-2005.iso.gz

Scott
Re: [pfSense Support] BCP for allowing inbound traceroute
On Sat, Aug 8, 2009 at 2:26 PM, Jason Lixfeld <jason-lists.pfse...@lixfeld.ca> wrote:

> Is there an Easy Button for allowing inbound traceroute (traceroute sourced from the WAN) in pfSense other than creating two rules on the WAN side that permit inbound ICMP as well as inbound UDP source port range 33434 to 33534 to destination port range 33434 to 33534?

No easy button, that's the easiest way to accomplish that.