Re: [pfSense Support] imspector
On Tue, Aug 9, 2011 at 7:19 AM, Cleber L. Medina clebermed...@gmail.com wrote:
> I configured the imspector on RC3, but it doesn't make any report... is there some bug?

Which imspector package did you use? Also, what protocol isn't logging?

Thanks
--Bill
Re: [pfSense Support] Load-balancing on LAN network
On Tue, May 10, 2011 at 7:15 AM, Shibashish shi...@gmail.com wrote:
> Hi All,
> I have a clustered service which needs to be load-balanced on the LAN network. The following setup doesn't work for me.
>
>                         --- lan ip 1
> load balanced lan vip   --- lan ip 2
>                         --- lan ip 3
>
> Thanks in advance.
> ShiB.
> while ( ! ( succeed = try() ) );

Traffic has to traverse two NICs. LAN IP1-3 will need to be in another network for this to work.

--Bill

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Comcast IPv6 Users
On Fri, May 6, 2011 at 10:06 AM, Oliver Hansen oliver.han...@gmail.com wrote:
> I signed up for the IPv6 trial and was accepted. I then signed into the Comcast trial website but am really at a loss whether it is available to me or not. I'm willing to help test things if I can be of any help.

The last I heard, unless you are in Colorado and have a DOCSIS 3 modem, it's unlikely it's enabled for you yet (other than via 6to4 tunnels, which we can already test and which Comcast is terminating in July).

--Bill
Re: [pfSense Support] Comcast IPv6 Users
On Fri, May 6, 2011 at 1:19 PM, Oliver Hansen oliver.han...@gmail.com wrote:
> It sounds doubtful that I do have an IPv6 enabled connection but I do have a DOCSIS 3 modem and have synced with the 2.0RC1 IPv6 branch at home. I won't have time to check it out this weekend but at least I can attempt it sometime next week. I don't have much experience with IPv6 but I'll check it out and see what happens.

Oliver, FWIW, here's the latest list of locations that have native dual stack IPv6 enabled.
https://trial.comcast.net/index.php?cmd=ForumViewThreadmessage_id=13509

Pleasanton, CA
Littleton, CO
Englewood, CO
Norristown, PA
Miramar, FL
Mt. Laurel, NJ
Folsom, CA
Ypsilanti, MI

I'm not seeing anything for business users unfortunately. So not holding my breath that I'll be able to test any time soon.

--Bill
Re: [pfSense Support] 1:1 multi-homed NAT broken?
On Tue, Jul 13, 2010 at 1:19 PM, Adam Thompson athom...@c3a.ca wrote:
>> -----Original Message-----
>> From: Bill Marquette [mailto:bill.marque...@gmail.com]
>> Sent: Monday, July 12, 2010 8:30 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] 1:1 multi-homed NAT broken?
>>
>> This sounds like a missing reply-to, but I'm not entirely sure why. The inbound SMTP rule should be overriding the routing and sending the traffic out the right path. Take a look at /tmp/rules.debug and see if the inbound SMTP rule has a reply-to on it.
>
> Looks right to me:
>
> binat on em1 from 192.168.232.201/32 to any -> 67.226.137.178/32
> pass in quick on $wan proto tcp from any to SBS port = 25 keep state queue (qwandef, qwanacks) label "USER_RULE: NAT forward inbound mail"
> pass in quick on $OPT1 reply-to (em0 192.139.69.161) proto tcp from any to SBS port = 25 keep state label "USER_RULE: NAT forward public web sites"
>
> Yes, the comment about web sites is misleading - actually it's flat-out wrong, I probably cloned the rule from the HTTP rule and forgot to edit the comment.
>
> I'm not sure that the binat combined with reply-to actually works - as I said, I realize this is a corner case that probably isn't (ever?) often tested. Is there a way to limit binat to only affecting one public interface?

hmmm, actually, that looks wrong. You're missing a reply-to on the $wan rule, so the reply traffic that should go out $wan is taking your static route out $OPT1. Not sure what the fix is, I haven't been in the code in way too long, hopefully one of the other devs can take a look.

--Bill
Re: [pfSense Support] 1:1 multi-homed NAT broken?
On Thu, Jul 8, 2010 at 3:17 PM, Adam Thompson athom...@c3a.ca wrote:
> My problem: reply packets to an inbound NAT'd connection are being sent back out the wrong interface, and being rejected as bogons by the next-hop router.
>
> The setup...
> OPT1(OPT1) - vlan0 - 192.139.69.168 (/28)
> WAN - vlan1 - 67.226.137.177 (/29)
> LAN - vlan2 - 192.168.232.1 (/24)
> OPT2(OPT2) - vlan3 - 192.168.233.1 (/24)
>
> Virtual CARP IPs are set up on WAN, for 64.226.137.178/32 and .179/32. (Using two different VHID groups, don't know if that makes any difference.)
> 1:1 NAT configured on WAN: 67.226.137.179/32 == 192.168.232.201/32 (my mail server).
> There's a firewall rule allowing inbound TCP:25 from * to 192.168.232.201.
> A static route is defined on OPT1 for 130.179.0.0/16 via my next-hop; they're actually another BGP hop away from me. (I was using BGPd, but it just doesn't work for me so back to static routes for now...)
>
> *Outbound* connections from my mail server to mail servers in 130.179.0.0/16 work just fine - they get NAT'd out the OPT1 interface correctly.
> *Inbound* connections from mail servers in 130.179.0.0/16, however, do *not* succeed - they time out. Tcpdump(1) reveals why: the return packets are leaving via vlan0 (OPT1) instead of vlan1 (WAN). Interesting to note that they appear to have the correct source IP, but of course my next-hop router is rejecting these as bogons.
>
> This trace was limited to the mail server for cs.umanitoba.ca, one of the affected domains. This is what happens when it attempts to make a connection to my public MX (67.226.137.178) on vlan1 (WAN).

This sounds like a missing reply-to, but I'm not entirely sure why. The inbound SMTP rule should be overriding the routing and sending the traffic out the right path. Take a look at /tmp/rules.debug and see if the inbound SMTP rule has a reply-to on it.

--Bill
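An added check for the /tmp/rules.debug excerpt quoted in the Jul 13 message of this thread (editor's example, not pfSense code): it parses the pass-in rules, reports any on a WAN-type interface that carry no reply-to, and shows the $wan rule with one added. The interface macros, the SBS alias, the em0/em1 NICs and the 192.139.69.161 next hop come from Adam's post; the quoted label syntax and the WAN gateway 203.0.113.1 are assumptions.

```python
import re

# Constructed sample modelled on the rules.debug excerpt in the thread.
# Labels are shown quoted, as pf requires for labels containing spaces.
SAMPLE_RULES = """\
binat on em1 from 192.168.232.201/32 to any -> 67.226.137.178/32
pass in quick on $wan proto tcp from any to SBS port = 25 keep state queue (qwandef, qwanacks) label "USER_RULE: NAT forward inbound mail"
pass in quick on $OPT1 reply-to (em0 192.139.69.161) proto tcp from any to SBS port = 25 keep state label "USER_RULE: NAT forward public web sites"
pass in quick on $lan from $lan to any keep state label "USER_RULE: Default LAN -> any"
"""

# Interface macro right after "pass in [quick] on"; everything else is the body.
RULE_RE = re.compile(r'^pass\s+in\s+(?:quick\s+)?on\s+(?P<iface>\$?\w+)(?P<body>.*)$')
LABEL_RE = re.compile(r'label\s+"?([^"]+)"?')


def parse_pass_in_rule(line):
    """Return {'iface', 'reply_to', 'label'} for a 'pass in' rule, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    lbl = LABEL_RE.search(body)
    return {
        'iface': m.group('iface'),
        'reply_to': 'reply-to' in body,
        'label': lbl.group(1).strip() if lbl else '',
    }


def rules_missing_reply_to(text, wan_ifaces):
    """Labels of inbound pass rules on a WAN-type interface that have no reply-to.

    Without reply-to, pf routes the reply packets by the routing table, so on a
    multi-WAN box a static route can push them out the wrong interface, which is
    exactly the symptom reported in the thread.
    """
    missing = []
    for line in text.splitlines():
        r = parse_pass_in_rule(line)
        if r and r['iface'] in wan_ifaces and not r['reply_to']:
            missing.append(r['label'] or line.strip())
    return missing


def add_reply_to(line, nic, gateway_ip):
    """Insert 'reply-to (nic gateway)' directly after the interface of a pass-in rule."""
    s = line.strip()
    m = RULE_RE.match(s)
    if not m:
        raise ValueError('not a pass-in rule: ' + s)
    return f"{s[:m.end('iface')]} reply-to ({nic} {gateway_ip}){m.group('body')}"


def fix_rules(text, wan_gateways):
    """Add reply-to to every flagged rule; wan_gateways maps macro -> (nic, gateway_ip)."""
    out = []
    for line in text.splitlines():
        r = parse_pass_in_rule(line)
        if r and r['iface'] in wan_gateways and not r['reply_to']:
            nic, gw = wan_gateways[r['iface']]
            line = add_reply_to(line, nic, gw)
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # 203.0.113.1 is a placeholder for the real WAN next hop, which the post does not give.
    gateways = {'$wan': ('em1', '203.0.113.1'), '$OPT1': ('em0', '192.139.69.161')}
    for label in rules_missing_reply_to(SAMPLE_RULES, set(gateways)):
        print('missing reply-to:', label)
    print(fix_rules(SAMPLE_RULES, gateways))
```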
Re: [pfSense Support] Snort blocking | SHELLCODE x86 inc ecx NOOP | dhcp cable modem
On Wed, Nov 11, 2009 at 9:24 AM, Glenn Kelley gl...@typo3usa.com wrote:
> short update - I have blocked but still seem like we might have issues -
>
> 1394  ip  $EXTERNAL_NET  any  $HOME_NET  any  SHELLCODE x86 inc ecx NOOP
>
> has anyone else seen this - when all the user is doing is remote email? I would like not to have to disable all shellcode stuff.

Encrypted traffic will likely frequently trip shellcode detection signatures and these are almost always going to be false positives. I'd change the sig to ignore port 587.

--Bill
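A triage helper for the false-positive pattern Bill describes (editor's example, not from the thread or the Snort package): it parses Snort "fast" alert lines, counts SHELLCODE alerts by destination port, and reports how many land on encrypted services such as submission on 587, which is the evidence you want before excluding a port from the signature. The sid 1394 message is the one quoted above; the alert lines, addresses and the set of encrypted ports are constructed assumptions.

```python
import re
from collections import Counter

# Constructed Snort fast-format alerts (documentation address ranges, made-up times).
SAMPLE_ALERTS = """\
11/11-09:20:01.000001  [**] [1:1394:8] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.10:52311 -> 192.0.2.5:587
11/11-09:20:07.000002  [**] [1:1394:8] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.11:49152 -> 192.0.2.5:587
11/11-09:21:44.000003  [**] [1:1394:8] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.0.2.9:443
11/11-09:22:10.000004  [**] [1:1394:8] SHELLCODE x86 inc ecx NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.8:40001 -> 192.0.2.20:80
11/11-09:23:55.000005  [**] [1:9999999:1] CONSTRUCTED non-shellcode alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.9:40002 -> 192.0.2.20:587
"""

# [gid:sid:rev] message [**] ... {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)'
)

# Assumed set of TLS/SSH services whose payload a content match cannot inspect meaningfully.
ENCRYPTED_PORTS = {22, 443, 465, 587, 993, 995}


def parse_fast_alert(line):
    """Parse one fast-format alert; returns None for lines without TCP/UDP ports."""
    m = FAST_RE.search(line)
    if not m:
        return None
    return {
        'sid': int(m.group('sid')),
        'msg': m.group('msg'),
        'src': m.group('src'),
        'dst': m.group('dst'),
        'dport': int(m.group('dport')),
    }


def shellcode_hits_by_port(text):
    """Count SHELLCODE-class alerts per destination port."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a and a['msg'].startswith('SHELLCODE'):
            counts[a['dport']] += 1
    return counts


def likely_false_positive_ports(counts, encrypted_ports=ENCRYPTED_PORTS):
    """Destination ports whose SHELLCODE alerts hit an encrypted service."""
    return sorted(p for p in counts if p in encrypted_ports)


def encrypted_share(counts, encrypted_ports=ENCRYPTED_PORTS):
    """Fraction (0..1) of SHELLCODE alerts that landed on encrypted ports."""
    total = sum(counts.values())
    noisy = sum(c for p, c in counts.items() if p in encrypted_ports)
    return noisy / total if total else 0.0


if __name__ == '__main__':
    counts = shellcode_hits_by_port(SAMPLE_ALERTS)
    print('SHELLCODE alerts by dst port:', dict(counts))
    print('ports to consider excluding:', likely_false_positive_ports(counts))
    print('share on encrypted ports: %.0f%%' % (100 * encrypted_share(counts)))
```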
Re: [pfSense Support] NIC choice
On Mon, Nov 2, 2009 at 1:32 PM, Vick Khera vi...@khera.org wrote:
> On Sun, Nov 1, 2009 at 9:12 PM, Ugo Bellavance u...@lubik.ca wrote:
>> 3com 905 (xl)
>
> I'd put this on your WAN and the intel on the LAN. 3Com have been well supported in FreeBSD (and even in the original 4.2BSD before that) forever. For a long while, back in the early early days of PCs running BSDs, I would only buy 3Com NICs, mostly the 509c (which even had barrel connectors!) and then the 905's when we moved up to the high-speed ethernets.

Given the use of VLANs, I imagine you might have LAN - LAN connectivity; the em(4) will provide better throughput than any of the non-gig cards. If you have an opportunity to drop an fxp(4) in there instead of the Realtek or 3Com cards, you'd be happier, but given only 30mbit throughput requirements, either will handle the traffic. The Intel card will also do VLAN tagging in hardware (and checksumming), allowing you to save a bit of CPU.

I had a ton of those 509c ISA cards back in the day...they almost gave me 1mbit :) (at least one had AUI, TP, and BNC connectors) I understand the 3c905 on a PCI bus ran a tad faster *grin*. At any rate, I second this config...although I've had more than my share of issues with 3Com cards, I'd still pick one over a Realtek (and certainly over a D-Link branded Realtek).

--Bill
Re: [pfSense Support] spamd
On Fri, Oct 23, 2009 at 8:06 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> Lyle Giese wrote:
>> Peter Roosenboom wrote:
>>> hello,
>>> On the pfSense board I cannot find out whether spamd is working on pfSense 1.2.3 or not. Most messages on this topic suggest that it is not working. I would like to install it, but is it worth the trouble trying? Maybe special hacks are needed to make it work? Please help me to get rid of all these messages suggesting that I might need viagra.
>>> Peter
>>
>> spamd is a program to scan email looking for spam. What part of pfSense handles email messages? pfSense is a firewall. It deals in packets of data, not email messages. You need to use spamd with your email client or MTA, not pfSense.
>> Lyle Giese
>> LCR Computer Services, Inc.
>
> pfSense does have spamd and it behaves in a completely different way than the spamd you use with your MTA. From the package description:
> Tarpits like spamd are fake SMTP servers, which accept connections but don't deliver mail. Instead, they keep the connections open and reply very slowly. If the peer is patient enough to actually complete the SMTP dialogue (which will take ten minutes or more), the tarpit returns a 'temporary error' code (4xx), which indicates that the mail could not be delivered successfully and that the sender should keep the mail in their queue and retry again later.
> Very effective if you are not afraid to lose any legitimate e-mail without being able to restore it from spam.

To be very clear, the spamd package for pfSense performs grey and blacklisting as well as tarpitting. If the sending MTA comes back _after_ whatever the greylist time is, it'll be passed through to your MTA; if it comes back while it's still greylisted, it will be tarpitted. Read http://www.benzedrine.cx/relaydb.html for a good description of how this all works.
FWIW, on my inbox it was about 90% effective (although I no longer have the graphs to show it) - however, I personally stopped using it as I was tired of the delay in mails from sources that had never sent mail to me (standard issue with the greylist technique).

--Bill
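The grey/black/tarpit decision Bill spells out, as an added model (editor's example, not the pfSense spamd package or OpenBSD spamd): a first contact from an unknown (source IP, sender, recipient) tuple is tarpitted with a 4xx, a retry before the greylist time is tarpitted again, and a retry after it whitelists the source so later mail goes straight to the MTA. The 25-minute passtime and 4-hour expiry are assumptions chosen to match spamd's documented defaults; real spamd also learns from relaydb/spamlogd, which this model leaves out.

```python
GREYLIST_PASSTIME = 25 * 60   # assumed: 25 minutes, spamd's default passtime
GREYLIST_EXPIRE = 4 * 3600    # assumed: untouched grey entries are forgotten after 4 hours

TARPIT, PASS = 'tarpit', 'pass'


class GreylistTarpit:
    """Per-connection decision, keyed on (source IP, envelope sender, recipient).

      - source on the blacklist             -> tarpit (slow replies, 4xx at the end)
      - source already whitelisted          -> pass to the real MTA
      - tuple never seen (or stale)         -> start the clock, tarpit
      - tuple seen, retry before passtime   -> tarpit again
      - tuple seen, retry after passtime    -> whitelist the source, pass

    This is the greylisting delay Bill mentions: the first mail from a new
    correspondent always waits at least one retry interval.
    """

    def __init__(self, passtime=GREYLIST_PASSTIME, expire=GREYLIST_EXPIRE, blacklist=()):
        self.passtime = passtime
        self.expire = expire
        self.blacklist = set(blacklist)
        self.whitelist = set()
        self.grey = {}  # (ip, sender, rcpt) -> timestamp of first contact

    def decide(self, ip, sender, rcpt, now):
        if ip in self.blacklist:
            return TARPIT
        if ip in self.whitelist:
            return PASS
        key = (ip, sender.lower(), rcpt.lower())
        first = self.grey.get(key)
        if first is None or now - first > self.expire:
            # first contact, or an entry so old it no longer counts as a retry
            self.grey[key] = now
            return TARPIT
        if now - first < self.passtime:
            return TARPIT
        # the sender queued and retried like a real MTA does; let it through from now on
        self.whitelist.add(ip)
        del self.grey[key]
        return PASS


def simulate(events, **kwargs):
    """Run a list of (now, ip, sender, rcpt) through one instance; returns the decisions."""
    g = GreylistTarpit(**kwargs)
    return [g.decide(ip, sender, rcpt, now) for now, ip, sender, rcpt in events]


if __name__ == '__main__':
    # Constructed sample: a legitimate MTA retrying, then a blacklisted host.
    events = [
        (0, '203.0.113.10', 'alice@example.org', 'me@example.net'),
        (60, '203.0.113.10', 'alice@example.org', 'me@example.net'),
        (1600, '203.0.113.10', 'alice@example.org', 'me@example.net'),
        (1601, '203.0.113.10', 'bob@example.org', 'me@example.net'),
        (2000, '198.51.100.99', 'spam@example.com', 'me@example.net'),
    ]
    for ev, d in zip(events, simulate(events, blacklist={'198.51.100.99'})):
        print(ev[0], ev[1], '->', d)
```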
Re: [pfSense Support] Single NIC routing
On Fri, Oct 23, 2009 at 3:45 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> Bill Marquette wrote:
>> On Fri, Oct 23, 2009 at 2:45 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
>> And for the third opinion in this thread :) You want the 'other' VIP type. It's used in situations where you have a subnet routed to you and just need to perform NAT. It will not be pingable (unless you NAT the ICMP to some internal host).
>> --Bill
>
> off this thread... Bill, is it possible to NAT ICMP without doing 1:1 NAT? Thanks.

:-) It is in pf. But by your question, I'm guessing we don't allow for it in the port forward screen.

--Bill
Re: [pfSense Support] Load Balancing on vlans
On Fri, Aug 28, 2009 at 8:41 AM, Jesse Vollmar vollm...@gmail.com wrote:
>> You shouldn't use the parent interface generally. Don't think that's related though. You losing connectivity from the firewall to the gateway? You're far from uncharted territory, the several boxes I've worked on that have 6-12 WANs all use VLANs as WANs. You may need negate rules for anything not reachable via the specified gateway; when you specify a gateway it forces traffic to that gateway. Those are automatically added generally but you could be doing something that's overriding that.
>
> Sorry, your comments have confused me just a bit. I have two physical WAN connections that are doing failover and one LAN interface with VLANs under it. I want those VLANs to use the failover rather than just the default gateway. Is this not a standard thing to do? If it won't work like this, I suppose I could do some routing on my switch to eliminate the VLANs at pfSense. I just thought pfSense would be able to handle that.

What's not normal (and not recommended) is the use of the physical NIC for a network while simultaneously sending tagged frames to it. That may or may not be related to the issue you are having.

--Bill
Re: [pfSense Support] Load Balancing on vlans
On Fri, Aug 28, 2009 at 8:57 AM, Jesse Vollmar vollm...@gmail.com wrote:
> On Fri, Aug 28, 2009 at 9:47 AM, Bill Marquette bill.marque...@gmail.com wrote:
>> What's not normal (and not recommended) is the use of the physical NIC for a network while simultaneously sending tagged frames to it. That may or may not be related to the issue you are having.
>> --Bill
>
> Should have mentioned that I am not actually using the LAN NIC for anything but the tagged VLANs. Should I be using an OPT interface rather than the LAN interface for my VLANs?

Nope, that helps a lot. So, you already have one VLAN interface using a load balancing rule, correct? When you try to set up another VLAN interface for load balancing it breaks?

--Bill
Re: [pfSense Support] dev enviroment
On Fri, Aug 28, 2009 at 8:51 AM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> Bill Marquette wrote:
>> On Wed, Aug 26, 2009 at 7:53 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
>>> What do you use to develop pfSense? Which editor? Debugger?
>>
>> Alternately, your favorite editor and sshfs via FUSE is a great way to edit it live on your test machine.
>
> This is new to me. Will see. I might use TextMate or NetBeans on my Mac. I see you guys use Macs intensively but how does it work? I think you do not edit on the Mac then scp to your test box because:
>> edit local, scp over - but that's usually too much of a pain and I always end up forgetting whether I synced the change over and get sidetracked debugging something that I fixed.
> So, you have your pfSense dev box, your Mac and ??? How? Sorry for all these silly questions but I just can't get comfortable within my dev box... And thanks for the hints...

Speaking personally... I use MacFusion (sshfs via FUSE with a GUI wrapper) to mount the filesystem via ssh. Then I point my local editor at the locally mounted filesystem. This workflow should work fine on Windows, Linux, FreeBSD, or anything else that supports sshfs/FUSE. Some editors also have a concept of a remote project (I believe NetBeans and Eclipse can handle syncing via sftp, although I've never used that feature).

--Bill
Re: [pfSense Support] dev enviroment
On Fri, Aug 28, 2009 at 10:21 AM, Jim Pingle li...@pingle.org wrote:
> Bill Marquette wrote:
>> Speaking personally... I use MacFusion (sshfs via FUSE with a GUI wrapper) to mount the filesystem via ssh. Then I point my local editor at the locally mounted filesystem. This workflow should work fine on Windows, Linux, FreeBSD, or anything else that supports sshfs/FUSE. Some editors also have a concept of a remote project (I believe NetBeans and Eclipse can handle syncing via sftp, although I've never used that feature).
>
> Is there a FUSE port for Windows? I thought it was only on BSD, Linux, and Mac. I'd love to be able to use ssh filesystems from Windows boxes.

No idea how well it works but: http://dokan-dev.net/en/download/

At one point I thought I found a commercial sshfs tool for Windows, it wasn't expensive, but I haven't used Windows in anger in over 2 years now.

--Bill
Re: [pfSense Support] Help with static routing
On Fri, Aug 28, 2009 at 2:44 PM, Guy Boisvert boisvert@videotron.ca wrote:
> Chris Buechler wrote:
>> Your firewall rules on VLAN3 need to allow the traffic.
>
> There are no firewall rules on VLAN3. This is simple routing with the 2910AL (Layer 3) that simply forwards traffic to its default gateway, which is pfSense on VLAN0.

This is exactly the point Chris is trying to make, I believe. pfSense defaults to deny; with no rules on an interface, you are denying all traffic on that interface. If you want it truly open you need to put in a pass rule.

--Bill
Re: [pfSense Support] Newbie question for CARP, failover, AON and multiple WAN IP's
Don't forget to reset your cable modem after changing this. Even the business modem has a way of retaining MAC addresses.

--Bill
Re: [pfSense Support] Clone problem
On Sat, Aug 22, 2009 at 2:24 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> Trying to get my branch cloned on a local system:
> %git clone http://gitweb.pfsense.org/pfsense-packages/EugeneY-OpenBGPD.git
> after many lines of digits I get an error:
> got 1bba2c06e541573fb5b5eeac12eb13eca0eab3c0
> error: Unable to get pack file http://gitweb.pfsense.org/pfsense-packages/EugeneY-OpenBGPD.git/objects/pack/pack-84147f3a4e6fc09a6bd066d9ca20c917d8dd50d2.pack
> The requested URL returned error: 404
> error: Unable to find 72f5963318c9394a354fcc8f7f3a97b2d2886a3e under http://gitweb.pfsense.org/pfsense-packages/EugeneY-OpenBGPD.git
> Cannot obtain needed tree 72f5963318c9394a354fcc8f7f3a97b2d2886a3e while processing commit 298f3bd13ecaad6fb0bf94d03e526868fb616981.
> fatal: Fetch failed.

Try using the git or ssh clone URL instead of the http clone URL, but FWIW, the http clone URL for your fork works fine for me.

--Bill
Re: [pfSense Support] Triple CARP setup
On Tue, Aug 18, 2009 at 9:28 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:
> How should I configure pfsync if I want to use three machines?

I'm curious why you might want such a setup.

--Bill
Re: [pfSense Support] Triple CARP setup
On Wed, Aug 19, 2009 at 1:41 PM, Christopher M. Iarocci ciaro...@tfop.net wrote:
>> On Tue, Aug 18, 2009 at 9:28 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:
>>> How should I configure pfsync if I want to use three machines?
>>
>> I'm curious why you might want such a setup.
>> --Bill
>
> [Christopher Iarocci] I was thinking the same exact thing. I could see having a 3rd machine pre-configured to go in place should 1 fail, but to actively have 3 in service I don't understand. The chances of 2 going bad at the same time are probably nothing.

In environments where availability really matters, I run CARP on high end boxes that have redundant power supplies and hardware RAID (with hot spare), and hot swappable fans. The intent is to _never_ fail over, but to have the hot spare box available so that in the event a disaster really does impact the primary box we only take a small (usually unnoticed) hit during failover. I'm sure there's a good reason to have triple redundancy, but I can't think of a reason for it where a few thousand dollars on higher end gear won't solve the same problem with less complexity. In running CARP clusters since CARP came out, oh, 5? years ago or so now, I have yet to run into a situation where having more than two machines in the cluster (firewalls only here, not web servers and the like) would have bought me anything. Anything bad enough to take down the primary and the secondary would have impacted a tertiary (and I've only seen kernel bugs nail primary and secondary - our clusters are separated by about 2 miles of fiber).

--Bill
Re: [pfSense Support] thread hijacking - was Re: [pfSense Support] A note about top vs bottom
On Fri, Jul 31, 2009 at 5:02 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
> Scott Ullrich wrote:
>> http://www.caliburn.nl/topposting.html
>> http://idallen.com/topposting.html
>
> While we're all whinging, please can I whinge about thread hijacking, where people start a new discussion by clicking reply and then editing the subject.
> <snip>
> Ok, I just hijacked the original thread :-) but sometimes it is actually valid.

Not according to gmail you didn't ;-P This came in on a shiny new thread all of its own.

--Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Fri, Jul 31, 2009 at 10:30 AM, Paul Mansfield it-admin-pfse...@taptu.com wrote:
> Rainer Duffner wrote:
>> I may be wrong, but his problem is pps (packets per second). That's not the same as being able to download a large file. Unfortunately.
>> How does one generate a large amount of (small) packets with useful and genuine traffic?
>
> set the MTU to a low value (200?) so that it forces the stream to use many small packets
>
> BTW, I suggested using a data file generated from random data to avoid any simple compression applied by drivers and scp.

A low MTU and Apache Bench (ab) can make for a useful test. Ditto with iperf.

--Bill
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
intentionally not trimming - see below

On Wed, Jul 29, 2009 at 12:55 PM, apiase...@midatlanticbb.com wrote:
> iggd...@gmail.com wrote:
>> On Wed, Jul 29, 2009 at 1:45 PM, Curtis LaMasters curtislamast...@gmail.com wrote:
>>> Gotta tell you guys...this is outright frustrating. Is it the fact that I'm using Gmail or that, by definition, threading in email is broken by design? I would have imagined that the Spamassassin mailing list would have eaten all Gmail users alive if Gmail were the issue.
>>> Curtis LaMasters
>>> http://www.curtis-lamasters.com
>>> http://www.builtnetworks.com
>>>
>>> On Wed, Jul 29, 2009 at 12:42 PM, David Burgess apt@gmail.com wrote:
>>>> The current is an example of top-posting, in response to your top-post. I don't think you've bottom-posted in this thread yet.
>>>> db
>>>>
>>>> On Wed, Jul 29, 2009 at 11:41 AM, Curtis LaMasters curtislamast...@gmail.com wrote:
>>>>> To which one?
>>>>> Curtis LaMasters
>>>>> http://www.curtis-lamasters.com
>>>>> http://www.builtnetworks.com
>>>>>
>>>>> On Wed, Jul 29, 2009 at 12:40 PM, David Burgess apt@gmail.com wrote:
>>>>>> Yes.
>>>>>>
>>>>>> On Wed, Jul 29, 2009 at 11:38 AM, Curtis LaMasters curtislamast...@gmail.com wrote:
>>>>>>> This is top posting apparently.
>>>>>>> Curtis LaMasters
>>>>>>> http://www.curtis-lamasters.com
>>>>>>> http://www.builtnetworks.com
>>>>>>>
>>>>>>> On Wed, Jul 29, 2009 at 12:34 PM, iggd...@gmail.com wrote:
>>>>>>>> On Wed, Jul 29, 2009 at 1:33 PM, Curtis LaMasters curtislamast...@gmail.com wrote:
>>>>>>>>> And I think the point is being missed. WHY WAS MY MESSAGE VIEWED AS TOP POSTED. Ok, I committed my internet crime of YELLING in caps for the day. In Gmail, is there a proper way to not top post?
>>>>>>>>> Curtis LaMasters
>>>>>>>>> http://www.curtis-lamasters.com
>>>>>>>>> http://www.builtnetworks.com
>>>>>>>>
>>>>>>>> This is a middle post. All beware who reads the middle post.
>>>>>>>>
>>>>>>>>> On Wed, Jul 29, 2009 at 12:28 PM, David Burgess apt@gmail.com wrote:
>>>>>>>>>> On Wed, Jul 29, 2009 at 11:25 AM, Curtis LaMasters curtislamast...@gmail.com wrote:
>>>>>>>>>>> Thanks Scott. I know what top posting is...I just don't know why you think I did. I hit reply, type my message and go forth. Didn't think it needed to be any harder than that.
>>>>>>>>>>
>>>>>>>>>> It can be a lot harder than that. It's effectively illustrated in the links that Scott provided. A little effort in replying can save a lot of wasted effort in trying to bring oneself up to speed or refresh one's memory on a long thread.
>>>>>>>>>> db
>
> flick the scroll wheel to get to the bottom of the post basically.
Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.
On Thu, Jul 30, 2009 at 6:08 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:
> This is a good example why bottom-posting sucks... Why do I need to scroll past all the previous text I read just a few seconds ago, following that thread? If I need to read it, then I could scroll down, but rarely is there a need for that.

A good MUA will hide the quoted text, thus allowing you to see the context of interleaved comments when you wish to. A good poster will also trim crap that isn't pertinent to his message or doesn't provide any contextual value. As Michael notes, people read top to bottom; I don't want to read something, wonder what the hell it's about and scroll to the bottom to figure it out, I'll just move on.

--Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Wed, May 13, 2009 at 7:47 PM, Scott Ullrich sullr...@gmail.com wrote:
> On Wed, May 13, 2009 at 8:36 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
>> My understanding is that the Giant lock is gone from the FreeBSD network stack in 8: http://unix.derkeiler.com/Mailing-Lists/FreeBSD/arch/2009-04/msg00075.html
>
> PF is still protected by one giant lock and does not scale across all CPUs.

Exactly. The network stack itself not being under Giant is the only reason you achieve _any_ amount of scaling past one CPU - that, and userland has somewhere to run still :) Ultimately, look at it this way - the old engineering idea of having a 'network CPU' is live here...you can have a firewall CPU (although it's certainly not reserved for that purpose), all other CPUs will be used to handle all other tasks. Not quite what you want in a firewall, but it's the best we can do at this time.

--Bill
Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??
On Wed, May 13, 2009 at 10:58 AM, Scott Ullrich sullr...@gmail.com wrote:
> On Wed, May 13, 2009 at 11:55 AM, Chris Buechler c...@pfsense.org wrote:
>> Slowing down considerably when under full load is normal; slowing to the point that sites don't load anymore when you're just running a few Windows updates is definitely not. Sounds like there's something wrong with the T1, or the CPE it's plugged into, whatever has your CSU/DSU.
>
> Agree 100%. The fact that you can plug any firewall in and duplicate the problem shows it's not firewall related and most likely a circuit issue. Call your ISP and tell them this.

Consider that the bandwidth chokepoint for this particular use is upstream of you anyway. Inbound traffic is choked BEFORE it crosses the wire - no changes in network infrastructure on your part can fix this. However, with that said, with the traffic shaper you can allow for your important sites to be put into a priority queue such that they always get priority - the only way to handle this is to throttle your connection even further so the smallest chokepoint is actually pfSense, not the link itself.

At any rate, I'd suggest looking closer at how the bandwidth on the 3M circuit is allocated - is this a DS3 circuit with a 3M guarantee, or is this two T1s bonded? If the latter, how are they bonded and can you get SNMP stats off the interfaces? My gut tells me that it's bonded and what you are seeing is due to some form of CEF forcing a given route down one pipe only.

--Bill
Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??
On Thu, May 14, 2009 at 7:20 AM, Sean Cavanaugh millenia2...@hotmail.com wrote:
> Bill, he USED to have 2 bonded T1's but they reduced to a single T1 connection to save money.
> -Sean

Yes, I'm referring to the old circuit intentionally. I didn't get "bonded" out of "The current connection is 3Mbit/3Mbit, works", hence the questions on whether it was. The intent was to gather why the old circuit doesn't have this issue. As correctly pointed out by numerous people in the thread, from a pure bandwidth perspective, 3M vs 1.5M doesn't make a difference. However, if that 3M is really 2x1.5M it very well might make a difference. If you can only saturate ONE link, then the other one is still capable of handling traffic.

--Bill
Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??
On Thu, May 14, 2009 at 7:43 AM, Bill Marquette bill.marque...@gmail.com wrote: On Thu, May 14, 2009 at 7:20 AM, Sean Cavanaugh millenia2...@hotmail.com wrote: Bill, he USED to have 2 bonded T1s but they reduced to a single T1 connection to save money. -Sean Yes, I'm referring to the old circuit intentionally. I didn't get "bonded" out of "The current connection is 3Mbit/3Mbit, works", hence There are numerous ways to create a 3M/3M circuit, some of which would handle this workload better than others. For all we know, MS happens to also have a windowsupdate server colocated at his ISP, which would kind of suck since the low latency will further help TCP utilize the full link. Nor do we know anything about how the ISP router is configured - is it doing anything funky, is it prioritizing packets somehow (maybe TOS high got set somehow on the windowsupdate packets - a tcpdump would certainly help show that), etc, etc. --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Wed, May 13, 2009 at 6:54 AM, Lenny five2one.le...@gmail.com wrote: Hi again, sorry to wake an old thread, but this is still an issue for me. I was offered a Dell R200 server today, which comes with a single Xeon x3220 2.4GHz Quad Core CPU. (I understand it's a repacked Q6600 or something). I was wondering if this would be sufficient for my needs. I'm not terribly familiar with the Xeons, but that's certainly a newer model than the CPUs in the x336. I believe you'll find this system performs MUCH better. The Intel spec page (http://ark.intel.com/cpu.aspx?groupId=28034) shows this as a 1066MHz front side bus and an 8M L2 cache (2M per core it appears). L1 cache (from another site) appears to be 128K. The 5420 (http://ark.intel.com/cpu.aspx?groupId=34446) mentioned below has 12M cache (3M/core), a 1333MHz front side bus and (from another site) 256K L1 cache. Compare these to your existing CPU specs (http://www.xpcgear.com/xeon80036fa.html): 12+16KB L1 cache (I used to know what the 12+16 actually meant) and a 2M L2 cache. The L2 cache difference isn't much (it's per physical CPU, which more or less equates to the cache in the quad core boxes). The L1 cache is actually a big deal; that seemed to make all the difference in the world with the Opterons I was testing that had a larger L1 cache. Of note, I'm not sure if the 128K and 256K numbers I referenced above are per core or total for the chip - if total (as the L2 numbers were), then you have 32K and 64K respectively. The better option is to get a Dell 1950 III with Xeon 5420, but I don't think my CEO would spend additional $700 on it, so... $700 seems like cheap insurance to me. It blows me away that a company that has 300mbit of internet traffic won't pay a few dollars for some hardware and would rather waste their employees' salary.
Put it this way, every hour you spend dicking around with hardware is an hour's salary that they've added on to the cost of inadequate hardware (soft dollars vs hard dollars is a bogus argument here; in two weeks it's still very real currency leaving their hands). Ask the vendors for eval gear and make sure it supports the load before you buy. --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Wed, May 13, 2009 at 10:25 AM, Bill McIlhargey Jr b...@mcilhargey.com wrote: Sounds like overkill for pfsense! :D Message sent from my iPhone Bill McIlhargey Jr COMPUTERONIX, LLC 978.500.5936 supp...@compute-ronix.com www.compute-ronix.com It's only overkill if you don't need the horsepower...with that said, pfSense isn't going to scale anywhere near linearly given PF being under the Giant lock, although it will scale a bit with more cores. --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Mon, Mar 23, 2009 at 9:26 AM, Vick Khera vi...@khera.org wrote: On Mon, Mar 23, 2009 at 8:30 AM, Lenny five2one.le...@gmail.com wrote: I got offered a Sun Fire X2200 with Opteron Dual Core 2210 (that's 1.8GHz). Will that do it? (for ~150kpps) That's a little slower than what I use in prod (2218's), but it should work - I'd want to make sure there were two physical dual core CPUs in the box (paranoia - and well...that's what I tested ;-P). Double check the NICs in that box. I believe they're Broadcom and Nvidia (yes, Sun does a mix and match on the same motherboard! You get two of each.) Also, one of the NICs doubles as the network port for the service processor, so if you're inclined to use the SP, you'll need to account for that dual use on NIC port 1. Yeah, when I looked at the X2100's, they had 2 Nvidia and 2 Broadcoms onboard. The real issue wasn't the NICs...other than they all suck IMO, but that to use the lights out management, you lost both Broadcoms (unless you run Solaris on them - that _might_ have changed in the last couple years). Now, I'm not a huge fan of Broadcom NICs, but leaving me with only Nvidias meant I had a machine with four completely unusable NICs and I was _still_ putting a quad port NIC in the box, thus costing me more than an equivalent machine from any of Sun's competitors. --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Mon, Mar 23, 2009 at 12:33 AM, Lenny five2one.le...@gmail.com wrote: It's 530 (bytes?) (and yet for 50kpps I had around 150Mb of traffic. Is this possible?) http://www.ccievault.net/index.php/tools says it's possible --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sat, Mar 21, 2009 at 6:00 PM, Lenny five2one.le...@gmail.com wrote: Hi Bill, snip Now, for the bad part. I got to a total of almost 50kpps, and that was via 70% CPU. Which probably means that at about 70kpps or so I'd hit 100%. Which actually was a lot like what you said about Xeons (you said they maxed out around 80kpps). Then I looked at the rates you provided and I just want to understand something. The emX taskq is supposed to take one of the available CPUs and probably stick with it, right? Then if on one of the interfaces you have a That sounds about right. very high load, then this process will take 100% of that CPU or core and it will hit the limit? Do I get this right? It means also that in your Basically. situation, while you have only 14% load on the general CPU, the core that handles the em1 might actually be somewhere around 55% and the most it will take is about 70-80kpps. In that case, what is the solution? And if I'm It's like a process, it should balance across CPUs, however it won't thread across them. i.e. the taskq will only run on one CPU at any given time. wrong, how helpful will it be for me to replace the server with one like yours or similar? Will I benefit from more than 2 CPUs/cores? Just remember, all I need is a dual port NIC, which handles in and out - that's it. I haven't benchmarked any Xeons in well over a year now, but when we did, it was HP DL385 G2's vs HP DL380 G5's - the Opterons (the 385 G2's) trounced the Intels - the Intels maxed at around 400kpps (the point we started seeing packet loss), we ran out of test hardware at around 600kpps. The newer model Xeons should be faster. The other design decision we made was to go dual dual-core instead of a single quad-core - given that we only had three interfaces in use on most of our hardware, that gave us three cores handling the NICs and one general purpose core. Any more would have likely been overkill, at least until FreeBSD 8.0.
The primary thought over the dual CPUs vs single was memory bandwidth to the CPUs - a quad core would have left all four cores fighting for bandwidth (note: I did no real research here, it was a gut feel decision). And the last question. I saw that even though you have Intel NICs, you still have interrupt on CPU. My RRD graphs show 0 on the interrupt. Is this normal? I don't have polling enabled. This is probably due to the differences between FreeBSD 6.2 and 7.x (in pfSense 1.2.x) --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sun, Mar 22, 2009 at 3:32 PM, Lenny five2one.le...@gmail.com wrote: Hi Bill, ok, thanks. So as I understand it, in my production environment I will not be able to get more than say 150-200kpps even if I had the best CPU available on the You should be able to hit much more than that. One other item of interest is that PF itself is still under the Giant lock and can't take advantage of SMP. Since a good amount of cycles are spent in PF, it's important to keep in mind - we'll never come close to FreeBSD's raw routing performance due to that alone. market today? Which, by the way, equals around 450-600Mb in my case. And that is for dual port NIC, of course. Also, I was wondering, how do the lab tests differ from production environment? How is it possible that in the lab you can get 5 times more than in production? (you said it yourself - you could only reach 80kpps there, while in the lab you got 400). Unless I miss something. To be clear, on the older Xeons, we could only hit around 150kpps in the lab (optimistic conditions - 64byte udp). The newer Xeons hit 400kpps, the newer Opterons 600kpps+. In production, we were running the old Xeons at 80kpps (or so) at about 100% utilization (these boxes handle real traffic, i.e. TCP, which eats more cpu). Given the disparity between test and prod at about a 50% hit, our new boxes should easily hit 300kpps. Oh, and one last thing, since you mentioned FreeBSD 8.0, would you recommend trying the pfSense 2.0 in production and will it actually solve the threading problem? pfSense 2.0 is still on the FreeBSD 7.x series - it's not known if it'll move to 8 yet. I know, I'm being a real pain here, but you would not believe how I struggle to get the pfSense in production and show everyone that it can be done without spending a fortune on some proprietary solution. I already have it in all the other projects (which is about 5), this one is a real tough one... But I absolutely love it, that's for sure.
Can you clarify again which CPUs are in your test boxes? Info from dmesg would be perfect. --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
BTW, what's your average packet size? --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
(ICH5) USB 2.0 controller mem 0xf900-0xf90003ff irq 23 at device 29.7 on pci0 ehci0: [GIANT-LOCKED] ehci0: [ITHREAD] usb2: EHCI version 1.0 usb2: companion controllers, 2 ports each: usb0 usb1 usb2: Intel 82801EB/R (ICH5) USB 2.0 controller on ehci0 usb2: USB revision 2.0 uhub2: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 on usb2 uhub2: 4 ports with 4 removable, self powered pcib7: ACPI PCI-PCI bridge at device 30.0 on pci0 pci1: ACPI PCI bus on pcib7 vgapci0: VGA-compatible display port 0x3000-0x30ff mem 0xf000-0xf7ff,0xf800-0xf800 irq 16 at device 1.0 on pci1 isab0: PCI-ISA bridge at device 31.0 on pci0 isa0: ISA bus on isab0 atapci0: Intel ICH5 SATA150 controller port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0x480-0x48f at device 31.2 on pci0 ata0: ATA channel 0 on atapci0 ata0: [ITHREAD] ata1: ATA channel 1 on atapci0 ata1: [ITHREAD] pci0: serial bus, SMBus at device 31.3 (no driver attached) sio0: 16550A-compatible COM port port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0 sio0: type 16550A sio0: [FILTER] speaker0: PC speaker port 0x61 on acpi0 pmtimer0 on isa0 orm0: ISA Option ROM at iomem 0xc-0xcafff pnpid ORM on isa0 atkbdc0: Keyboard controller (i8042) at port 0x60,0x64 on isa0 atkbd0: AT Keyboard irq 1 on atkbdc0 kbd0 at atkbd0 atkbd0: [GIANT-LOCKED] atkbd0: [ITHREAD] ppc0: parallel port not found. sc0: System console at flags 0x100 on isa0 sc0: VGA 16 virtual consoles, flags=0x300 sio1: configured irq 3 not in bitmap of probed irqs 0 sio1: port may not be enabled vga0: Generic ISA VGA at port 0x3c0-0x3df iomem 0xa-0xb on isa0 ukbd0: Microsoft Comfort Curve Keyboard 2000, class 0/0, rev 2.00/1.73, addr 2 on uhub1 kbd2 at ukbd0 uhid0: Microsoft Comfort Curve Keyboard 2000, class 0/0, rev 2.00/1.73, addr 2 on uhub1 Timecounters tick every 1.000 msec Fast IPsec: Initialized Security Association Processing. hptrr: no controller detected. 
mpt0:vol0(mpt0:0:0): Settings ( Hot-Plug-Spares ) mpt0:vol0(mpt0:0:0): Using Spare Pool: 0 mpt0:vol0(mpt0:0:0): 2 Members: (mpt0:1:0:0): Secondary Online (mpt0:1:1:0): Primary Online mpt0:vol0(mpt0:0:0): RAID-1 - Degraded mpt0:vol0(mpt0:0:0): Status ( Enabled ) (mpt0:vol0:0): Physical (mpt0:0:1:0), Pass-thru (mpt0:1:1:0) (mpt0:vol0:0): Online acd0: DVDROM HL-DT-STDVD-ROM GDR8083N/0L02 at ata0-master UDMA33 Waiting 5 seconds for SCSI devices to settle ukbd1: IBM IBM RSA2, class 0/0, rev 1.10/0.01, addr 3 on uhub1 kbd3 at ukbd1 uhid1: IBM IBM RSA2, class 0/0, rev 1.10/0.01, addr 3 on uhub1 ses0 at mpt0 bus 0 target 8 lun 0 ses0: IBM 25P3495a S320 1 1 Fixed Processor SCSI-2 device ses0: 3.300MB/s transfers ses0: SAF-TE Compliant Device da0 at mpt0 bus 0 target 0 lun 0 da0: LSILOGIC 1030 IM IM 1000 Fixed Direct Access SCSI-2 device da0: 3.300MB/s transfers da0: Command Queueing Enabled da0: 34678MB (71020544 512 byte sectors: 255H 63S/T 4420C) SMP: AP CPU #1 Launched! Trying to mount root from ufs:/dev/da0s1a bge0: link state changed to DOWN em0: link state changed to UP em0: link state changed to DOWN em1: link state changed to UP em1: link state changed to DOWN bge1: link state changed to DOWN pflog0: promiscuous mode enabled em0: link state changed to UP em1: link state changed to UP ukbd0: at uhub1 port 2 (addr 2) disconnected ukbd0: detached uhid0: at uhub1 port 2 (addr 2) disconnected uhid0: detached # Bill Marquette wrote: On Sun, Mar 22, 2009 at 3:32 PM, Lenny five2one.le...@gmail.com wrote: Hi Bill, ok, thanks. So as I understand it, in my production environment I will not be able to get more than say 150-200kpps even if I had the best CPU available on the You should be able to hit much more than that. One other item of interest is that PF itself is still under the Giant lock and can't take advantage of SMP. 
Since a good amount of cycles are spent in PF, it's important to keep in mind - we'll never come close to FreeBSDs raw routing performances due to that alone. market today? Which, by the way, equals around 450-600Mb in my case. And that is for dual port NIC, of course. Also, I was wondering, how do the lab tests differ from production environment? How is it possible that in the lab you can get 5 times more than in production? (you said it yourself - you could only reach 80kpps there, while in the lab you got 400). Unless I miss something. To be clear, on the older Xeons, we could only hit around 150kpps in the lab (optimistic conditions - 64byte udp). The newer Xeons hit 400kpps, the newer Opterons 600kpps+. In production, we were running the old Xeons at 80kpps (or so) at about 100% utilization (these boxes handle real traffic, ie TCP, which eats more cpu). given the disparity between test and prod at about a 50% hit, our new boxes should easily hit 300kpps. Oh, and one last thing, since you mentioned FreeBSD 8.0, would you recommend trying the pfSense 2.0 in production
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sun, Mar 22, 2009 at 4:39 PM, Bill Marquette bill.marque...@gmail.com wrote: On Sun, Mar 22, 2009 at 4:13 PM, Lenny five2one.le...@gmail.com wrote: sorry, you got me there:) how do I check that? Bill Marquette wrote: BTW, what's your average packet size? Easiest way to get in the ballpark should be to: tcpdump -w /tmp/pps.pcap -i WAN -c 1 erm... tcpdump -w /tmp/pps.pcap -i WAN -c 1 -s1514 The last part is kinda critical :) substitute WAN for your wan interface (em0 or em1 I imagine), take the output filesize, divide by 1 and subtract 40 (to account for the pcap file format overhead). --Bill
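Two bits of arithmetic run through this thread: Bill's "take the pcap file size, subtract the pcap overhead" shortcut for packet size (and why the -s1514 snaplen matters for it), and Lenny's earlier question whether 50 kpps of ~530-byte packets can really be ~150 Mbit/s. The script below is an added example, not code from the thread or from pfSense; the pcap it parses is constructed in-line, and the helper names are my own.

```python
"""Average packet size from a classic pcap, plus a pps-to-bandwidth check.

Added example for the thread above; the pcap data is constructed here, not
captured. Works on the libpcap file format tcpdump -w writes (not pcapng).
"""
import struct

PCAP_GLOBAL_HDR = 24   # magic, version, tz, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # per packet: ts_sec, ts_usec, incl_len, orig_len


def average_packet_size(pcap_bytes: bytes) -> float:
    """Mean on-the-wire packet size over every record in a classic pcap.

    Uses orig_len (the wire length), so a capture taken with a short snaplen
    still gives the right answer. The file-size shortcut below does not have
    that luxury, which is why Bill's -s1514 correction matters for it.
    """
    if len(pcap_bytes) < PCAP_GLOBAL_HDR:
        raise ValueError("truncated pcap global header")
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # little-endian writer (x86 FreeBSD box)
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off, total, count = PCAP_GLOBAL_HDR, 0, 0
    while off + PCAP_RECORD_HDR <= len(pcap_bytes):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", pcap_bytes, off)
        off += PCAP_RECORD_HDR
        if off + incl_len > len(pcap_bytes):
            raise ValueError("truncated packet record")
        off += incl_len
        total += orig_len
        count += 1
    if count == 0:
        raise ValueError("pcap contains no packets")
    return total / count


def filesize_estimate(file_size: int, packet_count: int) -> float:
    """Bill's shortcut: strip the 24-byte file header and 16 bytes per record,
    then divide by the packet count. For one packet that is 'subtract 40'.
    Only correct when the snaplen captured whole frames (-s1514)."""
    return (file_size - PCAP_GLOBAL_HDR
            - PCAP_RECORD_HDR * packet_count) / packet_count


def mbit_per_s(pps: int, avg_bytes: float) -> float:
    """Packets per second at a mean frame size -> Mbit/s (decimal megabits)."""
    return pps * avg_bytes * 8 / 1_000_000


def build_pcap(lengths, snaplen=1514) -> bytes:
    """Constructed little-endian pcap with zero-filled dummy frames."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, 1)
    for i, wire_len in enumerate(lengths):
        incl = min(wire_len, snaplen)          # what tcpdump actually stored
        out += struct.pack("<IIII", 1237750000 + i, 0, incl, wire_len)
        out += b"\x00" * incl
    return out


if __name__ == "__main__":
    sample = build_pcap([60, 1500, 530, 40])
    print("parsed average :", average_packet_size(sample))
    print("file-size guess:", filesize_estimate(len(sample), 4))
    short = build_pcap([1500], snaplen=96)     # forgot -s1514
    print("short snaplen  :", average_packet_size(short),
          "vs shortcut", filesize_estimate(len(short), 1))
    print("530 B @ 50 kpps:", mbit_per_s(50_000, 530), "Mbit/s")
```

With a 96-byte snaplen the shortcut reports 96 bytes for a 1500-byte frame while the parser still reports 1500, which is the mistake the -s1514 correction avoids.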
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sun, Mar 22, 2009 at 4:13 PM, Lenny five2one.le...@gmail.com wrote: sorry, you got me there:) how do I check that? Bill Marquette wrote: BTW, what's your average packet size? Easiest way to get in the ballpark should be to: tcpdump -w /tmp/pps.pcap -i WAN -c 1 substitute WAN for your wan interface (em0 or em1 I imagine), take the output filesize, divide by 1 and subtract 40 (to account for the pcap file format overhead). --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sun, Mar 22, 2009 at 5:20 PM, Chris Buechler c...@pfsense.org wrote: On Sun, Mar 22, 2009 at 5:33 PM, Bill Marquette bill.marque...@gmail.com wrote: I believe so. The newer Core designs have lower GHz ratings. Any chance you know the models? I'm not seeing the VTX feature in your dmesg, which makes me think it's not a 5xxx series CPU (which would get you more throughput). He said it's an IBM x336 server, which would make it an old 800 FSB Xeon with HT, not even dual core. Roughly a 4-5 year old box. Ahh, yes, the boxes I eval'd alongside my HP DL380 G3s. Yeah, you won't get too much more than about 80-120k filtered pps rates (past about 80k, userland will be entirely unusable). --Bill
Re: [pfSense Support] packet loss question
On Fri, Mar 20, 2009 at 4:50 AM, Mikel Jimenez Fernandez mi...@irontec.com wrote: If I check, or don't check, bad cksum in tcpdump always appears. Do I have to reboot? You are chasing up the wrong tree. Bad checksums are normal when using checksum offloading; tcpdump shows the packet before the card has calculated the checksum. Disabling this feature will move the checksumming to your CPU and lower throughput. --Bill
Re: [pfSense Support] Web User interface gone ?
On Thu, Mar 19, 2009 at 6:56 AM, Michel Servaes mic...@mcmc.be wrote: I just updated my pfSense 1.2.3 prerelease version through a webupdate. Which just seems to be working fine, although I cannot access the webinterface anymore ?? Yeah, it wasn't a very popular feature so we removed it. --Bill Or just read Scott's followup :)
Re: [pfSense Support] packet loss question
On Thu, Mar 19, 2009 at 6:09 PM, Mikel Jimenez Fernandez mi...@irontec.com wrote: mm OK I think that I understand what the sysctl value means.. backup:~# ping -f 10.10.0.98 -c 500 PING 10.10.0.98 (10.10.0.98) 56(84) bytes of data. . --- 10.10.0.98 ping statistics --- 500 packets transmitted, 499 received, 0% packet loss, time 160ms rtt min/avg/max/mdev = 0.269/0.296/3.321/0.140 ms, ipg/ewma 0.322/0.282 ms backup:~# ping -f 10.10.0.98 -c 600 PING 10.10.0.98 (10.10.0.98) 56(84) bytes of data. . --- 10.10.0.98 ping statistics --- 600 packets transmitted, 499 received, 16% packet loss, time 1391ms rtt min/avg/max/mdev = 0.227/0.302/2.523/0.104 ms, ipg/ewma 2.323/0.288 ms What exactly does the icmp limit value mean? It means that the firewall will start dropping ICMP from a host that's spamming the crap out of it like you are. --Bill
Re: Re: [pfSense Support] Re: Can't get more than 15kpps.
On Wed, Mar 18, 2009 at 7:32 AM, five2one.le...@gmail.com wrote: Hi, ok, I'm back with some tests and results. I read a lot about the em driver settings, and this is what I did: in /etc/sysctl.conf I added: dev.em.0.rx_processing_limit=1600 dev.em.1.rx_processing_limit=1600 although I also tried -1 and some smaller values. in /boot/loader.conf I added: hw.em.rxd=4096 hw.em.txd=4096 and I believe these took care of the errors on the interfaces I used to see. I also decided to change these in sysctl.conf: kern.ipc.somaxconn=1024 net.inet.ip.intr_queue_maxlen=4096 the first one was a recommendation from a freebsd documentation and the second one I changed even though I had net.inet.ip.intr_queue_drops = 0. I also tried changing net.isr.direct to 0. Now, for the important part. The emX taskq is back (after reboot), swi1: net is gone and while I don't have any serious load right now, I can see by the percentage of this process that it will hit 100% exactly around 15kpps, as usual. And I should remind you that this is still a different server - IBM x336. Just as an FYI and comparison proving that FreeBSD 6.2 handles this w/out blinking. Unfortunately, I don't have any boxes running 7.x at this time. bwm-ng v0.6 (probing every 0.500s), press 'h' for help input: getifaddrs type: rate - iface Rx Tx Total == em0: 3801.54 P/s 4210.02 P/s 8011.56 P/s em1: 19377.65 P/s 18855.49 P/s 38233.14 P/s em2: 111.75 P/s 7231.21 P/s 7342.97 P/s em3: 1.93 P/s 1.93 P/s 3.85 P/s lo0: 0.00 P/s 0.00 P/s 0.00 P/s last pid: 67441; load averages: 0.47, 0.53, 0.54 up 241+10:41:12 13:33:00 48 processes: 1 running, 28 sleeping, 19 zombie CPU states: 0.8% user, 0.0% nice, 1.3% system, 11.5% interrupt, 86.5% idle Mem: 22M Active, 1298M Inact, 243M Wired, 112M Buf, 1696M Free Swap: 2048M Total, 2048M Free This is on an HP DL385 G5 with two dual-core Opteron 2218 CPUs and dual port Intel PCI-e LC fiber cards (as well as a quad port copper card...the PPS rates above are going over the fiber card).
The operating system version is FreeBSD 6.2 - the same kernel (and some of the same patches) that pfSense 1.2.0 runs. # sysctl net.isr net.isr.direct: 0 net.isr.count: 1942552898 net.isr.directed: 0 net.isr.deferred: 1942552900 net.isr.queued: 31395 net.isr.drop: 0 net.isr.swi_count: 347040539 (all 4 nics running the same settings) # sysctl dev.em.0 dev.em.0.%desc: Intel(R) PRO/1000 Network Connection Version - 6.2.9 dev.em.0.%driver: em dev.em.0.%location: slot=0 function=0 handle=\_SB_.PCI0.EXB0.PES5 dev.em.0.%pnpinfo: vendor=0x8086 device=0x105f subvendor=0x8086 subdevice=0x125f class=0x02 dev.em.0.%parent: pci5 dev.em.0.debug_info: -1 dev.em.0.stats: -1 dev.em.0.rx_int_delay: 0 dev.em.0.tx_int_delay: 66 dev.em.0.rx_abs_int_delay: 66 dev.em.0.tx_abs_int_delay: 66 dev.em.0.rx_processing_limit: 100 net.inet.ip.intr_queue_maxlen: 5000 net.inet.ip.intr_queue_drops: 0 --Bill
Re: Re: [pfSense Support] Re: Can't get more than 15kpps.
On Wed, Mar 18, 2009 at 10:27 AM, five2one.le...@gmail.com wrote: So the question is, should I go for it? Will it help me in any way? I mean, if I have 2 Xeon CPUs and Hyper Threading enabled, I can actually divide it into 4 threads, right? Don't use hyperthreading. It's likely to cost you more performance than it gives you. --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Wed, Mar 18, 2009 at 3:12 PM, Lenny five2one.le...@gmail.com wrote: Hi Bill, thanks for answering. a couple of questions: I'm gonna disable hyperthreading tomorrow, but tell me, should I do it in BIOS and just boot it up, All our older Intel machines had it disabled in BIOS. The Opterons obviously don't have such a setting :) FWIW, the older Xeons (about the same generation as yours I believe) maxed at around 80kpps (production load). regarding your stats: I see that you have net.isr.directed: 0 does it help? should I do it too? For us it did. Again, this is FreeBSD 6.2, YMMV on 7.x do you have anything related added to /boot/loader.conf or sysctl.conf besides net.inet.ip.intr_queue_maxlen: 5000 ? # cat /etc/sysctl.conf net.inet.ip.fastforwarding=1 net.inet.carp.preempt=1 net.inet.ip.intr_queue_maxlen=5000 No loader.conf settings. --Bill
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Wed, Mar 18, 2009 at 3:14 PM, Lenny five2one.le...@gmail.com wrote: Hi, ok, thanks. Regarding MSI - I never checked, but as far as I remember the BIOS settings - I never saw it there. I'll check tomorrow. That reminds me. Our HP gear has an APIC setting in BIOS - we set it to Full Table APIC. There's no particular reason for the setting and I don't believe we ever benched the boxes with any other setting as we were happy with performance. That _might_ affect interrupt handling (particularly assignment I believe) though. --Bill
Re: [pfSense Support] CARP over Serial?
Further, CARP doesn't run on a dedicated NIC, pfsync does (and no, it's not required, however it isn't encrypted or authenticated). --Bill Sent from my iPhone On Mar 18, 2009, at 7:01 PM, Chris Buechler c...@pfsense.org wrote: On Wed, Mar 18, 2009 at 7:55 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote: Is there any provision for doing CARP over serial/SLIP, or do I have to have a third Ethernet interface? No, because it wouldn't work unless you have a 512 Kb Internet pipe or slower. Serial is *way* too slow to sync states with any modern broadband connection.
Re: [pfSense Support] Help with NIC Hardwares
(Reply sent as a calendar invite; message text recovered from its description.) 2009/3/18 Alexandre F. Guimarães alexandre.fguimar...@gmail.com: Hello Pfsensers! I need some help with brands of NIC to buy, I need Giga ether cards with more or less 300kpps (real throughput) only for routing. What card is the best for this? Intel? 3com? What model? Can anyone help me? NICs aren't the only piece of the puzzle...there's another ongoing thread talking about pps rates right now, you might check it out, there's some good info in it. http://marc.info/?t=12340997942r=1w=2 --Bill
Re: [pfSense Support] Help with NIC Hardwares
On Wed, Mar 18, 2009 at 11:06 PM, Victor Padro vpa...@gmail.com wrote: Intel 1Gbps are the best for routing, data transfer, etc. Although intel pro 100Mbps are quite alright in a 300 kbps routing environment. thousands of PACKETs per second, not bits. You'd need a bit more than a 100Mbit capable nic to route 300kpps ;) --Bill
Re: [pfSense Support] IPsec tunnel with 0.0.0.0/0 remote subnet
Your ipsec policy matches all traffic, this isn't a routing issue. What you've told the kernel is that all traffic uses an ipsec policy that encrypts it and sends it to a different site. --Bill On Tue, Mar 10, 2009 at 9:02 AM, Pabel Zenteno pzent...@prodemffp.com.bo wrote: I have an IPsec tunnel with 0.0.0.0/0 remote subnet, so all clients behind the LAN interface of the pfsense route all traffic through this tunnel. I added a third interface to pfsense to reach another network and added the static route to reach it. Pfsense reaches this network, but the clients behind the LAN interface of the pfsense always want to go through the IPsec tunnel instead of obeying the static route defined. The question is: where do I have to add a rule or what do I have to modify in order to work with this third network routed in the pfsense? Sincerely, Pabel. CONFIDENTIALITY NOTE: The information contained in this e-mail and its attachments may only be used by the individual or company to which it is addressed. Without the express authorization of the sender, its disclosure, distribution or copying is prohibited and punishable by law. If you receive this message in error, please return it to its sender and then delete it. Thank you for your attention.
Re: [pfSense Support] IPsec tunnel with 0.0.0.0/0 remote subnet
On Tue, Mar 10, 2009 at 9:30 AM, Pabel Zenteno pzent...@prodemffp.com.bo wrote: So, is there something I can do? Change your ipsec policy. --Bill
Re: [pfSense Support] pfsync vs contrackd
Go troll elsewhere. On Thu, Feb 19, 2009 at 5:51 AM, Mikel Jimenez mi...@irontec.com wrote: Hello Is pfsync better than contrackd? Who cares, pfsense runs on FreeBSD where there be demons, not penguins. In what aspects? It runs on *BSD, not linux, so yes, infinitely better. --Bill
Re: [pfSense Support] pfsync vs contrackd
On Thu, Feb 19, 2009 at 12:26 PM, mikel mi...@irontec.com wrote:
> I ask this question because I am in favour of *BSD, and one friend argues with me that what pfsync+carp does is possible with contrackd. I have read that contrackd only syncs tcp states, and is a user space daemon, not kernel level. My question is, can it do all that pfsync does?

All 255 protocols. If it's in state, it's sync'd.

--Bill
Re: [pfSense Support] Date Change Bug
On Sun, Feb 15, 2009 at 5:58 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> Hello,
>
> I recently changed the timezone on one of our PFSense boxes, as it thought it was 12 hours ahead of where it actually is. Since I have made that change, states do not appear to be expiring normally, and the logs are still labeled with the old date/time offset. However, the result of 'date' in the command line is correct.

Short answer: don't do that.

Long answer: Yeah, don't change dates on a running unix system unless you plan on restarting all services afterwards. At best, what you did is increased the expiration time on all states by 12 hours (including states that would normally have expired in say 30 seconds). At worst, you also are no longer running the kernel thread that cleans up states (well, at least for the next 12 hours - by the time you read this, your system might actually be back to normal).

> Restarting this box is pretty difficult, although I am confident that a reboot would fix the issue. Do I have any other options?

Wait it out, assuming you don't run out of state table entries and hose the box first. It'll either recover once it catches up to the date it _used_ to have, or you'll be rebooting it.

--Bill
Re: [pfSense Support] Date Change Bug
Logs won't be fixed short of a reboot, unless you like monkeying around in the shell. Syslog records its offset from GMT when it starts up.

--Bill

On Mon, Feb 16, 2009 at 8:17 AM, Bill Marquette bill.marque...@gmail.com wrote:
> On Sun, Feb 15, 2009 at 5:58 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
>> Hello,
>>
>> I recently changed the timezone on one of our PFSense boxes, as it thought it was 12 hours ahead of where it actually is. Since I have made that change, states do not appear to be expiring normally, and the logs are still labeled with the old date/time offset. However, the result of 'date' in the command line is correct.
>
> Short answer: don't do that.
>
> Long answer: Yeah, don't change dates on a running unix system unless you plan on restarting all services afterwards. At best, what you did is increased the expiration time on all states by 12 hours (including states that would normally have expired in say 30 seconds). At worst, you also are no longer running the kernel thread that cleans up states (well, at least for the next 12 hours - by the time you read this, your system might actually be back to normal).
>
>> Restarting this box is pretty difficult, although I am confident that a reboot would fix the issue. Do I have any other options?
>
> Wait it out, assuming you don't run out of state table entries and hose the box first. It'll either recover once it catches up to the date it _used_ to have, or you'll be rebooting it.
>
> --Bill
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
On Mon, Feb 9, 2009 at 3:14 PM, Joel Robison robisonj...@gmail.com wrote:
>> Hello All,
>>
>> I was wondering if anyone here would be able to give me some pointers in context of traffic redirection. What I am attempting (and failing at, I should add) to do is redirect all SMTP traffic from the LAN to another machine on the LAN interface for mail processing with a given set of rules I have created for the postfix instance (think DLP reasons). Essentially this should be no different than setting up a transparent proxy server with squid (redirecting all web traffic to another server before it egresses the firewall). I know that at some point I have used PFSense to do the latter, but as I mentioned before I am failing, as the rule I have added to the LAN tab never gets hits. Here is the rule:
>>
>> Proto    Source   Port  Destination  Port       Gateway  Schedule  Description
>> TCP/UDP  LAN net  *     10.10.1.151  25 (SMTP)  *
>>
>> Any ideas what it is that I am NOT doing? or that I am doing wrong?
>>
>> -Joel
>
> The MTA needs to not be on the same network as you are redirecting. ie. You can't send LAN traffic back to LAN, it MUST go to a different interface (say a DMZ).

There are ways around the issue Tim describes, but it's not really pertinent to your issue at the moment anyway. Bottom line, you can't port forward to an address on the same network as the traffic is sourced from.

--Bill
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
On Mon, Feb 9, 2009 at 5:11 PM, Chris Buechler c...@pfsense.org wrote:
> On Mon, Feb 9, 2009 at 5:43 PM, Tim Nelson tnel...@rockbochs.com wrote:
>> - Bill Marquette bill.marque...@gmail.com wrote:
>>> The MTA needs to not be on the same network as you are redirecting. ie. You can't send LAN traffic back to LAN, it MUST go to a different interface (say a DMZ).
>>>
>>> There are ways around the issue Tim describes, but it's not really pertinent to your issue at the moment anyway. Bottom line, you can't port forward to an address on the same network as the traffic is sourced from.
>>
>> Care to share the ways around the issue? :-)
>
> Specifying source IP/net in port forward rules, which isn't possible in pfSense 1.2 nor 2.0 at this time. It's on the feature request list already.

Erm, yeah, my mistake, I'm used to working in pf.conf :) My home firewall is much less complex than the stuff I deal with at work. It's possible to do, just not in pfSense at this time.

--Bill
Re: [pfSense Support] Redirecting Traffic Destined for outbound NAT
On Mon, Feb 9, 2009 at 5:30 PM, Joel Robison robisonj...@gmail.com wrote:
> I have done a little experimenting with this over the past few hours (while dodging IT requests, I am sure most of you are familiar). I set up a VLAN interface that is off of the LAN interface to put the email server in a DMZ. I then created a rule that will look for my workstation as a source IP and the source PORT of 25 and forward them to the new VLAN subnet/machine on port 25. Admittedly, I am a little confused by this, as I had always thought that the source PORT range would most likely not be the port I was trying to match, as most programs generate a higher port on the client side then establish a connection to the server. Am I wrong?

Are you referring to the External port range in the port forward screen? If so, that's not source port, it's the original destination port. In which case, yes, you want port 25, you happen to also be forwarding it to port 25, but on a different host. If you truly mean the filter rule screen, I'd be willing to bet that the rule isn't matching, but some other rule (maybe a default allow?) is.

--Bill
Re: [pfSense Support] Does anybody have working dual wan failover with pfsense?
On Mon, Jan 19, 2009 at 3:07 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:
> Bill Marquette wrote:
>> Setup a load balancer entry with an active node and a failover node.
>
> As I previously said, I don't want load balancing, I only need failover.

duh, what do you think this provides? Rhetorical question, obviously you think a load balancer pool of ONE entry and a failover entry somehow magically balances multiple entries.

> If wan fails then opt1 is used until wan returns. As simple as that. How to configure pfsense to accomplish that?
>
> Currently I'm having one failover pool (Type: Gateway; Behavior: Failover):
> wan|wan gateway
> opt1|opt1 gateway

yup, that's it.

>> Use that entry as your gateway in your rules.
>
> I have one firewall rule for LAN to accept all traffic from one host in LAN and gateway is that pool.

good

>> It's really not rocket science.
>
> I'm still unable to get packages list in pfsense web interface, though I'm able to ping outside world from that one LAN host. When I ping google.ee from command line, I get:

And we finally get to your misunderstanding. Failover is for traffic routed _through_ pfsense. During a failover situation as you've described, pfsense itself will not have a route to the internet.

--Bill
Re: [pfSense Support] installing pfSense via pxeboot and nfs
fwiw, that's not an install guide, it was really a how to make it boot over the network guide - very helpful for development. I don't know of anyone that has had a successful install to a soekris over the network. Not to say it can't be done, but you've got a lot of exploring ahead of you. Chances are in the below, your IP changed (ie, you didn't update config.xml before booting).

--Bill

On Mon, Jan 19, 2009 at 5:41 PM, Stefan Lambrev stefan.lamb...@moneybookers.com wrote:
> Greetings,
>
> I'm trying to install pfSense embedded using only network and serial console on soekris net5501. I'm following the steps from this document - http://devwiki.pfsense.org/wikka.php?wakka=NetBootSoekrisEmbedded
>
> Unfortunately I'm unable to finish the installation because the boot process stops at:
>
> Trying to mount root from nfs:10.1.1.1:/usr/local/tftpboot/4801-60
> vr0: link state changed to UP
> NFS ROOT: 10.1.1.1:/usr/local/tftpboot/4801-60/
>
> I tried with the iso/livecd as well, but with it I cannot even see the kernel booting (dmesg) nor the welcome menu.
>
> Is it possible at all to install pfSense using pxeboot, tftp and nfs over serial console?
>
> --
> Best Wishes,
> Stefan Lambrev
> ICQ# 24134177
Re: [pfSense Support] Iface combo not showing lagg interfaces for vlan association.
On Tue, Jan 13, 2009 at 6:13 PM, Aliet Santiesteban Sifontes alietsantieste...@gmail.com wrote:
> Testing 20090112 2.0 Alpha I have found that the lagg interfaces are not listed in the combo for vlan parent interface, any workaround for this???

write code
submit patch
get famous
continue living on ramen (the contract didn't stipulate profit)

--Bill
Re: [pfSense Support] Does anybody have working dual wan failover with pfsense?
On Mon, Jan 12, 2009 at 6:28 AM, Veiko Kukk veiko.k...@krediidipank.ee wrote:
> Erwan David wrote:
>> On Mon, Jan 12, 2009 at 11:30:44AM CET, Veiko Kukk veiko.k...@krediidipank.ee said:
>>> Do you have also load sharing or only failover? How are your failover pools configured?
>>>
>>> ---
>>> Veiko
>>
>> I have both. 2 links, Wan and opt1 interfaces.
>
> I got it working the same way (with load balancer), but I'm not interested in load balancing/sharing, I only need failover. Simple dual wan failover is not working or I'm missing something about configuration.

Or you're missing something, I think is the correct statement. Setup a load balancer entry with an active node and a failover node. Use that entry as your gateway in your rules. It's really not rocket science. This feature has worked flawlessly since I implemented it over 3 years ago, with only usability tweaks having been made to it since commit (not counting the major feature changes to it in 2.0). I no longer need the feature, having no desire to continue maintaining payment for multiple WAN connections, but it's used by numerous other devs on a daily basis and lots of users. If it were truly broken we would have heard about it not only after releases, but during release candidates and betas, which are released entirely so our userbase can help perform our quality assurance and make sure that releases are solid.

--Bill
Re: [pfSense Support] 1.2.2 released
On Sun, Jan 11, 2009 at 2:19 PM, Chris Buechler c...@pfsense.org wrote:
> On Sun, Jan 11, 2009 at 11:22 AM, Karl Fife karlf...@gmail.com wrote:
>> I want to say that I recall a move to IPTables was anticipated at some point. Has that happened?
>
> What?! hah Never. Wow, the chance of anyone with a commit bit even remotely considering iptables is beyond absurd. No, no, no, no.

And would require either a port of iptables from linux to freebsd, or a port of pfsense from freebsd to linux. As Chris says, nobody with commit access to our repo has any sort of desire to see either happen.

--Bill
Re: [pfSense Support] 1.2.2 released
On Sun, Jan 11, 2009 at 5:02 PM, Karl Fife karlf...@gmail.com wrote:
>> Tell them to use a worthwhile browser. The reason the SVG graphs don't work is because IE is the only browser that doesn't come with SVG integrated and for whatever reason the plugin has issues if you force authentication with HTTPS. See the 1.2.2 release announcement for details. This is a known problem with IE, and the only way to fix it is to not require authentication to see the graphs. We're not going to do that for the sake of supporting IE.
>
> Sound reasoning. I agree that it's the right choice. Am I correct in my understanding that the auth is NOT sent across the network in clear text even when using HTTP?

No.

> So to clarify, that would be to say auth IS sent in clear text across the network, when using HTTP web admin?

Yes

> Thanks keep up the outstanding work!
Re: [pfSense Support] Delete pf rule for SIP (VoIP) every 24 hours?
On Sat, Jan 10, 2009 at 3:45 AM, Dominik Schips domi...@s235.de wrote:
> Hello,
>
> I am using pfSense 1.2.2 and it is wonderful. However I have one problem with SIP (port 5060) calls. My (german) provider does a reconnect of the ADSL line (PPPoE) every 24 hours. Normally that is never a problem. I set the reconnect to 5:30 in the morning. I use siproxd to pass the SIP connections to a SIP phone. It works without problems. But after the 24 hour reconnect I still have the old public IP in the state for port 5060. So I can not make a new call before I delete the second rule at the states diagnostic page.
>
> udp 217.10.x.x:5060 - 192.168.1.100:5060 MULTIPLE:MULTIPLE
> udp 192.168.1.100:5060 - 92.227.x.x:5060 - 217.10.x.x:5060 MULTIPLE:MULTIPLE
>
> 217.10.x.x is the sip provider asterisk server. 92.227.x.x is my public IP (for the current 24 hours). 192.168.1.100 is my SIP phone at the LAN. After deletion the new rule (with new public IP) appears and SIP calls are possible again without problems.
>
> Does somebody have an idea, or could explain to me how to make a cronjob by ssh login to delete all states for port 5060 every 24 hours?

You'll want to do:

pfctl -k 217.10.x.x

in your cron job. http://forum.pfsense.org/index.php?topic=8485.msg47601 has some good information on setting up cron jobs. A scheduled rule might also solve your problem.

--Bill
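As an added example, not from Dominik's or Bill's mail, here is a cron-ready shell script built around the `pfctl -k` suggestion: it reads `pfctl -ss` style state lines, reports the destination hosts whose outbound state is still translated through a public address other than the current one, and prints the matching `pfctl -k` command for each. The state lines are constructed from the layout shown above with documentation-range addresses, and the `->` field layout of pfctl's state listing is assumed.

```shell
#!/bin/sh
# Added example: find states that are still NATed through an old WAN address
# after a PPPoE reconnect and print the pfctl -k commands that clear them.
# Real use from cron:  pfctl -ss | kill_commands "$CURRENT_WAN_IP" | sh

# Constructed sample of pfctl -ss output (documentation-range addresses):
#   203.0.113.5   the OLD public IP, before the reconnect
#   203.0.113.9   the current public IP
#   198.51.100.10 stands in for the SIP provider's server
#   192.168.1.100 the SIP phone on the LAN (as in the thread)
SAMPLE_STATES='udp 198.51.100.10:5060 -> 192.168.1.100:5060       MULTIPLE:MULTIPLE
udp 192.168.1.100:5060 -> 203.0.113.5:5060 -> 198.51.100.10:5060   MULTIPLE:MULTIPLE
tcp 192.168.1.50:51234 -> 203.0.113.9:51234 -> 192.0.2.7:443       ESTABLISHED:ESTABLISHED'

# stale_nat_hosts CURRENT_WAN_IP   (reads state lines on stdin)
# A translated (outbound NAT) state shows three endpoints separated by two
# "->" tokens: source -> NAT address -> destination. Print each destination
# host whose state is bound to a NAT address other than CURRENT_WAN_IP.
stale_nat_hosts() {
  awk -v cur="$1" '
  {
    n = 0
    for (i = 1; i <= NF; i++) if ($i == "->") arrow[++n] = i
    if (n != 2) next                       # untranslated state: nothing to do
    nat = $(arrow[1] + 1); dst = $(arrow[2] + 1)
    sub(/:[0-9]+$/, "", nat); sub(/:[0-9]+$/, "", dst)   # drop the port
    if (nat != cur) print dst
  }' | sort -u
}

# kill_commands CURRENT_WAN_IP   (reads state lines on stdin)
# One "pfctl -k HOST" line per stale remote host; pfctl -k with a single host
# removes every state to or from it, which is what Bill suggests above.
kill_commands() {
  stale_nat_hosts "$1" | while IFS= read -r host; do
    printf 'pfctl -k %s\n' "$host"
  done
}

# Demo on the constructed sample: only the provider's state, still bound to
# the old address 203.0.113.5, should be reported.
printf '%s\n' "$SAMPLE_STATES" | kill_commands 203.0.113.9
```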
Re: [pfSense Support] Outbound NAT to Virt. IP issues. Maybe it's the config, maybe it's VMWare ESXi?
On Mon, Dec 22, 2008 at 5:31 PM, Jason Lixfeld jason-lists.pfse...@lixfeld.ca wrote:
> Hi Dimitri,
>
> It is a CARP address, yes and it does in fact match the mask on the WAN interface; they are both /28.
>
> After doing some more digging, I figured it out. It was a VMWare thing. I had to set the virtual adapter with a security policy exception to allow promiscuous mode.
>
> There seems to be another issue though - it seems as though there is another client out there on the WAN (albeit, on a different VLAN) using a pfSense box, because I see the same MAC address as what my pfSense box is using for my CARP MAC Address.

Probably VRRP is what you're seeing. http://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol#History for history on this.

--Bill
Re: [pfSense Support] Can't get more than 15kpps.
On Sun, Dec 21, 2008 at 2:08 AM, Lenny five2one.le...@gmail.com wrote:
> Bill Marquette wrote:
>> On Sat, Dec 20, 2008 at 4:45 PM, Lenny five2one.le...@gmail.com wrote:
>>> Hi, I'm kind of desperate here, so please try to help me. Here's my problem: I have a setup in production (a very dynamic website). It consists of pfsense--Alteon Load Balancer--IBM Bladecenter (with a Squids cluster on it). pfsense is installed on IBM x335 with 2 Xeon 2.4GHz, 2GB RAM, and Dual Intel NIC PCI-X 1Gb. I'm connected with 1Gb to the ISP. The problem is that no matter what I do, I can't get more than 15kpps. After that I start to get a lot of packet loss.
>>
>> Check sysctl net.inet.ip.intr_queue_drops and raise net.inet.ip.intr_queue_maxlen if it's non-zero. Also check net.isr.drop. The intel driver has some debugging also under the dev.em sysctl I believe.
>>
>> --Bill
>
> Hi, thanks for the reply. Actually I wrote in the original post that I already checked queue_maxlen and it is zero.

Sorry, missed that.

> Now I also checked the net.isr.drop and it's also zero. Regarding the intel driver, do you really think it can be the problem, because I had the same problems with broadcom cards as well...

Nope, just commenting that the Intel driver has more debugging options. I don't know which of the two Broadcom drivers you might be using, nor do I know what debugging options they have - but I _do_ know the Intel features :) What I was more suggesting is that I have certainly seen instances where the OS drop counters do not increase, but the counters in the NIC driver do - this was seen with various isr modes (my memory is too fuzzy to remember the exact settings - it may have even been polling).

--Bill
Re: [pfSense Support] Can't get more than 15kpps.
On Sat, Dec 20, 2008 at 4:45 PM, Lenny five2one.le...@gmail.com wrote:
> Hi, I'm kind of desperate here, so please try to help me. Here's my problem: I have a setup in production (a very dynamic website). It consists of pfsense--Alteon Load Balancer--IBM Bladecenter (with a Squids cluster on it). pfsense is installed on IBM x335 with 2 Xeon 2.4GHz, 2GB RAM, and Dual Intel NIC PCI-X 1Gb. I'm connected with 1Gb to the ISP. The problem is that no matter what I do, I can't get more than 15kpps. After that I start to get a lot of packet loss.

Check sysctl net.inet.ip.intr_queue_drops and raise net.inet.ip.intr_queue_maxlen if it's non-zero. Also check net.isr.drop. The intel driver has some debugging also under the dev.em sysctl I believe.

--Bill
Re: [pfSense Support] FreeBSD SA-08:11 and pfSense
On Thu, Dec 18, 2008 at 7:00 AM, a800 pentes...@scanit.be wrote:
> The FreeBSD advisory says one has to upgrade to 7.0-RELEASE-p6 to get the bug fixed. pfSense 1.2.1-RC4 image I have downloaded a couple days ago says it runs 7.0-RELEASE-p5. Do you mean this flaw was fixed in the source tree of pfSense, independently from FreeBSD?

Yes. But looking into this, I believe 1.2.1 should have been on -p6 since we pulled the arc4random patch due to it making its way into the RELENG_7_0 branch.

> I wonder if this fact was mentioned in some release notes or changelog document? I am doing a security review of a custom firewall based on CVS commit logs.

Adding patch: http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/builder_scripts/patches.RELENG_1_2?rev=1.31;content-type=text%2Fx-cvsweb-markup
Removing patch: http://cvs.pfsense.org/cgi-bin/cvsweb.cgi/tools/builder_scripts/patches.RELENG_1_2?rev=1.33;content-type=text%2Fx-cvsweb-markup

--Bill
Re: [pfSense Support] Many CARP servers in seperate groups
On Wed, Dec 10, 2008 at 10:05 AM, Tim Roberts [EMAIL PROTECTED] wrote:
> I'm still trying to track this issue down. I have one of the two new nodes up finally without blowing up the network. I re-arranged VHIDs on all PFSense servers on the network so they are unique and that did the trick for one out of two. Still, bringing the second server up to pair up with carp, it shuts down one segment of my wireless network. There are 2 PFSense servers on the hard wire over there. One is a bridge and does not use carp. One is a traditional NAT firewall without carp as well. There might be a few customers we have recommended PFSense to over there but I doubt any of them use carp (intentionally).
>
> I read a post about PFSense becoming unresponsive after adding carp ips. This is what happens during the outage. The console freezes for 4-5 minutes on that last PFSense server I'm trying to bring up. In another post it was mentioned that although you can set pfsync to sync over a certain interface, carp multicast is sent out over any interface that has a carp ip assigned to it. We use Motorola Canopy for pretty much the entire wireless network. In the past, we had huge outages due to multicast floods. We had to filter out all multicast on every customer modem to stop it. So I know we have some sort of an outstanding issue with multicast over the Canopy network that maybe this is related to.

Both CARP and pfsync make use of multicast to do their job. CARP is very similar to VRRP, the master node advertises once a second, the passive server watches the wire to see if the advertisements come in. If you are dropping multicast on your switch, I'd be surprised if CARP is working at all for you. You'll need it enabled on at least the ports that have your firewalls plugged in.

> My questions:
>
> 1.) Under status - carp - I see a list of pfsync nodes. I was able to determine one of the listed nodes was a pfsense firewall with CARP enabled. However, the other 4-5 listed, I cannot match up with any of my MAC's. Are these node ID's randomly made up because of the virtual carp ips? Some of my PFSense servers have 30+ pfsense nodes listed.

These are system ids and get uniquely generated at boot. You'll tend to see more than your cluster count due to reboots and long lived connections going through the cluster that live longer than the reboot times. You can identify a given node's current id with a 'pfctl -si |grep Hostid' in the shell.

> 2.) Being that it looks like I'm still conflicting somehow with my own PFSense servers AND possibly current and future subscribers, is there a way to block carp broadcasts all together per node with the exception of each master's partner? I entered a block rule on every interface of one pfsense server (whose slave is turned off) Protocol = carp source/destination * and yet it still sees other pfsync nodes in the carp status. I don't see anything in the firewall logs for related drops.

pfsync needs to be on a dedicated cable PER cluster. I think I see some of your issue here. pfsync and carp are COMPLETELY different beasts, they work hand in hand, but are mutually exclusive - neither requires the other.

--Bill
Re: [pfSense Support] Many CARP servers in seperate groups
On Mon, Dec 8, 2008 at 2:32 PM, Tim Roberts [EMAIL PROTECTED] wrote:
> SNIP
>
> Do VHIDs have to be unique per IP on the same physical wire to avoid conflicts with other CARP servers? We had similar floods when we first setup Pair1 to carp sync on LAN. It was flooding certain linksys and belkin WAPs out on subscriber sites. We switched it to sync to WAN and the issue went away.

The CARP vhid dictates its MAC address. You can only have a given VHID on one Layer 2 segment (and depending on the switch, on one switch if it can't handle identical MACs on multiple ports even if they are on different VLANs).

--Bill
Re: [pfSense Support] Sizing for Throughput up to 6Gbit/s
On Fri, Dec 5, 2008 at 10:43 AM, Chris Buechler [EMAIL PROTECTED] wrote:
> Commodity PC hardware of any type may not be able to push that. It's not about Gbps, it's about pps and the kind of traffic you're pushing. You're going to max out at probably 1 Mpps (million packets per second). 1 Mpps of 64 byte frames is 488 Mbps. 1 Mpps of 1500 byte frames is 11+ Gbps. You'll fall somewhere in the middle likely.

Exactly what I was going to reply with.

> Stick with the quad core procs and the Intel cards. Anything over 4 GB RAM isn't necessary.

Keep the procs. FreeBSD will spread the interrupt load across the cores. You won't achieve perfect scaling by any means since PF is still Giant locked, but there's some amount of cpu cycles that are still eaten up by the driver (and other parts of the stack) that multiple CPUs will help. As for ram, we're a 32bit install w/out PAE. You won't see more than 3G of that ram available to the OS. Nor is it needed. 3G of ram should handle around 3 million state entries (you'll probably find some unique tuning issues well before that depending on the lifetimes of those states).

> But there isn't enough info here to tell you whether or not any solution based on PC hardware is workable in your environment.

Agreed. Jumbo frames and handling backups, for example, I see no reason why you can't hit 6gbit on your stated hardware. Like Chris said, the number that matters in this game is packets per second, not throughput.

--Bill
Re: [pfSense Support] regulary checks of config.xml through md5
On Fri, Dec 5, 2008 at 3:14 PM, Chris Buechler [EMAIL PROTECTED] wrote:
> Along those lines - one of the in the future items on the list for the autoconfigbackup is an option to email when the configuration changes. For some environments that would be nothing more than an annoyance, but could be useful for others where things should only very rarely change. Even though the config is encrypted and unreadable, we can still tell if it's different.

I'm guessing it wouldn't take much to have write_config() dump a message to our standard event logger, which I believe makes use of syslog. I might poke at that in the next few days now that I think of it (2.0 only obviously) - it's been one of those things I've wanted to do for some time.

--Bill
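An added example (not pfSense's own code) of the periodic md5 check the subject asks about: a script to run from cron that keeps the last digest in a state file, sends a syslog event through logger(1) when config.xml changes, and returns a distinct exit code per outcome. The log tag, state file path and exit codes are assumptions; the demo runs on a constructed file in a temp directory rather than the live config.

```shell
#!/bin/sh
# Added example: periodic integrity check of config.xml, cron style.
# Exit codes from check_config: 0 unchanged, 1 changed, 2 baseline recorded,
# 3 config not readable.

# file_digest FILE -> hex md5 on stdout. FreeBSD ships md5(1), Linux md5sum(1).
file_digest() {
  if command -v md5 >/dev/null 2>&1; then
    md5 -q "$1"
  else
    md5sum "$1" | cut -d' ' -f1
  fi
}

# log_event MESSAGE -> syslog via logger(1) under an assumed tag; if logger
# is missing or cannot reach syslog, fall back to stderr so cron mails it.
log_event() {
  if command -v logger >/dev/null 2>&1 \
     && logger -t config-watch -p auth.notice "$1" 2>/dev/null; then
    return 0
  fi
  printf 'config-watch: %s\n' "$1" >&2
}

# check_config CONFIG STATEFILE
# Compare CONFIG's digest with the one stored in STATEFILE, record the new
# digest, and log when they differ. Each outcome maps to its own exit code
# (see the header) so a cron wrapper can act on it.
check_config() {
  cfg=$1; state=$2
  [ -r "$cfg" ] || { log_event "cannot read $cfg"; return 3; }
  now=$(file_digest "$cfg")
  if [ ! -f "$state" ]; then
    printf '%s\n' "$now" > "$state"
    log_event "baseline digest recorded for $cfg: $now"
    return 2
  fi
  read -r last < "$state"
  if [ "$now" = "$last" ]; then
    return 0
  fi
  printf '%s\n' "$now" > "$state"
  log_event "$cfg CHANGED: was $last now $now"
  return 1
}

# Demo on a constructed config in a temp dir (not the real /cf/conf/config.xml).
demo_dir=$(mktemp -d)
printf '<pfsense><hostname>fw1</hostname></pfsense>\n' > "$demo_dir/config.xml"
check_config "$demo_dir/config.xml" "$demo_dir/config.md5"; echo "first run exit: $?"
check_config "$demo_dir/config.xml" "$demo_dir/config.md5"; echo "second run exit: $?"
printf '<pfsense><hostname>fw1</hostname><extra/></pfsense>\n' > "$demo_dir/config.xml"
check_config "$demo_dir/config.xml" "$demo_dir/config.md5"; echo "after edit exit: $?"
rm -rf "$demo_dir"
```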
Re: [pfSense Support] Policy Routing and Re-Direct Question
On Wed, Dec 3, 2008 at 10:12 AM, Gary Buckmaster [EMAIL PROTECTED] wrote:
> It can be done, although not if the proxy machine is inside your LAN. It would need to live on a separate network segment (ie: DMZ). In this case, yes, it's possible to redirect outbound traffic for TCP 80 to the proxy machine, do your content filtering and pass it on. You cannot transparently proxy SSL traffic in this manner however due to the fact that the streams are encrypted.

Well, there are ways to do it, all of them evil :) Consider it a trusted MITM attack. Wh...outside of commercial proxies however, I know of no open source way to automate this (without lots of work on the administrator end to set it up).

--Bill
Re: [pfSense Support] Policy Routing and Re-Direct Question
On Wed, Dec 3, 2008 at 5:12 PM, Ermal Luçi [EMAIL PROTECTED] wrote:
> On Wed, Dec 3, 2008 at 5:40 PM, Bill Marquette [EMAIL PROTECTED] wrote:
>> On Wed, Dec 3, 2008 at 10:12 AM, Gary Buckmaster [EMAIL PROTECTED] wrote:
>>> It can be done, although not if the proxy machine is inside your LAN. It would need to live on a separate network segment (ie: DMZ). In this case, yes, it's possible to redirect outbound traffic for TCP 80 to the proxy machine, do your content filtering and pass it on. You cannot transparently proxy SSL traffic in this manner however due to the fact that the streams are encrypted.
>>
>> Well, there are ways to do it, all of them evil :) Consider it a trusted MITM attack. Wh...outside of commercial proxies however, I know of no open source way to automate this (without lots of work on the administrator end to set it up).
>
> Actually relayd can do this!

I assume you are talking about the transparent mode of relayd which isn't in the FreeBSD port (and I believe requires kernel work to be usable?). While it can terminate an HTTPS connection and send it to a proxy, the proxy will have no idea that the destination should be HTTPS (let alone on port 443). You'd be better off using something like HAProxy if you went that route. My point was solely that "it can't be done" isn't technically correct - only in the context of the current state of technology in open source and pfSense in general (it wouldn't take much for someone motivated to actually implement this correctly though - decrypt SSL, figure out destination, turn it into a CONNECT call through a proxy and reencrypt - or proxy it yourself).

--Bill
Re: [pfSense Support] Monitor IP address
On Mon, Dec 1, 2008 at 2:41 PM, Mike Lever [EMAIL PROTECTED] wrote:
> Hi,
>
> Can somebody please explain to me exactly how this works. I am having an argument with my superior. He is insistent on setting the monitor IP addresses in my load balancer pool to the same IP address. In his mind it makes sense, as that way it will pick up which line is the fastest to the same point and route accordingly.

Yeah, that won't work.

> I read in the manuals that these IP addresses should be unique, and therefore did as the manual said. What will happen if they are set to the same address and why is that so?

You'll actually lose link failure detection. Whichever link came up last will set the route to your monitor IP through it.

> Here is my thinking on how it works, please correct me where I am going wrong. I have 5 WAN ports. The load balancer will constantly ping WAN1, WAN2, WAN3, WAN4, WAN5 simultaneously. Depending on which has the quickest response and is not currently transmitting packets, it will utilise. Then why set the unique IP addresses?

Usually the monitor IP is set to the next hop so you can detect link failure. Latency is not taken into account.

--Bill
Re: [pfSense Support] Monitor IP address
On Mon, Dec 1, 2008 at 3:06 PM, Mike Lever [EMAIL PROTECTED] wrote:
> Thanks for the explanation Bill. Can you please elaborate where you mention:
>> You'll actually lose link failure detection
> What exactly is link failure detection? I understand the meaning of the words in isolation but can you elaborate in the load balancing / pfSense context?

Only one of the links (whichever one has decided that your monitor IP is available over it) will actually do any link failure detection. ie. in your case with 5 WANs, if monitoring is occurring for WAN5 and it's the same address as WANs 1-4, if WAN1 goes down, you'll still send 1/5th of your traffic down that pipe (even though it won't work) as there will be nothing in place to determine its availability.

>> Whichever link came up last will set the route to your monitor IP through it.
> So then, say WAN2 was the last WAN port to come up and the monitor addresses were set to the same IP address, would it then only route traffic through WAN2?

It'll still round robin over all 5 links. It's just that only one of them will be monitored for availability.

--Bill
Re: [pfSense Support] Monitor IP address
On Mon, Dec 1, 2008 at 3:09 PM, Chris Buechler [EMAIL PROTECTED] wrote:
> On Mon, Dec 1, 2008 at 3:41 PM, Mike Lever [EMAIL PROTECTED] wrote:
>> I have 5 WAN ports. The load balancer will constantly ping WAN1, WAN2, WAN3, WAN4, WAN5 simultaneously. Depending on which has the quickest response and is not currently transmitting packets, it will utilise.
> What Bill said is correct. One additional comment, the above isn't true. Your load balancing is round robin, all connections in a pool are used equally. If the monitor IP for a specific gateway stops

This is an important point to note. Monitoring is for the purposes of availability, not for latency detection. The WANs are load balanced from a connection perspective, not from a throughput or latency perspective. If you have a single flow eating up an entire connection, nothing will stop other flows from using that connection. The load balancing is on a flow by flow basis in a round robin fashion.

--Bill
Re: [pfSense Support] RE: [Pfsense Support] Monitor IP address
On Mon, Dec 1, 2008 at 4:42 PM, Mike Lever [EMAIL PROTECTED] wrote:
> Great, thank you very much Bill. One point for clarification purposes... please define a flow?

Any given TCP connection (from connection setup, to teardown). Or UDP (say a VOIP call) stream of sufficient packet frequency to remain in state.

--Bill
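The monitor-IP behaviour Bill describes in this thread (probes only reach one link when all gateways share a monitor IP, while flows are still round-robined over every link), modelled in Python as an added example that is not pfSense code. The gateway names and addresses are constructed, and "whichever link came up last installs the route" is modelled as list order.

```python
"""Added model of pfSense 1.2-era pool monitoring (not pfSense code).
Constructed: five WANs with example next hops; WAN1's link is down.
Assumption: the host route for a monitor IP is installed by whichever
link came up last, modelled here as the order of the gateway list."""
from dataclasses import dataclass
from itertools import cycle


@dataclass
class Gateway:
    name: str
    next_hop: str       # ISP router on this WAN (what the monitor IP should be)
    monitor_ip: str     # address the pool pings to decide whether this WAN is usable
    up: bool = True     # ground truth: is the link actually working?


def monitor_routes(gateways):
    """Map each monitor IP to the gateway whose link really carries the probes.
    Links are processed in the order they came up, so the last one wins when
    several gateways share one monitor IP (the failure mode in the thread)."""
    routes = {}
    for gw in gateways:
        routes[gw.monitor_ip] = gw
    return routes


def probe(gateways):
    """Names of gateways the pool believes are available. A probe succeeds only
    if the link it is actually routed over is up; the pool then credits that
    success to the gateway being monitored, not to the link that carried it."""
    routes = monitor_routes(gateways)
    return {gw.name for gw in gateways if routes[gw.monitor_ip].up}


def distribute_flows(gateways, n_flows):
    """Round-robin new flows over the gateways the pool believes are available.
    Returns ({gateway: flows assigned}, flows sent down a link that is down)."""
    usable = [gw for gw in gateways if gw.name in probe(gateways)]
    counts = {gw.name: 0 for gw in gateways}
    lost = 0
    for gw, _ in zip(cycle(usable), range(n_flows)):
        counts[gw.name] += 1
        if not gw.up:
            lost += 1          # nothing told the pool this pipe is dead
    return counts, lost


def scenario(shared_monitor_ip, n_flows=1000):
    """Five WANs; WAN1's link has failed. Compare unique vs shared monitor IPs."""
    gws = [Gateway(f"WAN{i}", f"203.0.113.{i}", f"203.0.113.{i}") for i in range(1, 6)]
    if shared_monitor_ip:
        for gw in gws:
            gw.monitor_ip = "198.51.100.1"   # everyone pings the same far-end host
    gws[0].up = False
    return distribute_flows(gws, n_flows)


if __name__ == "__main__":
    for shared in (False, True):
        counts, lost = scenario(shared)
        label = "shared monitor IP" if shared else "unique monitor IPs"
        print(label, counts, "flows lost:", lost)
```

With unique monitor IPs the dead WAN1 gets no flows; with a shared one it still receives a fifth of them, exactly the 1/5th Bill describes.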
Re: [pfSense Support] problem installing full version on alix board w/ 5gb microdrive
Can you post the error at step 10? Or the entire serial boot log so we can see where you are getting stuck?

Thanks
--Bill

On Wed, Nov 26, 2008 at 8:26 AM, Patrick M. Murray, M.F.A. [EMAIL PROTECTED] wrote:
> Hi,
> I followed these instructions (pasted below), and I cannot get the file system to mount. What am I doing wrong? It lists no GEOM file systems when I push the '?'. But I sat here and watched it install, it loads up via serial interface, but step #10 is where I am having the problem. What do I do?
> Thanks
> Ps. Using 1.21RC2 iso
> -patrick
>
> Steps
> 1. In VirtualBox, create a new virtual machine with USB redirection, no need to set up a virtual hard drive, use the pfSense iso for CD-ROM mapping and add another network interface.
> 2. Start VirtualBox, pfSense is booting, configure network interfaces, menu should then appear.
> 3. Plug your USB CF adapter with Microdrive inside.
> 4. At menu prompt, type option 99 to install.
> 5. Proceed with the defaults, choose embedded kernel install. Check Grub for boot method.
> 6. Stop the virtual machine.
> 7. Eject microdrive, let's now proceed with WRAP.
> 8. Boot your WRAP with microdrive inside, serial cable connected.
> 9. Connect the serial console, pfSense should be booting but can't mount root filesystem.
> 10. When asked, type ufs:/dev/ad0s1a, pfSense boot should mount the root filesystem and complete.
> 11. Set up your network interfaces
> 12. On console menu, type option 8.
> 13. Edit /etc/fstab. Replace /dev/da0s1a with /dev/ad0s1a. Save.
> 14. Reboot
> 15. Enjoy!
Re: [pfSense Support] problem installing full version on alix board w/ 5gb microdrive
CPU: Geode(TM) Integrated Processor by AMD PCS (498.05-MHz 586-class CPU)
  Origin = AuthenticAMD Id = 0x5a2 Stepping = 2
  Features=0x88a93dFPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CLFLUSH,MMX
  AMD Features=0xc040MMX+,3DNow+,3DNow
real memory = 268435456 (256 MB)
avail memory = 253272064 (241 MB)
pnpbios: Bad PnP BIOS data checksum
wlan: mac acl policy registered
K6-family MTRR support enabled (2 registers)
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cpu0 on motherboard
pcib0: Host to PCI bridge pcibus 0 on motherboard
pci0: PCI bus on pcib0
MFGPT bar: f0016200
pci0: encrypt/decrypt, entertainment crypto at device 1.2 (no driver attached)
vr0: VIA VT6105M Rhine III 10/100BaseTX port 0x1000-0x10ff mem 0xe000-0xe0ff irq 10 at device 9.0 on pci0
miibus0: MII bus on vr0
ukphy0: Generic IEEE 802.3u media interface on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr0: Ethernet address: 00:0d:b9:13:b0:68
vr1: VIA VT6105M Rhine III 10/100BaseTX port 0x1400-0x14ff mem 0xe004-0xe00400ff irq 12 at device 11.0 on pci0
miibus1: MII bus on vr1
ukphy1: Generic IEEE 802.3u media interface on miibus1
ukphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
vr1: Ethernet address: 00:0d:b9:13:b0:69
isab0: PCI-ISA bridge port 0x6000-0x6007,0x6100-0x61ff,0x6200-0x623f,0x9d00-0x9d7f,0x9c00-0x9c3f at device 15.0 on pci0
isa0: ISA bus on isab0
atapci0: GENERIC ATA controller port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xff00-0xff0f at device 15.2 on pci0
ata0: ATA channel 0 on atapci0
ata1: ATA channel 1 on atapci0
ohci0: OHCI (generic) USB controller mem 0xefffe000-0xefffefff irq 15 at device 15.4 on pci0
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: OHCI (generic) USB controller on ohci0
usb0: USB revision 1.0
uhub0: AMD OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
ehci0: AMD CS5536 USB 2.0 controller mem 0xefffd000-0xefffdfff irq 15 at device 15.5 on pci0
ehci0: [GIANT-LOCKED]
usb1: EHCI version 1.0
usb1: companion controller, 4 ports each: usb0
usb1: AMD CS5536 USB 2.0 controller on ehci0
usb1: USB revision 2.0
uhub1: AMD EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub1: 4 ports with 4 removable, self powered
orm0: ISA Option ROM at iomem 0xe-0xea7ff on isa0
ppc0: parallel port not found.
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A, console
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
RTC BIOS diagnostic error 80clock_battery
Timecounter TSC frequency 498052607 Hz quality 800
Timecounters tick every 10.000 msec
Fast IPsec: Initialized Security Association Processing.
Trying to mount root from ufs:/dev/da0s1a

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input

mountroot ?

List of GEOM managed disk devices:

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input

mountroot ?

List of GEOM managed disk devices:

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input

mountroot ufs:/dev/ad0s1a
Trying to mount root from ufs:/dev/ad0s1a

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input

mountroot ufs:/dev/da0s1a
Trying to mount root from ufs:/dev/da0s1a

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input

mountroot ufs:ad0s1a
Trying to mount root from ufs:ad0s1a

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input

mountroot ufs:da0s1a
Trying to mount root from ufs:da0s1a

Manual root filesystem specification:
  fstype:device  Mount device using filesystem fstype
                 eg. ufs:da0s1a
  ?              List valid disk boot devices
  empty line     Abort manual input

mountroot

END LOG 2

---
-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 26, 2008 10:08 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] problem installing full version on alix board w/ 5gb microdrive

> Can you post the error at step 10? Or the entire serial boot log so we can see where you are getting
Re: [pfSense Support] manual pf rules
On Tue, Nov 25, 2008 at 1:10 PM, mikel [EMAIL PROTECTED] wrote:
> Hello, where can I add pf rules in pfSense (manually editing, or creating one file), and maintain these rules if I reload the configuration through the web interface?

You don't (although you might be able to hijack some of our unused anchors). What's missing in the UI that you need to do this for?

--Bill
Re: Re: [pfSense Support] pptp help!!
On Tue, Nov 25, 2008 at 5:51 PM, Scott Ullrich [EMAIL PROTECTED] wrote:
> On Tue, Nov 25, 2008 at 6:45 PM, mikel [EMAIL PROTECTED] wrote:
>> Dear Chris/Scott/Developers
>> Will it be possible to modify this patch to adapt it to 1.2RCx and 2.0? http://www.mail-archive.com/[EMAIL PROTECTED]/msg01766.html
>> thanks, I await your response
> This patch will not solve your problem. It still obtains the IP address via DHCP.

Unless I'm mistaken, he says he gets an RFC1918 address via DHCP (maybe this is the actual problem here... ie. the default RFC1918 block rule) and then gets his WAN address via PPTP. I've never seen the PPTP config screen before of course and have zero idea how it's supposed to behave - or indeed, if anyone is even successfully using it.

--Bill
Re: [pfSense Support] manual pf rules
On Tue, Nov 25, 2008 at 2:25 PM, mikel [EMAIL PROTECTED] wrote:
> Some ideas? Do you understand me?

Can we please keep this to one thread? My mailbox will thank you.

--Bill
Re: [pfSense Support] pfSense and dynamic routing
On Wed, Nov 19, 2008 at 8:07 AM, Veiko Kukk [EMAIL PROTECTED] wrote:
> Erwan David wrote:
>> OpenBGPD is in the packages.
> Thank you, but is it stable enough (ALPHA)? Are there any plans to make a Quagga package for pfSense?

The software itself is stable. The pfSense wrapper package is marked alpha. At this point we should probably move it to stable as it's been around a while and has had no bug reports.

--Bill
Re: [pfSense Support] embedded pfsense and external squid ... how?
On Fri, Nov 14, 2008 at 9:03 AM, David Meireles [EMAIL PROTECTED] wrote:
> Angelo, not joking, not crazy... Before having squid installed in the pfSense box, there was an IPCop Proxy with a direct connection to the web (2 LAN cards, one green, the other red). To make the clients pass through that server (in transparent mode), I used it as the gateway in the DHCP config, and it worked all the time...

I'm guessing the IPCop redirects port 80 to its local squid instance. If your squid is set up this way, then yes, this would work. I can only guess at the original poster's configuration, but it's likely not set up to do that. Squid is probably running on its default 3128 port and expecting to be used as a proxy and is using pfSense to do the redirection.

--Bill
Re: [pfSense Support] Cannot boot the live CD
On Thu, Oct 30, 2008 at 6:32 AM, Angelo Turetta [EMAIL PROTECTED] wrote:
> Olivier Nicole wrote:
>> Hi,
>> I get a bunch of errors like:
>> acd0: FAILURE - PREVENT_ALLOW timed out
>> or
>> acd0: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
>> I am using a Dell PowerEdge R200 platform with 8GB of RAM.
> 8G RAM on a firewall? You like to play it safe :) Seriously, unless you are installing a firewall for a multi-gigabit connection (with thousands of clients), or plan to put a *BUSY* squid on it, you'll hardly see any benefit for anything more than 2GB.

Given that we don't enable PAE and aren't pushing out a 64-bit version, the most he's going to see is just over 3G. And no, no questions on when either PAE or 64bit will be available, unless they also come with patchsets and accompanying test data proving the patchsets work (and in the case of PAE are stable).

--Bill
Re: [pfSense Support] routing
On Sat, Oct 11, 2008 at 12:39 PM, Chris Buechler [EMAIL PROTECTED] wrote:
> 2008/10/11 Curtis LaMasters [EMAIL PROTECTED]:
>> A static route on pfsense for the 2.x network sending traffic to 0.245 should do the trick unless I'm missing something.
> And also check "Bypass firewall rules for traffic on the same interface" on the Advanced page since this will end up being asymmetrically routed.

Shouldn't be asymmetrically routed - it looks like this is two different interfaces.

--Bill
Re: [pfSense Support] Can't connect to subaru.com on port 80
On Sat, Oct 11, 2008 at 11:28 AM, David McNett [EMAIL PROTECTED] wrote:
> On Oct 1, 2008, at 5:18 PM, BSD Wiz wrote:
>> have rules to allow traffic out on port 80 and 443. I have also (just to be sure) allowed *ALL* traffic out from my static ip on my macbook. Problem is I can't get to the site subaru.com.
> I'm also jumping in late to the thread. Have you tried disabling pf scrub

Yeah, way late... although admittedly he replied in a different thread. This issue was caused by a broken wireless access point, not pfSense.

--Bill
Re: [pfSense Support] Can't connect to subaru.com on port 80
On Wed, Oct 1, 2008 at 11:12 PM, Chris Buechler [EMAIL PROTECTED] wrote:
> On Wed, Oct 1, 2008 at 11:55 PM, BSD Wiz [EMAIL PROTECTED] wrote:
>> yep, i looked at it using tcpdump. i just see syn packets going out the door, i never get any syn-acks back.
>>
>> 22:50:47.417326 IP unixbox.gnet.49330 > subaru.com.http: S 3917131801:3917131801(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2090776378 0,sackOK,eol>
>>
> Have you tried lowering MTU on your WAN, or just on the problem machine? Doing it on the WAN will MSS clamp everything, so if this is limited to one machine I wouldn't do that. With the 1460 MSS that shows and likely 1500 MTU end to end, that should not be a problem. It's worth a shot though.

Wouldn't explain no syn/acks coming back. This would seem more like an upstream routing (or firewalling) issue to me. That, or a conspiracy against BSD Wiz and his desire to look at new cars.

--Bill
Re: [pfSense Support] ipv6 possibility
FWIW, I've said this before, I'll say it again. Open source works because people have an itch to scratch and they scratch it. None of the current devs have an IPv6 itch. It's a lot of work to convert a predominantly IPv4 based system to work in an IPv6 world and none of us have a need or desire to make it work. We'd certainly welcome anyone that has an itch and has not only the skills, but the stamina to bring this functionality to pfSense. Unless someone steps forward and does this, no further discussion on the topic is going to change anyone's mind (unless there's a fairy god-company that is planning on fully sponsoring the work - and no, that's not an offer to accept it).

--Bill

PS. Is there anything actually on IPv6 only that matters (I'll define "matters" the same way Apple defines "sufficient utility", so just because it matters to you, it may not pass my 1d6 roll)?
Re: [pfSense Support] Transferring configs
On Mon, Sep 29, 2008 at 11:03 AM, Rainer Duffner [EMAIL PROTECTED] wrote:
> Hi,
> my WRAP died and I finally managed to order an ALIX from PC-Engines. But I think I can't find a backup of my config - can I just take the config.xml from the old CF card and use the restore-option with that? Or can the WRAP CF just be put into the ALIX? It's 1.2, IIRC.

Plug the old CF into the new ALIX - do note that the NICs will have changed between the WRAP and ALIX boards - you might make a backup of your CF (if possible) and/or the config, but entering in the NICs again shouldn't kill any existing config.

--Bill
Re: [pfSense Support] PFsense on P4 Hyperthreading
On Mon, Sep 29, 2008 at 10:15 AM, Ryan Rodrigue [EMAIL PROTECTED] wrote:
> Thanks for the super quick reply. I thought as much, but just wanted to confirm. Is there a limit to the number of processors it supports? Will a dual Xeon quad core (8 processors) work? I really don't have a need for that much, but I was just curious while I have you here.

*work* - yes. There is a point of diminishing returns since PF (the packet filter we use) is under the Giant lock in FreeBSD. There certainly is a performance boost going past one CPU (not linearly scaled to the number of cores however), not sure if you'll see it with HyperThreading or not though - the FreeBSD SMP scheduler isn't exactly optimized for HTT.

--Bill
Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 3:23 PM, BSD Wiz [EMAIL PROTECTED] wrote:
> after doing considerable research with tcpdump on my WAN interface and DMZ interface i see that the traffic is indeed passing but my phone is not ringing sometimes. i have no idea why this is happening but it appears that pfsense is doing its job correctly. so, lingo sucks and i'm looking for recommendations on a new VoIP provider for my home.

I'm happy with Broadvoice. I believe they also operate a STUN server which should make life even easier (I personally direct all my traffic through my Asterisk box and have enough static IPs that I just 1:1 NAT and pass all UDP to the PBX).

--Bill
Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 3:35 PM, Scott Ullrich [EMAIL PROTECTED] wrote:
> On Sat, Sep 6, 2008 at 4:23 PM, BSD Wiz [EMAIL PROTECTED] wrote:
>> after doing considerable research with tcpdump on my WAN interface and DMZ interface i see that the traffic is indeed passing but my phone is not ringing sometimes. i have no idea why this is happening but it appears that pfsense is doing its job correctly. so, lingo sucks and i'm looking for recommendations on a new VoIP provider for my home.
> Try enabling static port on advanced outbound NAT or your LAN interface. The forum has a lot of information regarding this.

Good point, give this a shot first. What's probably happening here is that pfSense will randomize the outbound port on new connections. Lingo might be coming back (after state has expired on the outbound connection) and trying to connect to a port your phone (PC?) isn't listening on any more. Using static NAT will remove the randomization pfSense is adding to the mix and let Lingo see the real source port for the connection.

--Bill
Re: [pfSense Support] rule not working correctly
On Sat, Sep 6, 2008 at 3:52 PM, BSD Wiz [EMAIL PROTECTED] wrote:
> i should enable static nat on the interface that my voip router is on, which is my dmz correct?

Nope, on your WAN interface. You'll put in a rule that is specific to your VOIP provider and check the 'static nat' box. That will force a static translation for anything destined to your provider.

--Bill
Re: [pfSense Support] rule not working correctly
I think you're dancing all around the solution :) You need an inbound NAT or port forward for UDP ports 1-65535 pointing to 10.0.0.1. Alternately, a 1:1 NAT using YOUR external IP, not the IP of the service (ie. 216.181.136.7 in your example below should be whatever your external IP is, not that of Lingo). The internal is still 10.0.0.1 (assuming that's your internal machine doing Lingo VOIP).

--Bill

On Fri, Sep 5, 2008 at 9:17 PM, BSD Wiz [EMAIL PROTECTED] wrote:
> man O man still getting blocked, tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop all rule. below is the log entry of the blocked traffic.
>
> WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
>
> this after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
>
> Interface  External IP        Internal IP   Description
> WAN        216.181.136.7/32   10.0.0.1/32   Allow Incoming VoIP
>
> WTF, shouldn't that be allowed through? thanks gents.
> -phil
>
> On Sep 5, 2008, at 8:12 AM, Paul Mansfield wrote:
>> BSD Wiz wrote:
>>> ah, i don't have any 1:1 nat entries, or static routes for this firewall issue. so when the traffic hits the WAN interface perhaps it's not always finding its way to the voip box in the dmz? i have added a 1:1 mapping as follows:
>>>
>>> Interface  External IP        Internal IP   Description
>>> WAN        216.181.136.7/32   10.0.0.1/32   VoIP Box
>>>
>>> where 10.0.0.1/32 is the ip of the DMZ interface. should that be sufficient? i can see why some of the traffic was not making it through since i only had a rule to allow traffic from 216.181.136.7 but no port forwarding, static routes or 1:1 nat entries.
>> seems reasonable to me, you should know if it's working by testing. use tcpdump on firewall, on each interface in turn to see traffic flow... use tcpdump -ln port XXX to limit the amount of traffic you sniff.
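The mechanism Scott and Bill describe in the "rule not working correctly" thread (outbound port randomization vs static port, and why the phone rings only sometimes), together with the catch-all UDP port forward from Bill's last reply, as an added Python model that is not pfSense or pf code. 10.0.0.1 and 216.181.136.7 come from the thread; the WAN address, the phone's SIP port 5060 and the randomized port range are assumptions.

```python
"""Added model (not pfSense or pf code) of outbound NAT with and without
'static port', a UDP state table, and the UDP 1-65535 port forward to the
VoIP box. Addresses 10.0.0.1 and 216.181.136.7 are the thread's; the WAN
address, SIP port and ephemeral port range are constructed assumptions."""
import random

PHONE = ("10.0.0.1", 5060)           # VoIP box in the DMZ, listening on SIP/UDP 5060 (assumed)
PROVIDER = ("216.181.136.7", 5065)   # Lingo's server, port as in the blocked-traffic log line
WAN_IP = "203.0.113.10"              # constructed stand-in for xx.xx.xx.xx in the log


class NatFirewall:
    """Minimal outbound NAT + state table + catch-all UDP port forward."""

    def __init__(self, static_port, rng):
        self.static_port = static_port
        self.rng = rng
        self.states = {}   # translated WAN port -> inside (ip, port) that owns it

    def outbound(self, src):
        """Translate an outbound UDP packet; returns the (WAN ip, port) the provider sees."""
        if self.static_port:
            port = src[1]                            # keep the phone's real source port
        else:
            port = self.rng.randint(49152, 65535)    # randomized source port (assumed range)
        self.states[port] = src
        return (WAN_IP, port)

    def expire_states(self):
        """UDP states time out once the phone has been quiet for a while."""
        self.states.clear()

    def inbound(self, dst_port):
        """Deliver a packet arriving at WAN_IP:dst_port. A live state wins; otherwise
        the UDP 1-65535 port forward hands it to the phone on the same port."""
        if dst_port in self.states:
            return self.states[dst_port]
        return (PHONE[0], dst_port)


def call_rings(static_port, state_expired, seed=7):
    """Register, optionally let the NAT state expire, then take an inbound INVITE
    to the contact port the provider recorded. True if it reaches the phone's socket."""
    fw = NatFirewall(static_port, random.Random(seed))
    contact = fw.outbound(PHONE)          # REGISTER: provider stores WAN_IP:contact
    if state_expired:
        fw.expire_states()
    delivered = fw.inbound(contact[1])    # INVITE from the provider to that contact
    return delivered == PHONE


if __name__ == "__main__":
    for static in (False, True):
        for expired in (False, True):
            print(f"static_port={static} state_expired={expired}: "
                  f"rings={call_rings(static, expired)}")
```

Without static port the call only rings while the outbound state is still alive, which is the intermittent "not ringing sometimes" symptom; with static port the forwarded INVITE always lands on 5060.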
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
On Wed, Aug 20, 2008 at 4:55 PM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
> People, here I attach an image with my current settings and the migration; it is just replacing one firewall with pfSense, without changing anything else. Notice that my WAN is a private /30 network only for connecting with the ISP; the public addresses are on the DMZ net. Is this possible as it is using pfSense??

It should be. How is your LAN reaching the Internet? Is the Checkpoint performing NAT on that? If so, what address space is it NAT'ing to?

--Bill
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
On Tue, Aug 19, 2008 at 4:07 PM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
> Hi all, I'm using a newly installed pfSense 1.2.1 with three attached networks, WAN, LAN and optional 1. I have defined rules on the LAN interface to allow all outgoing connections on that interface, but everything is blocked; a test DNS server query shows this on pftop:

What makes you think pfSense is blocking the traffic? Are the logs pointing to this? Have you tcpdump'd on the outside interface to show the traffic not leaving the firewall? Maybe it's not getting NAT'd correctly - are you expecting it to be NAT'd? Also, ASCII network diagrams rarely work properly for anyone using systems that render email with truetype fonts; can you provide an image with your layout (not that I suspect this is of issue, but since you provided one and it'd be helpful to understanding what it is you are trying to do, it'd be nice).

Thanks
--Bill
Re: [pfSense Support] Pfsense blocking outside connections with NO_TRAFFIC:SINGLE
On Tue, Aug 19, 2008 at 7:03 PM, Bill Marquette [EMAIL PROTECTED] wrote:
> On Tue, Aug 19, 2008 at 4:07 PM, Aliet Santiesteban Sifontes [EMAIL PROTECTED] wrote:
>> Hi all, I'm using a newly installed pfSense 1.2.1 with three attached networks, WAN, LAN and optional 1. I have defined rules on the LAN interface to allow all outgoing connections on that interface, but everything is blocked; a test DNS server query shows this on pftop:
> What makes you think pfSense is blocking the traffic? Are the logs pointing to this? Have you tcpdump'd on the outside interface to show the traffic not leaving the firewall? Maybe it's not getting NAT'd correctly - are you expecting it to be NAT'd? Also, ASCII network diagrams rarely work properly for anyone using systems that render email with truetype fonts; can you provide an image with your layout (not that I suspect this is of issue, but since you provided one and it'd be helpful to understanding what it is you are trying to do, it'd be nice).
> Thanks
> --Bill

BTW, hit send too early, but pftop is clearly showing that the state is getting inserted in the firewall state table. pfSense isn't blocking this. It may not be contributing to making it work, but that will likely be due to a misconfig, not due to the platform itself.

--Bill
Re: [pfSense Support] Tunning pfsense for really heavy loads
On Thu, Aug 14, 2008 at 6:11 PM, RB [EMAIL PROTECTED] wrote:
> Two suggestions: search the list archives and find the multitude of answers to this question, and find out what your current PPS and bandwidth throughput is. Unless you're actually pushing Gig-E speeds, it's doubtful you'll even stress most modern router-quality hardware.

At best, his current hardware isn't pushing 500Mbit (32bit PCI bus - besides, the Netra has two onboard 100Mbit NICs and it's unlikely given the age of the hardware that he has a gig card in there, probably just another Happy Meal adapter). Given my personal testing, he won't have a problem hitting somewhere close to 400k PPS with the new hardware - I promise the Sun hardware is lower (it's closing on 10 years old). You'll be happy with the ML350 - it's not even a fair comparison against that Sun box.

--Bill