Re: [pfSense Support] Kingston SSD filesystem corruption

2011-08-09 Thread David Rees
On Tue, Aug 9, 2011 at 12:19 PM, Jeppe Øland  wrote:
>>> I had an OCZ Vertex 1 (Indilinx) in my home PC for 2 years ... every 3
>>> months it would corrupt fatally (BIOS wouldn't even see it).
>>> After 3 RMAs I got them to replace it with a Vertex 2 (Sandforce), and
>>> that one is stable as a rock.
>>> ... Slightly slower than the Indilinx - but who cares about that when
>>> it's at the expense of stability.
>>
>> Interesting.  Have a few 30-120 GB Vertex 1s around here.  Been OK
>> once OCZ got the firmware stabilized and pretty stable.
>
> The thing with V1 is that they don't move data around on the flash cells.
> In other words, if you fill the drive 90% with static data
> (Windows/Applications), and then write like crazy ... the remaining
> 10% + the overprovisioned area will be wearing out very quickly.

I can tell you that it definitely does move data around looking at the
smart data for drives I have.  The minimum erase count climbs on all
drives I have even with plenty of static data.

>> The Vertex 2 should be MUCH faster than the Vertex 1 - at least that's
>> what all the benchmarks say.
>
> V2 is faster with *some* data.
> The controller employs data compression - partly to give you longer
> life by having to write fewer physical bytes to the flash - and partly
> to get speed.
> The numbers quoted are for "average" data that compresses 2:1 or even 3:1.
> Use the drive for incompressible data, and the speed is actually
> slower than a V1.

OK, so I reviewed the benchmarks and the Vertex 2 is only slower when
writing sequential random data to the drive.  Which doesn't really
matter for most use cases (especially pfsense) as its random IO
performance kills the Vertex 1 - with or without random data.

> Just don't trust any important data to them  either back up
> religiously, or just use the SSD for the boot/applications drive, and
> keep your hard-to-replace data on an HDD.
> (And spend the money that a bigger SSD would have cost on lots and
> lots of RAM instead).

My luck with rotating drives isn't any better than with SSDs - those
need to be backed up as well.  Regardless of the type of drive I'm
using - if the data and downtime is important - you need to use the
drive in a RAID array and it needs to be backed up to separate media
regularly.

-Dave

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Kingston SSD filesystem corruption

2011-08-09 Thread David Rees
On Tue, Aug 9, 2011 at 11:19 AM, Jeppe Øland  wrote:
> It's amazing how unreliable many SSDs still are :-(
>
> I had an OCZ Vertex 1 (Indilinx) in my home PC for 2 years ... every 3
> months it would corrupt fatally (BIOS wouldn't even see it).
> After 3 RMAs I got them to replace it with a Vertex 2 (Sandforce), and
> that one is stable as a rock.
> ... Slightly slower than the Indilinx - but who cares about that when
> it's at the expense of stability.

Interesting.  Have a few 30-120 GB Vertex 1s around here.  Been OK
once OCZ got the firmware stabilized and pretty stable.

The Vertex 2 should be MUCH faster than the Vertex 1 - at least that's
what all the benchmarks say.

Have a Vertex 2 around here somewhere - it also has had a few minor
issues where it wasn't always detected at boot, but OK now that the
firmware has stabilized.

I have a 120GB Intel 320 in my laptop - been flawless so far - but the
Intel forums report that if it loses power unexpectedly it can
basically "brick" and you lose all your data.  Intel is still working
on a firmware fix for this.

Seems that SSDs have traded one type of failure mode for another at
this point.  I expect them to get all the bugs worked out eventually.
The performance and power usage of them is so great that I use them in
any new build where random IO performance is an issue.

-Dave




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-05 Thread David Rees
On Mon, Apr 4, 2011 at 3:56 AM, Ermal Luçi  wrote:
> On Mon, Apr 4, 2011 at 12:52 AM, David Rees  wrote:
>> On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
>>> Can't replicate, I connected and disconnected PPTP about 30 times to a
>>> system with a few IPsec connections all with DPD and had 0 issues with
>>> any of them. Typical basic PPTP setup and site to site IPsec. See if
>>> you can narrow it down more, or if there's something specific about
>>> your setup that's pertinent.
>>
>> Thanks for the response - I'll try to narrow down our config in a test
>> bed to try to duplicate the situation.
>>
>
> Can you try the suggestion posted here
> http://forum.pfsense.org/index.php/topic,34853.0.html?
>
>> Only "special" settings are that it's a dual-WAN setup with multiple
>> VLANs and use IPsec, OpenVPN and PPTP VPN. connections...

We were able to replicate the issue today with a barebones
configuration on a spare system.  We tested both the original RC1
release as well as the most recent snapshot with the same results.

I can send a configuration backup privately along with configuration
notes to any developer interested - let me know...

-Dave




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-04 Thread David Rees
On Mon, Apr 4, 2011 at 3:56 AM, Ermal Luçi  wrote:
> On Mon, Apr 4, 2011 at 12:52 AM, David Rees  wrote:
>> On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
>>> On Thu, Mar 31, 2011 at 5:05 PM, David Rees  wrote:
>>>> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>>>> When a PPTP user connects and then disconnects, all IPsec VPNs go down
>>>> shortly afterwards.
>>>>
>>>> In the logs, we see that the pptp user logs out - shortly afterwards
>>>> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
>>>> Disabling/enabling an IPsec VPN brings them all back up.
>>>>
>>>> We don't use PPTP much so it's the first time we've seen it.  We're
>>>> planning on going back to the official RC1 in the meantime.  Known
>>>> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
>>>> issue?  What's your setup like?
>>>
>>> Can't replicate, I connected and disconnected PPTP about 30 times to a
>>> system with a few IPsec connections all with DPD and had 0 issues with
>>> any of them. Typical basic PPTP setup and site to site IPsec. See if
>>> you can narrow it down more, or if there's something specific about
>>> your setup that's pertinent.
>>
>> Thanks for the response - I'll try to narrow down our config in a test
>> bed to try to duplicate the situation.
>>
>> Only "special" settings are that it's a dual-WAN setup with multiple
>> VLANs and use IPsec, OpenVPN and PPTP VPN. connections...
>
> Can you try the suggestion posted here
> http://forum.pfsense.org/index.php/topic,34853.0.html?

Thanks - saw your reply there - will give it a shot in a little bit...

-Dave




Re: [pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-03 Thread David Rees
On Sat, Apr 2, 2011 at 12:19 AM, Chris Buechler  wrote:
> On Thu, Mar 31, 2011 at 5:05 PM, David Rees  wrote:
>> I posted this on the forum[1] but didn't get any responses, so am trying 
>> here.
>>
>> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>>
>> When a PPTP user connects and then disconnects, all IPsec VPNs go down
>> shortly afterwards.
>>
>> In the logs, we see that the pptp user logs out - shortly afterwards
>> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
>> Disabling/enabling an IPsec VPN brings them all back up.
>>
>> We don't use PPTP much so it's the first time we've seen it.  We're
>> planning on going back to the official RC1 in the meantime.  Known
>> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
>> issue?  What's your setup like?
>
> Can't replicate, I connected and disconnected PPTP about 30 times to a
> system with a few IPsec connections all with DPD and had 0 issues with
> any of them. Typical basic PPTP setup and site to site IPsec. See if
> you can narrow it down more, or if there's something specific about
> your setup that's pertinent.

Thanks for the response - I'll try to narrow down our config in a test
bed to try to duplicate the situation.

Only "special" settings are that it's a dual-WAN setup with multiple
VLANs and use IPsec, OpenVPN and PPTP VPN. connections...

-Dave




[pfSense Support] Re: 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-04-01 Thread David Rees
On Thu, Mar 31, 2011 at 2:05 PM, David Rees  wrote:
> I posted this on the forum[1] but didn't get any responses, so am trying here.
>
> On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011
>
> When a PPTP user connects and then disconnects, all IPsec VPNs go down
> shortly afterwards.
>
> In the logs, we see that the pptp user logs out - shortly afterwards
> the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
> Disabling/enabling an IPsec VPN brings them all back up.
>
> We don't use PPTP much so it's the first time we've seen it.  We're
> planning on going back to the official RC1 in the meantime.  Known
> issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
> issue?  What's your setup like?
>
> It definitely looks like this thread[2] could be related - but I tried
> making the change noted in that thread w/no change in results.
>
> Here's what the IPsec logs look like - replaced IPs with characters.
>
> Mar 23 15:38:40 fw-vista racoon: [x.x.x.x] INFO: DPD: remote
> (ISAKMP-SA spi=xxx) seems to be dead.
> Mar 23 15:38:40 fw-vista racoon: INFO: purging ISAKMP-SA spi=xxx.
> Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=yyy.
> Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=zzz.
> Mar 23 15:38:40 fw-vista racoon: INFO: purged ISAKMP-SA spi=xxx.
> Mar 23 15:38:40 fw-vista racoon: INFO: ISAKMP-SA deleted
> y.y.y.y[500]-x.x.x.x[500] spi:xxx
>
> Mar 23 15:38:49 fw-vista racoon: INFO: IPsec-SA request for x.x.x.x
> queued due to no phase1 found.
> Mar 23 15:38:49 fw-vista racoon: INFO: initiate new phase 1
> negotiation: y.y.y.y[500]<=>x.x.x.x[500]
> Mar 23 15:38:49 fw-vista racoon: INFO: begin Identity Protection mode.
> Mar 23 15:38:49 fw-vista racoon: ERROR: phase1 negotiation failed due
> to send error. www
> Mar 23 15:38:49 fw-vista racoon: ERROR: failed to begin ipsec sa negotication.
>
> This is the only real issue we've seen with the 2.0 release so far -
> otherwise looks good!
>
> Thanks
>
> Dave
>
> [1] http://forum.pfsense.org/index.php/topic,34853.0.html
> [2] http://forum.pfsense.org/index.php/topic,34250.0.html
>

FWIW - I had a chance to test the original RC1 i386 build Sat Feb 26
15:30:26 EST 2011 and it behaved the same way, so it's not an issue
unique to the amd64 build...

-Dave




[pfSense Support] 2.0RC1 - PPTP client disconnect kills all IPsec VPNs

2011-03-31 Thread David Rees
I posted this on the forum[1] but didn't get any responses, so am trying here.

On 2.0-RC1 (amd64) built on Tue Mar 22 21:02:19 EDT 2011

When a PPTP user connects and then disconnects, all IPsec VPNs go down
shortly afterwards.

In the logs, we see that the pptp user logs out - shortly afterwards
the DPD kicks in on the VPNs, but fails to bring the VPNs back up.
Disabling/enabling an IPsec VPN brings them all back up.

We don't use PPTP much so it's the first time we've seen it.  We're
planning on going back to the official RC1 in the meantime.  Known
issue?  Anyone using both PPTP server and IPsec VPNs NOT seeing this
issue?  What's your setup like?

It definitely looks like this thread[2] could be related - but I tried
making the change noted in that thread w/no change in results.

Here's what the IPsec logs look like - replaced IPs with characters.

Mar 23 15:38:40 fw-vista racoon: [x.x.x.x] INFO: DPD: remote
(ISAKMP-SA spi=xxx) seems to be dead.
Mar 23 15:38:40 fw-vista racoon: INFO: purging ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=yyy.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=zzz.
Mar 23 15:38:40 fw-vista racoon: INFO: purged ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: ISAKMP-SA deleted
y.y.y.y[500]-x.x.x.x[500] spi:xxx

Mar 23 15:38:49 fw-vista racoon: INFO: IPsec-SA request for x.x.x.x
queued due to no phase1 found.
Mar 23 15:38:49 fw-vista racoon: INFO: initiate new phase 1
negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Mar 23 15:38:49 fw-vista racoon: INFO: begin Identity Protection mode.
Mar 23 15:38:49 fw-vista racoon: ERROR: phase1 negotiation failed due
to send error. www
Mar 23 15:38:49 fw-vista racoon: ERROR: failed to begin ipsec sa negotication.

This is the only real issue we've seen with the 2.0 release so far -
otherwise looks good!

Thanks

Dave

[1] http://forum.pfsense.org/index.php/topic,34853.0.html
[2] http://forum.pfsense.org/index.php/topic,34250.0.html
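The sequence in the log above (DPD declares the peer dead, the SAs are purged, the phase 1 re-negotiation fails, nothing brings the tunnel back) is easy to alert on. The detector below is an added example, not pfSense or racoon code; the sample log is constructed from the thread's lines (unwrapped, with the same placeholder addresses) plus a second peer that recovers, and the 120-second window and 2011 year are assumptions.

```python
"""Flag IPsec peers that DPD declared dead and whose phase 1 re-negotiation
then failed within a short window: the tunnel is down and not self-healing."""
import re
from datetime import datetime

# Constructed from the thread's racoon log (unwrapped), plus peer a.a.a.a
# which goes through the same DPD event but re-establishes its ISAKMP-SA.
SAMPLE_LOG = """\
Mar 23 15:38:40 fw-vista racoon: [x.x.x.x] INFO: DPD: remote (ISAKMP-SA spi=xxx) seems to be dead.
Mar 23 15:38:40 fw-vista racoon: INFO: purging ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=yyy.
Mar 23 15:38:40 fw-vista racoon: INFO: purged IPsec-SA spi=zzz.
Mar 23 15:38:40 fw-vista racoon: INFO: purged ISAKMP-SA spi=xxx.
Mar 23 15:38:40 fw-vista racoon: INFO: ISAKMP-SA deleted y.y.y.y[500]-x.x.x.x[500] spi:xxx
Mar 23 15:38:49 fw-vista racoon: INFO: IPsec-SA request for x.x.x.x queued due to no phase1 found.
Mar 23 15:38:49 fw-vista racoon: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Mar 23 15:38:49 fw-vista racoon: INFO: begin Identity Protection mode.
Mar 23 15:38:49 fw-vista racoon: ERROR: phase1 negotiation failed due to send error. www
Mar 23 15:38:49 fw-vista racoon: ERROR: failed to begin ipsec sa negotication.
Mar 23 15:40:02 fw-vista racoon: [a.a.a.a] INFO: DPD: remote (ISAKMP-SA spi=aaa) seems to be dead.
Mar 23 15:40:10 fw-vista racoon: INFO: initiate new phase 1 negotiation: y.y.y.y[500]<=>a.a.a.a[500]
Mar 23 15:40:11 fw-vista racoon: INFO: ISAKMP-SA established y.y.y.y[500]-a.a.a.a[500] spi:bbb
"""

# syslog timestamp, host, "racoon:", optional "[peer]", level, message
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?:\[(?P<peer>[^\]]+)\] )?(?P<level>[A-Z]+): (?P<msg>.*)$")
DPD_DEAD = re.compile(r"^DPD: remote \(ISAKMP-SA spi=[^)]*\) seems to be dead")
PHASE1_INIT = re.compile(
    r"^initiate new phase 1 negotiation: \S+?\[\d+\]<=>(?P<peer>\S+?)\[\d+\]")
PHASE1_FAIL = re.compile(r"^phase1 negotiation failed")
SA_UP = re.compile(r"^ISAKMP-SA established \S+?\[\d+\]-(?P<peer>\S+?)\[\d+\]")


def parse_line(line, year):
    """Return (timestamp, peer-or-None, message) or None for non-racoon lines.
    syslog omits the year, so the caller supplies it (assumed 2011 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["peer"], m["msg"]


def detect_stuck_tunnels(lines, window_s=120, year=2011):
    """Return [(peer, seconds_after_dpd)] for peers whose phase 1 retry failed
    within window_s of DPD marking them dead.  A later 'ISAKMP-SA established'
    for the peer clears the pending DPD event, so recovering peers never alert."""
    dead = {}            # peer -> time DPD declared it dead
    negotiating = None   # peer of the most recent phase 1 initiation
    alerts = []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, peer, msg = parsed
        if peer and DPD_DEAD.match(msg):
            dead[peer] = ts
            continue
        m = PHASE1_INIT.match(msg)
        if m:
            negotiating = m["peer"]   # the failure line below carries no peer
            continue
        m = SA_UP.match(msg)
        if m:
            dead.pop(m["peer"], None)
            continue
        if PHASE1_FAIL.match(msg) and negotiating in dead:
            delta = (ts - dead[negotiating]).total_seconds()
            if 0 <= delta <= window_s:
                alerts.append((negotiating, delta))
                dead.pop(negotiating)  # one alert per DPD event
    return alerts


if __name__ == "__main__":
    for peer, secs in detect_stuck_tunnels(SAMPLE_LOG.splitlines()):
        print(f"tunnel to {peer} down: phase 1 retry failed {secs:.0f}s after DPD")
```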




Re: [pfSense Support] Upgrade to 2.0 RC1

2011-03-03 Thread David Rees
On Thu, Mar 3, 2011 at 1:21 PM, Scott Benson  wrote:
> When I take a freshly installed 1.2.3 full, and try and do the update
> methods via the firmware page, it doesn't seem to work.  When I select
> "pfSense 2.0 Beta I386 Snapshot", then go to  "Auto Update Check" it starts
> to download, but stops at 5% and then times out minutes later.  This
> happened 5 times, so I decided to download .gz file and do a "Manual
> Update", it looks like it's uploading, then 5 minutes later it times out.
>  Is anyone else having any of these problems

Saw similar behavior when trying to upload a 64bit upgrade file onto a
32bit 1.2.3 install.

Would be nice to get some sort of indication that the upgrade failed.
Noted it left a bunch of 1 MB files in /root/ as well.

-Dave




Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects

2011-02-12 Thread David Rees
On Fri, Feb 11, 2011 at 7:10 PM, Chris Buechler  wrote:
> On Fri, Feb 11, 2011 at 5:31 PM, David Rees  wrote:
>> Ah, now I see my confusion.  You can't create an alias or firewall
>> rule with a hostname in 1.2.3
>
> You can do that too. :)  doesn't update automatically though, have to
> cron a ruleset reload. 2.0 handles it very nicely.

Hmm.. so what am I missing?  When trying to create an alias with a
host name, I get an error when I use either the Host(s) or Network(s)
type.

If I try to create a rule, set the source type to Single host or alias
and type in a hostname for the address, I get an error, too.

Good to know 2.0 will be able to handle this nicely, though as it does
come in handy on occasion...

Thanks

-Dave




Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects

2011-02-11 Thread David Rees
On Thu, Feb 10, 2011 at 6:14 PM, Chris Buechler  wrote:
> On Thu, Feb 10, 2011 at 8:11 PM, David Rees  wrote:
>> BTW Martin - how are you using dynamic endpoints for IPsec w/pfSense?
>> I didn't think that was possible...
>
> It's possible, just use dyndns names. It largely works fine, you can
> hit some scenarios in 1.2.3 though that require kicking racoon on
> typically rare occasion.

Ah, now I see my confusion.  You can't create an alias or firewall
rule with a hostname in 1.2.3, but you can set up an IPsec VPN
connection with one...

-Dave




Re: [pfSense Support] pfsense 1.2.3 ipsec stopping to work after too many unsuccessful connects

2011-02-10 Thread David Rees
On Thu, Feb 10, 2011 at 2:57 PM, Chris Buechler  wrote:
> On Thu, Feb 10, 2011 at 5:36 PM, Fuchs, Martin 
>  wrote:
>> I run pfsense 1.2.3 and use 4 ipsec tunnels with dynamic endpoints.
>>
>> Everything works fine, but when one endpoint continuously gets a new WAN-IP
>> due to numerous reconnects, racoon stops working and has to be started
>> manually…
>
> Probably because DPD doesn't work entirely correctly in that version
> of ipsec-tools, it does in the newest version that's now in 2.0
> snapshots.

Is this the relevant ticket? http://redmine.pfsense.org/issues/1256

Has the fix been checked in to 2.0 yet?  We occasionally see issues
with VPNs dropping after network drops and may want to do some testing
with the latest snapshots...

BTW Martin - how are you using dynamic endpoints for IPsec w/pfSense?
I didn't think that was possible...

-Dave




Re: [pfSense Support] "Phantom" rules

2010-07-07 Thread David Rees
On Mon, Jul 5, 2010 at 2:57 PM, Chris Buechler  wrote:
> On Mon, Jul 5, 2010 at 11:37 AM, David Rees  wrote:
>> I've got a system (1.2.3, set up in a cluster) which has a couple of
>> "phantom" rules - rules that exist in the config.xml file, but don't
>> show up so they can't be deleted.
>>
>> It appears that somehow they lost their interface element and since
>> all rules are keyed off what interface they are on, they don't show
>> up.
>>
>> What's the recommended way to remove these rules?
>>
>> It looks like I have two options:
>>
>> 1. Remove the rules manually from the config file from each system in
>> the cluster.
>> 2. Download a backup, remove the rules manually, then restore the backup.
>
> Those are your options. When you delete an interface it orphans its
> rules in the config (IIRC that's not the case in 2.0).

Thanks - went for option #2 which worked great and thanks to the
cluster, only had a couple seconds of downtime.

-Dave




[pfSense Support] "Phantom" rules

2010-07-05 Thread David Rees
I've got a system (1.2.3, set up in a cluster) which has a couple of
"phantom" rules - rules that exist in the config.xml file, but don't
show up so they can't be deleted.

It appears that somehow they lost their interface element and since
all rules are keyed off what interface they are on, they don't show
up.

What's the recommended way to remove these rules?

It looks like I have two options:

1. Remove the rules manually from the config file from each system in
the cluster.
2. Download a backup, remove the rules manually, then restore the backup.

Suggestions?

Thanks

-Dave
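Both options in the message above come down to editing config.xml by hand, which is error-prone on a cluster. The script below is an added example (not pfSense code) that does the same check mechanically on a backup: it lists every filter rule with a missing or empty interface element and, going slightly beyond the thread, also catches rules whose interface no longer exists (the orphaning Chris describes when an interface is deleted). The sample config is constructed and simplified; the pseudo-interface names and the comma-separated multi-interface form are assumptions.

```python
"""List or strip "phantom" firewall rules in a pfSense config.xml backup:
rules whose <interface> element is missing, empty, or names an interface
that is no longer defined under <interfaces>."""
import xml.etree.ElementTree as ET

# Assumed: rule tabs that never have an <interfaces> entry (IPsec, PPTP, OpenVPN).
PSEUDO_INTERFACES = {"enc0", "pptp", "openvpn"}

# Constructed, heavily simplified config.xml: three real interfaces, six rules.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><descr>WAN</descr></wan>
    <lan><descr>LAN</descr></lan>
    <opt1><descr>DMZ</descr></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><descr>Default LAN to any</descr></rule>
    <rule><type>block</type><descr>lost its interface element</descr></rule>
    <rule><type>pass</type><interface></interface><descr>empty interface element</descr></rule>
    <rule><type>pass</type><interface>opt2</interface><descr>opt2 was deleted</descr></rule>
    <rule><type>pass</type><interface>enc0</interface><descr>IPsec tab rule</descr></rule>
    <rule><type>pass</type><interface>wan</interface><descr>Allow IPsec to WAN</descr></rule>
  </filter>
</pfsense>
"""


def known_interfaces(root):
    """Interface names a rule may legitimately reference."""
    ifaces = root.find("interfaces")
    names = {child.tag for child in ifaces} if ifaces is not None else set()
    return names | PSEUDO_INTERFACES


def orphan_reason(rule, known):
    """Why this rule would never show up in the GUI, or None if it is fine."""
    iface = rule.find("interface")
    if iface is None:
        return "missing <interface> element"
    text = (iface.text or "").strip()
    if not text:
        return "empty <interface> element"
    # Assumed: newer configs may list several interfaces separated by commas.
    unknown = [n.strip() for n in text.split(",") if n.strip() not in known]
    if unknown:
        return f"references unknown interface(s) {unknown}"
    return None


def find_orphan_rules(xml_text):
    """Return [(index, descr, reason)] without modifying anything."""
    root = ET.fromstring(xml_text)
    known = known_interfaces(root)
    filt = root.find("filter")
    rules = filt.findall("rule") if filt is not None else []
    found = []
    for idx, rule in enumerate(rules):
        reason = orphan_reason(rule, known)
        if reason:
            found.append((idx, rule.findtext("descr", ""), reason))
    return found


def strip_orphan_rules(xml_text):
    """Return (cleaned_xml, [descr of removed rules]); restore the cleaned
    backup through the GUI rather than editing live config.xml on each node."""
    root = ET.fromstring(xml_text)
    known = known_interfaces(root)
    filt = root.find("filter")
    removed = []
    if filt is not None:
        for rule in list(filt):
            if rule.tag == "rule" and orphan_reason(rule, known):
                removed.append(rule.findtext("descr", ""))
                filt.remove(rule)
    return ET.tostring(root, encoding="unicode"), removed


def rule_count(xml_text):
    filt = ET.fromstring(xml_text).find("filter")
    return 0 if filt is None else len(filt.findall("rule"))


if __name__ == "__main__":
    for idx, descr, reason in find_orphan_rules(SAMPLE_CONFIG):
        print(f"rule #{idx} ({descr!r}): {reason}")
```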




Re: [pfSense Support] Less bandwidth available behind the firewall

2010-01-13 Thread David Rees
On Wed, Jan 13, 2010 at 9:42 AM, David Rees  wrote:
> On Tue, Jan 12, 2010 at 8:50 PM, Ugo Bellavance  wrote:
>> I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD install.
>>
>> When I start a download from a nearby centos mirror, directly from the
>> firewall (using fetch), I get the full bandwidth available from my ISP (60
>> mbps).  However, if I try to download the same file from the same server,
>> but from a linux server behind the firewall, using wget, I only get about 20
>> mbps.  If I start multiple downloads, I can reach 60mbps. Is there an
>> explanation?
>
> What are the latency (ping times) to your nearby mirror?
>
> As Chris suggested, you should attach a sniffer to see what the TCP
> window sizes are doing.  Sounds like either the TCP window scaling
> flag is getting dropped or not scaling up appropriately.
>
> One easy thing to try is to disable TCP window scaling on the Linux
> machine, but it probably won't change much unless ping times are very
> low.

BTW, you can see if TCP window scaling is enabled on the pfSense box
by looking at the sysctl net.inet.tcp.rfc1323.

-Dave




Re: [pfSense Support] Less bandwidth available behind the firewall

2010-01-13 Thread David Rees
On Tue, Jan 12, 2010 at 8:50 PM, Ugo Bellavance  wrote:
> I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM.  HDD install.
>
> When I start a download from a nearby centos mirror, directly from the
> firewall (using fetch), I get the full bandwidth available from my ISP (60
> mbps).  However, if I try to download the same file from the same server,
> but from a linux server behind the firewall, using wget, I only get about 20
> mbps.  If I start multiple downloads, I can reach 60mbps. Is there an
> explanation?

What are the latency (ping times) to your nearby mirror?

As Chris suggested, you should attach a sniffer to see what the TCP
window sizes are doing.  Sounds like either the TCP window scaling
flag is getting dropped or not scaling up appropriately.

One easy thing to try is to disable TCP window scaling on the Linux
machine, but it probably won't change much unless ping times are very
low.

A lot of detail here on what can happen if the window scaling flag
gets dropped somewhere between the source and destination during TCP
negotiation.

http://lwn.net/Articles/92727/

-Dave
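To make the window-scaling point concrete: the block below (an added example, not from the thread) builds a TCP SYN carrying the RFC 1323 window scale option, parses it back, simulates a middlebox that strips the option, and compares the resulting window limit with the bandwidth-delay product of a 60 Mbps link. The 30 ms RTT and the port numbers are assumed values.

```python
"""Show how losing the TCP window scale option caps single-stream throughput."""
import struct

WSCALE = 3   # TCP option kind for window scale (RFC 1323)
MSS = 2      # TCP option kind for maximum segment size


def build_tcp_header(src_port, dst_port, window, options=b""):
    """Minimal SYN header (zero checksum) with options padded to 4 bytes."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(opts) // 4
    syn_flag = 0x02
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, syn_flag, window, 0, 0)
    return fixed + opts


def parse_tcp_options(header):
    """Return {kind: value_bytes}; NOP and end-of-list are skipped."""
    data_offset = (header[12] >> 4) * 4
    opts = header[20:data_offset]
    parsed, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        parsed[kind] = opts[i + 2:i + length]
        i += length
    return parsed


def effective_window(header):
    """Receive window in bytes once the peer applies the advertised shift.
    Without the option (or if the peer never saw it) the 16-bit field is all
    there is, so the window can never exceed 65535 bytes."""
    window = struct.unpack("!H", header[14:16])[0]
    shift = parse_tcp_options(header).get(WSCALE)
    if shift is None:
        return window
    return window << min(shift[0], 14)   # RFC 1323 caps the shift at 14


def strip_window_scale(header):
    """Simulate a middlebox that blanks the window scale option with NOPs."""
    data_offset = (header[12] >> 4) * 4
    opts = bytearray(header[20:data_offset])
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        if kind == WSCALE:
            opts[i:i + length] = b"\x01" * length
        i += length
    return header[:20] + bytes(opts)


def bdp_bytes(rate_bps, rtt_s):
    """Bandwidth-delay product: bytes in flight needed to fill the link."""
    return rate_bps * rtt_s / 8


def window_limited_throughput_bps(window_bytes, rtt_s):
    """Best case for one stream that can only keep window_bytes in flight."""
    return window_bytes * 8 / rtt_s


# Constructed SYN: window 65535, MSS 1460, NOP, window scale shift 7.
SAMPLE_SYN = build_tcp_header(40000, 80, 65535,
                              b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x07")

if __name__ == "__main__":
    rtt = 0.03   # assumed 30 ms to the mirror
    print("BDP at 60 Mbps:", bdp_bytes(60_000_000, rtt), "bytes")
    print("window with scaling:", effective_window(SAMPLE_SYN))
    stripped = strip_window_scale(SAMPLE_SYN)
    print("window after option stripped:", effective_window(stripped))
    print("single-stream ceiling without scaling: %.1f Mbps"
          % (window_limited_throughput_bps(effective_window(stripped), rtt) / 1e6))
```

With a 65535-byte window and 30 ms RTT one stream tops out near 17 Mbps, in the same range as the 20 Mbps reported above, while several parallel streams can still fill the 60 Mbps link.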




Re: [pfSense Support] Ticket #1931: NAT reflection bug

2009-08-27 Thread David Rees
On Thu, Aug 27, 2009 at 3:09 PM, Chris Buechler wrote:
> On Thu, Aug 27, 2009 at 5:54 PM, David Rees wrote:
>> OK - I guess what I'm asking is this:
>>
>> I've just checked my particular pfSense box and aside from the nearly
>> 1000 ports it's listening to from 19000+ for my NAT reflection rules,
>> is there anything else keeping us from using a wider port range to
>> allow even more NAT reflection rules to be used?
>
> There are some foot shooting possibilities if you aren't careful.

Any details on those?

>> I don't see many other ports in use on localhost except for ssh, dns,
>> pptp and a handful of ports ranging from 8021+ (which I believe are
>> used for the FTP helper).  I think that it may be helpful to be able
>> to override the default starting port range and number as well as the
>> maximum number of ports to use for NAT reflection.
>
> Having them configurable in System->Advanced is probably good.
>
>> I assume that working from a recent 1.2.3 snapshot is OK?  Do you think
>> it will apply to the 2.0 branch as well?  I have no idea how much the
>> code there has changed...
>
> This wouldn't be accepted into RELENG_1_2 (1.2.x), that's strictly bug
> fixes only and this isn't a bug - though not ideal, it works as
> designed. The patch (preferably merge request in git) would have to be
> to 2.0. 2.0 is considerably different in many ways, but this
> particular part of the code base probably isn't much different.

Hmm, if I just submit a patch which addresses #1931 and keeps
duplicate nc entries out of inetd.conf without adding new features
(which IMO is a bug), could that be accepted into the stable branch?

Hate to say it, but I don't have a lot of interest in writing code for
a release whose release schedule appears to be many, many, months away
and I am not yet even testing in the lab.  I am much more motivated to
write code which has a good chance of seeing production use relatively
soon.

-Dave




Re: [pfSense Support] Ticket #1931: NAT reflection bug

2009-08-27 Thread David Rees
On Thu, Aug 27, 2009 at 11:59 AM, Scott Ullrich wrote:
> On Thu, Aug 27, 2009 at 2:15 PM, David Rees wrote:
>> I've recently run into the issue described on ticket #1931 and on the
>> forum thread below:
>>
>> http://cvstrac.pfsense.org/tktview?tn=1931
>> http://forum.pfsense.org/index.php/topic,16314.0.html
>>
>> Even though we only have about 200 port forwards, we have 6 local
>> interfaces so we've quickly run into this limitation.
>>
>> So a couple questions before I go and tackle this issue:
>>
>> 1. Why the limitation of 1000?  Is that more or less arbitrary to keep
>> from too many local ports from being used by the inetd nc rules, or
>> could it be increased some?
>
> Because of some of the issues you outlined in #2.

OK - I guess what I'm asking is this:

I've just checked my particular pfSense box and aside from the nearly
1000 ports it's listening to from 19000+ for my NAT reflection rules,
is there anything else keeping us from using a wider port range to
allow even more NAT reflection rules to be used?

I don't see many other ports in use on localhost except for ssh, dns,
pptp and a handful of ports ranging from 8021+ (which I believe are
used for the FTP helper).  I think that it may be helpful to be able
to override the default starting port range and number as well as the
maximum number of ports to use for NAT reflection. Bonus points I
guess for a patch which does this as well!  ;-)

>> 2. If I write a patch to limit the number of inetd entries below the
>> above limit, will it be accepted upstream?  We should be able to stop
>> the inetd nc port multiplication issue so we will be able to reflect
>> up to 1000 ports, but there will still be $num_interfaces *
>> $num_portforwards NAT redirect rules generated.  If the patch is
>> likely to be accepted upstream, I'm more likely to spend time to write
>> a 'proper' solution instead of just hacking it. :-)
>
> We will gladly accept changes for this.  Thanks!

Cool - I'll try to find some time over the next week to work on this.

I assume that working from a recent 1.2.3 snapshot is OK?  Do you think
it will apply to the 2.0 branch as well?  I have no idea how much the
code there has changed...

-Dave




[pfSense Support] Ticket #1931: NAT reflection bug

2009-08-27 Thread David Rees
I've recently run into the issue described on ticket #1931 and on the
forum thread below:

http://cvstrac.pfsense.org/tktview?tn=1931
http://forum.pfsense.org/index.php/topic,16314.0.html

Even though we only have about 200 port forwards, we have 6 local
interfaces so we've quickly run into this limitation.

So a couple questions before I go and tackle this issue:

1. Why the limitation of 1000?  Is that more or less arbitrary to keep
from too many local ports from being used by the inetd nc rules, or
could it be increased some?

2. If I write a patch to limit the number of inetd entries below the
above limit, will it be accepted upstream?  We should be able to stop
the inetd nc port multiplication issue so we will be able to reflect
up to 1000 ports, but there will still be $num_interfaces *
$num_portforwards NAT redirect rules generated.  If the patch is
likely to be accepted upstream, I'm more likely to spend time to write
a 'proper' solution instead of just hacking it. :-)

Thanks

Dave
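The arithmetic behind the ticket is $num_interfaces * $num_portforwards listeners competing for a budget of 1000 local ports from 19000 up. The block below is an added example, not pfSense code: it models the per-interface listener generation, then the fix the thread proposes (one nc listener per target/port/protocol, shared by the rdr rule of every interface) and shows how many forwards survive the cap either way. The inetd line and rdr rule formats are approximations, and the forwards and interfaces are constructed.

```python
"""Model pfSense 1.2.x NAT reflection listeners with and without dedup."""

REFLECT_PORT_START = 19000   # first local port used for reflection listeners
REFLECT_PORT_LIMIT = 1000    # at most this many listeners (ports 19000-19999)

# Constructed sample: three port forwards and six local interfaces.
SAMPLE_FORWARDS = [
    {"target": "10.0.0.10", "ports": "80", "proto": "tcp"},
    {"target": "10.0.0.11", "ports": "25", "proto": "tcp"},
    {"target": "10.0.0.12", "ports": "8000-8001", "proto": "tcp"},
]
SAMPLE_INTERFACES = ["lan", "opt1", "opt2", "opt3", "opt4", "opt5"]


def expand_ports(spec):
    """'80' -> [80]; '8000-8003' -> [8000, 8001, 8002, 8003]."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"bad port range {spec!r}")
        return list(range(lo, hi + 1))
    return [int(spec)]


def build_reflection(forwards, interfaces, start=REFLECT_PORT_START,
                     limit=REFLECT_PORT_LIMIT, dedupe=True):
    """Return (inetd_lines, rdr_rules, skipped).

    dedupe=False reproduces the multiplication in the ticket: every interface
    gets its own nc listener for the same target, so the port budget is spent
    num_interfaces times faster.  dedupe=True allocates one listener per
    (target, port, proto) and points every interface's rdr rule at it.
    skipped lists (interface, target, port) tuples that no longer fit."""
    listeners = {}                      # (target, port, proto) -> local port
    inetd_lines, rdr_rules, skipped = [], [], []
    next_port = start
    for fwd in forwards:
        for port in expand_ports(fwd["ports"]):
            key = (fwd["target"], port, fwd["proto"])
            for iface in interfaces:
                if dedupe and key in listeners:
                    local = listeners[key]
                else:
                    if next_port >= start + limit:
                        skipped.append((iface, fwd["target"], port))
                        continue
                    local = next_port
                    next_port += 1
                    listeners[key] = local
                    # Approximation of the inetd.conf line pfSense writes.
                    inetd_lines.append(
                        f"{local}\tstream\t{fwd['proto']}\tnowait/0\tnobody"
                        f"\t/usr/bin/nc\tnc -w 20 {fwd['target']} {port}")
                # Approximation of the pf rdr rule that sends LAN-side traffic
                # for the public port to the local listener.
                rdr_rules.append(
                    f"rdr on {iface} proto {fwd['proto']} from any to ({iface}) "
                    f"port {port} -> 127.0.0.1 port {local}")
    return inetd_lines, rdr_rules, skipped


def port_budget_report(forwards, interfaces, limit=REFLECT_PORT_LIMIT):
    """Listeners consumed with and without dedup, against the cap."""
    naive = build_reflection(forwards, interfaces, limit=limit, dedupe=False)
    shared = build_reflection(forwards, interfaces, limit=limit, dedupe=True)
    return {"limit": limit,
            "naive_listeners": len(naive[0]), "naive_skipped": len(naive[2]),
            "deduped_listeners": len(shared[0]), "deduped_skipped": len(shared[2])}


if __name__ == "__main__":
    print(port_budget_report(SAMPLE_FORWARDS, SAMPLE_INTERFACES))
```

With Dave's numbers (200 forwards, 6 interfaces) the naive scheme needs 1200 listeners and blows through the 1000-port cap, while the shared scheme needs 200.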




Re: [pfSense Support] Re: Can't get more than 15kpps.

2009-07-31 Thread David Rees
On Fri, Jul 31, 2009 at 12:09 PM, Keenan Tims wrote:
>> then use "time scp /tmp/random otherhost:/tmp/blah" or use "netcat -l -p
>> 1234" on one to create a listen and on other "time cat /tmp/random |
>> netcat -p 1234 otherhost" to see how long it takes
>>
> scp doesn't perform well over fast links, it's not really a good tool
> for testing. I can barely get 100mbit out of my GigE network that
> otherwise performs well. I think it is due to the issue discussed here:
>
> http://www.psc.edu/networking/projects/hpn-ssh/

Most of the time, the real issue is that scp has to encrypt the data
on one end and decrypt it on the other - that takes a lot of CPU power
that could otherwise be used for tossing packets around.

-Dave




Re: [pfSense Support] A note about top vs bottom posting -- please read and make sure you bottom post on our lists. Thank you.

2009-07-29 Thread David Rees
On Wed, Jul 29, 2009 at 10:31 AM,  wrote:
> Unfortunately Gmail top posts by default.  So expecting bottom posting to be
> and to remain the default behavior may be an exercise in futility.  proper
> etiquette or not, some people just bang off replies and figure everything is
> a-ok.  This being a reason, not an excuse.

Yes - bottom posting takes a bit of work.  But on a high volume
mailing list or if you receive a lot of mail, a little bit of context
goes a LONG way.

And while we're talking about it - Trim your messages, too!

Only leave the relevant portion of the original email in the message -
so that means trimming the list-footer off the message.

Again - it takes a bit of work, but it really makes reading mailing
lists a LOT easier.

Try it for a bit - once you do, you'll realize how much better it is.

-Dave




Re: [pfSense Support] RE: T1 Saturating - Windows update kills the connection... ??

2009-05-13 Thread David Rees
On Wed, May 13, 2009 at 8:55 AM, Chris Buechler  wrote:
> Slowing down considerably when under full load is normal, slowing to
> the point that sites don't load anymore when you're just running a few
> Windows updates is definitely not. Sounds like there's something wrong
> with the T1, or the CPE it's plugged into, whatever has your CSU/DSU.

I'm with Chris here.

A simple test would be to watch latency while performing multiple
concurrent downloads.

Run a continuous ping to www.google.com and find a big file to download.

Start with one download and increase to 4.  Ping times should get
pretty high - I'd estimate 300-500ms with 4 downloads running.  But
you still shouldn't be seeing any packet loss.

If you are, there's something wrong with your T1.

-Dave




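
The latency-versus-loss test Dave describes in the message above, as an added worked example (not from the original thread, and not a pfSense tool). It is written in Python; the ping reply lines are constructed for the example, 198.51.100.10 is a documentation address standing in for whatever www.google.com resolves to, and the 300 ms threshold is an assumption taken from the 300-500 ms estimate in the message. The parser infers loss from gaps in icmp_seq so it can be run against a ping that is still going, and the classifier applies the rule from the message: high round-trip times under load are expected, any loss is not.

```python
import re
from statistics import mean

# Constructed ping output for two phases of the test. Both samples are made up
# for this example; 198.51.100.10 is a documentation address standing in for
# whatever www.google.com resolves to. The second sample has two missing
# sequence numbers and one "Request timeout" line of the kind some ping
# implementations print, which the parser deliberately does not match.
SAMPLE_LOADED_NO_LOSS = """\
64 bytes from 198.51.100.10: icmp_seq=0 ttl=52 time=412.7 ms
64 bytes from 198.51.100.10: icmp_seq=1 ttl=52 time=388.1 ms
64 bytes from 198.51.100.10: icmp_seq=2 ttl=52 time=455.9 ms
64 bytes from 198.51.100.10: icmp_seq=3 ttl=52 time=401.3 ms
64 bytes from 198.51.100.10: icmp_seq=4 ttl=52 time=497.0 ms
""".splitlines()

SAMPLE_LOADED_WITH_LOSS = """\
64 bytes from 198.51.100.10: icmp_seq=0 ttl=52 time=620.4 ms
64 bytes from 198.51.100.10: icmp_seq=1 ttl=52 time=733.0 ms
Request timeout for icmp_seq 2
64 bytes from 198.51.100.10: icmp_seq=3 ttl=52 time=811.6 ms
64 bytes from 198.51.100.10: icmp_seq=5 ttl=52 time=702.2 ms
64 bytes from 198.51.100.10: icmp_seq=6 ttl=52 time=688.9 ms
""".splitlines()

# Matches a reply line from BSD or Linux ping; timeout lines carry no "time=".
REPLY_RE = re.compile(r"icmp_seq=(\d+)\b.*\btime=([\d.]+) ms")


def analyze_ping(lines):
    """Summarise a running ping from its reply lines alone.

    Loss is inferred from gaps in icmp_seq rather than from ping's closing
    statistics, so this works on a capture that is still in progress. A loss
    at the very end cannot be seen until a later reply arrives; that is a
    known blind spot of this approach.
    """
    seqs, rtts = [], []
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            seqs.append(int(m.group(1)))
            rtts.append(float(m.group(2)))
    if not seqs:
        return {"sent": 0, "received": 0, "loss_pct": 100.0,
                "rtt_avg_ms": None, "rtt_max_ms": None}
    sent = max(seqs) - min(seqs) + 1       # probes we know were sent
    received = len(set(seqs))              # duplicate replies counted once
    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1),
        "rtt_avg_ms": round(mean(rtts), 1),
        "rtt_max_ms": max(rtts),
    }


def classify(stats, loaded_rtt_ms=300.0):
    """Apply the rule of thumb from the thread.

    Under four concurrent downloads the RTT on a T1 is expected to climb into
    the hundreds of milliseconds (the 300-500 ms estimate from the message is
    the default threshold here, an assumption); any packet loss at all points
    at the T1 or the CSU/DSU rather than at normal saturation.
    """
    if stats["received"] == 0:
        return "no replies"
    if stats["loss_pct"] > 0:
        return "packet loss"
    if stats["rtt_avg_ms"] >= loaded_rtt_ms:
        return "saturated, no loss"
    return "normal"
```

Redirect the live ping into a file and feed its lines to analyze_ping() from another terminal while the downloads run; compare a quiet-line baseline with the one-, two- and four-download phases. A "saturated, no loss" result with RTT in the few-hundred-millisecond range is the healthy outcome the message predicts; "packet loss" during the same phase is the symptom that points at the circuit.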
Re: [pfSense Support] ftp troubleshooting instructions help

2009-02-11 Thread David Rees
On Tue, Feb 10, 2009 at 12:51 PM, Nick Smith  wrote:
> I would like some clarifications on the FTP troubleshooting page.
>
> It states:
> 2. If you have a restrictive ruleset or are utilizing policy based
> routing for multiple-wans then ensure that you have permitted traffic
> to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1
> 8000-8030. This rule should be on top of all other LAN rules that
> utilize policy based routing.
>
> What does this mean exactly?
> Make a rule, select LAN Subnet as the source to destination 127.0.0.1
> for ports 8000-8030?
>
> Would this be created under the LAN tab?

Yes, the rule should be created on the LAN tab.

> What if my client also used ports 7950-8079 as well?
> Would i edit the rule to allow all the ports instead?

Doesn't matter - this rule is only to make sure that your LAN hosts can
access the FTP helper.

> do i need to make rules from the lan subnet for each IP address i need
> to ftp to?

No, you only need rules for the LAN subnets you want to be able to FTP
from, not to.

> Also, do i need to do port forwarding for those ports as well?

No.

-Dave


Re: [pfSense Support] outdated bogon networks?

2009-01-26 Thread David Rees
On Mon, Jan 26, 2009 at 12:56 PM, Jonathan Reed  wrote:
> I setup my first pfsense box over the weekend and I am having trouble
> with connection attempts from an IP address at 173.32.x.x. I checked
> that address space here
> http://www.iana.org/assignments/ipv4-address-space/ and it says it was
> allocated not over a year ago. Connections and ICMP packets respond
> from every other connection I've tried, so I'm wondering if the
> default "Block Bogon Networks" rule are blocking my connection from
> the 173.x.x.x network. Is there a place on the pfsense box where I can
> view what it considers to be a bogon network? And where does it get
> the knowledge of bogon networks (via updates/online repo) from?

http://www.mail-archive.com/support@pfsense.com/msg15272.html

-Dave


Re: [pfSense Support] Stuck on boot

2009-01-26 Thread David Rees
On Mon, Jan 26, 2009 at 12:20 PM, k_o_l  wrote:
> Thanks Dave, I tried all with no luck

OK, try disabling acpi to see if that helps:
http://devwiki.pfsense.org/BootOptions

-Dave


Re: [pfSense Support] Stuck on boot

2009-01-26 Thread David Rees
On Mon, Jan 26, 2009 at 9:05 AM, k_o_l  wrote:
> I'm reinstall Pfsense on Pentium 4, 3.40Ghz (Intel Pentium 4
> Northwood/Prescott) however, after a successful installation, it get stuck
> on boot with "/boot/kernel/acpi.ko" I tried IDE and SATA drives with the
> same problem, any suggestions?

What version of pfSense?

Try the following:

1. Make sure bios is the latest version.
2. Reset bios to defaults
3. Make sure you're using the latest pfSense.  If already trying
1.2.2, give the latest 1.2.3-snapshot a try.

-Dave


Re: [pfSense Support] Packages with pfSense embedded not an option - very sad

2009-01-22 Thread David Rees
On Thu, Jan 22, 2009 at 7:22 PM, Chris Buechler  wrote:
> That will work for some packages, but not all. Embedded runs ro on
> mounts that some packages need rw on. Also takes very little to run
> out of space on the CF unless you do a full install to a 1-4 GB card,
> which will give you plenty of breathing room for most things.

How do you get a full-install onto CF on a headless system like the ALIX box?

Install on a separate machine using an IDE-CF adapter as Morgan
suggested?  And then what about losing the console after swapping the
CF into the ALIX box - any steps required there?

-Dave


Re: [pfSense Support] Intel Atom Motherboards or Similar Systems

2009-01-15 Thread David Rees
On Thu, Jan 15, 2009 at 7:32 AM, Angelo Turetta
 wrote:
> Never try to route/bridge between high speed LAN segments, though.
> Maximum sustainable throughput around 20 Mbps (with polling), but copying a
> 30GB backup file from one net to another is not recommended: on FreeBSD6
> based pfSense I frequently get spontaneous reboots, which become highly
> repeatable if I disable device polling.
> I suspect the watchdog is not being reset because the CPU is maxed out by
> interrupts.

Hmm, this may be fixed in 1.2.1+. Someone was testing Alix hardware
throughput and posted results on the forum.

Here's the link and a quick snippet of results using 1.2.1RC1 on an Alix 2D3:

http://forum.pfsense.org/index.php?topic=12766.0

Bidirectional TCP: ~57Mbps
Single direction TCP: ~80-85Mbps
Bidirectional UDP: ~40-47Mbps
Single direction UDP: ~47-62Mbps

Thread also has OpenVPN performance in it, too.

-Dave


Re: [pfSense Support] Intel Atom Motherboards or Similar Systems

2009-01-13 Thread David Rees
On Tue, Jan 13, 2009 at 6:23 PM, Jeppe Øland  wrote:
> Boards like this would be interesting (but probably expensive).
> http://www.ibase.com.tw/ib882.htm

This is a cheap way to get a barebones Atom setup:

http://www.newegg.com/Product/Product.aspx?Item=N82E16856107036

Just need to add another NIC, memory and storage device to get it
going.  Will cost a bit more and draw significantly more power than an
Alix box, but should be able to push a gigabit through it if you get
the right NIC.

-Dave


Re: [pfSense Support] Intel Atom Motherboards or Similar Systems

2009-01-13 Thread David Rees
On Tue, Jan 13, 2009 at 3:44 PM, Chuck Mariotti  wrote:
> I have been looking at Atom based systems for a while. I keep drooling over 
> these cheapo, compact, low power units.
>
> I'd really like to replace my 1Ghz, 1GB, 1U machine running pfSense with one. 
> Are these things supported in pfSense?
>
> Is anyone using them or can recommend a board or specific system?
>
> I just need dual network/LAN.
>
> I have been looking at Jetway and Intel boards.
>
> Any suggested configs (and accessories, riser cards, CF, etc...) or 
> alternatives would be appreciated.

Here ya go:

http://www.netgate.com/product_info.php?cPath=60_84&products_id=671

Alix 6B2 Kit.  2 10/100 NICs, 500MHz Geode processor, 256MB RAM, 512MB
flash, $180.

All you need to run pfSense. And only draws about 5w from the wall.

Only drawback is that you have to pull the flash card when you want to
upgrade an embedded system - for my production systems I keep an extra
flash card around (less than $20), flash that and load it with a config
backup so that downtime is minimal when upgrading.  Basically as long
as it takes for you to pull the thing apart and swap out a flash card.
If the case had an opening for the flash card it'd be even faster
(have been tempted to dremel out an opening to make flash card
swapouts and upgrades extremely quick).

They also make the Alix boards with 3 NICs and you can also load them
up with a miniPCI wireless card, too if you want that.

-Dave


Re: [pfSense Support] Couple OpenNTPd Ticket Comments & Fix

2009-01-07 Thread David Rees
On Wed, Jan 7, 2009 at 8:15 PM, David Rees  wrote:
> On Wed, Jan 7, 2009 at 8:12 PM, David Rees  wrote:
>> On Wed, Jan 7, 2009 at 8:04 PM, Chris Buechler  wrote:
>>> On Wed, Jan 7, 2009 at 10:24 PM, David Rees  wrote:
>>>> I just commented on http://cvstrac.pfsense.org/tktview?tn=1859,4 with
>>>> a fix. Hopefully this can sneak into 1.2.2 after the fix is confirmed.
>>>
>>> It was already built, but it was built literally minutes before
>>> today's FreeBSD security advisories. The OpenSSL one is potentially
>>> applicable with OpenVPN, so it's being rebuilt with the updates.
>>>
>>> I believe it's building as I'm writing this, so it's likely there will
>>> not be any additional changes in 1.2.2.
>>
>> No worries, not a major bug as there is a workaround, but would be
>> nice to get into the 1.2 branch for the next release.
>
> It's not a complete fix, anyway. It actually breaks that other ticket.
> :-( I'll look at it more when I get a chance.

OK, here's a tested fix. Seems to work on my system.  Looks like you
applied the other "fix" already, this patch should apply over it.

-Dave


status_services.php.patch
Description: Binary data

Re: [pfSense Support] Couple OpenNTPd Ticket Comments & Fix

2009-01-07 Thread David Rees
On Wed, Jan 7, 2009 at 8:12 PM, David Rees  wrote:
> On Wed, Jan 7, 2009 at 8:04 PM, Chris Buechler  wrote:
>> On Wed, Jan 7, 2009 at 10:24 PM, David Rees  wrote:
>>> I just commented on http://cvstrac.pfsense.org/tktview?tn=1859,4 with
>>> a fix. Hopefully this can sneak into 1.2.2 after the fix is confirmed.
>>
>> It was already built, but it was built literally minutes before
>> today's FreeBSD security advisories. The OpenSSL one is potentially
>> applicable with OpenVPN, so it's being rebuilt with the updates.
>>
>> I believe it's building as I'm writing this, so it's likely there will
>> not be any additional changes in 1.2.2.
>
> No worries, not a major bug as there is a workaround, but would be
> nice to get into the 1.2 branch for the next release.

It's not a complete fix, anyway. It actually breaks that other ticket.
:-( I'll look at it more when I get a chance.

-Dave


Re: [pfSense Support] Couple OpenNTPd Ticket Comments & Fix

2009-01-07 Thread David Rees
On Wed, Jan 7, 2009 at 8:04 PM, Chris Buechler  wrote:
> On Wed, Jan 7, 2009 at 10:24 PM, David Rees  wrote:
>> I just commented on http://cvstrac.pfsense.org/tktview?tn=1859,4 with
>> a fix. Hopefully this can sneak into 1.2.2 after the fix is confirmed.
>
> It was already built, but it was built literally minutes before
> today's FreeBSD security advisories. The OpenSSL one is potentially
> applicable with OpenVPN, so it's being rebuilt with the updates.
>
> I believe it's building as I'm writing this, so it's likely there will
> not be any additional changes in 1.2.2.

No worries, not a major bug as there is a workaround, but would be
nice to get into the 1.2 branch for the next release.

Cheers

Dave


[pfSense Support] Couple OpenNTPd Ticket Comments & Fix

2009-01-07 Thread David Rees
I just commented on http://cvstrac.pfsense.org/tktview?tn=1859,4 with
a fix. Hopefully this can sneak into 1.2.2 after the fix is confirmed.

Also, Ticket http://cvstrac.pfsense.org/tktview?tn=1617,36 appears to
be fixed in 1.2.1 (which I also commented on)

-Dave


Re: [pfSense Support] FTP Helper Question

2009-01-06 Thread David Rees
On Tue, Jan 6, 2009 at 5:17 PM, Chris Buechler  wrote:
> On Tue, Jan 6, 2009 at 6:43 PM, David Rees  wrote:
>> I recently upgraded a site to 1.2.1 and had some problems with inbound
>> FTP afterwards.
>>
>> In doing my troubleshooting, I noticed that the pftpx daemon never
>> starts on the WAN interface - regardless of the "Disable FTP Helper"
>> setting.
>>
>> I looked at the system_start_ftp_helpers function in
>> /etc/inc/config.inc, but it doesn't seem to add the WAN interface to
>> the array it uses to start the daemons. So the question is - should
>> the FTP helper run on the WAN interface, or does it not run on the WAN
>> interface by design?
>
> It's done in filter.inc for WAN interfaces, what you're looking at
> there is for outbound client FTP rather than inbound server. If you
> have a port forward for TCP 21 it will automatically launch the helper
> if it is enabled on that WAN.

Hmm, I'm pretty sure that we had a NAT rule forwarding port 21 to the
internal server, but it was a Proxy-ARP IP which would explain why it
wasn't getting started - though I'm pretty sure we tried an "Other"
VIP.

Which brings up another question: If we have to use a CARP IP, what
should be entered for the VIP password and group?  I thought that CARP
IPs were primarily used for setting up high availability between two
pfSense boxes...

Looking further at the code in filter.inc, looks like there's a number
of reasons pftpx might not be getting started. Looks like I'll have to
enable debugging to troubleshoot further - how can I do that?

Thanks!

-Dave


[pfSense Support] FTP Helper Question

2009-01-06 Thread David Rees
I recently upgraded a site to 1.2.1 and had some problems with inbound
FTP afterwards.

In doing my troubleshooting, I noticed that the pftpx daemon never
starts on the WAN interface - regardless of the "Disable FTP Helper"
setting.

I looked at the system_start_ftp_helpers function in
/etc/inc/config.inc, but it doesn't seem to add the WAN interface to
the array it uses to start the daemons. So the question is - should
the FTP helper run on the WAN interface, or does it not run on the WAN
interface by design?

The install is a dual WAN setup which uses PPPOE on the WAN and static
IP address assignments on the OPT1 and LAN interfaces.

-Dave


Re: [pfSense Support] /cf: filesystem full

2008-12-17 Thread David Rees
On Wed, Dec 17, 2008 at 11:42 AM, David Rees  wrote:
> On Sat, Dec 13, 2008 at 3:18 PM, Scott Ullrich  wrote:
>> On Thu, Dec 11, 2008 at 7:45 PM, David Rees  wrote:
>>> Still seems like a bug to leave so little extra room on the config
>>> partition, though. Seems like we'd want to increase the size by at
>>> least double to 4M if not more.
>>
>> Done.  Please test
>> http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-1.2.1-RC3-20081213-2210.img.gz
>>   ASAP.   My serial cable is not working for some reason and
>> cannot send characters to verify that the image has indeed seen /conf
>> double.
>
> Thanks - I'm going to try to get our system upgraded from 1.2 to
> 1.2.1-RC4 today once I get a spare CF card.

Got our ALIX system upgraded successfully and can confirm that the
config partition is now about 4.5MB.

Thanks!

-Dave


Re: [pfSense Support] /cf: filesystem full

2008-12-17 Thread David Rees
On Sat, Dec 13, 2008 at 3:18 PM, Scott Ullrich  wrote:
> On Thu, Dec 11, 2008 at 7:45 PM, David Rees  wrote:
>>
>> Your problem sounds different than ours. We finally ran out of space
>> because our config files kept on getting bigger, not because something
>> is filling up the partition behind our backs.
>>
>> After a reboot, there still seems to be a discrepancy between what df
>> -h reports and what du -h reports, but I am thinking that this is
>> likely because of filesystem block sizes or similar.
>>
>> Still seems like a bug to leave so little extra room on the config
>> partition, though. Seems like we'd want to increase the size by at
>> least double to 4M if not more.
>
> Done.  Please test
> http://snapshots.pfsense.org/FreeBSD7/RELENG_1_2/pfSense-1.2.1-RC3-20081213-2210.img.gz
>   ASAP.   My serial cable is not working for some reason and
> cannot send characters to verify that the image has indeed seen /conf
> double.

Thanks - I'm going to try to get our system upgraded from 1.2 to
1.2.1-RC4 today once I get a spare CF card.

-Dave


Re: [pfSense Support] /cf: filesystem full

2008-12-11 Thread David Rees
On Thu, Dec 11, 2008 at 4:30 PM, apiase...@midatlanticbb.com
 wrote:
> I had this exact same problem on a Soekris 5501 box.  I could not find the
> files that were taking the space. I actually had RRD graphs disabled, and it
> was still full. A reboot would fix the problem temporarily, but after about
> 30-60mins it would fill up again giving me all sorts of errors. I finally
> just replaced it with a "full version" install and used a 40gb hard drive.
> That should take care of any space issues :)
>
> rrd.tgz is a backup of your RRD graphs.

Your problem sounds different than ours. We finally ran out of space
because our config files kept on getting bigger, not because something
is filling up the partition behind our backs.

After a reboot, there still seems to be a discrepancy between what df
-h reports and what du -h reports, but I am thinking that this is
likely because of filesystem block sizes or similar.

Still seems like a bug to leave so little extra room on the config
partition, though. Seems like we'd want to increase the size by at
least double to 4M if not more.

-Dave


[pfSense Support] Re: /cf: filesystem full

2008-12-11 Thread David Rees
On Thu, Dec 11, 2008 at 3:52 PM, David Rees  wrote:
> Upon perusing the logs, we found that /cf had filled up. Logged in,
> and sure enough, it had filled up.
>
> Looking in /cf, the largest culprit was a rrd.tgz file which was about
> 1MB, but the rest of the files only took up a bit over 300k (there are
> 5 backups of the config and each config is about 50KB each), so it
> looks like there are possibly some deleted files sitting around that a
> process is still hanging on to taking up the other 300-400KB?

Well, we restored our last backup and rebooted. Left us with -98K free
on the /cf partition. Needless to say, we deleted the rrd.tgz file
again.

Is the /cf partition bigger on new versions of pfSense?

-Dave


[pfSense Support] /cf: filesystem full

2008-12-11 Thread David Rees
Running pfSense 1.2 embedded on an Alix box.

While doing some configuration changes today, we ran into a situation
where we somehow lost part of our configuration (some of our VPN
definitions and all of our Virtual IPs).

Upon perusing the logs, we found that /cf had filled up. Logged in,
and sure enough, it had filled up.

pfsense:/cf/conf#  df -h
Filesystem            Size    Used   Avail  Capacity  Mounted on
/dev/ufs/pfSense      111M     58M     44M      57%   /
devfs                 1.0K    1.0K      0B     100%   /dev
/dev/md0               38M    1.8M     34M       5%   /tmp
/dev/md1               19M    5.2M     12M      29%   /var
/dev/ufs/pfSenseCfg   1.8M    1.7M   -7.0K     100%   /cf
devfs                 1.0K    1.0K      0B     100%   /var/dhcpd/dev

Looking in /cf, the largest culprit was a rrd.tgz file which was about
1MB, but the rest of the files only took up a bit over 300k (there are
5 backups of the config and each config is about 50KB each), so it
looks like there are possibly some deleted files sitting around that a
process is still hanging on to taking up the other 300-400KB?

pfsense:/cf/conf#  ls -l
total 1101
drwxr-xr-x  2 root  wheel      512 Dec 11 15:04 backup
-rw-r--r--  1 root  wheel    52276 Dec 11 15:45 config.xml
-rw-r-      1 root  wheel        0 Nov  6  2004 ez-ipupdate.cache
-rw-r--r--  1 root  wheel  1062656 May  5  2008 rrd.tgz

Since the rrd.tgz hadn't been updated in ages, we've deleted that file
for now. We're not even sure what it's used for.

Any ideas?  Is this something that's handled better in 1.2.1RC?

Thanks

Dave


Re: [pfSense Support] ipv6 possibility

2008-09-24 Thread David Rees
On Wed, Sep 24, 2008 at 3:22 PM, RB <[EMAIL PROTECTED]> wrote:
> Who has put off rolling out pfSense or a similar platform
> because it didn't implement IPv6?

Anything for the US Government is required to be IPv6 ready.

> What about the fact that for the
> huge majority of users, the magical IPv6 land of ponies and sugar
> cakes will end at their border unless they tunnel it out to some
> 3rd-party provider?  Yes, some ISPs are starting to offer v6
> connectivity, but those are few and far between.

I think you will start to see IPv6 adoption rapidly pick up steam, but
as you indicate, anything that is 2-3 years off still leaves most
people thinking that they have plenty of time.

-Dave


Re: [pfSense Support] blocking china

2008-09-23 Thread David Rees
On Tue, Sep 23, 2008 at 3:30 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> On Tue, Sep 23, 2008 at 10:40 AM, Derrick Conner <[EMAIL PROTECTED]> wrote:
>>   For some reason, some of the messages in here get sent to junk mail.
>
> Gmail has been sending about 10-20% of the list messages to spam the
> past week or so for me. I changed my filter for the lists to never
> move to spam, and it's been showing "this message not marked as spam
> because of a filter" on 10-20% of messages. Nothing has changed on our
> end, and I checked to see if we somehow got blacklisted somewhere but
> that's not the case.

Interesting, I haven't had that problem at all with Gmail and pfsense
list messages...

-Dave


Re: [pfSense Support] OpenVPN Tunnel "Quality" with VoIP Applications

2008-09-18 Thread David Rees
On Thu, Sep 18, 2008 at 12:25 PM, Vivek Khera <[EMAIL PROTECTED]> wrote:
>> Depending on bandwidth requirements, we may eventually use G.729 but we're
>> currently testing in our lab on a completely unloaded 100mbit network.
>
> G.729 also handles higher latency well.  But still, your latency is under
> 150, which shouldn't affect G.711u so much.

I think the point is that there should only be a couple ms of latency
introduced by using an openvpn connection.

Tim, how are ping times across the tunnel? How fast can you copy files
across it?

I'm using some openvpn tunnels and haven't had any weird latency
issues with them.

-Dave


Re: [pfSense Support] Please don't switch to FreeBSD7 in pfSense1.2.1

2008-06-30 Thread David Rees
On Mon, Jun 30, 2008 at 6:29 AM, Gary Buckmaster
<[EMAIL PROTECTED]> wrote:
> IMNSHO, device driver changes and tracking something close to current are
> good things.  There are so many devices that just don't have decent support
> in FreeBSD6 and some devices are simply broken in FreeBSD6.

+1 - I would love to see the next release of pfSense based on FreeBSD
7.0. Just the hardware support alone is worth it, not to mention all
the work that has gone into network performance.

-Dave


Re: [pfSense Support] Easy way to change ISP info

2008-06-26 Thread David Rees
On Thu, Jun 26, 2008 at 12:49 AM, Mike Lever <[EMAIL PROTECTED]> wrote:
> In our country at the moment we are experiencing connectivity problems.
> When this occurs I then have to connect to each of my 7 WAN/DSL routers,
> change login info to an alternate ISP's, then reset the load balancer pool to 
> another pool.
>
> Does anybody else have a similar situation ? Any ideas / suggestions how I can
> streamline this process ?

Set up a dedicated pfSense box for each PPPoE connection you have,
then place another pfSense box behind them all to handle the load
balancing. Yeah, it means that you'll have 8 machines instead of one,
but then you'll be able to fail over between lines seamlessly.

-Dave


Re: [pfSense Support] Picky load balancing?

2008-06-26 Thread David Rees
On Wed, Jun 25, 2008 at 11:12 PM, "Rüdiger G. Biernat" <[EMAIL PROTECTED]> 
wrote:
> But coming to the point - This morning I woke up and realized that all of a
> sudden (after starting Vuze) I get my 80kB/s out of my two DSL-lines!
> And I am pretty sure that nobody has modified pfsense while I was sleeping.
>
> Does pfsense has some sort of self-healing features? Or is there simply a
> bug?

Simply sounds like all your connections (how many were active?) ended
up going over one line, but later you ended up with connections going
over both lines.

Sounds fairly normal to me.

-Dave


Re: [pfSense Support] monitoring bandwidth usage of individual lan addresses

2008-06-16 Thread David Rees
On Sun, Jun 15, 2008 at 5:43 PM, Daniel Lloyd <[EMAIL PROTECTED]> wrote:
> The bandwithd package does just that.

But he's running on an ALIX board, isn't he most likely using the
embedded version which does not support packages?

-Dave


Re: [pfSense Support] ipsec woes

2008-05-09 Thread David Rees
On Fri, May 9, 2008 at 2:01 AM, Jure Pečar <[EMAIL PROTECTED]> wrote:
> Of course. Let's debug one by one. This is office1->office2):
>
> on office1 i see:

Looks fairly normal.

> ... and on office2 side i see:
>
> May 9 10:30:20  racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does 
> not already exist: "192.168.1.0/24[0] 192.168.111.0/24[0] proto=any dir=in"
> May 9 10:30:20  racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does 
> not already exist: "192.168.111.0/24[0] 192.168.1.0/24[0] proto=any dir=out"

Oops. Looks like you have some sort of VPN definition error here. Are
you sure that the local/remote nets match on both ends? Also make sure
that you do not have any duplicate local/remote nets across all VPN
connections defined on each firewall.

-Dave


Re: [pfSense Support] ipsec woes

2008-05-08 Thread David Rees
On Thu, May 8, 2008 at 1:24 PM, Jure Pečar <[EMAIL PROTECTED]> wrote:
> I inherited three pfsense setups at three locations of the same company.
> pfSense itself is working perfectly well, only the ipsec is causing the
> troubles.

What version of pfSense?

> office1 to office2: works most of the time, unless when it doesn't - it
> goes blank for minutes at a time and then comes back.

What do you mean "goes blank"?

> office1 to servers: works, but typing 'dmesg' or something else with lots
> of output freezes the ssh session over it. It never freezes if left idle.
> Sshing to the same machine over public ip does not exhibit this problem.

Is there any packet loss on the VPN between office1 and servers?

> home to office1: doesn't work at all.

Going to need logs. Probably a VPN configuration error with either the
remote/local net or VPN ids, or PSK. I would also suggest trying main
mode instead of aggressive mode for the negotiation mode.

-Dave


Re: [pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
On Tue, May 6, 2008 at 2:07 PM, David Rees <[EMAIL PROTECTED]> wrote:
>  Ah, missed that. I did see a few other places where it appears that
>  config.xml is written besides through the write_config routine...
>  Modifying write_config to update the config file atomically will be
>  straight forward and should cover most of the cases where the file is
>  commonly written.

OK, attached is a patch to /etc/config.inc that makes sure that the
config.xml and config.cache are updated atomically. The patch adds a
function "write_safe_file" with 3 arguments: $file, $content,
$force_binary.

Tested on my local pfSense 1.2 box here, seems to work OK.

Let me know what you think!

If the patches I submitted look OK, do you think they'll make it into 1.2.1?

-Dave
--- config.inc.orig	2008-02-14 10:41:55.0 -0800
+++ config.inc	2008-05-06 14:23:24.0 -0700
@@ -1061,11 +1061,9 @@
 	conf_mount_rw();
 
 	/* write new configuration */
-	$fd = fopen("{$g['cf_conf_path']}/config.xml", "w");
-	if (!$fd)
+	if (!write_safe_file("{$g['cf_conf_path']}/config.xml", $xmlconfig, false)) {
 		die("Unable to open {$g['cf_conf_path']}/config.xml for writing in write_config()\n");
-	fwrite($fd, $xmlconfig);
-	fclose($fd);
+	}
 
 	if($g['platform'] == "embedded") {
 		cleanup_backupcache(5);
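Review bot: the message in `die("Unable to open {$g['cf_conf_path']}/config.xml for writing in write_config()\n");` no longer describes the failure it reports, because write_safe_file() also returns false when the fwrite() or the rename() fails, not only when the temporary file cannot be opened; reword it to say the write or rename of config.xml failed, so an operator chasing a full /cf partition is not sent looking at the wrong step. Also worth a one-line comment here: the temporary file is created next to config.xml under {$g['cf_conf_path']}, and that same-directory placement is what makes the rename() an atomic replace, so it should not be moved to /tmp later.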
@@ -1082,11 +1080,7 @@
 	$config = parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
 
 	/* write config cache */
-	$fd = @fopen("{$g['tmp_path']}/config.cache", "wb");
-	if ($fd) {
-		fwrite($fd, serialize($config));
-		fclose($fd);
-	}
+	write_safe_file("{$g['tmp_path']}/config.cache", serialize($config), true);
 
 	/* tell kernel to sync fs data */
 	mwexec("/bin/sync");
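Review bot: the return value of `write_safe_file("{$g['tmp_path']}/config.cache", serialize($config), true);` is dropped, which keeps the old best-effort behaviour of the `@fopen` block, but the `@` suppression is gone with it, so a failed fopen() under /tmp now emits a PHP warning from inside write_safe_file() while this caller still continues silently. Either check the false return and log it here so both failure paths behave the same way, or add a comment stating that the cache write is deliberately best-effort and the warning is expected.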
@@ -1096,6 +1090,45 @@
 	return $config;
 }
 
+/f* config/write_safe_file
+ * NAME
+ *   write_safe_file - Write a file out atomically
+ * DESCRIPTION
+ *   write_safe_file() Writes a file out atomically by first writing to a
+ *   temporary file of the same name but ending with the pid of the current
+ *   process, them renaming the temporary file over the original.
+ * INPUTS
+ *   $filename	- string containing the filename of the file to write
+ *   $content	- string containing the file content to write to file
+ *   $force_binary	- boolean denoting whether we should force binary
+ *   mode writing.
+ * RESULT
+ *   boolean - true if successful, false if not
+ **/
+function write_safe_file($file, $content, $force_binary) {
+	$tmp_file = $file . "." . getmypid();
+	$write_mode = $force_binary ? "wb" : "w";
+
+	$fd = fopen($tmp_file, $write_mode);
+	if (!$fd) {
+		// Unable to open temporary file for writing
+		return false;
+	}
+	if (!fwrite($fd, $content)) {
+		// Unable to write to temporary file
+		fclose($fd);
+		return false;
+	}
+	fclose($fd);
+
+	if (!rename($tmp_file, $file)) {
+		// Unable to move temporary file to original
+		unlink($tmp_file);
+		return false;
+	}
+	return true;
+}
+
 /f* config/reset_factory_defaults
  * NAME
  *   reset_factory_defaults - Reset the system to its default configuration.
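Review bot: `if (!fwrite($fd, $content)) {` misjudges two cases, because fwrite() returns the number of bytes written rather than a boolean: an empty $content yields 0 and is reported as a failure (temp file removed, false returned, caller die()s) although nothing went wrong, and a short write on a nearly full partition returns a positive count below strlen($content) and is treated as success, so a truncated file is then renamed over the good config.xml. Compare the count against the length instead, along the lines of `if (fwrite($fd, $content) !== strlen($content))`, and treat a mismatch as failure. Two smaller points: if the process dies between fopen() and rename(), the `$file . "." . getmypid()` file stays behind in /cf/conf, the partition this list has already seen fill up, so a sweep of stale `config.xml.*` files at boot or in the caller is worth adding, and the renamed file carries the permissions given by the umask rather than the original's mode; and the doc comment reads "them renaming" where "then renaming" is meant.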

Re: [pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
On Tue, May 6, 2008 at 1:54 PM, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 5/6/08, David Rees <[EMAIL PROTECTED]> wrote:
> > I did some checking in the PHP code - it does look like there are
>  >  various locations where the /conf/config.xml or
>  >  {$g['conf_path']}/config.xml or /cf/conf/config.xml are written just
>  >  using a plain fopen, write, close. This does leave you open to the
>  >  race condition I mentioned earlier where it's possible that another
>  >  process ends up reading a halfway written config file.
>
>  Yes and no.  Any config.xml operations are protected by config_lock()
>  and unlock(). Are you seeing a case where they are not?  Note:
>  write_config() automatically handles this behind the scenes.

Ah, missed that. I did see a few other places where it appears that
config.xml is written besides through the write_config routine...
Modifying write_config to update the config file atomically will be
straight forward and should cover most of the cases where the file is
commonly written.

If you lock the file before doing any reads of the config then we
should be sure that we always get a valid config file. Even if
everything does, it's not bad practice to attempt to write the config
files atomically.

But since the ping_hosts.sh script doesn't check, that explains the
problem. I'm guessing that there are other scripts that don't as well.

I'll see if I can modify write_config to do the "right thing".

-Dave




Re: [pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
On Tue, May 6, 2008 at 12:09 PM, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 5/6/08, David Rees <[EMAIL PROTECTED]> wrote:
>  >  If my theory is correct, I would suggest two fixes:
>  >
>  >  1. Make sure the config file is written atomically to the filesystem.
>  >  This means writing the file to a temporary file and then
>  >  moving/linking the temporary file over the real one.

I did some checking in the PHP code - it does look like there are
various locations where the /conf/config.xml or
{$g['conf_path']}/config.xml or /cf/conf/config.xml are written just
using a plain fopen, write, close. This does leave you open to the
race condition I mentioned earlier where it's possible that another
process ends up reading a halfway written config file.

I'll try to get the time to fix this properly - a generic "safe_write"
function which takes a filename as an argument, writes to a temporary
file in the same folder, then renames the temporary file over the
original filename should do the trick. Then it's just a matter of
finding all the places where the config file is written to and
replacing those sections of code with the function call.

>  >  2. Check that the read in the inner loop is successful and abort the
>  >  inner loop if not.
>  >
>  >  while [ "$configline" != "" ];
>  >  do
>  > read configline
>  > # check for successful read here and abort if not successful
>  > # inner loop code omitted for brevity
>  >  done

This sanity check is only a couple lines.

>  Excellent suggestions.   Can you  make these changes to your file and
>  test?  If all looks well submit a diff -rub patch and I'll get it
>  committed.

No problem, I just need to find the time to do the first patch which
is pretty involved. Find a patch to check that the read configline was
successful to avoid the infinite loop on a corrupt config file. Seems
to work on my system.

-Dave
--- ping_hosts.sh.orig	2007-11-23 17:17:54.0 -0800
+++ ping_hosts.sh	2008-05-06 13:45:33.0 -0700
@@ -25,6 +25,9 @@
 			VPNENABLED=1
 			while [ "$configline" != "" ];
 			do
+if ! read configline ; then
+	break
+fi
 read configline
 if [ "$configline" = "" ]; then
 	VPNENABLED=0
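Review bot: the unconditional ` read configline` on the context line right after the new `fi` is still in the loop, so each iteration now performs two reads: the line consumed by `if ! read configline` is immediately overwritten by the second read and every other config line is skipped. The guarded read should replace the old one rather than precede it, i.e. keep only `if ! read configline ; then break; fi` and delete the bare `read configline` that follows.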

Re: [pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
On Tue, May 6, 2008 at 11:31 AM, Scott Ullrich <[EMAIL PROTECTED]> wrote:
>  Since you appear to have some shell script knowledge check the script
>  where it reads in a couple of files.   Can you take a look at the
>  files that it reads in and tell me how many entries in the file there
>  are?
>
>  I am wondering if one of those files has grown in size to a point
>  where it can never finish processing.

All the files appear to be empty. No files are large. I suspect that
whatever triggered the issue has since resolved itself, otherwise we'd
have ping_hosts.sh scripts piling up every 5 minutes.

My best guess is that it's somehow gotten stuck in the loop reading
the config file near the top - possibly when doing the tunnel parsing.
This would make sense if the config file isn't written out atomically.

In the "while [ "$configline" != "" ];" loop there is an
explicit read - which doesn't appear to check to see if the read
failed or not - unfortunately I'm not familiar enough with the while
read bash syntax to know what happens when a read fails - would have
to do a bit of research and am a bit short on time right this second.

How is the config file written to disk? Is it simply overwritten? Or
does a temporary config get generated and then linked over the
original config file?

If my theory is correct, I would suggest two fixes:

1. Make sure the config file is written atomically to the filesystem.
This means writing the file to a temporary file and then
moving/linking the temporary file over the real one.

2. Check that the read in the inner loop is successful and abort the
inner loop if not.

while [ "$configline" != "" ];
do
read configline
# check for successful read here and abort if not successful
# inner loop code omitted for brevity
done

-Dave
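An added example, not code from the pfSense patch or from anyone in this thread: a POSIX sh version of the two fixes proposed above, an atomic write (temporary file in the same directory, then rename over the original) and a reader loop driven by read's exit status, so a truncated or half-written file ends the loop instead of spinning. The function names and the sample content are assumptions, not pfSense's own.

```shell
#!/bin/sh
# Added example (not part of the pfSense patch or the thread's own code).

# write_safe_file FILE CONTENT
# Writes CONTENT (plus a trailing newline) to a temporary file created in
# FILE's own directory, flushes it, then renames it over FILE. rename(2) is
# atomic within one filesystem, so a concurrent reader sees either the old
# file or the complete new one, never a half-written one. Returns non-zero
# on any failure and removes the temporary file.
write_safe_file() {
    file=$1
    content=$2
    dir=$(dirname -- "$file")
    # Temporary name lives beside the target so the rename never crosses
    # filesystems (a cross-filesystem mv is copy + delete, not atomic).
    tmp=$(mktemp "$dir/.$(basename -- "$file").XXXXXX") || return 1
    if ! printf '%s\n' "$content" > "$tmp"; then
        rm -f -- "$tmp"
        return 1
    fi
    # Push the data to disk before the new name becomes visible, otherwise a
    # crash can leave the name pointing at an empty file.
    sync
    if ! mv -f -- "$tmp" "$file"; then
        rm -f -- "$tmp"
        return 1
    fi
    return 0
}

# count_nonempty_lines FILE
# Walks FILE line by line the way ping_hosts.sh walks config.xml, but the
# loop condition is read's exit status, so EOF always terminates it. The
# "|| [ -n "$line" ]" clause still processes a final line that has no
# trailing newline, which is exactly what a truncated file ends with.
count_nonempty_lines() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}
```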




Re: [pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
On Tue, May 6, 2008 at 10:06 AM, Scott Ullrich <[EMAIL PROTECTED]> wrote:
>  Show the process information (ps awux  | grep ping).  It is normal for
>  this process to be running quite a bit but I am not sure about 8
>  hours.

root   59637  5.7  0.5  1744  1216  ??  S 7:51PM  58:41.28 /bin/sh
/etc/ping_hosts.sh
root1510  0.0  0.3  1268   732  ??  Is2:06PM   0:00.04
minicron 240 /var/run/ping_hosts.pid /etc/ping_hosts.sh
root   59636  0.0  0.5  1716  1176  ??  I 7:51PM   0:00.01 sh -c
/etc/ping_hosts.sh
root   88640  0.0  0.5  1744  1216  ??  S11:12AM   0:00.00 /bin/sh
/etc/ping_hosts.sh

The box was rebooted around 2pm. The high CPU utilization started
right before 8pm, you can see how the first ping_hosts.sh script has
used over an hour of CPU time. The script itself doesn't take up that
much CPU, but looking at top, CPU time is 25-30% user and 60-70%
system, 0% idle which seems to indicate that the script is forking off
a lot of processes.

I was making some changes to the NAT rules and number of states to
track around the time to see how pfsense would handle a SYN flood.

Looking at the script itself, I don't see any obvious places where the
script could get stuck. If it were possible to see what the script was
doing that would help.

I don't think I mentioned this earlier, but it's running 1.2 embedded
on ALIX hardware.

-Dave




Re: [pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
On Tue, May 6, 2008 at 9:27 AM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> David Rees wrote:
> > Was it just me, or did [EMAIL PROTECTED]'s reply look empty?
>
>  It was.

Thought so. ;-)

Anyone have any ideas on the ping_hosts.sh getting stuck and
apparently looping? It's still doing it 8 hours later - I'd like to
kill the process to let the box rest a bit, but if someone has any
requests for information or diagnostics before I do so I can wait a
bit...

-Dave




Re: [pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
On Tue, May 6, 2008 at 6:12 AM,  <[EMAIL PROTECTED]> wrote:
>

Was it just me, or did [EMAIL PROTECTED]'s reply look empty?

-Dave




[pfSense Support] ping_hosts.sh in infinite loop

2008-05-06 Thread David Rees
Earlier today while I was making some changes to my NAT rules (I was
testing to see how many connection states I can track as a result of
the DDoS/syn flood I am currently under[1]) and it seems that
/etc/ping_hosts.sh got stuck in an infinite loop. I'm guessing it's
forking processes which are immediately dying or something.

Anyone got a good way to debug this to try to gain some information
about why it's stuck and burning CPU before I kill the process?

-Dave

[1] http://forum.pfsense.org/index.php/topic,9284.msg52570.html#msg52570




Re: [pfSense Support] Wanted: Tips for a VLAN capable switch (for home use)

2008-04-05 Thread David Rees
On Sat, Apr 5, 2008 at 12:42 PM, Chris Buechler <[EMAIL PROTECTED]> wrote:
> The best fanless, managed gigabit switch I've seen is a Netgear
> GS108T. Actually it's the *only* managed fanless gigabit switch I've ever
> seen.  :)  Low price, and works well.

I can recommend that switch as well.

-Dave




Re: [pfSense Support] CARP

2008-04-01 Thread David Rees
On Mon, Mar 31, 2008 at 11:40 PM, Anil Garg <[EMAIL PROTECTED]> wrote:
> Say we have one www.server on lan or dmz.  If this server were to die, we want
> the system to point to another www.server on the same subnet.

Yes, you can do this with the Load Balancing feature.

-Dave




Re: [pfSense Support] Disable the userland FTP-Proxy application

2008-03-07 Thread David Rees
On Fri, Mar 7, 2008 at 6:11 PM, Anil Garg <[EMAIL PROTECTED]> wrote:
> Thanks dave. I am trying out different settings to figure out some problems
> I get with open VPN.  Part of the problem is in my lack of knowledge and
> that makes me shy about asking so many questions and consuming air time.

If you are having a problem with OpenVPN, why are you asking about the
FTP proxy?

Looking at the archives I see that this thread is a dupe from the same
unanswered post a couple days ago... Perhaps you'd have better luck
asking questions which are relevant to your problem as well as
supplying information as to why you are asking the question instead of
beating around the bush.

-Dave




Re: [pfSense Support] Disable the userland FTP-Proxy application

2008-03-07 Thread David Rees
On Fri, Mar 7, 2008 at 4:07 PM, Anil Garg wrote:
>> David Rees <[EMAIL PROTECTED]> wrote:
>>> On Thu, Mar 6, 2008 at 12:06> PM, Anil Garg wrote:
>>> Is there any harm in Disable the userland FTP-Proxy application ??
>>>
>>> Any pointers or lead to read somewhere else would be appreciated.
>>
>> If you don't use FTP, then no. If you do use FTP, then yes, keeping
>> the FTP-Proxy enabled can help.
>>
>> Google for ftp proxy and bsd to learn more about FTP proxies.
>
> It appears that if I am using FTP, pfsense is creating some rules for
> that duration that helps me do FTP smoothly. Most of the time we are
> using FTP to download patches and documents even on google search
> that use FTP - Correct?
>
> That's why we should leave this on...

Please keep messages on the list, thanks.

The real question is - if it's not broken, what are you trying to
"fix" by turning it off? It's on by default for a reason.

-Dave




Re: [pfSense Support] Disable the userland FTP-Proxy application

2008-03-07 Thread David Rees
On Thu, Mar 6, 2008 at 12:06 PM, Anil Garg <[EMAIL PROTECTED]> wrote:
>  Is there any harm in Disable the userland FTP-Proxy application ??
>
> Any pointers or lead to read somewhere else would be appreciated.

If you don't use FTP, then no. If you do use FTP, then yes, keeping
the FTP-Proxy enabled can help.

Google for ftp proxy and bsd to learn more about FTP proxies.

-Dave




Re: [pfSense Support] Squid using RAM disk

2008-03-05 Thread David Rees
On Wed, Mar 5, 2008 at 6:05 PM, Curtis LaMasters
<[EMAIL PROTECTED]> wrote:
> Hard drives are cheap, RAM isn't.  What are you actually trying to achieve?
> Parsing the logs on a disk isn't very time consuming.  Interesting idea
> though.

I suspect that he is trying to eliminate a commonly failed part - the
hard drive.

-Dave




Re: [pfSense Support] Help Get Games And SW Working Please

2008-02-29 Thread David Rees
On Fri, Feb 29, 2008 at 5:15 PM, SD <[EMAIL PROTECTED]> wrote:
> We recently installed pfSense firewall/routers, now none of my games
>  work (BF2, america's army).
>
>  My trading software isn't working either.
>
>  I tried the static port thing but it didn't help.

Help us help you... You have provided no information on what your
setup is like so any advice would be shots in the dark.

Please provide the following information:

1. Version of pfSense
2. Interface setup - WAN, LAN, Optional ports?
3. NAT setup
4. Packet filter rules

-Dave




[pfSense Support] Wiki Account & Documentation

2008-02-29 Thread David Rees
There were some changes I wanted to make to the wiki (notably the Multi
WAN 1.2 docs have some instructions backwards for the failover rules),
but I need an account. Will someone (I think that is Chris B) help me
get set up? Or are you specifically restricting access to developers?
I think if it was a bit easier to sign up, you might attract more
people willing to write/cleanup the documentation. (I know that
mediawiki has a ConfirmAccount module that helps keep the spammers out,
for example, by only activating accounts manually, and the ConfirmEdit
module which provides CAPTCHAs).

In addition, I think it would be useful to link to the devwiki as well
on the main website Documentation page, it still has some information
which is useful, the devwiki is hard to find unless you already know
it exists.

-Dave




Re: [pfSense Support] Setting gateways ?

2008-02-26 Thread David Rees
On Tue, Feb 26, 2008 at 7:48 AM, Mike Lever <[EMAIL PROTECTED]> wrote:
> I haven't had a reply from anyone.. please !! any assistance would greatly
> be appreciated. I know this may seem like a basic question but it's bringing
> my network to a halt  !

I think that you will find that if you don't provide enough
information and provide limited information in an extremely difficult
to read manner (HTML email, 15 gazillion attachments) you will have a
hard time getting people to respond. Asking the same question again
without changing anything will rarely do anything but annoy people.

So let's start over:

1. What version are you running?
2. How do you think each of your interfaces should be configured?
3. How are they configured incorrectly?

Please provide this information in plain text format that is easy to
read and I'm sure you will get the appropriate answers.

You may find this document helpful in formulating your reply and
future posts to the mailing lists and support forums.
http://catb.org/~esr/faqs/smart-questions.html

-Dave




Re: [pfSense Support] Basic Load Balancer

2008-02-26 Thread David Rees
On Mon, Feb 25, 2008 at 4:30 AM, Paul Cockings <[EMAIL PROTECTED]> wrote:
>  On a single ADSL connection, when customers are uploading/downloading
>  files to our FTP server this dramatically slows http/smtp.

Have you tried setting up QoS first? That will make a huge difference
in how much a big download or upload affects the performance of other
network usage at the time.

-Dave
