RE: [pfSense-discussion] Problems with CARP VIP and layer 3 switch
From: Vinicius Coque [mailto:vco...@gmail.com]
Sent: Monday, April 18, 2011 08:01

> On Sun, Apr 17, 2011 at 11:49 PM, Chris Buechler cbuech...@gmail.com wrote:
>> On Sun, Apr 17, 2011 at 10:25 PM, Vinicius Coque vco...@gmail.com wrote:
>>> Now I understand the problem. I'll keep track of the bug on redmine.
>>
>> I would definitely check the problem on the switch too, as in a CARP setup it shouldn't have problems with MACs that switch between ports quickly. That bug in and of itself isn't the problem; the nature of CARP means that switch issue will potentially cause other issues for you in the future.
>
> My client really needs the cluster working, so I have to find a solution for that. Now that you have given me more information about the problem, I'll check the switch and the CARP setup and see what I can get. If something works for me I'll inform you.

Can you tell us what model of switch(es) is (are) involved here? There are some specific configurations that can cause issues; others on the list may be able to make suggestions.

-Adam Thompson
athom...@athompso.net

---
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense-discussion] anyone using Netgear GSM7352S-200 ?
I'm not using that exact model, but I have two GS724Tv3 units in production. Hardware is decent - no dead ports so far (~10 months). Mine are the web-smart type without a serial port or CLI, so configuring VLANs is a royal pain in the ass. Other than that, the software is acceptable without being great in any way.

I have a good friend who resells that model (and the GS748 also) and he's got about 12 of them in production at various customer sites. In ~3 years, I think he's had to return 2 of them so far due to dead ports. One dead port is a (lifetime) warranty problem.

If you need to save money, Netgear seems to be OK. But I'd still rather have a ProCurve.

-Adam Thompson
athom...@athompso.net

-Original Message-
From: Eugen Leitl [mailto:eu...@leitl.org]
Sent: Wednesday, January 12, 2011 15:11
To: discussion@pfsense.com
Subject: [pfSense-discussion] anyone using Netgear GSM7352S-200 ?

> This is off-topic, but I figured this would be a good place to ask. Anyone using Netgear GSM7352S-200 in production?
>
> http://www.netgear.com/images/GSM7328Sv2_GSM7352Sv2_23Sept1018-10817.pdf
>
> I know, it's Netgear, but how badly does it blow chunks? Inquiring minds, etc.
>
> (Disclaimer: I am currently using Netgear and HP ProCurve, and thought to upgrade to Juniper, or at least ProCurve, but have severe budget issues: 6 kEUR for 2 48-port switches).
>
> --
> Eugen* Leitl <leitl> http://leitl.org
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
RE: [pfSense-discussion] country blocking for single address
The specific country involved might take far less than that; accuracy also matters. For example, I can block about 80% of Africa with less than ten rules. Blocking 100% of Africa takes hundreds of entries.

I do recall there was a way previously discussed on-list to import huge aliases; unfortunately, I *think* it consisted of download (backup) config.xml, edit it programmatically, then upload (restore) it. I also think there are enhancement requests still open for 2.0 to make this easier, but of course I can't find them right now...

-Adam Thompson
athom...@athompso.net

-Original Message-
From: Eugen Leitl [mailto:eu...@leitl.org]
Sent: Friday, November 26, 2010 06:46
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] country blocking for single address

> On Fri, Nov 26, 2010 at 01:19:15PM +0100, Eugen Leitl wrote:
>> I have a single (OS X) box on the home LAN, for which I would like to block all traffic against a specific country, or several countries. There's a pfSense 2.0 package for that (which I haven't been able to make work yet), but it blocks everything entirely. Can pfSense do this, or should I try improvising something on the OS X box with its native firewalling?
>
> A single country block takes about 20k lines of CIDR network notation. Apparently it's possible to produce ipfw rules via a script http://macscripter.net/viewtopic.php?id=19701 for OS X.
>
> It would be nice to be able to process ~20k lines worth of CIDR into a single alias. Would that work?
>
> --
> Eugen* Leitl <leitl> http://leitl.org
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
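Added example for the "~20k lines of CIDR into a single alias" question and Adam's "edit config.xml programmatically" route; it is not code from pfSense or from either poster. It parses a one-prefix-per-line country feed, collapses overlapping and adjacent prefixes so the alias carries far fewer entries, and renders a network alias element. The alias element layout (name/type/address/descr) is an assumption modelled on pfSense 2.x config.xml: compare it against an alias exported from your own backup before splicing it in.

```python
"""Aggregate a country CIDR list and emit a pfSense-style network alias.

Added example for the mailing-list thread, not pfSense code. The <alias>
element layout below is an assumption; verify it against your own config.xml.
"""
import ipaddress
from xml.sax.saxutils import escape

# Constructed sample feed: overlaps and adjacent halves that aggregate,
# plus a comment and a junk line, as real geo-feeds tend to contain.
SAMPLE_CIDRS = """\
# comment lines and blanks are ignored
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26
192.0.2.0/24
not-a-prefix
"""


def parse_cidrs(text):
    """Return the valid IPv4 networks from a one-prefix-per-line feed."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip junk rather than abort a 20k-line import
    return nets


def aggregate(nets):
    """Merge overlapping/adjacent prefixes: fewer entries, same coverage."""
    return list(ipaddress.collapse_addresses(nets))


def alias_xml(name, nets, descr=""):
    """Render one network alias; pfSense stores addresses space-separated."""
    addrs = " ".join(str(n) for n in nets)
    return (
        "<alias>\n"
        f"  <name>{escape(name)}</name>\n"
        "  <type>network</type>\n"
        f"  <address>{escape(addrs)}</address>\n"
        f"  <descr>{escape(descr)}</descr>\n"
        "</alias>"
    )
```

Call `alias_xml("BlockCountryX", aggregate(parse_cidrs(open("feed.txt").read())))` on a real feed; the six sample entries above collapse to three /24s.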
RE: [pfSense-discussion] how to receive BGP routes
You definitely need an AS number, although if your BGP route provider agrees, you can use a private AS number (kind of like RFC1918 IP addressing, conceptually). You don't need portable IP address space to get (or use) a BGP feed - again, subject to negotiation with your BGP provider(s).

I'm using OpenBGPD under 2.0B4 and it works OK (except for a nasty bug concerning 1:1 NAT entries [#958]). I'm not pulling in a full route set, though, only about 13k routes.

IPv4 portable address space is already extremely difficult to obtain - an ISP I do work for has to justify 80% usage of every additional class-C block they obtain, and they're only being given /24s and /23s now. (I think they're going to renumber a large chunk of addresses, though, and exchange a bunch of /23s and /22s for a /21.) It's not all that expensive to obtain IP addresses from ARIN; the problem is you likely don't meet their minimum thresholds. Quoting from https://www.arin.net/policy/nrpm.html:

    4.1.1. Routability
    Provider independent (portable) addresses issued directly from ARIN or other Regional Registries are not guaranteed to be globally routable. Therefore, ISPs should consider the following order of priority when requesting IP address space:
    - Request IP address space from upstream provider
    - Request IP address space from provider's provider
    - Request IP address space from ARIN (not guaranteed to be globally routable)

According to section 4.2.1.5 Minimum Allocation, ARIN will issue /20s or larger to end-users, and /22s and larger to multi-homed ISPs. And keep in mind that many large transit providers filter all announcements smaller than a defined threshold (I'm told that's up to /20 now in some cases).

You generally receive BGP feeds from your directly connected neighbours; typically this means both your ISPs must agree to talk BGP with you, they must both agree to advertise your address space, and they must both agree on your AS number. (Same considerations apply for n>2, just exponentially more difficult unless you're a large ISP yourself.)

It's perfectly feasible to run iBGP (i=internal), which is the same protocol but just not talking to anyone on the outside. This lets you set up multiple routers internally and experiment with BGP to your heart's content. It's also sometimes possible to find a friendly ISP and import a BGP feed from them and not talk BGP to your neighbours at all.

Most BGP partners will happily apply filters that discard all advertisements from you, which means you won't screw up anyone except yourself. And, AFAIK, most BGP routers have sane filters that block advertisements of (for example) 0.0.0.0/0, 127.0.0.0/8, 192.168.0.0/16, etc., so while it's always possible for BGP mistakes to affect many non-related users, it's fairly rare; I can only remember one internet-wide mistake in the last year or two.

I run an unusual case myself: I have two small public IP allocations, a /29 from my public ISP (TeraGo) and a /32 from my regional RD/Edu network (MRNET). I don't have any portable address space at all, and neither set of addresses is advertised to the opposite link; BGP only really helps me for outbound connections. I only talk BGP to MRNET (that's the 13k routes, basically CA*Net, NSFNet, ESNet, I2, et al.), and I use a default route to TeraGo.

If you live in an area with multiple large ISPs, you'll have much better luck finding someone who knows what BGP is. Ditto if you have business-grade service with an actual Account Manager assigned to you. Smaller, regional ISPs often refuse to provide BGP peering for non-technical reasons. (And good luck finding a Cable operator anywhere who's willing to even *think* about the possibility of a multi-homed customer...)

-Adam Thompson
athom...@athompso.net

-Original Message-
From: Eugen Leitl [mailto:eu...@leitl.org]
Sent: Thursday, November 11, 2010 07:07
To: discussion@pfsense.com
Subject: [pfSense-discussion] how to receive BGP routes

> I should now have enough resources (4 GByte RAM) to start fiddling around with the whole BGP table. As I have very little netop clue, from where can one receive a full feed? I do not have PI space nor an AS number, obviously. I hope to be able to obtain enough clue and finances eventually to get PI space (probably IPv6, as IPv4 PI should be getting terribly scarce rather soon).
>
> I see there's an OpenBGPD package in the 2.0-BETA4 list, as well as OpenOSPFD (the latter is only used within an AS, apparently). Is it possible to set up to receive a full routing table without having one's own AS? How would one go about making sure one's modifications do not get published by mistake? I'd rather try to avoid screwing up somebody's routes by a rookie mistake, for obvious reasons. This is just a lab.
>
> Thanks!
>
> --
> Eugen* Leitl <leitl> http://leitl.org
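Added example for the two safety points in this thread (Eugen's "how do I make sure my modifications don't get published by mistake" and Adam's note that sane peers drop 0.0.0.0/0, 127.0.0.0/8, 192.168.0.0/16 and anything below a size threshold); it is not OpenBGPD or pfSense code. It is the kind of pre-export check a lab operator can run over the prefixes a router is about to announce. The bogon list beyond the three prefixes named in the thread and the /24 accept threshold are assumptions; Adam notes some upstreams filter at /20.

```python
"""Sanity-filter candidate BGP announcements before a lab router exports them.

Added example for the mailing-list thread, not OpenBGPD code. The bogon list
and the /24 threshold are assumptions; match them to your own upstream policy.
"""
import ipaddress

# Well-known IPv4 bogons. The first three are the ones named in the thread;
# the rest are the usual RFC1918/link-local/multicast/reserved additions.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def check_prefix(prefix, max_prefixlen=24):
    """Return None if the prefix may be announced, else the reason to drop it."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return "not IPv4"
    if net.prefixlen == 0:
        return "default route"  # 0.0.0.0/0 must never leave the lab
    for bogon in BOGONS:
        if net.subnet_of(bogon):
            return f"bogon ({bogon})"
    if net.prefixlen > max_prefixlen:
        return f"longer than /{max_prefixlen}, upstreams will filter it"
    return None


def filter_announcements(prefixes, max_prefixlen=24):
    """Split candidates into (accepted, [(rejected, reason), ...])."""
    accepted, rejected = [], []
    for p in prefixes:
        reason = check_prefix(p, max_prefixlen)
        if reason is None:
            accepted.append(p)
        else:
            rejected.append((p, reason))
    return accepted, rejected


# Constructed sample: a lab RIB export mixing two legitimate-looking prefixes
# with the kinds of leaks a rookie configuration produces.
SAMPLE = ["203.0.113.0/24", "0.0.0.0/0", "192.168.1.0/24",
          "198.51.100.0/22", "198.51.100.0/29", "127.0.0.1/32"]

if __name__ == "__main__":
    ok, bad = filter_announcements(SAMPLE)
    print("accept:", ok)
    for p, why in bad:
        print(f"reject {p}: {why}")
```

The real safety net in a lab is still the peer-side filter Adam describes (ask the provider to discard everything you send), with a check like this as belt and braces on your own side.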
RE: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests
It works, but performance is, in my experience, poor. Don't use trunking (802.3ad / LACP) and VLANs together, or inter-VLAN routing slows down drastically. This appears to be a VMware problem, not a pfSense problem.

I recommend creating one virtual Ethernet device per network, and in fact mapping each virtual switch (or VLAN) to a physical NIC on the host. Basically, keep the networking as simple as possible; don't get fancy like I did.

-Adam Thompson
athom...@athompso.net

-Original Message-
From: Eugen Leitl [mailto:eu...@leitl.org]
Sent: Saturday, October 02, 2010 05:20
To: discussion@pfsense.com
Subject: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests

> A customer needs to run VMware instances on the cheap, so naturally I thought about http://wiki.hetzner.de/index.php/VMware_ESXi_english
>
> ESXi can't route by itself though, so I thought about putting pfSense into one VMware guest instance, and using that as a router/firewall for the other guests.
>
> Anyone here doing that? Works well? Care to share details of your setup?
>
> --
> Eugen* Leitl <leitl> http://leitl.org
> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
RE: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests
This started with 4.0. I have upgraded to 4.1 but haven't specifically tested performance since. Routing from one VLAN to another entirely inside VMware is still slow, however. AFAIK this is somehow related to interrupt handling and/or mitigation.

The bad news is that since upgrading to 4.1, the pfSense guest occasionally loses ALL network interrupts for about 15 minutes at a time - this happens at least once or twice a week. It starts slowly, performance is merely degraded, then nothing, then slowly returns to normal - the whole event takes ~15min.

Traffic arriving at or leaving the VMware HOST shows normal performance levels; it's only traffic within the host that seems slow: SMB traffic across the pfSense router, no NAT involved, one pass-all pf rule, runs between 10Mbit/sec and 100Mbit/sec. I also see lots of TCP badness if I run a sniffer on either end - dup acks, dup pkts, and missing packets. I also have a lot (~7Mbyte/sec) of multicast traffic on one of the VLANs, which may contribute to the problem.

-Adam

-Original Message-
From: Scott Ullrich [mailto:sullr...@gmail.com]
Sent: Saturday, October 02, 2010 13:37
To: discussion@pfsense.com
Subject: Re: [pfSense-discussion] pfSense router/firewall in a Vmware ESXi guest for other guests

> On Sat, Oct 2, 2010 at 2:27 PM, Adam Thompson athom...@c3a.ca wrote:
>> It works, but performance is, in my experience, poor. Don't use trunking (802.3ad / LACP) and VLANs together, or inter-VLAN routing slows down drastically. This appears to be a VMware problem, not a pfSense problem. I recommend creating one virtual Ethernet device per network, and in fact mapping each virtual switch (or VLAN) to a physical NIC on the host. Basically, keep the networking as simple as possible; don't get fancy like I did.
>
> Was this with 4.0 or 4.1? 4.1 seems to have drastically improved across the board in terms of I/O in general.
>
> Scott