Re: [pfSense-discussion] any chances to see pfsense on GuruPlug Plus?

2010-02-25 Thread Adrian Wenzel

Seeing that the current ALIX platform can switch at about 75Mbps, if the CPU on 
those plugs isn't much better, Gig-E gets you little advantage.  I agree, 
though, it'd be nice to see a little better hardware at that size.

-Adrian


- Original Message -
From: Mark Crane m...@netprofx.com
To: discussion@pfsense.com
Sent: Thursday, February 25, 2010 1:59:22 PM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] any chances to see pfsense on GuruPlug Plus?

Different CPU types.  You are comparing apples and oranges.  I bet this 
device will move about the same amount of packets at the end of the day.

Apples to oranges analogy may work with the CPU. Capability would have 
to be tested to know which one performs better. But apples and oranges 
doesn't apply to double the size of the RAM, Gb Ethernet vs 10/100 and 
all the extras.

Again I would like to see ALIX get an update to a more modern processor, 
with support for more RAM and Gb Ethernet.

Mark





Scott Ullrich wrote:


 On Thu, Feb 25, 2010 at 1:27 PM, Mark Crane m...@netprofx.com wrote:

 Look at the specs. ALIX could really use an updated CPU like the
 Intel atom or a VIA CPU.

 GuruPlug :
 Power consumption 5watts of power.
 CPU is over 1.2ghz
 512mb o16bit DDR2 800MHz
 esata support
 2x Gb Ethernet
 2x USB 2.0
 1x Micro SD
 built-in WiFi
 Bluetooth
 TDM chipset built into the board
 expansion port

 ALIX:
 CPU 500mHz
 128 to 256mb of Ram
 USB
 CF Card
 10/100 Ethernet

 ALIX specs in more detail.
 http://www.netgate.com/product_info.php?cPath=60_83products_id=516

 Some links
 http://hackaday.com/2010/02/08/guruplug-the-next-generation-of-sheevaplug/


 http://www.globalscaletechnologies.com/t-guruplugdetails.aspx


 Different CPU types.  You are comparing apples and oranges.  I bet 
 this device will move about the same amount of packets at the end of 
 the day.

 Scott
  




-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org





Re: [pfSense-discussion] Traffic shaping VOIP on low bandwidth connections?

2009-12-15 Thread Adrian Wenzel

You should set the in/out maxes to the real available bandwidth you experience. 
 Do several tests against different test sites.  If you set those max values 
too high, the shaper will allow you to clog your pipe (it lets too much 
traffic pass without shaping because it thinks it has more bandwidth to play 
with).

The reserve value for VoIP tells the shaper to make sure VoIP traffic never has 
less than that amount of bandwidth available.  If you're using G.729 and want 
to have a max of 10 channels active at one time, you'd want to put 320Kbps (10 
x 32Kbps (the bandwidth used for one G.729 channel)), perhaps 384Kbps to play 
it safe.

Regards,
Adrian


- Original Message -
From: Joe Lagreca lagr...@gmail.com
To: discussion@pfsense.com
Sent: Tuesday, December 15, 2009 2:43:26 PM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Traffic shaping VOIP on low bandwidth connections?

With the traffic shaper turned off, I get about 1340 kb/sec both ways.
 What should I set the traffic shaper's inbound bandwidth to?  Should
the outbound be the same?

Also, when it asks for reserving bandwidth for VOIP, what should I set
that to?  I have it set to 384 or 512 right now.  But I'm not even
sure what that is for.

Joe LaGreca
Founder & Owner, BIG Net Online
619-393-1733 x200 Office
619-318-3246 Cell
www.BIGnetOnline.com



On Tue, Dec 15, 2009 at 10:47 AM, Chris Buechler c...@pfsense.org wrote:
 On Mon, Dec 14, 2009 at 11:12 PM, Joe Lagreca lagr...@gmail.com wrote:
 I have a T-1 (1.54mb symmetrical) for our data connection.  Whenever
 there is a big download filling the pipe, the inbound voice chops.

 When I set the inbound traffic to 1450kb (tested all the way down to
 1000kb), I got VERY bad results.  Audio was VERY choppy inbound, and
 ping latency to the internal interface of the firewall would jump from
 1ms to 700ms.

 I was told you can't effectively rate limit the inbound traffic,

 Wrong.

 so I
 set the inbound bandwidth to 5,000 kb.  The outbound is set to 1450kb.
  It sounds much better, but I still have chops when a big download is
 initiated.


 Because of the above excessive limit. You can't do anything once
 traffic is on your downstream, but limiting on the download side
 delays traffic after it gets to you, causing TCP's congestion control
 to slow down the connection, and hence not overfill your downstream.









Re: [pfSense-discussion] Traffic shaping VOIP on low bandwidth connections?

2009-12-15 Thread Adrian Wenzel

Quick question: does it sound bad when the bandwidth maxes are set to 
experience levels and there's no other traffic present?

Anyhow, setting the bandwidth to 85-90% of experience levels is not a bad idea. 
 Setting it lower should yield better results than setting it higher.  There 
are issues with shaping that depend on the hardware and software.  For example, 
if more traffic than your bandwidth cap can pass through your interface between 
polls by the software, you're effectively limited in how low you can throttle 
traffic.  You should be above those levels, but that's just a guess without 
knowing what hardware you're using.

What queues and rules do you have setup in the shaper?

Thanks,
Adrian


- Original Message -
From: Joe Lagreca lagr...@gmail.com
To: discussion@pfsense.com
Sent: Tuesday, December 15, 2009 3:48:59 PM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Traffic shaping VOIP on low bandwidth connections?

The problem is that I have already done this (set bandwidth to real
experienced levels) and it sounds bad.

I get better results with the way it's set right now, however it still
has periods where it sounds bad.

I'm considering setting it to 90% of real experienced levels to see if
that helps.

I'd like it to be as good as in my office, but I also have a lot more
bandwidth.  But the shaping seems to work MUCH better when it has more
bandwidth to deal with.


Joe LaGreca
Founder & Owner, BIG Net Online
619-393-1733 x200 Office
619-318-3246 Cell
www.BIGnetOnline.com



On Tue, Dec 15, 2009 at 12:11 PM, Adrian Wenzel adr...@lostland.net wrote:

 You should set the in/out maxes to the real available bandwidth you 
 experience.  Do several tests against different test sites.  If you set those 
 max values too high, the shaper will allow you to clog your pipe (it lets 
 too much traffic pass without shaping because it thinks it has more bandwidth 
 to play with).

 The reserve value for VoIP tells the shaper to make sure VoIP traffic never 
 has less than that amount of bandwidth available.  If you're using G.729 and 
 want to have a max of 10 channels active at one time, you'd want to put 
 320Kbps (10 x 32Kbps (the bandwidth used for one G.729 channel)), perhaps 
 384Kbps to play it safe.

 Regards,
 Adrian


 - Original Message -
 From: Joe Lagreca lagr...@gmail.com
 To: discussion@pfsense.com
 Sent: Tuesday, December 15, 2009 2:43:26 PM GMT -05:00 US/Canada Eastern
 Subject: Re: [pfSense-discussion] Traffic shaping VOIP on low bandwidth connections?

 With the traffic shaper turned off, I get about 1340 kb/sec both ways.
  What should I set the traffic shaper's inbound bandwidth to?  Should
 the outbound be the same?

 Also, when it asks for reserving bandwidth for VOIP, what should I set
 that to?  I have it set to 384 or 512 right now.  But I'm not even
 sure what that is for.

 Joe LaGreca
 Founder & Owner, BIG Net Online
 619-393-1733 x200 Office
 619-318-3246 Cell
 www.BIGnetOnline.com



 On Tue, Dec 15, 2009 at 10:47 AM, Chris Buechler c...@pfsense.org wrote:
 On Mon, Dec 14, 2009 at 11:12 PM, Joe Lagreca lagr...@gmail.com wrote:
 I have a T-1 (1.54mb symmetrical) for our data connection.  Whenever
 there is a big download filling the pipe, the inbound voice chops.

 When I set the inbound traffic to 1450kb (tested all the way down to
 1000kb), I got VERY bad results.  Audio was VERY choppy inbound, and
 ping latency to the internal interface of the firewall would jump from
 1ms to 700ms.

 I was told you can't effectively rate limit the inbound traffic,

 Wrong.

 so I
 set the inbound bandwidth to 5,000 kb.  The outbound is set to 1450kb.
  It sounds much better, but I still have chops when a big download is
 initiated.


 Because of the above excessive limit. You can't do anything once
 traffic is on your downstream, but limiting on the download side
 delays traffic after it gets to you, causing TCP's congestion control
 to slow down the connection, and hence not overfill your downstream.









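An added example, not code from pfSense or from any of the posters, that models the two points made in the shaping posts above: the VoIP reserve is sized from the per-channel figure (10 x 32 Kbps, padded to 384 Kbps), and a downstream limit only works when it sits below the real link rate, because the firewall can only slow a download by delaying or dropping traffic that has already crossed the link so that the sender's TCP congestion control backs off. The 1340 Kbps link rate and the 90% setting are the figures quoted in the thread; the tick length, the halve-on-loss TCP model and the strict VoIP priority are assumptions of this example.

```python
"""Why a shaper limit must sit below the real link rate (constructed model).

One constant-rate VoIP flow and one greedy TCP download share a downstream
link.  The ISP side of the link is FIFO and knows nothing about queues or
reserves; the shaper on the firewall only sees traffic after it has crossed
the link, so its only lever is to hold back the bulk flow until the sender's
congestion control slows down.  This is a teaching model, not pfSense code.
"""


def voip_reserve_kbps(channels, per_channel_kbps=32, headroom_pct=20):
    """Bandwidth to reserve for VoIP: channels x per-channel rate plus headroom.

    The list post's figures: 10 G.729 channels x 32 Kbps = 320 Kbps, padded
    to 384 Kbps.  Integer arithmetic, rounded up, so the result is never short.
    """
    raw = channels * per_channel_kbps
    return -(-raw * (100 + headroom_pct) // 100)


def simulate(link_kbps, shaper_kbps, voip_kbps, ticks=200, bulk_step=50):
    """Tick-by-tick model; returns (voip_loss_ticks, peak_bulk_kbps).

    voip_loss_ticks counts ticks in which VoIP packets were dropped on the
    ISP side of the link, i.e. where no setting on the firewall could help.
    VoIP demand never exceeds its reserve, so the reserve behaves like strict
    priority inside the shaper (assumption of the model).
    """
    bulk_rate = bulk_step          # TCP sender starts low and probes upward
    voip_loss_ticks = 0
    peak_bulk = 0.0
    for _ in range(ticks):
        offered = voip_kbps + bulk_rate
        # 1. ISP link: FIFO, drops every flow proportionally once oversubscribed.
        link_drop = offered > link_kbps
        scale = link_kbps / offered if link_drop else 1.0
        arrived_voip = voip_kbps * scale
        arrived_bulk = bulk_rate * scale
        if arrived_voip < voip_kbps:
            voip_loss_ticks += 1
        # 2. Shaper on the firewall: VoIP served first up to the configured
        #    limit, bulk gets what is left, surplus bulk is queued/dropped.
        voip_out = min(arrived_voip, shaper_kbps)
        bulk_out = min(arrived_bulk, shaper_kbps - voip_out)
        shaper_drop = bulk_out < arrived_bulk
        # 3. Bulk TCP sender reacts: halve on any loss, otherwise probe upward.
        if link_drop or shaper_drop:
            bulk_rate = max(bulk_rate // 2, bulk_step)
        else:
            bulk_rate += bulk_step
        peak_bulk = max(peak_bulk, bulk_out)
    return voip_loss_ticks, peak_bulk


def compare_limits(measured_kbps=1340, voip_channels=10):
    """Limit at 90% of the measured rate versus a limit far above it."""
    reserve = voip_reserve_kbps(voip_channels)
    good_limit = measured_kbps * 9 // 10
    good = simulate(measured_kbps, good_limit, reserve)
    bad = simulate(measured_kbps, 5000, reserve)   # the 5,000 kb setting from the thread
    return {
        "reserve_kbps": reserve,
        "limit_90pct": {"shaper_kbps": good_limit,
                        "voip_loss_ticks": good[0],
                        "peak_bulk_kbps": round(good[1])},
        "limit_5000": {"shaper_kbps": 5000,
                       "voip_loss_ticks": bad[0],
                       "peak_bulk_kbps": round(bad[1])},
    }


if __name__ == "__main__":
    for name, result in compare_limits().items():
        print(name, result)
```

With the limit below the measured rate the shaper drops only bulk traffic and the VoIP flow never loses a packet; with the limit at 5000 the shaper never queues anything, the ISP's FIFO link becomes the bottleneck each time the download ramps up, and VoIP loses packets along with everything else, which is the periodic choppiness the thread describes.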

Re: [pfSense-discussion] Online scanning

2009-04-14 Thread Adrian Wenzel

Sounds like they're looking for a service that scans ports remotely, like some 
of those returned by googling:

- Original Message -
From: RB aoz@gmail.com
To: discussion@pfsense.com
Sent: Tuesday, April 14, 2009 8:20:11 AM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Online scanning

On Tue, Apr 14, 2009 at 04:10, cl...@pfsense pfse...@mail-fwd.archie.dk wrote:
 To test my new configuration can anyone recommend a secure, thorough online
 port scanner ?

What qualifies "thorough"?  Although nmap's aggressive mode pretty well
covers most "there's a port open and this is what it's running"
scenarios, it's not as thorough as some more limited application
scanners, like Metasploit.  What are you looking for?






Re: [pfSense-discussion] Online scanning

2009-04-14 Thread Adrian Wenzel

Sorry... googling:

online port scanner free

Honestly, I've never looked for a service like this.  Has anyone?

Regards,
Adrian


- Original Message -
From: Adrian Wenzel adr...@lostland.net
To: discussion@pfsense.com
Sent: Tuesday, April 14, 2009 8:53:59 AM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Online scanning


Sounds like they're looking for a service that scans ports remotely, like some 
of those returned by googling:

- Original Message -
From: RB aoz@gmail.com
To: discussion@pfsense.com
Sent: Tuesday, April 14, 2009 8:20:11 AM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Online scanning

On Tue, Apr 14, 2009 at 04:10, cl...@pfsense pfse...@mail-fwd.archie.dk wrote:
 To test my new configuration can anyone recommend a secure, thorough online
 port scanner ?

What qualifies "thorough"?  Although nmap's aggressive mode pretty well
covers most "there's a port open and this is what it's running"
scenarios, it's not as thorough as some more limited application
scanners, like Metasploit.  What are you looking for?






Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-28 Thread Adrian Wenzel

Hello,

   I'm glad you've made some progress.  I'd like to help explain private 
subnets, and since I don't know how much you already know, please don't be 
offended!  (I realize at this point I'm not helping you accomplish your task, 
but just trying to be helpful in general.)

There are three subnets allocated as private (for internal network use):

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16


I've listed these in CIDR notation, meaning the /xx at the end denotes the 
number of bits in the netmask that are 1s.  For example:

/8 means 255.0.0.0 or in binary:  ...

/12 means 255.240.0.0 or in binary:  ...


The purpose of the netmask is to determine what bits of an IP address make up 
the network address, and what bits make up the host address (ie, 
determining whether the IP is local or if requests should be made through a 
router).

A host with an IP of 172.16.0.1 and a netmask of 255.240.0.0 (or /12) would 
mean that these IPs would be local:

172.16-31.xxx.xxx


as shown by comparing the IP to the netmask:

  ... 
IP:   10101100.0001..0001
netmask:  ...
1st  2nd  3rd  4th


So there are 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in the 
4th octet that are valid for use as IPs on the local subnet (the +'s 
represent bits that, if changed, would tell the Transport layer that the IP is 
not local... the -'s are bits you can change to give yourself IPs local to your 
subnet.  Note that they correspond to the 1's and 0's of the netmask).

I hope this is somewhat understandable.  Also, keep in mind that these private 
subnets are referenced by the greatest possible netmask, but you're not 
required to use this as your netmask (in fact, you almost always shouldn't).

So, for your LAN2 subnet, you could use the following:

IP: 172.16.0.1
netmask: 255.255.255.0  (ie, /24)


This will give you 253 IPs available for your hosts (172.16.0.2-254).

As RB said, it's good to get these private subnets right, since accidentally 
using a subnet outside of these will cause you to lose access to any hosts on 
the internet that use the subnet (your hosts will think the IPs are local, and 
won't send their requests to the router to be forwarded).

Feel free to email me off-list if you have any more IP related questions.  
Sounds like RB's answered your routing questions.

Enjoy!

-Adrian


- Original Message -
From: Tortise tort...@paradise.net.nz
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 6:36:01 AM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

I think I've moved this on some.
What I did was avoid the subnet issues which I was clearly running into (and 
not fully understanding), I opted to use a 
172.10.x.x/16 private range for the 2nd LAN.
I entered the rules as per DarkFoon (Thank you)
Using the rules as suggested are preventing LAN2 access to LAN while allowing 
Internet access.
LAN does not yet seem to have LAN2 access yet though, in terms of no pings and 
no WINS access, which I was hoping for one way (LAN 
to LAN2 only) but perhaps that is just not going to happen in this dual LAN 
setup?
Any further guidance would be appreciated please.
Kind regards
David

- Original Message - 
From: Tortise tort...@paradise.net.nz
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 8:17 PM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)


Hi Adrian

Thank you so much for your response.

I think those numbers do have something to do with it, as when I enable OPT1 I 
lose the webserver's access and have to reset to a
default and start over  (I hate that!)

I have since tried configuring as:
LAN1: 10.aaa.bbb.ccc/8
LAN2: 10.(aaa+1).bbb.ccc/9

I presume I have still got it wrong.

I want to keep LAN1's IP numbers as it is, as there a number of Static DHCP 
assignments all set, for LAN2 I don't really care what
this is, and I can't imagine needing more than 20 addresses on LAN2, which may 
be relevant.  Can you suggest further?  (Of course
they can be changed if necessary)

Also I assume I will need to do some LAN2 rules to 1) give access to the 
Internet
and LAN1 rules to gain access to LAN2 however the devil may be lying in the 
detail to do that...

Still as you say we need to get LAN2 working for a start.

Kind regards
David
- Original Message - 
From: Adrian Wenzel adr...@lostland.net
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 7:05 PM
Subject: Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)



Hello,

   So, it seems you are configuring as such:

LAN1: 10.aaa.bbb.ccc/8

LAN2: 10.xxx.yyy.zzz/8

This is not right, since /8 means a netmask of 255.0.0.0, making the network 
portion of each subnet only the first octet... thus the
same subnet.  Two devices with configured with the same subnet, and on two

Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-28 Thread Adrian Wenzel

My apologies, I meant Network layer, not Transport.  Sheesh.  Serves me right 
for spamming the list with general info (as I spam it again with my correction 
;)


snip

So there are 4 bits in the 2nd octet, 8 bits in the 3rd octet, and 8 bits in the 
4th octet that are valid for use as IPs on the local subnet (the +'s 
represent bits that, if changed, would tell the Transport layer that the IP is 
not local... the -'s are bits you can change to give yourself IPs local to your 
subnet.  Note that they correspond to the 1's and 0's of the netmask).

/snip




Re: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

2009-02-27 Thread Adrian Wenzel

Hello,

   So, it seems you are configuring as such:

LAN1: 10.aaa.bbb.ccc/8

LAN2: 10.xxx.yyy.zzz/8

This is not right, since /8 means a netmask of 255.0.0.0, making the network 
portion of each subnet only the first octet... thus the same subnet.  Two 
devices configured with the same subnet, and on two different physical 
networks will not work.

You should try a netmask of 255.128.0.0, or /9 (assuming you really need all 
those IPs on each network).  That will correctly differentiate the subnets and 
allow routing to occur ;)

We can get into separating your LANs to disallow your desired access after this 
is working.

Thanks,
Adrian


- Original Message -
From: Tortise tort...@paradise.net.nz
To: discussion@pfsense.com
Sent: Saturday, February 28, 2009 12:05:17 AM GMT -05:00 US/Canada Eastern
Subject: [pfSense-discussion] WAN LAN1 and LAN2 (OPT1)

Hi

I have been trying to setup a WAN and two LAN.  (3 NIC's)

I want LAN1 to be able to access LAN2 but not the other way around.  The idea 
is that LAN1 is less public than LAN2.

i.e. visitors can connect to the Public LAN2 and browse the Internet etc 
while not having any access to LAN1

LAN 2 will have a LAN printer on it, as an example, which can receive print 
jobs from both LAN1 and LAN2.

WAN is a static IP to Cable.

LAN1 is using 10.xxx.yyy.zzz/8 and OPT was intended to use 10.aaa.bbb.ccc/8 
however enabling this seems to make it all fall over, ie 
I lose Internet connection from LAN things become unresponsive.

As an aside I tried editing /conf/config.xml however it would not save from the 
terminal window, does one have rights to edit the 
config there?  I was using the ee editor.

Has anyone done this sort of thing and what am I missing to get it working?

In anticipation many thanks indeed.

Kind regards
David 




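An added example, not pfSense code and not from any of the posts, that works through the netmask arithmetic in the private-subnet explanation above (how /8 and /12 become dotted masks, which addresses a host with 172.16.0.1/12 treats as local, the 253 host addresses left on 172.16.0.0/24 after the router takes .1) and the point of the /8 versus /9 reply, that two interfaces whose network bits are identical share one subnet and will not route between physical networks. Everything uses integer bit operations so the binary comparison from the post stays visible; the sample networks in the usage section are constructed.

```python
"""CIDR arithmetic behind the list post: masks, locality and subnet overlap.

Constructed example, not pfSense code.  Integer bit operations throughout so
the network/host split the post describes in binary is visible.
"""

# The three RFC 1918 blocks listed in the post.
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(dotted):
    """'172.16.0.1' -> 0xAC100001, rejecting malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/8 -> 255.0.0.0, /12 -> 255.240.0.0: the top `prefix` bits set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_ip(((1 << prefix) - 1) << (32 - prefix))


def to_bits(dotted):
    """Dotted binary, e.g. 172.16.0.1 -> 10101100.00010000.00000000.00000001."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))


def parse_cidr(cidr):
    """'10.1.0.0/9' -> (network as int, prefix, mask as int)."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = ip_to_int(prefix_to_mask(prefix))
    return ip_to_int(ip) & mask, prefix, mask


def same_subnet(ip_a, ip_b, prefix):
    """True when the network bits match, i.e. a host at ip_a would send to
    ip_b directly instead of handing the packet to its router."""
    mask = ip_to_int(prefix_to_mask(prefix))
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


def local_range(cidr):
    """Network, usable host range, and host count after reserving the router."""
    network, prefix, mask = parse_cidr(cidr)
    broadcast = network | (~mask & 0xFFFFFFFF)
    usable = max((1 << (32 - prefix)) - 2, 0)   # minus network and broadcast
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(mask),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable_hosts": usable,
        "hosts_after_gateway": max(usable - 1, 0),
    }


def subnets_overlap(cidr_a, cidr_b):
    """Two interfaces must not share address space: compare at the shorter prefix."""
    net_a, pre_a, _ = parse_cidr(cidr_a)
    net_b, pre_b, _ = parse_cidr(cidr_b)
    mask = ip_to_int(prefix_to_mask(min(pre_a, pre_b)))
    return (net_a & mask) == (net_b & mask)


def is_private(ip):
    """RFC 1918 check: does ip fall inside one of the three private blocks?"""
    value = ip_to_int(ip)
    for block in PRIVATE_BLOCKS:
        network, _, mask = parse_cidr(block)
        if value & mask == network:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values; 172.16.0.1/24 is the LAN2 suggestion from the post.
    print("IP:     ", to_bits("172.16.0.1"))
    print("netmask:", to_bits(prefix_to_mask(12)))
    print(local_range("172.16.0.1/24"))
    print("10.1.0.0/8 vs 10.2.0.0/8 overlap:", subnets_overlap("10.1.0.0/8", "10.2.0.0/8"))
    print("10.1.0.0/9 vs 10.129.0.0/9 overlap:", subnets_overlap("10.1.0.0/9", "10.129.0.0/9"))
```

`subnets_overlap` is the check to run before enabling a second LAN interface: if it returns True for the two interface networks, hosts on each side will consider the other side local and never hand those packets to the firewall, which is the symptom described in the thread. `is_private` is the companion check that an internal range really lies inside one of the three blocks, so that no public address space becomes unreachable from inside.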



Re: [pfSense-discussion] xen aware pfsense.

2009-01-28 Thread Adrian Wenzel

I think he understood, but was suggesting other virtualization ideas that he 
felt would be a more rewarding use of developer resources.  To me, it sounds 
like you want the feature set of pfsense available on a platform that runs 
virtual machines... for example, having a pfSense option in VMware to 
complement the NAT and HostOnly networking options.

I don't think it's a bad idea, I just don't think it should be a direction 
pfSense travels.  I think pfSense is an amazing project that has pushed its way 
past the usefulness of several commercial offerings, and that diluting it with 
additions to virtualize on top of it would take away from its core purpose.

If there are situations that merit combining all these features (pfSense, VMs) 
into one device, perhaps there's also another solution that would allow them to 
be separate, and still solve the problem?

-Adrian


- Original Message -
From: pfsense sense pfse...@kavadas.org
To: discussion@pfsense.com
Sent: Wednesday, January 28, 2009 5:13:42 PM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] xen aware pfsense.

"multiple concurrent PFSense instances"

no, you have also missed my point... i'm not interested in virtualizing 
pfsense 
my idea was to provide VT options, a dom0, along side pfsense... as it is 
available in Linux. 


                          | OS -- service (file)
cloud -- pfsense -- VT -- | OS -- service (mail)
                          | OS -- service (database)







On Wed, Jan 28, 2009 at 7:38 PM, Greg Hennessy  greg.henne...@nviz.net  
wrote: 




As the others have said, it depends on what you mean by 'integrate' 

Ignoring the lack of Xen dom0 support in FreeBSD for a moment. 
Utilising VT technology to deliver physical as well as logical isolation of 
multiple concurrent PFSense instances in a manner analogous to 

Fortinet VDOM : http://kc.forticare.com/default.asp?id=2065Lang=1SID = 

or 

Juniper VSYS : 
http://www.juniper.net/solutions/literature/white_papers/200103.pdf 

Does have a certain attraction from a managed service perspective. 

Hosting applications within domUs running on PFSense. A complete waste of time. 


Greg 






From: pfsense sense [ pfse...@kavadas.org ] 
Sent: 28 January 2009 00:42 
To: discussion@pfsense.com 

Subject: [pfSense-discussion] xen aware pfsense. 




has anyone considered the possibility of integrating xen with pfsense ? 

i might be losing my mind but wouldn't it be nice to have a pfsense running on 
hardware and a virtualization environment that allows us to install our OS's of 
choice perfectly protected behind pfsense ? 

does anyone else think it's a good idea ? 





Re: [pfSense-discussion] xen aware pfsense.

2009-01-27 Thread Adrian Wenzel

Something akin to this idea was discussed a while ago, and the best practice 
would be to steer clear of it.  It's not always advantageous to put all your 
eggs in one basket (sorry for the overused analogy).

Ideally, if you need something as complex as what pfSense provides, you would 
be better off implementing physically separate devices.  Combining them all 
creates too great a point of failure, and dilutes the goals of pfSense 
development.

This is my experience from my background.

Thanks,
Adrian


- Original Message -
From: pfsense sense pfse...@kavadas.org
To: discussion@pfsense.com
Sent: Tuesday, January 27, 2009 7:42:18 PM GMT -05:00 US/Canada Eastern
Subject: [pfSense-discussion] xen aware pfsense.

has anyone considered the possibility of integrating xen with pfsense ? 

i might be losing my mind but wouldn't it be nice to have a pfsense running on 
hardware and a virtualization environment that allows us to install our OS's of 
choice perfectly protected behind pfsense ? 

does anyone else think it's a good idea ? 




Re: [pfSense-discussion] Website filtering with pfSense on alix

2008-08-28 Thread Adrian Wenzel

Hello,

   It certainly isn't a replacement for pfSense, but untangle 
[http://www.untangle.com/] is pretty useful.  I'm running it for some clients in 
bridging mode between pfSense and their internal network.  It has much of the 
same functionality Barracuda boxes tout.  It emails reports on usage, and has 
an interesting Java UI.

Good luck!

-Adrian



- Original Message -
From: Rainer Duffner [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Thursday, August 28, 2008 10:27:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Website filtering with pfSense on alix

Gary Buckmaster schrieb:
 Mark Dueck wrote:
 Hi everyone,

 Is it possible to do website filtering on an Alix board?  I setup some
 businesses with gateways using squid and dansguardian to blanket block
 the internet, and then allowing access on a per ip basis or allow
 certain websites for the rest of the users.  Is this possible on an alix
 board using a CF by taking off caching, but using the dansguardian?  I
 have seen others asking the same, but not seen any replies.

 Or can this be setup using rules?

 Thanks.
   
 Mark,

 No, the embedded platform does not work with packages.  Further, squid 
 is an extreme resource hog and would kill most Alix board resources 
 even under fairly light load.  Lastly, Dansguardian isn't licensed to 
 be free for commercial use, so you may well be violating their license 
 by installing it for businesses.
 -Gary


Well, with rules only, I guess it would work if you only have a handful 
of websites (B2B scenario) that are OK to visit.


Rainer




Re: [pfSense-discussion] Setup advice wanted, devices for public library

2008-08-05 Thread Adrian Wenzel

I'll second that.  Security is the goal behind a device running pfSense or any 
other suite of software for filtering and controlling traffic.  As for the 
original poster, I would recommend netgate.com:

ALIX with 3xRJ45, 512MB CF, mini PCI for 802.11...:
http://www.netgate.com/product_info.php?cPath=60_88products_id=650

802.11 mini PCI cards:
http://www.netgate.com/index.php?cPath=27_86


Chris got me hooked on them (I ordered 2 the same day I saw his reference), and 
they are solid little workhorses.  They would satisfy the 4 interface 
requirement perfectly.

Good luck!

-Adrian


- Original Message -
From: Gary Buckmaster [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, August 5, 2008 2:52:33 PM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Setup advice wanted, devices for public library

This question comes up from time to time and is perpetually (and with 
great gusto) shot down.  Running services such as Samba, ftpds, et al, 
on your firewall are not considered part of best security practices and 
are sternly advised against.  A firewall should always serve as a 
stand-alone device.  If you require samba for your network, best 
practices dictate installing it on its own box. 

Richard Davis wrote:
 I saw your pfSense post about wanting to run Samba on the firewall.  Did you
 ever get a resolution?  I'm thinking of doing it that myself and I was
 curious if it worked out for you.  

 Any help would be appreciated. 

 Richard
 [EMAIL PROTECTED]


 -Original Message-
 From: Josh Stompro [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, March 28, 2006 5:26 PM
 To: discussion@pfsense.com
 Subject: [pfSense-discussion] Setup advice wanted, devices for public
 library

 I am trying to get things organized to deploy firewalls in 19 public 
 libraries and 1 headquarters.   I initially was using IPcop but really 
 needed some of the features that pfSense was offering.

 Currently I am looking to buy 21 FX5620 (the one Scott mentioned on the 
 pfSense blog) from Abiatech.com (site down, email abiatech (at) 
 sbcglobal.net for info) for around $390 each. I was going to go with Lex 
 booksized pc (CV860A-3R5F) from synertrontech.com  (about $260 each with 
 no memory), but I really need 4 interfaces for what I want to do.

 Each branch would use the interfaces like this (with some differences 
 due to size of the library)
 1 - Wan
 1 - Staff PC (Lan,dhcp, may use the other 2 ports in bridged mode for 
 staff machines, so I don't need an extra or managed switch, High Priority)
 1 - Public PC (Opt1, dhcp, throttled low priority)
 1 - Public Wireless (Opt2, Captive portal, dhcp, Throttled low priority)

 Currently it isn't possible to traffic shape more than 2 interfaces 
 with pfSense so I think that part of the plan will have to wait, I would 
 only throttle the public wireless interface to start with, and the 
 others would just have a free run. 

 A main goal is to protect the staff machines from the public machines 
 and the wireless and make sure they always have the bandwidth they need 
 for our core circulation application to remain responsive.  I also want 
 to setup vpn links between our staff machines in the branches and 
 headquarters so I can get everyone on one active directory.

 I was planning on doing a mix of Hard drive and CF setups, hard drives 
 in a few larger branches where we may want to run squid filtering or 
 have a local samba share.  In most of the other locations I would rather 
 go with CF so there are no moving parts.  I am looking at Kingston Elite 
 Pro CF cards, 512mb for $30 dollars, I saw them mentioned on the list.  
 Does anyone have any recommendations of other brands.  Is there really 
 any point to getting a larger CF card? Is 64 or 128 sufficient when 
 going with CF since I wouldn't want to be doing anything read or write 
 intensive with them anyway?  Anyone have recommendations for 2.5 inch 
 hard drives for this sort of application? 

 Has anyone thought of how a pfSense manager would work, something that 
 would control a large deployment of pfSense Firewalls. 

 Thank you
 Josh


   



Re: [pfSense-discussion] Setup advice wanted, devices for public library

2008-08-05 Thread Adrian Wenzel

Whoops, typed ALIX on the wrong line ;)


- Original Message -
From: Adrian Wenzel [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, August 5, 2008 3:35:16 PM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Setup advice wanted, devices for public library


I'll second that.  Security is the goal behind a device running pfSense or any 
other suite of software for filtering and controlling traffic.  As for the 
original poster, I would recommend netgate.com:

ALIX with 3xRJ45, 512MB CF, mini PCI for 802.11...:
http://www.netgate.com/product_info.php?cPath=60_88products_id=650

802.11 mini PCI cards:
http://www.netgate.com/index.php?cPath=27_86


Chris got me hooked on them (I ordered 2 the same day I saw his reference), and 
they are solid little workhorses.  They would satisfy the 4 interface 
requirement perfectly.

Good luck!

-Adrian


- Original Message -
From: Gary Buckmaster [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, August 5, 2008 2:52:33 PM GMT -05:00 US/Canada Eastern
Subject: Re: [pfSense-discussion] Setup advice wanted, devices for public 
library

This question comes up from time to time and is perpetually (and with 
great gusto) shot down.  Running services such as Samba, ftpds, et al, 
on your firewall is not considered part of best security practices and 
is sternly advised against.  A firewall should always serve as a 
stand-alone device.  If you require Samba for your network, best 
practices dictate installing it on its own box. 

Richard Davis wrote:
 I saw your pfSense post about wanting to run Samba on the firewall.  Did you
 ever get a resolution?  I'm thinking of doing it that myself and I was
 curious if it worked out for you.  

 Any help would be appreciated. 

 Richard
 [EMAIL PROTECTED]


 -Original Message-
 From: Josh Stompro [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, March 28, 2006 5:26 PM
 To: discussion@pfsense.com
 Subject: [pfSense-discussion] Setup advice wanted, devices for public
 library

 I am trying to get things organized to deploy firewalls in 19 public 
 libraries and 1 headquarters.  I initially was using IPcop but really 
 needed some of the features that pfSense was offering.

 Currently I am looking to buy 21 FX5620 (the one Scott mentioned on the 
 pfSense blog) from Abiatech.com (site down, email abiatech (at) 
 sbcglobal.net for info) for around $390 each. I was going to go with Lex 
 booksized pc (CV860A-3R5F) from synertrontech.com  (about $260 each with 
 no memory), but I really need 4 interfaces for what I want to do.

 Each branch would use the interfaces like this (with some differences 
 due to size of the library)
 1 - Wan
 1 - Staff PC (Lan, dhcp, may use the other 2 ports in bridged mode for 
 staff machines, so I don't need an extra or managed switch, High Priority)
 1 - Public PC (Opt1, dhcp, throttled low priority)
 1 - Public Wireless (Opt2, Captive portal, dhcp, Throttled low priority)

 Currently it isn't possible to traffic shape more than 2 interfaces 
 with pfSense so I think that part of the plan will have to wait, I would 
 only throttle the public wireless interface to start with, and the 
 others would just have a free run. 

 A main goal is to protect the staff machines from the public machines 
 and the wireless and make sure they always have the bandwidth they need 
 for our core circulation application to remain responsive.  I also want 
 to setup vpn links between our staff machines in the branches and 
 headquarters so I can get everyone on one active directory.

 I was planning on doing a mix of Hard drive and CF setups, hard drives 
 in a few larger branches where we may want to run squid filtering or 
 have a local samba share.  In most of the other locations I would rather 
 go with CF so there are no moving parts.  I am looking at Kingston Elite 
 Pro CF cards, 512mb for $30 dollars, I saw them mentioned on the list.  
 Does anyone have any recommendations for other brands?  Is there really 
 any point to getting a larger CF card? Is 64 or 128 sufficient when 
 going with CF since I wouldn't want to be doing anything read or write 
 intensive with them anyway?  Anyone have recommendations for 2.5 inch 
 hard drives for this sort of application? 

 Has anyone thought of how a pfSense manager would work, something that 
 would control a large deployment of pfSense Firewalls. 

 Thank you
 Josh





Re: [pfSense-discussion] Setup advice wanted, devices for public library

2008-08-05 Thread Adrian Wenzel

Wow... sorry to spam the list with answers to 2.5 year old questions.  Hope 
someone else found it informative.  Things you read, like dates, get delayed a 
bit traversing the neural pathways when all you're thinking about is your 
cousin with Leukemia who just had a stroke.

Sorry.  Those enclosures from netgate.com are nice though, good for branding.

-Adrian





Re: [pfSense-discussion] Port forward back from internal network

2008-06-03 Thread Adrian Wenzel

What you're looking for is under System -> Advanced, labeled "Disable NAT 
Reflection".  Uncheck this box, save, and pfSense will automatically create 
rules to redirect traffic back to local hosts when accessed by the external 
IP.  pfSense uses netcat for this, however, unlike Linux and iptables (which 
can handle this without funky rules), and there's a 20-second timeout on 
connections with no activity.  So, if you're doing ssh, you'll have to send 
keep-alives to avoid being disconnected.

Cheers,
Adrian


- Original Message -
From: Johan Gunnarsson [EMAIL PROTECTED]
To: discussion@pfsense.com
Sent: Tuesday, June 3, 2008 7:28:58 AM GMT -05:00 US/Canada Eastern
Subject: [pfSense-discussion] Port forward back from internal network

I have port forwarding set up on my pfsense box to access an imap-server
on the network connected to my LAN interface. Everything works well when
I'm using it from the outside:

[EMAIL PROTECTED]:~$ telnet mail.example.com 143
Trying 1.2.3.4...
Connected to pfsense.example.com.
Escape character is '^]'.
* OK Dovecot ready.

However some of my applications running on machines on the internal
network need to access the imap server using the outside hostname and
this does not work. pfSense does not seem to understand that traffic
with the destination address of the WAN interface originating from the
network connected to the LAN interface should be port forwarded in the
same way as connections from the outside.

What is the *right* way to solve this? Right now I just use an entry in
the hosts file to make the connections go directly to the internal ip
but that's not the solution I'm looking for.





-- 


Med vänliga hälsningar / Regards

Johan Gunnarsson
Xcerion AB

Xcerion AB
Drottninggatan 33   Direct: +46 709-45 08 57
Box 569             Office: +46 13-21 44 00
SE-581 07 Linköping
http://www.xcerion.com   [EMAIL PROTECTED]

Please note that this message may contain confidential information.
Unless explicitly so designated this e-mail does not constitute a
contract offer, a contract amendment, or an acceptance of a contract
offer. The views expressed in this email may not be the policy or view
of Xcerion AB.



Re: [pfSense-discussion] Interface alias

2007-10-22 Thread Adrian Wenzel

Hello, 

Look under the menus Firewall -> Virtual IPs. Add a virtual IP, leaving the 
default Proxy ARP for type. 

Cheers, 
Adrian 


- Original Message - 
From: Antonio Basti [EMAIL PROTECTED] 
To: discussion@pfsense.com 
Sent: Monday, October 22, 2007 11:26:47 AM (GMT-0500) America/New_York 
Subject: [pfSense-discussion] Interface alias 

How can I configure an interface alias? I wish to have more IP addresses 
from different subnets on the same interface; is it possible? 
Thanks