Re: [pfSense-discussion] Known PFsense Limits?

2006-12-15 Thread Scott Ullrich

On 12/15/06, Odette <[EMAIL PROTECTED]> wrote:

> FYI, I've successfully substituted Linux-iptables with PFsense on Soekris
> net4801 using 5 eth ports and everything has been running fine for more than
> 30 days.
>
> About the rule translation nightmare: aliases and rules optimization permitted
> me to convert the 1000 lines in about 50 rules. Great!
> I think it would be a great enhancement to be able to define "aliases of
> aliases" to further reduce the ruleset management complexity.


Yes, agreed.  I would also like to see this in a future version.


> Thanks again to everybody involved in PFsense development and support!


Glad that it worked out for you.

Scott


Re: [pfSense-discussion] Known PFsense Limits?

2006-12-15 Thread Odette
FYI, I've successfully substituted Linux-iptables with PFsense on Soekris 
net4801 using 5 eth ports and everything has been running fine for more than 
30 days.

About the rule translation nightmare: aliases and rules optimization permitted 
me to convert the 1000 lines in about 50 rules. Great!
I think it would be a great enhancement to be able to define "aliases of 
aliases" to further reduce the ruleset management complexity.

Thanks again to everybody involved in PFsense development and support!

Odette

At 16:20 on Tuesday 6 June 2006, Odette wrote:
> Hi all,
>
>   I need to substitute our production firewall, and I'd like to use PFsense
> which I've already successfully used for home or small office environments.
>
> The solution I'm going to substitute is based on Linux-iptables which
> requires more than 1000 rules. I need more than 25 static routes, and 5
> VPNs.
>
> Furthermore, in the next future we are migrating 2 of 3 network branches on
> Gbit.
>
> I'd like to try with PFsense, but my boss (I'm sure) will kill me in the
> event I spend half a week in setting up the new PFsense and writing down
> all the rules to see that PFsense is not the right solution.
>
> Is there a rules number limit or a session number limit implemented in
> PFsense?
>
> Does somebody have some expertise in similar situations?
>
> Anybody able to supply info or suggestions?
>
> Thanks in advance
>
>    Odette


Re: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Odette
Sure. I posted on both the mailing lists because M0n0wall and PFsense are the 
two projects I'm mainly interested in.

I've been playing successfully with both M0n0wall and PFsense:

I'm using m0n0 where all the features added in PFsense are not needed, because 
I feel (note that this is my personal feeling) M0n0 should be more stable, 
and because a firewall should be as light and small as possible.

Sometimes the features available in PFSense have been the added value of the 
solution.

About the substitution I'm planning: I would benefit from the PFSense added 
features, but I also need a very stable platform. This is why I'm 
investigating both the solutions.

The third and last opportunity I'm keeping in my mind as an alternative (in 
case I'll see M0n0 and/or PFsense will not be the right solution to my 
problems) is to build a couple of Gentoo boxes with FWBuilder on iptables 
http://sourceforge.net/projects/fwbuilder

This third solution gives me more flexibility, but requires much more time 
to be ready and a bigger maintenance effort.

Odette

P.S.: I did not post the message on other places ;-)
And I hope I won't. If I do, it means that I spent much time on unsuitable 
targets... and that my boss is going to be a  :-)




At 17:09 on Tuesday 6 June 2006, Scott Ullrich wrote:
> Déjà vu.  I just saw this exact message on the m0n0wall with
> s/pfSense/m0n0wall/.
>
> On 6/6/06, Odette <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> >  I need to substitute our production firewall, and I'd like to use
> > PFsense which I've already successfully used for home or small office
> > environments.
> >
> > The solution I'm going to substitute is based on Linux-iptables which
> > requires more than 1000 rules. I need more than 25 static routes, and 5
> > VPNs.
> >
> > Furthermore, in the next future we are migrating 2 of 3 network branches
> > on Gbit.
> >
> > I'd like to try with PFsense, but my boss (I'm sure) will kill me in the
> > event I spend half a week in setting up the new PFsense and writing down
> > all the rules to see that PFsense is not the right solution.
> >
> > Is there a rules number limit or a session number limit implemented in
> > PFsense?
> >
> > Does somebody have some expertise in similar situations?
> >
> > Anybody able to supply info or suggestions?
> >
> > Thanks in advance
> >
> >  Odette


Re: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Odette
At 17:00 on Tuesday 6 June 2006, Holger Bauer wrote:
> There are some limitations of pfSense 1.0 that maybe don't apply to your
> setup (also just a quick shot from what comes to my mind at once):
>
> - The ftp-helper will only work at WAN when using multiwan/loadbalancing
OK
> - loadbalancing only works for connections running through pfSense
> (services that run at the firewall directly like the squid package can't
> use loadbalancing or multiwan)
OK
> - NAT reflection only works for portranges 
> with less than 500 ports and not for 1:1 NATs
OK
> - not all services work well 
> with loadbalancing. this however is NOT a pfSense problem but poor protocol
> design or poor application code at the clientside.
Do you have news about Citrix?
> - you need static gateways to use the loadbalancing pool for outgoing
> loadbalancing
OK
> - trafficshaping only works for 2 interfaces correctly (at least from what
> you can do with the webgui)
OK
> - if you run CARP (which is something that you 
> should consider for an install of that size) each node needs a dedicated IP
> that can't be shared/handed over, however they still can be forwarded or
> used on the single node.
10x
> - after CARP failover all already established 
> connections will be in the default queues
OK
> - IPSEC only will work with at 
> least one static IP at one end
OK
> - Routing via IPSEC needs parallel tunnels to work
OK
> - shaping and filtering inside IPSEC tunnels doesn't work (however you can
> filter traffic incoming at the end before the traffic goes into the tunnel
> if you control both ends)
OK
> - you only can bridge wireless interfaces to 
> another interface if the interface is in hostap mode
10x
> - you only can have a 
> bridge group with 2 interfaces
10x
> - traffic shaping won't work on a bridge
OK
> - captive portal can only be enabled at one interface
OK
> - DynDNS can only be used for the original WAN interface
OK
>
> Several of these limitations are already fixed in the head release or seem
> to be fixable but need time to be implemented/tested. Keep in mind this is
> Version 1.0 and it's been feature frozen for several months already while
> development of the head codetree continued. We absolutely don't recommend
> running HEAD atm and we don't support it either, just in case you want to ask
> why not run HEAD ;-)

Suicide is not my hobby ;-)
>
>
> Concerning Hardware:
>
> - You should consider using some highend machines with a fast PCI bus as
> all traffic has to pass the bus and the CPU and you plan to run several
> IPSEC tunnels
Sure
> - like Bill said, each state takes a bit of RAM. You should 
> consider this when calculating your hardware
>
> Holger
>

10x very much to everyone for providing feedback so quickly.

To the macaroni-eaters (AKA mandolino-players, pizza-eaters etc.) like me:

  Thanks to you too, Angelo


> > -Original Message-
> > From: Odette [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 06, 2006 4:20 PM
> > To: discussion@pfsense.com
> > Subject: [pfSense-discussion] Known PFsense Limits?
> >
> >
> > Hi all,
> >
> >   I need to substitute our production firewall, and I'd like
> > to use PFsense
> > which I've already successfully used for home or small office
> > environments.
> >
> > The solution I'm going to substitute is based on
> > Linux-iptables which requires
> > more than 1000 rules. I need more than 25 static routes, and 5 VPNs.
> >
> > Furthermore, in the next future we are migrating 2 of 3
> > network branches on
> > Gbit.
> >
> > I'd like to try with PFsense, but my boss (I'm sure) will
> > kill me in the event
> > I spend half a week in setting up the new PFsense and writing
> > down all the
> > rules to see that PFsense is not the right solution.
> >
> > Is there a rules number limit or a session number limit
> > implemented in
> > PFsense?
> >
> > Does somebody have some expertise in similar situations?
> >
> > Anybody able to supply info or suggestions?
> >
> > Thanks in advance
> >
> >    Odette
>


Re: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Scott Ullrich

Déjà vu.  I just saw this exact message on the m0n0wall with s/pfSense/m0n0wall/.

On 6/6/06, Odette <[EMAIL PROTECTED]> wrote:

> Hi all,
>
>  I need to substitute our production firewall, and I'd like to use PFsense
> which I've already successfully used for home or small office environments.
>
> The solution I'm going to substitute is based on Linux-iptables which requires
> more than 1000 rules. I need more than 25 static routes, and 5 VPNs.
>
> Furthermore, in the next future we are migrating 2 of 3 network branches on
> Gbit.
>
> I'd like to try with PFsense, but my boss (I'm sure) will kill me in the event
> I spend half a week in setting up the new PFsense and writing down all the
> rules to see that PFsense is not the right solution.
>
> Is there a rules number limit or a session number limit implemented in
> PFsense?
>
> Does somebody have some expertise in similar situations?
>
> Anybody able to supply info or suggestions?
>
> Thanks in advance
>
>  Odette



RE: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Holger Bauer
There are some limitations of pfSense 1.0 that maybe don't apply to your setup 
(also just a quick shot from what comes to my mind at once):

- The ftp-helper will only work at WAN when using multiwan/loadbalancing
- loadbalancing only works for connections running through pfSense (services 
that run at the firewall directly like the squid package can't use 
loadbalancing or multiwan)
- NAT reflection only works for portranges with less than 500 ports and not for 
1:1 NATs
- not all services work well with loadbalancing. This, however, is NOT a pfSense 
problem but poor protocol design or poor application code at the clientside.
- you need static gateways to use the loadbalancing pool for outgoing 
loadbalancing
- trafficshaping only works for 2 interfaces correctly (at least from what you 
can do with the webgui)
- if you run CARP (which is something that you should consider for an install 
of that size) each node needs a dedicated IP that can't be shared/handed over, 
however they still can be forwarded or used on the single node.
- after CARP failover all already established connections will be in the 
default queues
- IPSEC will only work with at least one static IP at one end
- Routing via IPSEC needs parallel tunnels to work
- shaping and filtering inside IPSEC tunnels doesn't work (however you can 
filter traffic incoming at the end before the traffic goes into the tunnel if 
you control both ends)
- you only can bridge wireless interfaces to another interface if the interface 
is in hostap mode
- you only can have a bridge group with 2 interfaces
- traffic shaping won't work on a bridge
- captive portal can only be enabled at one interface
- DynDNS can only be used for the original WAN interface

Several of these limitations are already fixed in the head release or seem to 
be fixable but need time to be implemented/tested. Keep in mind this is Version 
1.0 and it's been feature frozen for several months already while development of the 
head codetree continued. We absolutely don't recommend running HEAD atm and we 
don't support it either, just in case you want to ask why not run HEAD ;-)


Concerning Hardware:

- You should consider using some highend machines with a fast PCI bus as all 
traffic has to pass the bus and the CPU and you plan to run several IPSEC 
tunnels
- like Bill said, each state takes a bit of RAM. You should consider this when 
calculating your hardware

Holger

> -Original Message-
> From: Odette [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 06, 2006 4:20 PM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Known PFsense Limits?
> 
> 
> Hi all,
> 
>   I need to substitute our production firewall, and I'd like 
> to use PFsense 
> which I've already successfully used for home or small office 
> environments.
> 
> The solution I'm going to substitute is based on 
> Linux-iptables which requires 
> more than 1000 rules. I need more than 25 static routes, and 5 VPNs.
> 
> Furthermore, in the next future we are migrating 2 of 3 
> network branches on 
> Gbit.
> 
> I'd like to try with PFsense, but my boss (I'm sure) will 
> kill me in the event 
> I spend half a week in setting up the new PFsense and writing 
> down all the 
> rules to see that PFsense is not the right solution.
> 
> Is there a rules number limit or a session number limit 
> implemented in 
> PFsense? 
> 
> Does somebody have some expertise in similar situations?
> 
> Anybody able to supply info or suggestions?
> 
> Thanks in advance
> 
>    Odette
> 





Re: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Angelo Turetta

Odette wrote:

>   I need to substitute our production firewall, and I'd like to use PFsense 
> which I've already successfully used for home or small office environments.
>
> The solution I'm going to substitute is based on Linux-iptables which requires 
> more than 1000 rules. I need more than 25 static routes, and 5 VPNs.
>
> Furthermore, in the next future we are migrating 2 of 3 network branches on 
> Gbit.


The challenge is multiple-faced.

Performance-wise, just use decent modern hardware and you'll have no 
trouble routing/filtering multiple Gbit networks. You might have 
troubles using 10GBps NICs at full pipe capacity, though you're not 
going to solve such problems using Linux either.
Just beware that encrypted VPN traffic requires many processor cycles; if 
you need high -sustained- bandwidth VPNs, find a HW crypto accelerator.


Feature-wise, the Linux routing capabilities are more advanced than 
what's available in BSD. If you are using policy routing via 'ip route' 
and multiple routing tables, you may have to plan in advance (and test) 
how your topology can be implemented in pfSense.


Unfortunately, this means you have to actually try and configure your 
test-firewall before you can know whether pfSense is your best choice or 
not.


Angelo Turetta


RE: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Greg Hennessy
> 
> The solution I'm going to substitute is based on 
> Linux-iptables which requires more than 1000 rules. 

You have my deepest sympathies; it must be a nightmare to manage. 

> Is there a rules number limit or a session number limit 
> implemented in PFsense? 

Nothing which isn't documented already in 

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+6.0-stable&format=html

in particular 'set limit'. 

The only real limits I've found are how much memory and CPU you can throw at
the problem. 

If I was to hazard a guess, I would reckon that your 1000 iptables rules
will condense down to perhaps half that amount or less once you take
advantage of features such as Tables. 

You will get a much better idea by posting here

http://forum.pfsense.com/

It's a bit more active there than the mailing list. 


Throughput wise, I've deployed PF on FreeBSD into production roles where it
runs stateful packet filtering at close to gig-e wire speed. 



Greg




Re: [pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Bill Marquette

On 6/6/06, Odette <[EMAIL PROTECTED]> wrote:

> Hi all,
>
>  I need to substitute our production firewall, and I'd like to use PFsense
> which I've already successfully used for home or small office environments.
>
> The solution I'm going to substitute is based on Linux-iptables which requires
> more than 1000 rules. I need more than 25 static routes, and 5 VPNs.
>
> Furthermore, in the next future we are migrating 2 of 3 network branches on
> Gbit.
>
> I'd like to try with PFsense, but my boss (I'm sure) will kill me in the event
> I spend half a week in setting up the new PFsense and writing down all the
> rules to see that PFsense is not the right solution.


Seems like the effort falls under research and development.  At least
in my shop, that wouldn't be considered a waste of time as it can
vet the existing design (which obviously is considered inadequate),
determine what if any use pfSense has to us, and whether we need to
keep looking.  There aren't any free answers - you'll have to take the
time to try out the solution you believe will work for you.


> Is there a rules number limit or a session number limit implemented in
> PFsense?


Not per se.  Do you really have 1000 rules, or are there numerous
duplicates with only source/destination IPs (or ports) changed?  You
may be able to shrink that rule base down considerably with pfSense.
The only concern I'd have with the number is the speed of the webGUI -
depending on how many interfaces you have, displaying 1000 rules on a
single screen could be bad (some day I'll have to generate a test bed
that stresses out the webGUI so we can try and improve the speed).

Also, you may or may not want to increase the state table limit which
defaults to 10K state entries.  There are 2-3 (depending on NAT) state
table entries for every connection through your firewall.  More info
on state table sizes can be found in other threads on this list or the
forum (I've answered this a few times)


> Does somebody have some expertise in similar situations?


Can't speak for pfSense in a large install, but the underlying packet
filter engine works like a champ in my commercial installs and those
are couple thousand rule machines (text files for editing...I'm not
relishing converting those machines to pfSense).

--Bill
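Greg's pointer to pf tables and `set limit`, Bill's note that every connection costs two or three state entries, and Odette's wish for "aliases of aliases" all come down to the same job: generating a compact pf.conf from a flat ruleset and sizing the state table for it. The Python below is an added example, not pfSense code or anything posted to the list. It groups constructed iptables-style allow rules into pf tables with one pass rule per service, flattens nested aliases (rejecting reference cycles so a bad definition fails at generation time rather than producing an empty table), and computes a `set limit states` value from an expected connection count using Bill's per-connection figures with an assumed headroom multiplier. The rule tuples, alias names, table names and the 5000-connection estimate are constructed sample data.

```python
"""Condense a flat, iptables-style allow list into pf tables and rules, and
size pf's state table from an expected connection count.

Added example for this thread; not pfSense code. The rule tuples, alias
names and connection counts below are constructed sample data."""
from collections import defaultdict

# Constructed sample: flat ACCEPT rules as (source, protocol, destination port).
# Many entries differ only in the source address, the duplication Bill describes.
SAMPLE_RULES = [
    ("192.0.2.10", "tcp", 22),
    ("192.0.2.11", "tcp", 22),
    ("192.0.2.12", "tcp", 22),
    ("192.0.2.10", "tcp", 443),
    ("198.51.100.0/24", "tcp", 443),
    ("192.0.2.11", "udp", 53),
    ("192.0.2.12", "udp", 53),
]

# Constructed sample of nested aliases ("aliases of aliases"): a member that
# names another alias is expanded recursively.
SAMPLE_ALIASES = {
    "web_admins": ["192.0.2.10", "192.0.2.11"],
    "net_admins": ["192.0.2.12"],
    "all_admins": ["web_admins", "net_admins", "203.0.113.5"],
}


def group_by_service(rules):
    """Map (protocol, port) -> sorted unique sources allowed to reach it."""
    groups = defaultdict(set)
    for src, proto, port in rules:
        groups[(proto, port)].add(src)
    return {key: sorted(srcs) for key, srcs in groups.items()}


def resolve_alias(name, aliases, seen=frozenset()):
    """Flatten a possibly nested alias into a set of addresses/networks.

    Raises ValueError on a reference cycle instead of recursing forever."""
    if name in seen:
        raise ValueError(f"alias cycle through {name!r}")
    seen = seen | {name}
    hosts = set()
    for member in aliases[name]:
        if member in aliases:
            hosts |= resolve_alias(member, aliases, seen)
        else:
            hosts.add(member)
    return hosts


def state_limit(expected_connections, nat=True, headroom=2.0):
    """Size the pf state table from a connection estimate.

    Bill's rule of thumb from the thread: two state entries per connection,
    three when NAT is involved. The headroom multiplier is an assumption;
    pick it for your peak, not your average."""
    per_connection = 3 if nat else 2
    return int(expected_connections * per_connection * headroom)


def render_pf(rules, expected_connections, nat=True):
    """Emit pf.conf text in the section order pf.conf expects:
    tables, then options, then filter rules."""
    groups = group_by_service(rules)
    tables, passes = [], []
    for (proto, port), srcs in sorted(groups.items()):
        table = f"{proto}_{port}_clients"  # constructed naming scheme
        tables.append(f"table <{table}> {{ {', '.join(srcs)} }}")
        passes.append(f"pass in quick proto {proto} from <{table}> to any port {port}")
    options = [f"set limit states {state_limit(expected_connections, nat)}"]
    return "\n".join(tables + options + passes)


def condensed_rule_count(rules):
    """Number of pass rules after grouping (one per protocol/port pair)."""
    return len(group_by_service(rules))


if __name__ == "__main__":
    print(render_pf(SAMPLE_RULES, expected_connections=5000))
    print(f"# {len(SAMPLE_RULES)} flat rules -> {condensed_rule_count(SAMPLE_RULES)} pf rules")
    print("# all_admins expands to", sorted(resolve_alias("all_admins", SAMPLE_ALIASES)))
```

Paste the output into a test box first, as Bill and Angelo both advise: the table names and the headroom multiplier are arbitrary choices, and the `set limit states` line is what overrides the 10K default Bill mentions, so check that it fits the RAM of the hardware Holger asks you to budget for.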


[pfSense-discussion] Known PFsense Limits?

2006-06-06 Thread Odette
Hi all,

  I need to substitute our production firewall, and I'd like to use PFsense 
which I've already successfully used for home or small office environments.

The solution I'm going to substitute is based on Linux-iptables which requires 
more than 1000 rules. I need more than 25 static routes, and 5 VPNs.

Furthermore, in the next future we are migrating 2 of 3 network branches on 
Gbit.

I'd like to try with PFsense, but my boss (I'm sure) will kill me in the event 
I spend half a week in setting up the new PFsense and writing down all the 
rules to see that PFsense is not the right solution.

Is there a rules number limit or a session number limit implemented in 
PFsense? 

Does somebody have some expertise in similar situations?

Anybody able to supply info or suggestions?

Thanks in advance

   Odette