Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-31 Thread compdoc
On 03/31/2017 02:15 PM, Jim Thompson wrote: I claim that a simple "fill the pipe with large packets" test is useless to understand the performance of the system. All the work is on a per-packet rather than per byte basis, unless you don't have DMA or are doing some type of DPI. I

Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-31 Thread compdoc
(My last email seemed to go to the wrong area. Hope you don't mind if I try again...) On 03/28/2017 10:32 AM, compdoc wrote: Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a newer model AMD APU could keep up. I wanted to clarify what I said before. You don't need

Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-31 Thread compdoc
On 03/28/2017 10:32 AM, compdoc wrote: Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a newer model AMD APU could keep up. I should clarify what I said. You don't need an i5. Any sandy bridge class cpu, or newer has the ability. Including the 4/8 core Atoms and sandy

Re: [pfSense] pfsense really slow

2016-09-02 Thread compdoc
>though the web interface is incredibly slow. I think I remember that if your CPU doesn't support a certain built-in feature, the gui can be slow. But then it could be something else. Is cpu use high? ___ pfSense mailing list

Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread compdoc
>I'd suggest that before you slag programs, you not rely on old, outdated, >biased information. Spinrite 6 is a twelve-year-old program that seemed cool back in the day, but I would never recommend it to anyone now. Repairing computers for a living, I'm always on the lookout for useful

Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread compdoc
>>Coming back tonight to do memtest, SpinRite on the SSD, etc..., Spinrite on an ssd is a terrible idea. It's an ancient program that's even a bad idea to use on hard drives. It doesn't even work on drives larger than 1TB, because it was written in a time when drives were not that big. And there

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I didn't even realize that Nut was back. That's great. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
and Discussion Mailing List Subject: Re: [pfSense] How to determine supported packages without installing On 2016-Jun-17, at 2:35 PM, compdoc <comp...@hotrodpc.com> wrote: > I think this is complete: > <snip'd> Thanks. Looks like I can proceed with an update to 2.3. Regardless, I still

Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I think this is complete: 2.3.1-RELEASE-p5 (amd64) built on Thu Jun 16 12:53:15 CDT 2016 FreeBSD 10.3-RELEASE-p3 arping 1.2.2_1 AutoConfigBackup1.45 Avahi 1.11_2 Backup 0.4_1 bind9.10_8 blinkled0.4.7_1 Cron0.3.6_2 darkstat3.1.2_1 freeradius2 1.7.3_1

Re: [pfSense] Snort or Suricata

2016-06-13 Thread compdoc
> How do you have Snort configured to differentiate between incoming and > outgoing traffic? I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that’s the problem. It watches any http traffic, which is mainly outgoing in our case. On the Services / Snort / Interfaces page,

Re: [pfSense] Snort or Suricata

2016-06-12 Thread compdoc
>Maybe is suricata better? What are the difference? I've never tried suricata so I can't say if it's better, but snort works pretty well. There is one problem with snort, however. It can watch incoming traffic as well as outgoing traffic. But when snort watches outgoing traffic, it flags and

Re: [pfSense] PFSense for high-bandwith environments

2016-02-18 Thread compdoc
> Using Intel E3-1270s and Intel 10G Nics I can't point to a specific setup, but something to look at... Your xeon is a sandy bridge with a max transfer rate of 5 GT/s, which is very nice but the new Skylake cpus are 8 GT/s. Also, there's always a possibility of equipment failure/setup

Re: [pfSense] pfblockerng

2016-01-23 Thread compdoc
>> The top10-2.txt file has last been updated in July 2015 according to >> my curl command and is not auto-documented. I find I'm only using "http://www.malwaredomainlist.com/hostslist/ip.txt" these days. Am I already hacked?

Re: [pfSense] Two queries from intending new user

2015-11-18 Thread compdoc
>Does installing pfSense, especially, using the "Quick/Easy Install option", allow for installation so as to allow for multiple boot options No, it will erase the hard drive and set up a freebsd file system. Might be worth using another drive altogether to preserve the old drive, or use

Re: [pfSense] Status - Traffic Shaper - Queues

2015-09-24 Thread compdoc
> This message never made it to the list Received this one...

Re: [pfSense] Kernel problem after upgrade 2.2.3 to 2.2.4

2015-08-03 Thread compdoc
Thanks for your response, but my installation is on a physical machine, and there was no disk space issue. Be sure to check the hard drive's SMART info. It's the best way to tell if the drive is failing.

Re: [pfSense] Access Point Recommendations?

2015-07-20 Thread compdoc
A lot of good info in these posts, but no real hardware recommendations...

Re: [pfSense] Access Point Recommendations?

2015-07-17 Thread compdoc
Does anyone have any recommendations for small office access points? I use a Zyxel WAP3205 v1, which was fairly inexpensive. I use pfSense to provide DHCP and rules for the clients, and have the features in the WAP that are said to be easy to hack disabled. (like WPA Compatible, and WPS) So,

Re: [pfSense] Cannot Spoof MAC

2015-07-11 Thread compdoc
I ended up spending over an hour trying to get that little system to pick up a DHCP address for their Comcast router. Once upon a time, Comcast used to install their modems and register the mac address of the NIC of the customer's computer. Sort of a way of preventing their customers from

Re: [pfSense] IPSEC Tunnel with NAT not working under 2.2.3

2015-07-07 Thread compdoc
I updated to 2.2.3 over the weekend, and now my tunnel no longer works correctly, even though my settings haven't changed. The same thing happened to me. I had to change the Encryption algorithm from AES256 to 3DES to get it to work. There's talk this will be fixed in the next release.

[pfSense] pfsense behind netscreen

2015-05-01 Thread compdoc
There is an oncology clinic using a Juniper SSG5. They have a couple of ipsec connections that require policy-based routing with mapped IP addresses. (MIP) I can't provide that with pfSense, but I do want to use pfSense to give them protection like squid w/ antivirus, and snort, and pfblocker.

Re: [pfSense] Squid + Squidguard

2015-04-21 Thread compdoc
The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure' returned exit code '1' ... squid: ERROR: No running copy' If you type the following on the command line, do you get any output? squid -k shutdown Use your browser to start squid again. useful log: /var/squid/logs/cache.log

Re: [pfSense] no stable ipsec connection after upgrade to 2.2

2015-02-25 Thread compdoc
peer client ID returned doesn't match my proposal I have two ipsec tunnels and after the upgrade, for one tunnel I had to change the 'Peer identifier' on my side to use the IP address it was seeing. Been working great since.

Re: [pfSense] Dual Port NIC ports

2015-02-21 Thread compdoc
Is there any advantage or disadvantage to using the two port on a dual port NIC vs. one port each on two different dual port NICs? Hopefully, the dual-port Intel Nics are pci-e, and so will be the fastest. The legacy Intel NIC could be PCI, and will be a bit faster than the Marvell nics. I

Re: [pfSense] 2.2 Packages

2015-01-30 Thread compdoc
Where is a good place to monitor for package updates for 2.2? If you click the text in the Status column on the Available Packages tab, you're taken to a page that shows the change logs for that package.

Re: [pfSense] New pfSense 2.2 install

2015-01-29 Thread compdoc
The link I'm working with is: http://www.malwaredomainlist.com/hostslist/ip.txt When an alias is created with this url, do you know where the list is stored on pfSense? I just want to see if I've created the alias correctly and that the list matches the ip addresses in the url. Thanks

Re: [pfSense] Release 2.2 - more problems than success by upgrades / looping packet installations / sshd is not working any more / crashes on X5550 CPU

2015-01-27 Thread Compdoc
Do have more of you had similar problems ? I upgraded one firewall and everything works fine except that I use the squid and HAVP packages together, but HAVP is broken. Running commands like clamd and freshclam don't work. I don't know how to file a bug report so I created a topic in the

Re: [pfSense] How to change driver for NIC

2015-01-07 Thread compdoc
It is only pfSense 2.2, that has this not usable speed from other VM's in the Xenserver. I installed xenserver with a pfSense guest on a machine, and had the same problem. Traffic from hosts on the lan through the pfSense guest to the wan is nice and fast, but traffic from other guests through

Re: [pfSense] How to change driver for NIC

2015-01-04 Thread compdoc
Can anyone give me a description of, how to change driver ? Well, you would need to change the NIC itself. I haven't tried this, but the following url explains the problem and might help fix the problem. http://www.netservers.co.uk/articles/open-source-howtos/citrix_e1000_gigabit I switched

Re: [pfSense] How to change driver for NIC

2015-01-04 Thread compdoc
Is it impossible to try to improve on pfSense 2.2's problem in pfSense You might not be the only person having the problem, but I haven't researched to know for sure. Sometimes, it's possible to do the work and discover the problem yourself. There are a few areas of experimentation that might

Re: [pfSense] APU and SSD: full install or NanoBSD

2014-11-26 Thread compdoc
Bottom line, squid and SSD are not a good combo. I've used several SSDs over the years running pfSense and linux and windows OSes. Work just like hard drives, except might actually be more reliable. There is one exception: none of the SSDs I used were PC Engines.

Re: [pfSense] problems running pfSense 2.1.5 running in a kvm session

2014-11-05 Thread compdoc
Any thoughts on this? Is this known not to work? If you know vi commands, you can type: sudo virsh edit pfSense (substitute the actual VM name) Look for the line like: <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type> This line will be different depending on the version of KVM and the

Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread compdoc
Things will get outrageous soon with the advent of M.2 PCI SSDs on a x4 connection. The speeds of m.2 on x4 do look amazing, but the prices and sizes of them probably means that not many people will be tossing them into their firewalls anytime soon. For projects like firewalls, and to

Re: [pfSense] Making an install CD

2014-10-29 Thread compdoc
I can't seem to make an install CD. I downloaded the ISO, unzipped it from the gz file using 7-ZIP, and burnt the disk image using win7. Those are the same tools I use to create bootable CDs/DVDs. Windows 7 can burn an iso without having to install any programs. I would have to

Re: [pfSense] pfsense h/w

2014-10-22 Thread compdoc
A proven hardware platform, available in the UK with at least 6 physical network ports, I can probably justify buying Not much info. Got an url for that? ___ List mailing list List@lists.pfsense.org

Re: [pfSense] trying to install

2014-10-22 Thread compdoc
Thanks for that link, none of it seems to apply as the box is not booting from the media at all, says there is not a bootable media present Just a shot in the dark, but is there a bios/firmware update for your system? Sometimes they correct problems they find after it's been sold for a

Re: [pfSense] trying to install

2014-10-21 Thread compdoc
I've been trying to install 2.1.5 into a http://www.mini-itx.com/store/~FX5624 The specs look ok. I would think it supports most 'nix distros. Unfortunately, that website doesn’t say if it supports booting from USB. Does the manual say it can? I've tried several ways to write

Re: [pfSense] NIC support

2014-10-17 Thread compdoc
be an excellent buy. More so, because of the tuned software and support they'd be getting along with it. compdoc ___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
I am well-aware of Olivier’s work in this area, as are many in the FreeBSD community. There is no proof, except that which is documented and reproducible. We're doing something like science here. Hmm, proof. Well, maybe a scientist like yourself can appreciate my concern over this

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), is tuning The only way to prove what you say is with numbers. Tuning pfSense won't fix this hardware problem, *if* it exists in your boards. As I said in my original post, I know the C2758 is capable

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
do you realize who you’re arguing with compdoc? Yeah, I'm arguing with a guy that not only attacked me for suggesting a person be careful about buying certain hardware, he also attacked the work of Olivier from BSDRP.

Re: [pfSense] NIC support

2014-10-15 Thread compdoc
When I speak of the C2758, I speak of the product sold at the pfSense store, as sold by the pfSense store, not the generic pfsense release running on some brand of board@. I was speaking of a C2758 board that was tested by someone else, and which wasn’t able to reach Ethernet's

Re: [pfSense] NIC support

2014-10-15 Thread compdoc
I am well-aware of Olivier’s work in this area, as are many in the FreeBSD community. You’ve failed to disprove anything I've said, even the part about tools. You’re still assigning fault to pfSense Not at all. But it would be nice if any of this pleasant banter becomes useful

Re: [pfSense] NIC support

2014-10-14 Thread compdoc
as close to wirespeed as possible, be happy with a C2758. ? Very That C2758 has nice specs and should be able to keep up, however there seems to be a throughput problem on at least one brand of board running the C2758. (I think it’s more a problem with the nics than the cpu) I

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-10-08 Thread compdoc
Stefan Fuhrmann, here's my settings. They work well for me, but there may be some fine-tuning you should do... First, I choose the rules on the Global Settings tab. I applied for a free Oinkmaster Code, which I use on a few firewalls. Then I set the Removed Blocked Hosts Interval to 15

Re: [pfSense] a notification is not sent when a gateway is down[https://redmine.pfsense.org/issues/3306]

2014-10-08 Thread compdoc
And then an email should be sent, which it is not being sent. -Jason On a firewall with two wan connections, one connection is faster than the other so I use one for incoming connections and one for outgoing. User's outgoing traffic is routed to the gateway that's working using gateway groups.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
Here is a good place to start regarding Suricata or Snort. http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/ Is the free to use version of Snort going away? I scanned the page mentioned above but it seems unclear. Suricata sounds like an excellent

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
The Pfsense firewall has to be setup as BRIDGE if want to put it between the router and the corporate firewall ??? Connect like this? www - isp router - pfSense - corporate firewall - lan Don’t think you have to use bridge mode. Can Snort work in bridge mode?

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
But you say: one interface for WAN, a second for LAN...and which interface is for managing ??? You manage with a browser from LAN, and optional also from the WAN port. And with ssh from the LAN.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
do I have to have 3 network interfaces or 2 interfaces are enough to implement the IPS? With Snort, just need one for wan, one for lan. That’s all. I use a 3rd for wifi at home. The office is a virtual machine with two wan ports, one lan, one wifi, and one connection for the host.

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-09-28 Thread compdoc
I need a recommendation for following setup: pfsense-cluster loadbalancers webservers I can't help with these. There are some thousand visits per day and I want to secure with pfsense and snort. Snort runs on lan-site. In the moment there are several thousand alerts per day!

Re: [pfSense] How do I fix this?

2014-09-03 Thread compdoc
Why not try the upgrade. Maybe the problem will go away.. There are also three settings for apinger that can be useful: Alternative monitor IP, Probe Interval, and Down Is this a new install, or a machine that recently developed a problem?

Re: [pfSense] How do I fix this?

2014-09-03 Thread compdoc
I have tried the alternate IP. No change. Not sure what the other two do? Some connections might be slow to respond occasionally, or not handle constant pings well. You can send fewer pings, (every 3 seconds for instance) and wait a longer period of time before declaring the link is down.

Re: [pfSense] Strange problems with pfSense 2.1.4

2014-08-10 Thread compdoc
Jason M. wrote: I'm using the PFW201 hardware from Tranquilnet According to Tranquilnet: *Note: These units may run hot to the touch and we recommend either a wall mount or to place them on a cool, dry and hard surface with proper air flow I can build systems that are much faster and more

Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
OPT1 interface - actually has the VM's WAN MAC address (the second interface rather than the third interface) If you haven't yet, you might want to reassign interfaces on the console login screen. The Option is number (1) in the list. Then reboot.

Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
em1 third MAC address (up) -- shouldn't that be the second MAC address? Are you saying two interfaces have the same mac address even after reassignment? That's not right.

Re: [pfSense] Failed Downloads

2014-08-07 Thread compdoc
I use squid and squid guard I don't think anything in squid would block, but check to make sure everything is set to zero and only 'Throttle only specific extensions' is checked on this page: Proxy server: Traffic management You mentioned HAVP in another post and some downloads don't work

Re: [pfSense] Transparent Squid with Multiwan on 2.1.3?

2014-08-02 Thread compdoc
With Squid disabled, fail over works as expected. In the lab I created to test this machine, I have squid with havp set to transparent. Also have snort. I don’t use squidguard. If I disconnect wan #1, most browsers will time out. But I can often just refresh to get them going again.

Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode

2014-08-01 Thread compdoc
<graphics type='vnc' port='5901' autoport='yes'/> By the way, if you ever install vncserver, that port used for the VM will cause a conflict

Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode

2014-07-31 Thread compdoc
Did you ever had troubles with virtio drivers? I have a pfSense guest that runs fine with all virtio drivers (lan,storage) but you might want to switch back to IDE just to see if your virtio storage driver is causing the issue. Your xml file looks very much like a pfSense guest I have running

Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode

2014-07-30 Thread compdoc
The VM is configured with VirtIO disks, emulated e1000 network cards. I use kvm and have had no problems running any of the 2.1 releases. I'm building a VM server right now that will run pfSense and one other guest OS. I have used the virtio drivers for nics, storage, and memory ballooning, but

Re: [pfSense] pfsense slowing wan speed

2014-07-05 Thread compdoc
I have a PFsense box on a 50/5 DSL connection How much swap is being used? What is swap stored on? Any overheating of the nic or cpu? What happens if you disable or remove squid? I have no experience with HT and pfSense. Sometimes HT can help and sometimes it can hinder. Try

Re: [pfSense] Install on one machine, deploy on another

2014-06-09 Thread compdoc
Will I have any problems if I install a new version of pfsense on one machine and then move the hard drive to another machine? You probably will have some problem. Let us know how it goes...

Re: [pfSense] apu.4c silently dies

2014-06-04 Thread compdoc
Even if adding more memory corrects the issue, I still don't like to know that pfsense can suddenly die and leave no clues behind :-|. pfSense is pretty stable. I've tested it in many VMs and 'bare metal' systems and it doesn’t freeze on me. Of course, I might not be using the same

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-10 Thread compdoc
You may want to make sure the DHCP server is disabled on the modem completely. It's a cable modem that I guess is in bridge mode, and they don't let me mess with settings. Anyway, I think the DHCP server is in their headend somewhere. I'm just glad it's not like the old days when Comcast

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-09 Thread compdoc
I called Comcast and had them remotely reboot the modem. Whenever I connect a different network card to my home Comcast modem, I have to power cycle the modem for it to come up. I think it keys off the MAC address of the old card, and won't accept the new one until then. I get a new IP address

Re: [pfSense] Gateway Status Remains Offline

2014-04-29 Thread compdoc
However, after about 10 minutes the gateway went offline and I lost access to the internet. I recently had much the same thing happen, but with a wired dual-port network card. It turned out to be the nic.

[pfSense] cbeyond troubles

2014-04-22 Thread compdoc
I tried installing a firewall for a customer who uses Cbeyond for phones and internet service. I had Cbeyond set their equipment to bridge mode, disabling NAT and DHCP. Everything seemed to work for a while so I left their office, but I soon got a call saying they couldn't browse the web. In the

Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread compdoc
I found that I had problems with FreeBSD using pf + virtio under KVM Virtio in KVM works fine with pfSense, but you have to modify the /boot/loader.conf.local file to enable the drivers. And if you load the storage drivers, you have to modify /etc/fstab.

Re: [pfSense] Restoring from XML prevents VM from booting

2014-02-05 Thread compdoc
I can install pfsense fine, and manually set up a LAN IP address on vboxnet0 so that I can get into the web and use Diagnostics Backup/Restore to upload an existing XML config. But then the VM refuses to boot properly... What if you were to install pfSense in the new environment and save

Re: [pfSense] psSense stops working

2014-01-23 Thread compdoc
How would I pull that off? Computers have several common points of failure. They are the power supply, the motherboard, RAM, cooling fans, and the hard drive. Fans are easy - just make sure they are spinning at the proper speed. This includes the fan inside the PSU. If the motherboard

Re: [pfSense] Motherboard compatibility

2013-11-07 Thread compdoc
So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / Haswell) it should work, even though FreeBSD 8.3 is older than those technologies and might not fully support the chipset yet (e.g. due to

Re: [pfSense] ipsec packets in one direction are too big

2013-10-28 Thread compdoc
Any thoughts?? May not answer your question, but you did ask... I set up my first ipsec tunnel with pfSense and it has been wonderful, but I had to set System menu Advanced Miscellaneous tab Enable MSS clamping on VPN traffic, and set it to 1375 before I got a stable connection. Before

Re: [pfSense] 2.1 - strange minor issue with OpenVPN

2013-10-08 Thread compdoc
All my OpenVPN services report an error contacting the daemon, both on the status page (as in print-screen) and also on the dashboard page. I'm getting this error as well.

Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!

2013-09-15 Thread compdoc
I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, including immediate PDF download to the updated 2.1 book for subscribers! I assume this is why snapshots.pfsense.org is offline At least the .iso for the LiveCD is downloading very quickly. Is it possible to restore a

Re: [pfSense] NETGATE FW-7535 pfSense 2.0.2-RELEASE OpenVPN Data Corruption

2013-08-20 Thread compdoc
I switched out the memory and the SSD, But did you test the ram? Make sure the ram doesn't require a special voltage - this is usually written on the sticker on the ram. And run memtest86 on it overnight. And suspect the ssd - try a small hdd. I like to use laptop drives as boot drives for my