Re: [pfSense] NIC support

2014-10-16 Thread compdoc
> I am well-aware of Olivier’s work in this area, as are many in the FreeBSD
> community.
>
> There is no proof, except that which is documented and reproducible.  We're
> doing something like science here.

Hmm, proof. Well, maybe a scientist like yourself can appreciate my concern 
over this direct quote from the BSD Router Project, of which you are so 
well-aware:

Intel Rangeley: Atom C2758 (8 cores) at 2.4GHz

Embedded Intel i354 4-port gigabit Ethernet

8Gb of RAM

Debugging slow throughput in progress…

With the default value of igb(4) drivers that use all 8 cores, this system is
not able to receive more than 585Kpps (far from the gigabit line-rate
1.488Mpps) on one port ?!?!

Last modified: 2014/03/13 20:16 by olivier

As I said in my original post, I know the C2758 is capable according to its
specs, however buyer beware...

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

[pfSense] 32bit to 64bit load config?

2014-10-16 Thread Mike Montgomery
Good morning, I have a pfSense 32bit running currently on a vmware host and
am going to create a new one, but 64bit and using the 64bit install.  If I
replicate the hardware on the vm, except I'm going to add more ram and
CPUs to the host, are there any config issues to restore the 32bit backup
to a 64bit install?  Also, this machine is also currently running 2.0.2,
can I restore the config to the latest, or should I install the new as
2.0.2, then upgrade after restored?  Thanks

Re: [pfSense] NIC support

2014-10-16 Thread Jim Thompson

> On Oct 16, 2014, at 2:06 AM, compdoc comp...@hotrodpc.com wrote:
>
>> I am well-aware of Olivier’s work in this area, as are many in the FreeBSD
>> community.
>> There is no proof, except that which is documented and reproducible.  We're
>> doing something like science here.
>>
> Hmm, proof. Well, maybe a scientist like yourself can appreciate my concern
> over this direct quote from the BSD Router Project, of which you are so
> well-aware:
>
> Intel Rangeley: Atom C2758 (8 cores) at 2.4GHz
> Embedded Intel i354 4-port gigabit Ethernet
> 8Gb of RAM
> Debugging slow throughput in progress…
> With the default value of igb(4) drivers that use all 8 cores, this system
> is not able to receive more than 585Kpps (far from the gigabit line-rate
> 1.488Mpps) on one port ?!?!
> Last modified: 2014/03/13 20:16 by olivier
>

As I said before, I am aware of Olivier's work.  That you are concerned is 
understandable, but also immaterial, as it is clear from this thread that your 
understanding of the issues, tools(!), terms of art and resolutions is limited. 

The concern I have is not your lack of understanding. We all lack knowledge. 
It's what comes next that marks the difference between progress and the crabs 
in a bucket mentality that often impedes progress. 

Here, you perform an act commonly known as I read it on the Internet (so it 
must be true.)

The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), is 
tuning.  It's well-understood that the default install isn't optimal.  We 
addressed this earlier in the year.

Since then we've been concentrating more on a proper test infrastructure, 
(Conductor), support for AES-GCM mode for IPSec, (with support for AES-NI 
acceleration), and measuring the performance of pf with the on-chip 
performance counters. 

The first result of the pf performance work is an improved (at least 9% faster 
with 95% confidence) hash function for pf. 

A second result (not yet available in pfSense as it requires work from FreeBSD 
-HEAD) yields another 25% improvement compared to the stock pf in 10.0/10.1. 

Work continues. 

> As I said in my original post, I know the C2758 is capable according to its
> specs, however buyer beware...

Again with the insult and denigration.  Do you own a C2758?


Jim

[pfSense] debugger on panic

2014-10-16 Thread Vick Khera
Is there any reason I would want to keep debug.debugger_on_panic set
to 1 on my production firewall?

Would the right way to set it to 0 be to add a line to /boot/loader.conf.local?
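An added example for the persistence half of the question above; it is not code from the list thread or from pfSense. It is a POSIX shell routine that sets a loader.conf(5)-style tunable in a file without accumulating duplicate lines on repeated runs, demonstrated on a scratch copy; the path /boot/loader.conf.local is the one the question names, and the function does not claim anything about how a given pfSense build consumes that file. For context, on a kernel built with DDB, debug.debugger_on_panic=1 makes a panic stop at the debugger prompt waiting for console input rather than dumping and rebooting, which is the availability concern on an unattended firewall.

```sh
#!/bin/sh
# Added example (not from the list thread or from pfSense): set a
# loader.conf(5)-style tunable idempotently, so running it twice leaves exactly
# one uncommented "key=value" line for the key instead of appending another.

set -eu

# set_tunable FILE KEY VALUE
# Replace the first uncommented assignment of KEY in FILE, drop any later
# duplicates, or append the assignment if KEY is absent.  Keys are compared as
# exact strings (no regex), so the dots in sysctl names need no escaping.
set_tunable() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            i = index(line, "=")
            if (i > 0) {
                lhs = substr(line, 1, i - 1)
                sub(/[[:space:]]+$/, "", lhs)
                if (lhs == k) {
                    if (!done) { print k "=\"" v "\""; done = 1 }
                    next
                }
            }
            print
        }
        END { if (!done) print k "=\"" v "\"" }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_tunable FILE KEY
# Print the value assigned to KEY in FILE with surrounding quotes stripped;
# fail (exit 1) if KEY has no uncommented assignment.
get_tunable() {
    awk -v k="$2" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            i = index(line, "=")
            if (i == 0) next
            lhs = substr(line, 1, i - 1)
            sub(/[[:space:]]+$/, "", lhs)
            if (lhs != k) next
            val = substr(line, i + 1)
            gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", val)
            print val
            found = 1
            exit
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Demo on a scratch file with constructed content, not the live
# /boot/loader.conf.local.
demo=$(mktemp)
printf '%s\n' 'kern.ipc.nmbclusters="131072"' 'debug.debugger_on_panic="1"' > "$demo"
set_tunable "$demo" debug.debugger_on_panic 0
set_tunable "$demo" debug.debugger_on_panic 0   # second run changes nothing
cat "$demo"
rm -f "$demo"
```

On the live box, `set_tunable /boot/loader.conf.local debug.debugger_on_panic 0` takes effect at the next boot; `sysctl debug.debugger_on_panic=0` changes the running kernel immediately.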


[pfSense] OpenVPN Per User policy

2014-10-16 Thread Paul Beriswill
I have spent way too many hours scouring the net for info and need a little 
direction here ...

I'm trying to set up security for my OpenVPN connections.  I would like to use 
Radius or LDAP but need to have user-level policies.
The stock solution for this problem appears to be Client Specific Overrides 
(CSO) but they have a couple drawbacks that I can see, including:

 *   Data replication ... prefer centralized authentication
 *   Apparently confines each user to a single active connection
     *   Unless I am missing something here (I hope)
     *   ?? Unable to assign a DHCP range assigned to the CSO ??
     *   New connection uses same IP as established connection ... effectively
         shuts down established connection
     *   *** I hope that this problem is a mis-config on my part ***

 *   I read that v2.1 (at least) supports avpairs with Radius (I believe) but
     am unable to find specific information on how to use it.
     *   Would this feature allow me to accomplish my goal?
     *   are ACL's handled appropriately?

Where can I find more information?

Paul
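An added example for the Client Specific Overrides part of the question above; it is not code from the thread or from pfSense. It is a POSIX shell generator that writes OpenVPN client-config-dir files (the mechanism a CSO maps onto) from a per-user policy table. The policy table, the CNs and the addresses are constructed sample data, the output directory is a scratch directory rather than pfSense's own CSO location, and the server is assumed to run OpenVPN's default "topology net30", where each client's ifconfig-push pair must be the two usable addresses of one /30 (last octets 1/2, 5/6, 9/10, ...), as the Windows TAP driver requires. The example goes a little beyond the question by deriving the server-side endpoint and the netmasks instead of hard-coding them, and by refusing addresses that break the /30 rule.

```sh
#!/bin/sh
# Added example (not from the thread or from pfSense): generate OpenVPN
# client-config-dir ("client specific override") files from a per-user policy
# table, enforcing the /30 pairing rule of the default "topology net30".

set -e

# cidr_mask BITS -> dotted netmask, e.g. 22 -> 255.255.252.0
cidr_mask() {
    bits=$1
    case $bits in ''|*[!0-9]*) return 1;; esac
    [ "$bits" -le 32 ] || return 1
    m=""
    for _ in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then o=255; bits=$((bits - 8))
        else o=$(( (255 << (8 - bits)) & 255 )); bits=0; fi
        m="$m${m:+.}$o"
    done
    printf '%s\n' "$m"
}

# net30_peer CLIENT_IP -> the other endpoint of CLIENT_IP's /30
# In net30 the two usable addresses of a /30 end in 4k+1 and 4k+2, so a last
# octet of 5 pairs with 6 and 6 pairs with 5; anything else is rejected.  The
# /30 holding the server's own address must also be kept out of the policy
# table; that is not checked here because the server address is not known.
net30_peer() {
    ip=$1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    case $(( $4 % 4 )) in
        1) peer=$(( $4 + 1 ));;
        2) peer=$(( $4 - 1 ));;
        *) return 1;;
    esac
    printf '%s.%s.%s.%s\n' "$1" "$2" "$3" "$peer"
}

# write_cso DIR CN CLIENT_IP [NET/BITS ...]
# Emit DIR/CN with a fixed client address and per-user pushed routes.  The
# fixed address is what lets per-user firewall rules on the OpenVPN interface
# key on the user; the routes only tell the client what to send into the tunnel.
write_cso() {
    dir=$1 cn=$2 client=$3
    shift 3
    peer=$(net30_peer "$client") || {
        printf 'write_cso: %s: %s is not a valid net30 client address\n' "$cn" "$client" >&2
        return 1
    }
    mkdir -p "$dir"
    {
        printf 'ifconfig-push %s %s\n' "$client" "$peer"
        for net in "$@"; do
            mask=$(cidr_mask "${net#*/}") || return 1
            printf 'push "route %s %s"\n' "${net%/*}" "$mask"
        done
    } > "$dir/$cn"
}

# Constructed policy table: CN, fixed client address, routes to push.
POLICY='alice 10.8.0.5 192.168.10.0/24
bob 10.8.0.9 192.168.10.0/24 192.168.20.0/22'

# generate_all DIR -> one CSO file per policy line
generate_all() {
    printf '%s\n' "$POLICY" | while read -r cn ip routes; do
        write_cso "$1" "$cn" "$ip" $routes   # $routes is a space-separated list
    done
}

out=$(mktemp -d)   # scratch directory, not pfSense's CSO location
generate_all "$out"
for f in "$out"/*; do printf '== %s\n' "${f##*/}"; cat "$f"; done
rm -rf "$out"
```

Two properties of this mechanism follow directly from the generated files: a pushed route is advisory, so the access policy has to be enforced by firewall rules matching the fixed address, and a fixed ifconfig-push gives every session of that CN the same address, so two concurrent sessions of one CN cannot both hold it.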

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
> The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), is
> tuning

The only way to prove what you say is with numbers. Tuning pfSense won't fix
this hardware problem, *if* it exists in your boards.

>> As I said in my original post, I know the C2758 is capable according to
>> its specs, however buyer beware...
>
> Again with the insult and denigration.

Is it an insult that I think Intel's cpu is capable? Or is it that I suggest a
person be cautious when buying these products?

> That you are concerned is understandable, but also immaterial,
> as it is clear from this thread that your understanding of the issues,
> tools(!), terms of art and resolutions is limited.
> ...
> Here, you perform an act commonly known as I read it on the Internet (so it
> must be true.)

This is a much better example of insult and denigration. You don’t know me,
my methods, or my thinking.

> Do you own a C2758?

Have you actually bothered to read anything I've said in this conversation?

It's time to end this nonsense. Prove what you say, or shut up.


Re: [pfSense] NIC support

2014-10-16 Thread Andy Holzrichter
I mostly lurk on this mailing list for the informative discussions, and while
this thread is amusing to follow, do you realize who you’re arguing with,
compdoc?   Have you looked at the last part of his email address?   If Jim
tells us his version of that hardware will do it, I’ll take his word for it
barring someone having real proof otherwise.   Maybe you need to get one of his
boards and run some real tests on it, then report back to the list with what
you found.


Re: [pfSense] NIC support

2014-10-16 Thread Jim Thompson

> On Oct 16, 2014, at 11:14 AM, compdoc comp...@hotrodpc.com wrote:
>
>> The difference between Olivier's setup and ours (assuming pfsense 2.1.1+),
>> is tuning
>>
> The only way to prove what you say is with numbers. Tuning pfSense won't fix
> this hardware problem, *if* it exists in your boards.

Your assumption (that there is a hardware problem) is unwarranted.   The
problem is that FreeBSD (especially FreeBSD 8.3, upon which the current
“release” version of pfSense software (v2.1.5) is based), is not well-tuned to
multi-core hardware.   We took certain steps to fix the problem (as well as it
can be fixed on 8.3) and are working to improve the situation for both FreeBSD
and pfSense.  (FreeBSD 10 is better than 8.3, but, as Olivier also discovered,
imperfect.)

There is a lot of work to do in this area, including enabling RSS (for
forwarding, there is recent work for reception in FreeBSD -HEAD), thread
pinning, additional work on a per-core copy of the state table, more work on
flow-table, etc.

It’s all roughly planned, and the subject of some discussion while I have all
the pfSense coreteam in Austin this week to discuss this, and what we’re going
to do after the 2.2 release of pfSense.

>> As I said in my original post, I know the C2758 is capable according to
>> its specs, however buyer beware...
>>
> Again with the insult and denigration.
>
> Is it an insult that I think Intel's cpu is capable? Or is it that I suggest
> a person be cautious when buying these products?

Is your position that you are unaware of the meaning of “Caveat emptor”, and
its history in both English common law and statutory law in all 50 United
States?  (Apologies to readers outside the US, but OP is based in Denver, CO,
so the point stands.)

You might wish to perform an Internet search for “buyer beware” and see the
type of thing that comes up, and then reconsider my reaction in light of same.

You may also wish to review Laidlaw v. Organ, 15 U.S. 178 (1817) if you still
don’t know what I’m talking about.  Your noisy attempts at persuasion of the
consumer base actually require the vendor (that’s me) to respond.  (Never mind
the whole “silence is assent” attitude that many hold.)

You gave some results of some tests you performed on an AMD A8-7600 and an
i5-2400.   I asked for additional details, and you refused to provide any.

You asserted that pfSense crashes under load.  (You reported that this “was
tested by someone else”.)   I asked for details, and you refused to provide any.

You asserted that BSDRP is a “tool to test hardware”.   You stated that it “has
very little overhead and runs on freebsd.”

The reality is that BSDRP is a slightly customized distribution of FreeBSD; it
doesn’t “run on FreeBSD”, it *is* FreeBSD, as packaged by Olivier to suit his
purposes at Orange.   This is a good thing.   That you’ve repurposed it to
“test your hardware” is also fine, but your assertion that BSDRP is “a tool to
test hardware” is still false.

Many people use screwdrivers as levers.  This doesn’t mean that their usage is
correct, nor does it make “a screwdriver is a tool to open paint cans” true.

>> Do you own a C2758?
>>
> Have you actually bothered to read anything I've said in this conversation?
>
> It's time to end this nonsense. Prove what you say, or shut up.

Fair warning:  Being rude will eventually get you removed from the list.

Published numbers are forthcoming, as soon as we’re ready to make the results
public.   I’ve already exposed the tools we’re using, and some of the
improvements we’ve seen.  There is a long history in the project of people
making up benchmark numbers to suit their agenda.  There is also a long history
in the project of people posting ‘fixes’ for various issues, including
performance issues, where these ‘fixes’ have nothing to do with the actual
issue.

The number of times I’ve seen recommendations to “sysctl -w
kern.ipc.maxsockbuf=<huge number>” or to set the TCP/UDP default buffer sizes,
or set window scaling in an attempt to increase forwarding performance through
‘pf’ makes me cringe.  (recent reference:
https://forum.pfsense.org/index.php?topic=71949.0)

There are a number of things currently in pfSense that do not lend to absolute
performance.   mbuf tags and ALTQ are two examples.  ALTQ is about a 10% impact
on PPS performance.  mbuf tags are the work of the devil.   FreeBSD’s penchant
for looking up the ARP entry for every single packet (even though it just
looked up the ARP entry for the last packet, which was to the same destination)
is also a problem.   There are some great results from Luigi Rizzo (actual
author of the pkt-gen tool) on putting ipfw (the competing packet filter in
FreeBSD) over netmap, reaching 7-10Mpps.   We will explore pf over netmap
(again, after we get pfSense 2.2 released), and hope for similar results.

The point is, we’re focused on it (especially after we get pfSense 2.2 
released, such that work we do on pfSense can be 

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
> do you realize who you’re arguing with compdoc?

Yeah, I'm arguing with a guy that not only attacked me for suggesting a person 
be careful about buying certain hardware, he also attacked the work of Olivier 
from BSDRP.


Re: [pfSense] NIC support

2014-10-16 Thread Jim Thompson

> On Oct 16, 2014, at 12:45 PM, compdoc comp...@hotrodpc.com wrote:
>
>> do you realize who you’re arguing with compdoc?
>>
> Yeah, I'm arguing with a guy that not only attacked me for suggesting a
> person be careful about buying certain hardware, he also attacked the work of
> Olivier from BSDRP.
>

I never attacked Olivier.  I have a ton of respect both for him and BSDRP.

Jim
