Re: [pfSense] PBI packaging: BGPd vs OSPFd
On Sunday, September 15, 2013 10:21:55 PM Adam Thompson wrote:

> I'm thinking that if you need advanced features, go buy a
> Cisco/Juniper. But if you need basic (or even just
> homogenous) functionality, pfSense ought to be a
> good-enough platform. It's really close right now but
> not having redistribution is a roadblock, at least for
> me. -Adam

As I'd mentioned, our backbone (routers) already run IS-IS. The need for Quagga is for Anycast DNS.

I consider HMAC-MD5 authentication in IS-IS a basic requirement, but this is badly broken in Quagga.

Mark.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
Fantastic job all, keep up the great work! My team and I are extremely appreciative as always.

James

-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
Sent: September-15-13 2:50 AM
To: pfSense support and discussion; d...@lists.pfsense.org
Subject: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!

I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, including immediate PDF download to the updated 2.1 book for subscribers!

Check out the announcements on our blog.

http://blog.pfsense.org/?p=712 - 2.1-RELEASE
http://blog.pfsense.org/?p=718 - Gold Subscription

Thanks for your support!

Chris
Re: [pfSense] PBI packaging: BGPd vs OSPFd
I'm thinking that if you need advanced features, go buy a Cisco/Juniper. But if you need basic (or even just homogenous) functionality, pfSense ought to be a good-enough platform. It's really close right now but not having redistribution is a roadblock, at least for me.

-Adam

Mark Tinka wrote:

>On Sunday, September 15, 2013 07:35:27 PM Jim Pingle wrote:
>
>> I agree. From what I have done with Quagga on OSPF, it's
>> been pretty straightforward and simple and tends to just
>> work and work well.
>>
>> It isn't without its quirks, but I've never been sure if
>> those are actually quirks in Quagga or the way we
>> generate configurations for it.
>
>IS-IS in Quagga is very, very broken to the point of not
>really being usable.
>
>We're an IS-IS shop in the backbone, but with Anycast DNS,
>we've had to run OSPF on DNS servers with Quagga/Zebra, and
>redistribute that into our IS-IS backbone.
>
>I don't know of any decent, non-router implementation of IS-IS
>at the moment. Then again, corporate networks generally
>depend on OSPF anyway.
>
>OSPFv3 isn't as feature-rich in Quagga as it is in routers,
>but if you can do away with some of those features, it'll
>work and inter-op.
>
>Mark.
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On Sunday, September 15, 2013 10:12:48 PM Adam Thompson wrote:

> What happened to all the work Google was doing on IS-IS
> in Quagga? -Adam

Still ongoing, but shipping code is not usable still.

Mark.
Re: [pfSense] PBI packaging: BGPd vs OSPFd
What happened to all the work Google was doing on IS-IS in Quagga?

-Adam

Mark Tinka wrote:

>On Sunday, September 15, 2013 07:35:27 PM Jim Pingle wrote:
>
>> I agree. From what I have done with Quagga on OSPF, it's
>> been pretty straightforward and simple and tends to just
>> work and work well.
>>
>> It isn't without its quirks, but I've never been sure if
>> those are actually quirks in Quagga or the way we
>> generate configurations for it.
>
>IS-IS in Quagga is very, very broken to the point of not
>really being usable.
>
>We're an IS-IS shop in the backbone, but with Anycast DNS,
>we've had to run OSPF on DNS servers with Quagga/Zebra, and
>redistribute that into our IS-IS backbone.
>
>I don't know of any decent, non-router implementation of IS-IS
>at the moment. Then again, corporate networks generally
>depend on OSPF anyway.
>
>OSPFv3 isn't as feature-rich in Quagga as it is in routers,
>but if you can do away with some of those features, it'll
>work and inter-op.
>
>Mark.
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On Sunday, September 15, 2013 07:35:27 PM Jim Pingle wrote:

> I agree. From what I have done with Quagga on OSPF, it's
> been pretty straightforward and simple and tends to just
> work and work well.
>
> It isn't without its quirks, but I've never been sure if
> those are actually quirks in Quagga or the way we
> generate configurations for it.

IS-IS in Quagga is very, very broken to the point of not really being usable.

We're an IS-IS shop in the backbone, but with Anycast DNS, we've had to run OSPF on DNS servers with Quagga/Zebra, and redistribute that into our IS-IS backbone.

I don't know of any decent, non-router implementation of IS-IS at the moment. Then again, corporate networks generally depend on OSPF anyway.

OSPFv3 isn't as feature-rich in Quagga as it is in routers, but if you can do away with some of those features, it'll work and inter-op.

Mark.
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
Here in California, auto update worked like a charm on my home Alix embedded system. Went from 203 to 210 on 15 sept 2013 around noon.

Yudhvir

On Sun, Sep 15, 2013 at 11:52 AM, Christian Borchert wrote:

> Thanks everyone for all the work!
> -----Original Message-----
> From: Chris Buechler
> Sender: list-boun...@lists.pfsense.org
> To: pfSense support and discussion
> To: d...@lists.pfsense.org
> ReplyTo: pfSense support and discussion
> Subject: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
> Sent: Sep 15, 2013 4:50 AM
>
> I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription,
> including immediate PDF download to the updated 2.1 book for
> subscribers!
>
> Check out the announcements on our blog.
>
> http://blog.pfsense.org/?p=712 - 2.1-RELEASE
> http://blog.pfsense.org/?p=718 - Gold Subscription
>
> Thanks for your support!
>
> Chris
>
> Sent via BlackBerry from T-Mobile
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
Thanks everyone for all the work!

-----Original Message-----
From: Chris Buechler
Sender: list-boun...@lists.pfsense.org
To: pfSense support and discussion
To: d...@lists.pfsense.org
ReplyTo: pfSense support and discussion
Subject: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
Sent: Sep 15, 2013 4:50 AM

I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, including immediate PDF download to the updated 2.1 book for subscribers!

Check out the announcements on our blog.

http://blog.pfsense.org/?p=712 - 2.1-RELEASE
http://blog.pfsense.org/?p=718 - Gold Subscription

Thanks for your support!

Chris

Sent via BlackBerry from T-Mobile
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
On Sun, Sep 15, 2013 at 10:53 AM, Adam Thompson wrote:

> I assume this is why snapshots.pfsense.org is offline (or at least not
> answering) right now?

There aren't any snapshots to be had, so it's just pointing to a "Check back later" page at the moment.

For those who were tracking snapshots via auto-update, once a stable release lands, if you want to upgrade to it via auto-update you have to change your update URL to the stable release URL. System>Firmware, Settings tab, pick the appropriate architecture from the drop down.
Re: [pfSense] wrongly blocking traffic as bogons?
On 15.09.2013 02:22, Chris Buechler wrote:

> On Fri, Sep 13, 2013 at 1:38 PM, Klaus Lichtenwalder
> wrote:
>> Hi,
>>
>> in the last few weeks I experience the effect that my pfsense box
>> suddenly blocks most of the outgoing traffic via the bogon rule. At
>> least I interpret it that way:
>> Sep 13 20:32:59 alix pf: 00:00:00.000133 rule 2/0(match): block out on
>> pppoe0: (tos 0x0, ttl 63, id 60691, offset 0, flags [DF], proto TCP (6),
>> length 638)
>> Sep 13 20:32:59 alix pf: 188.174.130.182.36379 >
>> 209.148.46.131.9001: Flags [P.], ack 3301271548, win 331, options
>> [nop,nop,TS val 2350771209 ecr 928279666], length 586
>>
>
> Bogons cannot block traffic out of WAN. What rule actually blocked the
> traffic? It's most likely normal out of state traffic if you aren't
> actually having connectivity problems, though that seems like quite a
> bit for any network where an ALIX is adequate.

I was under this assumption, as in RRD it's flagged as out-block, and on WAN Rule 2 is the bogons rule. But I remember. Rules are "going into the interface", not out... But the messages are "rule 2/0(match): block out on pppoe0"? How do I find out which rule is hit, then?

I do have a 18Mbps/1Mbps link, with in getting max 12Mbps, but out being quite exactly those 1Mbps. I checked those connections (some, there were like 100K dropped packets... in the 1week RRD, it's 723MB blocked, with a maximum 561kbs) It's quite sporadic, though

Klaus

--
Klaus Lichtenwalder, Dipl. Inform., http://www.lichtenwalder.name/
PGP Key fingerprint: 9A3B 83AF B18E CEA0 C8DC 000D 8860 42B5 E5F6 7CAE
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On 9/15/2013 1:31 PM, Jim Thompson wrote:

>
> On Sep 15, 2013, at 12:30 PM, Jim Pingle wrote:
>
>> On 9/15/2013 1:17 PM, Adam Thompson wrote:
>>> If we mix Quagga and BIRD, don't we wind up with fragmentation problems
>>> very similar to what we have now?
>>
>> No because as far as I can see BIRD's binaries are bird, birdc, and
>> birdcl. It doesn't have a dedicated daemon process for each type of routing.
>
> I want to like bird, I really do.
>
> But it’s Quagga that has gotten all the runtime in real networks, and
> attention to its codebase lately.

I agree. From what I have done with Quagga on OSPF, it's been pretty straightforward and simple and tends to just work and work well.

It isn't without its quirks, but I've never been sure if those are actually quirks in Quagga or the way we generate configurations for it.

Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On Sep 15, 2013, at 12:30 PM, Jim Pingle wrote:

> On 9/15/2013 1:17 PM, Adam Thompson wrote:
>> If we mix Quagga and BIRD, don't we wind up with fragmentation problems very
>> similar to what we have now?
>
> No because as far as I can see BIRD's binaries are bird, birdc, and
> birdcl. It doesn't have a dedicated daemon process for each type of routing.

I want to like bird, I really do.

But it’s Quagga that has gotten all the runtime in real networks, and attention to its codebase lately.

jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On 9/15/2013 1:17 PM, Adam Thompson wrote:

> If we mix Quagga and BIRD, don't we wind up with fragmentation problems very
> similar to what we have now?

No because as far as I can see BIRD's binaries are bird, birdc, and birdcl. It doesn't have a dedicated daemon process for each type of routing.

Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
If we mix Quagga and BIRD, don't we wind up with fragmentation problems very similar to what we have now?

Quagga's BGP must be at least functional since Vyatta uses it...

-Adam

Jim Pingle wrote:

>On 9/15/2013 12:50 PM, Adam Thompson wrote:
>> Is BGPd in Quagga likely to be a huge PITA? If not, I'll probably take a
>> stab at integrating it into the GUI. If I can figure out how to build
>> packages, anyway. (I'd prefer OpenOSPFd instead of Quagga, but that seems
>> like a dead duck in pfSense now.)
>> I do now need a more-capable router than what pfSense gives me, in the sense
>> that I need to be able to run EGPs and IGPs simultaneously.
>> -Adam
>
>I haven't heard much either way about Quagga's BGP capabilities to be
>honest. It may not be too hard to add into our GUI, but the main problem
>there will be that we would need to rename the package to simply
>"Quagga" rather than "Quagga OSPF" but that can be handled one way or
>another.
>
>Ermal seems to really like BIRD as well, he's mentioned several times
>that it would be good to have as a package.
>
>Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On 9/15/2013 12:50 PM, Adam Thompson wrote:

> Is BGPd in Quagga likely to be a huge PITA? If not, I'll probably take a
> stab at integrating it into the GUI. If I can figure out how to build
> packages, anyway. (I'd prefer OpenOSPFd instead of Quagga, but that seems
> like a dead duck in pfSense now.)
> I do now need a more-capable router than what pfSense gives me, in the sense
> that I need to be able to run EGPs and IGPs simultaneously.
> -Adam

I haven't heard much either way about Quagga's BGP capabilities to be honest. It may not be too hard to add into our GUI, but the main problem there will be that we would need to rename the package to simply "Quagga" rather than "Quagga OSPF" but that can be handled one way or another.

Ermal seems to really like BIRD as well, he's mentioned several times that it would be good to have as a package.

Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
I like that idea. I basically need Vyatta without the corporate... issues that goes along with it.

I'm currently using OpenBSD, which works well. However, I'm lazy and would very much like to avoid having to maintain a network of OpenBSD boxen if something with a nice, easy GUI exists.

-Adam

Jim Thompson wrote:

>On Sep 15, 2013, at 11:50 AM, Adam Thompson wrote:
>
>> Is BGPd in Quagga likely to be a huge PITA? If not, I'll probably take a
>> stab at integrating it into the GUI. If I can figure out how to build
>> packages, anyway. (I'd prefer OpenOSPFd instead of Quagga, but that seems
>> like a dead duck in pfSense now.)
>
>I strongly prefer Quagga over OpenBSD’s “solution”, but mostly because ISC has
>gotten behind it.
>https://github.com/opensourcerouting/quagga
>
>> I do now need a more-capable router than what pfSense gives me, in the sense
>> that I need to be able to run EGPs and IGPs simultaneously.
>
>Perhaps we need a separate ‘pro routing’ product/project that eliminates a lot
>of the “home network” functionality that doesn’t belong on a box that core to
>forwarding packets.
>
>Jim
>
>> -Adam
>>
>> Jim Pingle wrote:
>>
>>> On 9/15/2013 11:58 AM, Adam Thompson wrote:
>>>> Reading the release notes for 2.1 reminded me of something... shouldn't the
>>>> use of PBI packaging now automagically resolve the conflicts between
>>>> OpenBGPd/OpenOSPFd and Quagga?
>>>
>>> Somewhat.
>>>
>>> The actual calls to the binaries in their respective packages use the
>>> links in /usr/local/(s)bin/ so they still conflict since the links from
>>> one PBI will clobber the links from another.
>>>
>>> If the packages were adjusted to call the binaries from their isolated
>>> PBI dirs, then it may be OK, though since the actual binary names are
>>> the same (e.g. bgpd) some things such as the service status may not
>>> reflect the right status.
>>>
>>> Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On Sep 15, 2013, at 11:50 AM, Adam Thompson wrote:

> Is BGPd in Quagga likely to be a huge PITA? If not, I'll probably take a
> stab at integrating it into the GUI. If I can figure out how to build
> packages, anyway. (I'd prefer OpenOSPFd instead of Quagga, but that seems
> like a dead duck in pfSense now.)

I strongly prefer Quagga over OpenBSD’s “solution”, but mostly because ISC has gotten behind it.
https://github.com/opensourcerouting/quagga

> I do now need a more-capable router than what pfSense gives me, in the sense
> that I need to be able to run EGPs and IGPs simultaneously.

Perhaps we need a separate ‘pro routing’ product/project that eliminates a lot of the “home network” functionality that doesn’t belong on a box that core to forwarding packets.

Jim

> -Adam
>
> Jim Pingle wrote:
>
>> On 9/15/2013 11:58 AM, Adam Thompson wrote:
>>> Reading the release notes for 2.1 reminded me of something... shouldn't the
>>> use of PBI packaging now automagically resolve the conflicts between
>>> OpenBGPd/OpenOSPFd and Quagga?
>>
>> Somewhat.
>>
>> The actual calls to the binaries in their respective packages use the
>> links in /usr/local/(s)bin/ so they still conflict since the links from
>> one PBI will clobber the links from another.
>>
>> If the packages were adjusted to call the binaries from their isolated
>> PBI dirs, then it may be OK, though since the actual binary names are
>> the same (e.g. bgpd) some things such as the service status may not
>> reflect the right status.
>>
>> Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
Is BGPd in Quagga likely to be a huge PITA? If not, I'll probably take a stab at integrating it into the GUI. If I can figure out how to build packages, anyway. (I'd prefer OpenOSPFd instead of Quagga, but that seems like a dead duck in pfSense now.)

I do now need a more-capable router than what pfSense gives me, in the sense that I need to be able to run EGPs and IGPs simultaneously.

-Adam

Jim Pingle wrote:

>On 9/15/2013 11:58 AM, Adam Thompson wrote:
>> Reading the release notes for 2.1 reminded me of something... shouldn't the
>> use of PBI packaging now automagically resolve the conflicts between
>> OpenBGPd/OpenOSPFd and Quagga?
>
>Somewhat.
>
>The actual calls to the binaries in their respective packages use the
>links in /usr/local/(s)bin/ so they still conflict since the links from
>one PBI will clobber the links from another.
>
>If the packages were adjusted to call the binaries from their isolated
>PBI dirs, then it may be OK, though since the actual binary names are
>the same (e.g. bgpd) some things such as the service status may not
>reflect the right status.
>
>Jim
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
On 9/15/2013 12:05 PM, compdoc wrote:

> Is it possible
> to restore a backup from 2.0.3 to a fresh install of 2.1? I have it running
> in a virtual machine, so there are 2 or 3 paths I can take.

Yes, you can restore a config from any older version on 2.1.

Jim
Re: [pfSense] PBI packaging: BGPd vs OSPFd
On 9/15/2013 11:58 AM, Adam Thompson wrote:

> Reading the release notes for 2.1 reminded me of something... shouldn't the
> use of PBI packaging now automagically resolve the conflicts between
> OpenBGPd/OpenOSPFd and Quagga?

Somewhat.

The actual calls to the binaries in their respective packages use the links in /usr/local/(s)bin/ so they still conflict since the links from one PBI will clobber the links from another.

If the packages were adjusted to call the binaries from their isolated PBI dirs, then it may be OK, though since the actual binary names are the same (e.g. bgpd) some things such as the service status may not reflect the right status.

Jim
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
> I assume this is why snapshots.pfsense.org is offline (or at least not
> answering) right now?

In the release announcement are links to upgrade binaries, not all the mirrors are populated yet, find one.

In the same rel announcement is an upgrade guide link that explains how to perform the upgrade manually if you need to.
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
> >I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription,
> >including immediate PDF download to the updated 2.1 book for
>> subscribers!

>I assume this is why snapshots.pfsense.org is offline

At least the .iso for the LiveCD is downloading very quickly.

Is it possible to restore a backup from 2.0.3 to a fresh install of 2.1? I have it running in a virtual machine, so there are 2 or 3 paths I can take.

I live near Denver, Colorado where everything is washing away, and this seems a nice project and good reason for staying indoors today.
[pfSense] PBI packaging: BGPd vs OSPFd
Reading the release notes for 2.1 reminded me of something... shouldn't the use of PBI packaging now automagically resolve the conflicts between OpenBGPd/OpenOSPFd and Quagga?

-Adam Thompson
athom...@athompso.net
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
> I'm happy to announce both 2.1-RELEASE, and our new Gold
> Subscription, including immediate PDF download to the updated 2.1
> book for subscribers!

I assume this is why snapshots.pfsense.org is offline (or at least not answering) right now?

Something must be broken either at my end or yours, since auto-update just broke for me altogether. I'm hoping it's your end, otherwise I'm going to have some difficulties upgrading right away :-(.

-Adam Thompson
athom...@athompso.net
[pfSense] Heads up to the impatient - Package reinstallation during 2.1-RELEASE upgrade
Hello all,

Just a small PSA to be patient during the initial reboot of your pfSense 2.1-RELEASE upgrade. In my case, I thought it had hung as the NTOP package reinstall seemed stuck at 80%. I was just about to call out here for help, when it woke up and finished gracefully.

Anyway - just be prepared to wait several minutes - in my case over 10 - for NTOP to finish the reinstall.

Steven
[pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, including immediate PDF download to the updated 2.1 book for subscribers!

Check out the announcements on our blog.

http://blog.pfsense.org/?p=712 - 2.1-RELEASE
http://blog.pfsense.org/?p=718 - Gold Subscription

Thanks for your support!

Chris