Re: [pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-06 Thread melvin
If you're going to have 2 systems you can cluster them and make anything you're 
running HA even without duplicate vms.

Original message
From: Chuck Mariotti cmario...@xunity.com
Date: 02/05/2015 22:22 (GMT-05:00)
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...

Thanks… I am leaning that way I think… just trying to wrap my head 
around if it is worth trying to buy more ram + more storage (HW RAID) to make 
them ESXI worthy to run VMs, or if I should just keep it basic… the ESXI is 
tempting since I can at least make the secondary server do other stuff instead 
of just waiting for a failure on primary. Trying to think of useful virtual 
machines to run that are not mission critical if a machine dies (since not 
raid), don’t have license to real-time replicate it on the VMWare side, but 
that might be useful for datacenter...
  
  
  
   From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason Whitt
 Sent: February-05-15 3:23 PM
 To: pfSense Support and Discussion Mailing List
 Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...
 
 
 
 
  I would add that for "data center" workloads the APUs may not be 
 the best choice ... Those 8 core atoms are plenty for multi 1gig feeds and 
 the NICs are solid.

 
  
 
 
  
 Sent from my iPhone

 
  
 On Feb 5, 2015, at 12:38 PM, Jeremy Bennett jbenn...@hikitechnology.com 
 wrote:

 
Jason is correct. Those Supermicro boxes are awesome. Be careful when 
 ordering though... they want ECC memory. 

  
 
 
  The APUs from Netgate are nice too–the year of bundled support has already 
 saved my bacon a number of times. Well worth the cost.

 
 
  
 
  On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt jason.wh...@gmail.com wrote:

I've run as VMs using vmxnet3s as well as physical on these 
 http://m.newegg.com/Product/index?itemnumber=16-101-837

 
  
 
 
  Both are viable options.

 
  
 
 
  Jason
 
 Sent from my iPhone

 
  
 On Feb 5, 2015, at 11:11 AM, Walter Parker walt...@gmail.com wrote:

 
I've used pfSense in a VM on my ESXi application server. This is mostly to 
 firewall the Windows VMs from the Internet. 

  
 
 
  If you want fail-over, I'd suggest getting one of the new Netgate 
 (http://store.netgate.com/NetgateAPU2.aspx or 
 http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense 
 (https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an 
 SSD. Then you can run a full install that supports package installs with a 
 power budget of ~10-15 Watts for the APU units. Then you have a choice of 
 getting a second HW unit for an additional $400 to $1000, or setting up 
 pfSense in a VM (not on a separate VMware server, on an existing VM server).

 
  
 
 
  The higher end HW systems on those pages are 8 core Atom systems built to 
 run pfSense (of course, the power requirements will be in the 100W range). 
 With an SSD, these systems should last for a long time with no issues.

 
  
 
 
  How much firewall horsepower do you need? What are your constraints (time, 
 money, space)?

 
  
 
 
  P.S. You can run packages on embedded in 2.2, you just want to be careful 
 not to run packages that would trash the SD card with too many writes. 

 
  
 
 
  
 
 
  Walter

 
 
  
 
  On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti cmario...@xunity.com wrote:

Have been using pfSense for years at our datacenter, very happy with it 
 running on old dedicated hardware with failover. The hardware is overdue to be 
 retired and I’m wondering what people are doing/recommending for a datacenter 
 setup. We want to use OpenVPN Server, IDS, dBandwidth, etc… so need to keep 
 our options open for the ability to run packages... behind it we are running 
 multiple servers and vCenter/ESXI servers.

  

 What’s the go-to setup for a datacenter these days?

  

 Do we stick with two dedicated boxes?
 Since we pay for power, nice to have lower power… So do we go as low as using 
 embedded hardware? It used to not be recommended for packages… still the case 
 I assume?

 So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core, or 
 8 core!!??! etc…).

  

 But then I see so many people running pfSense in VMWare and I wonder if we 
 should consider this. Then I think about the hardware needs and VMWare 
 Licensing (would like to avoid)… and what else can I run on the hardware 
 along side without hurting pfSense from running properly, etc…

  

 If pfSense is setup to failover, that means the hardware can be cheap…. No 
 RAID needed.

 If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages… can 
 I run it off of USB stick then or do I still need HDD/SSD?

  

 If setting up new hardware so can run pfSense as Virtual Machines… I would 
 need two VM Hosts running pfSense as VM’s so would have the failover... What 
 should we 

Re: [pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-06 Thread Vick Khera
On Thu, Feb 5, 2015 at 12:40 PM, Chuck Mariotti cmario...@xunity.com
wrote:

 Do we stick with two dedicated boxes?
 Since we pay for power, nice to have lower power… So do we go as low as
 using embedded hardware? It used to not be recommended for packages… still
 the case I assume?

 So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core,
 or 8 core!!??! etc…).


A couple of years ago I updated my data center systems to a pair of
SuperMicro systems from Silicon Mechanics. I bought their smallest boxes
(half depth) and had them custom configure them with a single SSD each and
16GB of RAM which was their minimum. I also had them put in the low-power
Xeon CPUs since I, too, pay for power.

I run two point to point OpenVPNs and a handful of road warrior VPN
connections. I don't run any other pfSense packages. There are about 25 or
so firewall rules and about that many aliases as well.

I've measured the outbound traffic peaking at over 200Mbps. I'm sure it can
do more but I just can't generate that much traffic naturally. I'm not
bonding the NICs either -- these are just single gigabit ethernet
connections.

Last year I upgraded my main office firewall from an ALIX based twin
configuration to a pair of pfSense branded C2758. I think these are mighty
fine boxes and would be able to handle my data center traffic just fine as
well, had they been available at the time I needed them.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] CoDel QOS

2015-02-06 Thread WebDawg
Can someone tell me the proper way to apply CoDel QoS?

http://en.wikipedia.org/wiki/CoDel

https://forum.pfsense.org/index.php?topic=88162.0

I am getting conflicting answers on how it is applied.

From what I have read, you just turn it on, that is it.  No
parameters.  I was trying to find just the commands to apply it on a
normal freebsd box so I could understand if any of the options offered
along with it on the pfSense QoS form matter.  I did not have luck and
I assume I was just looking in all the wrong places.

Like I mentioned before everything I read says that it is
parameter-less.  But in the same reading it talked about RED and the
fact that it was built off of RED.  I can see how parameter-less means
that RED has many 'knobs and such'  but CoDel has none (excluding BW).
Still I think that this could be wrong though.

From what I read, it just needs enabled and only is concerned about
buffer times.  No BW, etc.

Last question:  In that forum post it was stated interface speed vs
connection speed would make a difference.  While I understand that
this does affect other types of QoS, from what I read, it does not
affect CoDel.

Can someone please explain this stuff?


Re: [pfSense] pfsense 2.2 (i386) - Soekris 6501-70 - Crashing once a day or so

2015-02-06 Thread Giles Coochey

On 29/01/2015 12:47, Giles Coochey wrote:
I was running pfsense 2.1.5 (i386) on my Soekris 6501-70 with an mSata 
disk drive without any problems.


I recently upgraded to pfsense2.2 (i386) and it appears to be crashing 
once a day or so.


Now that I've disabled read-only /var and /tmp it reports upon logging 
in whether I want to send the crash dumps to the developers - for 
which I'm saying 'yes' to.


Apart from that, I'm at a loss as to what the problem is, I can't read 
the crashdump lingo, but I wonder if these crash dumps are being 
received, and whether anyone else is experiencing an issue with 
Soekris 6501 hardware and pfsense 2.2 (i386)?


Well... no response to the mailing lists, one offline response 
effectively telling me that 2.2 is no good.


My Soekris eventually crashed and did not manage to boot up again, so 
I'm going to revert to 2.1.5.


I have tried installing 2.2 i386 onto my mSata drive, but it doesn't 
even post after the image is put to the mSata drive, so can only assume 
that 2.2 doesn't support the soekris 6501 hardware, or at least the 
mSATA ports.




