Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-26 Thread Eero Volotinen
Hi,

Looks like the "online" upgrade (2.3.5 -> 2.4.2) trashes the sg-8860 unit to a
"non-working state" (i.e. ssl libraries missing and so on).

Where can I file a critical bug ticket? :D

--
Eero

2017-11-26 19:53 GMT+02:00 Daniel :

> I updated 3 firewalls, all without any problems.
>
> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <
> list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
>
> Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any
> known issues?
>
> It's not such a complex setup, but it is running as our hq main firewall, so
> some ipsec and openvpn connections are running against it.
>
> Eero
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense openvpn speed?

2017-11-26 Thread Eero Volotinen
Is that the real line "mtu" or just a virtual parameter?

Eero

2017-11-26 6:04 GMT+02:00 Jim Thompson :

>
> To explain why this is a good thing:
>
> One of the problems here is that while the AES-CBC (actual crypto) can be
> accelerated via AES-NI, the HMAC isn’t (very new Intel parts have SHA
> instructions, but no support in OpenSSL in any version of FreeBSD or
> pfSense as yet).
>
> So, at the end of the day, your speed will be throttled by the speed of
> SHA-256 on <= ~1450 byte packets, as well as the overhead of making two
> “crypto” passes (one enc/dec, one hmac) over the stream of data.
>
> AES-GCM is an AEAD algorithm, so you get the HMAC as a “side effect”.
>
> OpenVPN recommends AES-GCM for OpenVPN >= 2.4.
> https://community.openvpn.net/openvpn/wiki/SWEET32
>
> The other thing you can do, as indicated, is to run the “MTU” up such that
> the (OpenVPN) packet size increases, which reduces the overhead of both the
> TUN/TAP interface, as well as some of the overhead of handing relatively
> short packets to OpenSSL for encryption/decryption.
>
> Jim
>
> > On Nov 25, 2017, at 2:51 PM, Eero Volotinen wrote:
> >
> > Well,
> >
> > cipher AES-256-CBC
> > auth SHA256
> >
> > thinking to upgrade this to AES-256-GCM
> >
> > Eero
> >
> > 2017-11-25 21:30 GMT+02:00 Jim Thompson :
> >
> >> What crypto transform and authentication are you running?  Maybe try
> >> AES-GCM (which is AES-NI accelerated) at both ends if both devices support
> >> it. Might need pfSense 2.4 for this.
> >>
> >> Try setting the (OpenVPN) MTU to a larger number.
> >>
> >> More hints: https://forum.pfsense.org/index.php?topic=123915.0
> >>
> >>> On Nov 25, 2017, at 11:37 AM, Lyle  wrote:
> >>>
> >>> There is a lot of information missing here.
> >>>
> >>>
> >>> You have a better Netgate unit, but if the internet port on it is
> >>> connected to a 100Mbps switch, performance will suck.  Same on the LAN
> >>> side.  And if the ports are mismatched (half vs full duplex for instance),
> >>> performance will suffer.
> >>>
> >>>
> >>> What percentage of the gigabit link and/or LAN link on Netgate are you
> >>> utilizing before adding in OpenVPN?  Your ISP may be oversubscribed and
> >>> its uplinks are saturated.
> >>>
> >>>
> >>> You may be pushing too much traffic through the NetGate and it cannot
> >>> handle the load.
> >>>
> >>>
> >>> In other words, based on the limited info you provided, you have not
> >>> provided proof that it's a problem with the NetGate.
> >>>
> >>>
> >>> Lyle Giese
> >>>
> >>>> On 11/25/17 06:34, Eero Volotinen wrote:
> >>>> Hi list,
> >>>>
> >>>> We are running pfsense 2.3 on netgate sg-8860.
> >>>>
> >>>> Device is connected to internet with gigabit link, but openvpn speed is
> >>>> very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
> >>>>
> >>>> Eero
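
The two constructions compared in the quoted explanation above, as an added example that is not part of the original thread: AES-256-CBC followed by a separate HMAC-SHA256 pass versus single-pass AES-256-GCM, sealed over 1450-byte packets. It assumes the Python `cryptography` package and uses a simplified packet layout rather than OpenVPN's wire format; the measured numbers depend on the host CPU and OpenSSL build.

```python
import os
import time
from cryptography.hazmat.primitives import hashes, hmac, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PACKET = 1450  # payload bytes per packet, the size quoted in the thread

def seal_cbc_hmac(enc_key, mac_key, payload):
    """Two passes over the data: AES-256-CBC, then HMAC-SHA256 (encrypt-then-MAC)."""
    iv = os.urandom(16)
    padder = padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).encryptor()
    ct = enc.update(padder.update(payload) + padder.finalize()) + enc.finalize()
    mac = hmac.HMAC(mac_key, hashes.SHA256())
    mac.update(iv + ct)
    return mac.finalize() + iv + ct  # 32-byte tag, 16-byte IV, ciphertext

def open_cbc_hmac(enc_key, mac_key, packet):
    """Verify the HMAC first (raises InvalidSignature), only then decrypt."""
    tag, iv, ct = packet[:32], packet[32:48], packet[48:]
    mac = hmac.HMAC(mac_key, hashes.SHA256())
    mac.update(iv + ct)
    mac.verify(tag)
    dec = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(dec.update(ct) + dec.finalize()) + unpadder.finalize()

def seal_gcm(key, counter, payload):
    """One pass: AES-256-GCM encrypts and authenticates in the same operation."""
    nonce = counter.to_bytes(12, "big")  # must never repeat under one key
    return nonce + AESGCM(key).encrypt(nonce, payload, None)

def open_gcm(key, packet):
    """Decrypt and check the 16-byte tag (raises InvalidTag on tampering)."""
    return AESGCM(key).decrypt(packet[:12], packet[12:], None)

def mbit_per_s(seal, packets=20000):
    """Throughput of seal(counter, payload) over fixed-size random packets."""
    payload = os.urandom(PACKET)  # constructed sample data
    start = time.perf_counter()
    for i in range(packets):
        seal(i, payload)
    return packets * PACKET * 8 / (time.perf_counter() - start) / 1e6

if __name__ == "__main__":
    ek, mk, gk = os.urandom(32), os.urandom(32), os.urandom(32)
    print("CBC + HMAC-SHA256: %.0f Mbit/s" % mbit_per_s(lambda i, p: seal_cbc_hmac(ek, mk, p)))
    print("AES-256-GCM:       %.0f Mbit/s" % mbit_per_s(lambda i, p: seal_gcm(gk, i, p)))
```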

Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-26 Thread Edward O. Holcroft
My 8860 upgrade was uneventful. Also running ipsec and openvpn. No issues.

It did take quite a while to finish. Just don't interfere with it until
it's done.

I made sure I had a current backup and bootable 2.3.5 on hand before the
upgrade in case I had to roll back. Never needed it though.

Have you done the Netgate coreboot upgrade on your 8860? If you're planning
downtime, maybe you want to handle this at the same time:

https://www.reddit.com/r/PFSENSE/comments/6009os/firmware_update_information_related_to_netgate/

ed



*Edward O. Holcroft*
IT Operations Manager

*Madsen, Kneppers & Associates, Inc.*
Construction Consultants & Engineers
11695 Johns Creek Parkway, Suite 250
Johns Creek, GA 30097

*O*  770.446.9606  |  *F*  770.446.9612  |  *C*  770.630.0949  |
eholcr...@mkainc.com

www.mkainc.com

On Sun, Nov 26, 2017 at 7:04 AM, Eero Volotinen wrote:

> Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any
> known issues?
>
> It's not such a complex setup, but it is running as our hq main firewall, so
> some ipsec and openvpn connections are running against it.
>
> Eero


Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-26 Thread Daniel
I updated 3 firewalls, all without any problems.

On 26.11.17, 13:04, "List on behalf of Eero Volotinen" wrote:

Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any
known issues?

It's not such a complex setup, but it is running as our hq main firewall, so
some ipsec and openvpn connections are running against it.

Eero


[pfSense] pfsense 2.3 -> 2.4 upgrade?

2017-11-26 Thread Eero Volotinen
Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any
known issues?

It's not such a complex setup, but it is running as our hq main firewall, so
some ipsec and openvpn connections are running against it.



Eero