Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
Hi,

Looks like the "online" upgrade (2.3.5 -> 2.4.2) trashes the sg-8860 unit to a "non-working state" (i.e. SSL libraries missing and so on).

Where can I file a critical bug ticket? :D

--
Eero

2017-11-26 19:53 GMT+02:00 Daniel:

> I updated 3 firewalls, all without any problems.
>
> On 26.11.17, 13:04, "List on behalf of Eero Volotinen" <list-boun...@lists.pfsense.org on behalf of eero.voloti...@iki.fi> wrote:
>
>     Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any known issues?
>
>     It's not so complex a setup, but it's running as our HQ main firewall, so some ipsec and openvpn connections are running against it.
>
>     Eero

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] pfsense openvpn speed?
Is that the real line "mtu" or just a virtual parameter?

Eero

2017-11-26 6:04 GMT+02:00 Jim Thompson:

> To explain why this is a good thing:
>
> One of the problems here is that while the AES-CBC (actual crypto) can be accelerated via AES-NI, the HMAC isn’t (very new Intel parts have SHA instructions, but no support in OpenSSL in any version of FreeBSD or pfSense as yet).
>
> So, at the end of the day, your speed will be throttled by the speed of SHA-256 on <= ~1450 byte packets, as well as the overhead of making two “crypto” passes (one enc/dec, one hmac) over the stream of data.
>
> AES-GCM is an AEAD algorithm, so you get the HMAC as a “side effect”.
>
> OpenVPN recommends AES-GCM for OpenVPN >= 2.4.
> https://community.openvpn.net/openvpn/wiki/SWEET32
>
> The other thing you can do, as indicated, is to run the “MTU” up such that the (OpenVPN) packet size increases, which reduces the overhead of both the TUN/TAP interface, as well as some of the overhead of handing relatively short packets to OpenSSL for encryption/decryption.
>
> Jim
>
> > On Nov 25, 2017, at 2:51 PM, Eero Volotinen wrote:
> >
> > Well,
> >
> > cipher AES-256-CBC
> > auth SHA256
> >
> > thinking to upgrade this to AES-256-GCM
> >
> > Eero
> >
> > 2017-11-25 21:30 GMT+02:00 Jim Thompson:
> >
> >> What crypto transform and authentication are you running? Maybe try AES-GCM (which is AES-NI accelerated) at both ends if both devices support it. Might need pfSense 2.4 for this.
> >>
> >> Try setting the (OpenVPN) MTU to a larger number.
> >>
> >> More hints: https://forum.pfsense.org/index.php?topic=123915.0
> >>
> >>> On Nov 25, 2017, at 11:37 AM, Lyle wrote:
> >>>
> >>> There is a lot of information missing here.
> >>>
> >>> You have a better Netgate unit, but if the internet port on it is connected to a 100Mbps switch, performance will suck. Same on the LAN side. And if the ports are mismatched (half vs full duplex for instance), performance will suffer.
> >>>
> >>> What percentage of the gigabit link and/or LAN link on Netgate are you utilizing before adding in OpenVPN? Your ISP may be oversubscribed and its uplinks are saturated.
> >>>
> >>> You may be pushing too much traffic through the NetGate and it can not handle the load.
> >>>
> >>> In other words, based on the limited info you provided, you have not provided proof that it's a problem with the NetGate.
> >>>
> >>> Lyle Giese
> >>>
> >>> On 11/25/17 06:34, Eero Volotinen wrote:
> >>>> Hi list,
> >>>>
> >>>> We are running pfsense 2.3 on netgate sg-8860.
> >>>>
> >>>> Device is connected to internet with gigabit link, but openvpn speed is very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
> >>>>
> >>>> Eero
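
Added example (not part of any message in this thread): the quoted point that AES-CBC plus a separate HMAC-SHA256 pass costs two passes over each packet, while AES-GCM needs one, worked through as a small calculator over `openssl speed -evp` output. The sample rows and their figures are constructed, the function names are illustrative, and treating the two passes as strictly sequential on one core is a simplifying assumption.

```python
import re

# Constructed sample in the layout `openssl speed -evp <alg>` prints, one row per
# run pasted together. The figures are invented, not SG-8860 measurements.
SAMPLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-cbc     480000.00k   520000.00k   540000.00k   550000.00k   552000.00k   552500.00k
sha256           60000.00k   140000.00k   260000.00k   330000.00k   350000.00k   352000.00k
aes-256-gcm     300000.00k   700000.00k  1300000.00k  1700000.00k  1900000.00k  1910000.00k
"""


def parse_speed(text, column="1024 bytes"):
    """Return {algorithm: bytes per second} for one block-size column.

    1024 bytes is the printed column closest to a ~1450 byte VPN packet.
    """
    lines = text.strip().splitlines()
    sizes = re.findall(r"\d+ bytes", lines[0])
    idx = sizes.index(column)
    rates = {}
    for line in lines[1:]:
        fields = line.split()
        # openssl reports 1000s of bytes per second with a trailing 'k'
        rates[fields[0]] = float(fields[1 + idx].rstrip("k")) * 1000
    return rates


def two_pass_rate(cipher_rate, mac_rate):
    """Throughput when every byte goes through the cipher and then the MAC."""
    return 1.0 / (1.0 / cipher_rate + 1.0 / mac_rate)


def compare(text):
    """Crypto-only ceiling in Mbit/s for CBC+HMAC-SHA256 versus GCM."""
    r = parse_speed(text)
    cbc_hmac = two_pass_rate(r["aes-256-cbc"], r["sha256"])
    return {
        "cbc_hmac_mbit": round(cbc_hmac * 8 / 1e6),
        "gcm_mbit": round(r["aes-256-gcm"] * 8 / 1e6),
    }


if __name__ == "__main__":
    print(compare(SAMPLE))
```

To use it, replace `SAMPLE` with rows from `openssl speed -evp aes-256-cbc`, `-evp sha256` and `-evp aes-256-gcm` run on the firewall itself. The result bounds crypto throughput only and leaves out the TUN/TAP and per-packet overhead the thread also mentions.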
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
My 8860 upgrade was uneventful. Also running ipsec and openvpn. No issues. It did take quite a while to finish. Just don't interfere with it until it's done.

I made sure I had a current backup and bootable 2.3.5 on hand before the upgrade in case I had to roll back. Never needed it though.

Have you done the Netgate coreboot upgrade on your 8860? If you're planning downtime, maybe you want to handle this at the same time:
https://www.reddit.com/r/PFSENSE/comments/6009os/firmware_update_information_related_to_netgate/

ed

*Edward O. Holcroft*
IT Operations Manager
*Madsen, Kneppers & Associates, Inc.*
Construction Consultants & Engineers
11695 Johns Creek Parkway, Suite 250
Johns Creek, GA 30097
*O* 770.446.9606 | *F* 770.446.9612 | *C* 770.630.0949 | eholcr...@mkainc.com
www.mkainc.com

On Sun, Nov 26, 2017 at 7:04 AM, Eero Volotinen wrote:

> Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any known issues?
>
> It's not so complex a setup, but it's running as our HQ main firewall, so some ipsec and openvpn connections are running against it.
>
> Eero
Re: [pfSense] pfsense 2.3 -> 2.4 upgrade?
I updated 3 firewalls, all without any problems.

On 26.11.17, 13:04, "List on behalf of Eero Volotinen" wrote:

    Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any known issues?

    It's not so complex a setup, but it's running as our HQ main firewall, so some ipsec and openvpn connections are running against it.

    Eero
[pfSense] pfsense 2.3 -> 2.4 upgrade?
Just planning to upgrade my sg-8860 from pfsense 2.3 to 2.4. Are there any known issues?

It's not so complex a setup, but it's running as our HQ main firewall, so some ipsec and openvpn connections are running against it.

Eero