Re: [pfSense] Configs or hardware?

2018-02-15 Thread Ivo Tonev
Try increasing network buffers via "system tunables". On Feb 15, 2018 12:14, "Michael Munger" wrote: > TL; DR. > > On 1Gbps downloads, our pfSense firewalls are performing poorly with > speed tests of ~400Mbps. It's either pfSense configs (not likely) or the

Re: [pfSense] quagga/bgp

2017-11-17 Thread Ivo Tonev
I'm using it. There are no problems. On Nov 17, 2017 11:30, "Daniel" wrote: > Here this, > > > > is anyone using quagga with bgpd as a self installed package on pfsense? > > I don’t want to use openBGPd and I also don’t want to use FRR because I am > completely new in

Re: [pfSense] IPv6 nat

2017-11-16 Thread Ivo Tonev
You can use NPT. On Nov 16, 2017 5:19 PM, "Daniel" wrote: > Hi there, > > > > I added a private ipv6 LAN on my pfsense which has to do NAT like on IPv4. > > > > But it seems that NAT with ipv6 is not possible. Is there any way or is it > not possible to NAT IPv6

Re: [pfSense] Strange packetloss

2017-10-20 Thread Ivo Tonev
On each interface you have "Block bogon networks". Is that option active? On Fri, Oct 20, 2017 at 2:00 PM, Daniel wrote: > Hi Everyone, > > > > Actually I have an any/any rule applied on all my interfaces. This I did > actually only for debugging issues. > > But I can

Re: [pfSense] problems with lagg interfaces?

2017-10-17 Thread Ivo Tonev
Even if your VLAN doesn't come up, you can capture traffic on the physical interfaces with tcpdump. See what you can capture before any other move. Do bottom-up troubleshooting. On Oct 17, 2017 12:34, "Eero Volotinen" wrote: > So, you mean that it is not working? > >

Re: [pfSense] High-latency when traffic reaches 80% wirespeed

2017-10-05 Thread Ivo Tonev
Run "top -SH" to find the top CPU-consuming tasks. On Thu, Oct 5, 2017 at 8:44 AM, Christoph Haas wrote: > On Wednesday, 04.10.2017, 15:05 -0400, ED Fochler wrote: > > I have a similar situation and I solved it with limiters. I'm also a > fan of limiters to ensure

Re: [pfSense] High-latency when traffic reaches 80% wirespeed

2017-10-04 Thread Ivo Tonev
You can try raising some "System tunables":

    net.inet.tcp.recvspace 524288
    net.inet.tcp.sendspace 524288
    net.raw.recvspace 524288
    net.inet.raw.recvspace 524288
    net.raw.sendspace 524288
    net.inet.raw.maxdgram 524288
    net.link.ifqmaxlen 2048
    net.inet.tcp.recvbuf_inc 65536
    net.inet.udp.recvspace 524288

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Ivo Tonev
Can you send a network diagram? Why 2 switches? How are they connected? Is there any feature like Cisco's ARP inspection? On Jun 7, 2017 10:45, "Daniel" <dan...@linux-nerd.de> wrote: > Both are Physical. > > -- > Regards > > Daniel > > Am 07.06.17

Re: [pfSense] massive CARP Failover

2017-06-07 Thread Ivo Tonev
Are the firewalls virtual or physical servers? On Wed, Jun 7, 2017 at 9:12 AM, Daniel wrote: > Hi, > > Firewall on the Switch is the latest installed. > The Switch is just simple installed. No VLANS actually just IGMP disabled. > Carp has for sure 3 IPs. 2 Dedicated for each

Re: [pfSense] RRD alternatives

2017-02-17 Thread Ivo Tonev
zabbix ( via agent package or snmp ) nagios ( snmp ) http://nfsen.sourceforge.net/ ( softflowd ) On Fri, Feb 17, 2017 at 7:00 PM, Antonio Cortes Alhambra < antonio.cor...@incatel.cl> wrote: > http://www.cacti.net/ > > > Kind regards > > > > > >

Re: [pfSense] BandwithD

2017-02-16 Thread Ivo Tonev
It was removed. You can use netflow with a netflow collector on another server. On Feb 16, 2017 12:20, "Daniel" wrote: > Hi there, > > is it possible that bandwithD is removed from the Packages? > I wanted to install it and I can't see it anymore. > > Is there any

Re: [pfSense] pf rule error

2016-08-09 Thread Ivo Tonev
Check your states table size. On Aug 9, 2016 22:47, "Joseph L. Casale" wrote: > I recently received an error that the pf table was wedged and had been > reset > while making changes. A few days later, a vlan stopped passing dhcp traffic > and filter reload did

Re: [pfSense] yesterday update to 2.3.2 has not worked - these machines now can not update any more

2016-07-27 Thread Ivo Tonev
From the console:

    pkg clean
    pkg update
    pkg upgrade
    reboot

On Jul 27, 2016 10:54, "WolfSec-Support" wrote: > Hi Jim > > Many thanks for your hint. > Well it is still not working. > > See: > > >>> Updating repositories metadata... > Updating pfSense-core repository

Re: [pfSense] Errors when attempting upgrade to 2.3.2 from 2.3.1.5

2016-07-26 Thread Ivo Tonev
Yes. You can run from the console:

    pkg clean
    pkg update
    pkg upgrade
    reboot

On Jul 26, 2016 12:03 PM, "mayak" wrote: > Both on an embedded APU and HP-DL-160 ... > > Fetching pfSense-2.3.2.txz: . done >> pkg: >>

Re: [pfSense] OSPF help

2016-07-23 Thread Ivo Tonev
You can set up an OpenVPN site-to-site VPN across your sites and run OSPF only in the VPN tunnel. On Sat, Jul 23, 2016 at 8:55 PM, Francois Roussy wrote: > I will add another thing I tried.. > > Also, I had tried to create a policy based, using multiple phase 2 with > all my

Re: [pfSense] HAproxy question

2015-12-12 Thread Ivo Tonev
Run "netstat -anl | grep LISTEN | grep 443" ( for tcp ) to verify on which port/ip haproxy and openvpn are running. OpenVPN doesn't listen on VIP. On 12/12/2015 10:31, "C. R. Oldham" wrote: > Actually I think I characterized this problem the wrong way. > > It appears that

Re: [pfSense] How to restrict certain websites for certain computers during certain times of the day?

2015-07-31 Thread Ivo Tonev
You can use squid+squidguard to create restrictions and time ranges. You need to create local users on the pfSense box and use authentication. On 31/07/2015 12:36, Tim Koop t...@timkoop.com wrote: I have installed pfsense and I would like to block certain websites during certain times of the day

Re: [pfSense] blocking torrents and web based https proxies

2015-03-27 Thread Ivo Tonev
You can block torrents with suricata. Works 100%. Install the package and activate all p2p rules. For web proxies you can use squid+(squidguard with http://www.urlblacklist.com/ ) and force everyone to use your proxy. On Thu, Mar 26, 2015 at 11:44 PM, Sean m...@thegeekclub.net wrote: Torrent

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-10-03 Thread Ivo Tonev
[image: Inline image 1] On Thu, Oct 2, 2014 at 7:01 AM, Stefan Fuhrmann ste...@fuhrmann.homedns.org wrote: Hello Ivo, yes 2 pfsense nodes as cluster 2 loadbalancer 3 webserver need more info? tia Stefan -- *From: *Ivo Tonev i...@tonev.pro.br

Re: [pfSense] Snort as IPS in Pfsense

2014-09-30 Thread Ivo Tonev
a bridge with WAN and LAN and I don't assign an IP, the IPS won't download the signs from Internet...I'm a bit confused. Thanks a lot, regards. JeLo On Tue, Sep 30, 2014 at 10:55 AM, Ivo Tonev i...@tonev.pro.br wrote: Yes. Always use out of band management. On Tue, Sep 30, 2014 at 10:35

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
Use suricata On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com wrote: Dear, I need to know if it's possible to setup Pfsense with Snort to get an IPS (Intrusion Prevention System), and in this case what is the graphical interface used to view events and dropped traffic. Thanks

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
can using Snort ??? 2) In IPS mode, do I have to have 3 interfaces in my server ??? 3) The only way to view the IPS blocking events is from into Pfsense or can I use Snorby ??? Thanks again, Roberto Thanks again, Roberto 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br: Use

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
, Roberto Thanks again, Roberto 2014-09-29 14:37 GMT-03:00 Ivo Tonev i...@tonev.pro.br: Use suricata On Sep 29, 2014 2:27 PM, Roberto Carna robertocarn...@gmail.com wrote: Dear, I need to know if it's possible to setup Pfsense with Snort

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
build a hogwash like setup if you like. On 29 Sep 2014 21:38, Roberto Carna robertocarn...@gmail.com wrote: Ivo, I want to locate the IPS between the router and the corporative firewall, so I think to use bridge mode is correct??? 2014-09-29 16:34 GMT-03:00 Ivo Tonev i...@tonev.pro.br

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
I don't like the bridge approach because if you have many VLANs it becomes very complicated. I always use the router approach because I can configure the IDS for one interface and IPS for another. If you don't have enough IP addresses, you can use invalid IP on firewall WAN and create a route on

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread Ivo Tonev
In a production environment you need 3 interfaces - one for WAN, one for LAN and one for management. http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html On Mon, Sep 29, 2014 at 9:24 PM, compdoc comp...@hotrodpc.com wrote: But you say: one interface for WAN, a second

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-09-28 Thread Ivo Tonev
Can you send your network layout? How many servers? -- Ivo Tonev i...@tonev.pro.br On Sep 28, 2014, at 05:58, Stefan Fuhrmann ste...@fuhrmann.homedns.org wrote: Hello all, can someone help? tia Stefan On Friday, 26 September 2014, 15:11:04, Stefan Fuhrmann wrote: Hello