Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...
Is it possible these numbers are for both interfaces on the pfSense box? If so, do they include both inbound and outbound traffic for both? That would effectively double the true data transfer if traffic isn't being routed between other subnets / interfaces on the firewall. I don't have RRD loaded so this is strictly speculation on a possible cause.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck Mariotti
Sent: Wednesday, May 23, 2018 1:57 PM
To: list@lists.pfsense.org
Subject: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

We've run into a data overage situation at a datacenter... We get charged a premium per GB over 500GB (yes I know, stupid). Their reporting system seems to indicate significantly less data usage vs pfSense's RRD reporting... their billing system seems to be indicating overage similar to their reporting... Uploads seem to be growing significantly.

Any idea why the pfSense box seems to be counting differently than the datacenter's metrics? We need to track down where this usage has happened, but I know users have only grown ~5% over that same period of time.

Here are stats for each month:

                                January               February              March                 April                 May (to 23rd)
Datacenter (Upload/Download):   618.95GB/76.01GB      365.25/47.15GB        799.92/79.81GB        801.67/105.01GB       581.57/76.26GB
pfSense RRD (Upload/Download):  1372.41GiB/148.91GiB  1388.65/149.60GiB     1697.71/152.24GiB     1706.53/200.86GiB     1177.95/139.55GiB

Any suggestions how or why there is a mismatch?

Regards,
Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata
Lots of ISPs still make you do that for managed circuits.

On May 17, 2018, 10:56, at 10:56, John Johnstone wrote:
>On 5/16/18 12:25 PM, WebDawg wrote:
>
>> It is high risk compared to serial, but when you are doing the job
>> remotely, and the pfsense device is your core router, how do I log in
>> and see the serial data?
>
>Dial-up modem? Just couldn't resist...
>
>-
>John J.
Re: [pfSense] pfsense on watchguard xtm 810?
I've had good luck in similar cases by installing on a generic machine then putting the media in the target box.

On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen wrote:
>Hi List,
>
>I need to install pfsense 2.4 on watchguard xtm 810. There is an issue as it
>does not boot from usb stick, only from cf or sata.
>
>Any idea how to install pfsense on it? It works with 2.3 nano-vga image,
>but such is not available for pfsense 2.4
>
>--
>Eero
Re: [pfSense] CARP Demotion Not Working
But think of the time you would have wasted instead. Just trading a little pride for time. Seems like a good deal most times.

On Nov 3, 2017, 15:02, at 15:02, Andrew Kester wrote:
>Actually, it looks like Node B was indeed in maintenance mode. Setting
>it back to normal seems to have resolved the problem.
>
>(That always seems to happen: send mail to a mailing list and it's
>something silly on my end)
>
>---
>Thanks!
>
>Andrew Kester
>The Storehouse
>https://sthse.co
>
>On 11/3/17 11:23 AM, Steve Yates wrote:
>> Are you using the "enter persistent maintenance mode" here? I'm
>> trying to remember when I looked at this a couple years ago but overall
>> if we shut down node A, node B takes over, and when A boots up it
>> becomes Master again. However if I enter maintenance mode first
>> (forcing B to Master) then B stays as Master after A comes up again.
>>
>> I have seen the occasional situation where we exit maintenance mode
>> and the IPv6 CARP WAN IP ends up with *both* routers showing as Master,
>> but at that point I restart node B and it clears out (we have CARP IPs
>> for two LANs and a WAN, and both IPv4 and IPv6, on two virtualized
>> routers).
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Andrew Kester
>> Sent: Friday, November 3, 2017 10:49 AM
>> To: list@lists.pfsense.org
>> Subject: Re: [pfSense] CARP Demotion Not Working
>>
>> An update on this, if the master node is rebooted during a failure, the
>> secondary node takes over correctly and remains the master as would be
>> expected.
>>
>> This makes me think that the priority is set correctly but the second
>> node for some reason isn't honoring the advskew set by the master correctly.
>>
>> To illustrate what I mean-
>>
>> -------------------
>> | Node A | Node B |
>> -------------------
>> | M   M  | B   B  | Normal, Node A is master on all CARP IP's
>> | M   X  | B   M  | Failure, incorrect though. Node B should be master.
>> | -   -  | M   M  | Node A Offline, B takes over as master correctly
>> | B   X  | M   M  | After restart, correct behavior. Node B is master.
>> -------------------
>> M - Master
>> X - Down
>> B - Backup
>>
>> I've also run through the CARP troubleshooting guide here to no avail.
>> https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting
>>
>> Let me know if you need more information or clarification, I'm not sure
>> the best way to illustrate / communicate my problem.
>>
>> ---
>> Thanks,
>>
>> Andrew Kester
>> The Storehouse
>> https://sthse.co
>>
>> On 11/1/17 3:30 PM, Andrew Kester wrote:
>>> Hi List,
>>>
>>> I'm having an issue with CARP preempt. I have two pfSense machines
>>> running 2.4.1-RELEASE. CARP fails over all individual IPs correctly,
>>> but doesn't preempt correctly in the case of a single failure.
>>>
>>> On both machines, I've checked that net.inet.carp.preempt is enabled.
>>> The master appears to be detecting the demotion, as it sets
>>> net.inet.carp.demotion to 240 during a failure, but ifconfig still
>>> reports advskew as 0.
>>>
>>> I'm not 100% sure if that number should update, or if the demotion
>>> number is added to the advskew reported by ifconfig.
>>>
>>> Relevant sysctl, ifconfig, and log output taken from the master firewall
>>> during a failure is attached.
>>>
>>> Any help is greatly appreciated!
>>>
>>> ---
>>> Thanks,
>>>
>>> Andrew Kester
>>> The Storehouse
>>> https://sthse.co
Re: [pfSense] speed problems with SG-1000
Based on the product page the max throughput as you described would seem to be 200Mbps.

https://www.netgate.com/products/sg-1000.html

See the notes at the bottom of the page.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of John DeSoi
Sent: Monday, May 15, 2017 6:42 PM
To: list@lists.pfsense.org
Subject: [pfSense] speed problems with SG-1000

I just purchased a SG-1000 for use with my Google Fiber installation. I did minimal configuration of the SG-1000, only changing the LAN address to 192.168.200.X (GF is 192.168.100.X). I hooked the WAN port to one of the GF ethernet ports and then my laptop to the LAN port on the SG-1000. Using GF performance test, the upload/download speed is only about 10% of what I get compared to plugging my laptop directly into the GF ethernet port (1000 Mbps versus 100 Mbps using the SG-1000). The SG-1000 shows both ethernet connections are 1000baseT.

Shouldn't this device be able to do basic routing at the full speed of the WAN connection? I did the same setup with a consumer router (ASUS) and it has no problem with upload/download over 900 Mbps.

John DeSoi, Ph.D.
Re: [pfSense] bind domain specific forwarder
What you're trying to accomplish is something we commonly do with conditional forwarders, but they would forward all requests to a specific domain so site1... and site2... would have to be separate domains. I don't use bind to do that personally but I would assume it has that capability. Perhaps that will at least give you the proper search terms to find more info.

On Sep 22, 2016, 15:58, at 15:58, Steve Yates wrote:
>I don't know if you need forwarding for this. Can you just add an NS
>record to the example.com zone for site2.example.com pointing to
>10.0.10.1 (well, a hostname that points to that IP)?
>
>--
>
>Steve Yates
>ITS, Inc.
>
>-Original Message-
>From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Satish Patel
>Sent: Thursday, September 22, 2016 2:54 PM
>To: pfSense Support and Discussion Mailing List
>Subject: [pfSense] bind domain specific forwarder
>
>I have two offices connected over VPN, and both sites have their own bind
>running in Pfsense. Now site1 clients can resolve their DNS entries
>but I want site1/2 both to resolve each other's entries. In short I want
>to tell DNS if you see site2.example.com then forward that query to
>site2 DNS server. I have tried a couple of things but they didn't work. I have
>disabled DNS resolver/ DNS forwarder services. I am only using bind
>server, it has enable DNS Forwarding but if do that it didn't start my
>bind service.
>
>
>site1 ---VPN-site2
>
>
>I want something like this in bind but don't know how do I add this?
>
>zone "site2.example.com" IN {
>    type forward;
>    forwarders {
>        10.0.10.1;
>    };
>};
Re: [pfSense] pfSense as GUI and stripped OS for dedicated Cacheing name server
There was a m0n0DNS project at some point for just this purpose as I recall. I suspect it's still available.

Original message
From: Scott Lambert
Date: 03/31/2015 14:12 (GMT-05:00)
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] pfSense as GUI and stripped OS for dedicated Cacheing name server

On Tue, Mar 31, 2015 at 03:05:03PM +, Steve Yates wrote:
> Scott Lambert wrote on Tue, Mar 31 2015 at 1:49 am:
>
> > I remember seeing something years ago about the ability to use pfSense
> > as an appliance to run a dedicated process. I think the post was
> > specifically about running a name server.
>
> The m0n0wall project (http://m0n0.ch/wall/) which was the origin of
> pfSense just ended, but is intended for smaller installations. If you
> look at the last few days of their mailing list archive I think some
> were discussing setting up a quasi-fork to in essence take over the
> project.

The pfSense embedded images are stripped down enough for my purposes, and already limit writes to the "disk"/CF card.

--
Scott Lambert KC5MLE Unix SysAdmin
lamb...@lambertfam.org
Re: [pfSense] Firewall Hardware/Setup for Datacenter...
If you're going to have 2 systems you can cluster them and make anything you're running HA even without duplicate vms.

Original message
From: Chuck Mariotti
Date: 02/05/2015 22:22 (GMT-05:00)
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...

> Thanks… I am leaning that way I think… just trying to wrap my head around if it is worth trying to buy more ram + more storage (HW RAID) to make them ESXI worthy to run VMs, or if I should just keep it basic… the ESXI is tempting since I can at least make the secondary server do other stuff instead of just waiting for a failure on primary. Trying to think of useful virtual machines to run that are not mission critical if a machine dies (since not raid), don’t have license to real-time replicate it on the VMWare side, but that might be useful for datacenter...
>
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason Whitt
> Sent: February-05-15 3:23 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...
>
> I would add that for "data center" workloads the apu's may not be the best choice ... Those 8 core atoms are plenty for multi 1gig feeds and the nic's are solid.
>
> On Feb 5, 2015, at 12:38 PM, Jeremy Bennett wrote:
>
> Jason is correct. Those Supermicro boxes are awesome. Be careful when ordering though... they want ECC memory.
>
> The APUs from Netgate are nice too–the year of bundled support has already saved my bacon a number of times. Well worth the cost.
>
> On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt wrote:
>
> I've run as vm's using vmxnet3's as well as physical on these http://m.newegg.com/Product/index?itemnumber=16-101-837
>
> Both are viable options.
>
> Jason
>
> On Feb 5, 2015, at 11:11 AM, Walter Parker wrote:
>
> I've used pfSense in a VM on my ESXi application server. This is mostly to firewall the Windows VMs from the Internet.
>
> If you want fail-over, I'd suggest getting one of the new Netgate (http://store.netgate.com/NetgateAPU2.aspx or http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense (https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an SSD. Then you can run a full install that supports package installs with a power budget of ~10-15 Watts for the APU units. Then you have a choice of getting a second HW unit for an additional $400 to $1000, or setting up pfSense in a VM (not on a separate VMware server, on an existing VM server).
>
> The higher end HW systems on those pages are 8 core Atom systems built to run pfSense (of course, the power requirements will be in the 100W range). With an SSD, these systems should last for a long time with no issues.
>
> How much firewall horsepower do you need? What are your constraints (time, money, space)?
>
> P.S. You can run packages on embedded in 2.2, you just want to be careful not to run packages that would trash the SD card with too many writes.
>
> Walter
>
> On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti wrote:
>
> Have been using pfSense for years at our datacenter, very happy with it running on old dedicated hardware with failover. The hardware is overdue to be retired and I’m wondering what people are doing/recommending for a datacenter setup. We want to use OpenVPN Server, IDS, dBandwidth, etc… so need to keep our options open for the ability to run packages... behind it we are running multiple servers and vCenter/ESXI servers.
>
> What’s the go-to setup for a datacenter these days?
>
> Do we stick with two dedicated boxes?
>
> Since we pay for power, nice to have lower power… So do we go as low as using embedded hardware? It used to not be recommended for packages… still the case I assume?
>
> So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core, or 8 core!!??! etc…).
>
> But then I see so many people running pfSense in VMWare and I wonder if we should consider this. Then I think about the hardware needs and VMWare Licensing (would like to avoid)… and what else can I run on the hardware along side without hurting pfSense from running properly, etc…
>
> If pfSense is setup to failover, that means the hardware can be cheap…. No RAID needed.
>
> If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages… can I run it off of USB stick then or do I still need HDD/SSD?
>
> If setting up new hardware so can run pfSense as Virtual Machines… I would need two VM Hosts running pfSense as VM’s so would have the failover... What should we consider for the hardware
Re: [pfSense] Traffic routing issue
What you're seeing is the proxy doing what you've told it to do. When the pc on the lan side (any vlan) requests a connection to a server the proxy makes that request on its behalf and returns the packets sent back from that request. In order for that to happen on a secured connection the proxy must set up a secure connection to the remote server (or in your case other interface server) as well as a separate secure connection between the proxy and the originating client pc. Doing it any other way requires either passing the traffic directly through the firewall or breaking the secure connection. This is one of the consequences of doing NAT. I'm guessing the main complaint is that the firewall cert isn't trusted and triggers browsers.

Original message
From: Ryan Clough
Date: 12/12/2014 13:58 (GMT-05:00)
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Traffic routing issue

>Oliver,
>
>I apologize, I should have been more clear. The problem is exhibited from all VLANs if I force the use of the web server's public IP. I only just discovered it while testing the guest WiFi on the restricted VLAN.
>
>To answer your questions:
>
>The pfSense router is not aware of any VLANs, we use a layer 3 switch that sits just inside from the pfSense router that routes traffic that must exit the LAN to the pfSense router.
>
>I have attached screen shots of my port forward rule and the auto-generated firewall rule.
>
>Thank you very much for your help.
>
>Ryan Clough
>Information Systems
>Decision Sciences International Corporation
>
>On Fri, Dec 12, 2014 at 9:15 AM, Oliver Hansen wrote:
>
>What does the allow rule on the restricted vlan and the NAT rule look like?
>
>On Dec 11, 2014 11:24 PM, "Ryan Clough" wrote:
>
>I am hoping that one of you out there can assist me with this rather interesting problem I am having. Let me set the stage.
>
>I am running the latest stable version of pfSense:
>2.1.5-RELEASE (amd64)
>built on Mon Aug 25 07:44:45 EDT 2014
>FreeBSD 8.3-RELEASE-p16
>
>I am running transparent Squid and Squidguard, and all IP ranges have access to use the proxy.
>
>I have two WAN connections, each with a handful of public IPs. I have created an IP alias virtual IP of one of my public IPs on WAN1, which is used to NAT to a web server.
>
>We have an internal DNS server that resolves the domain name of a web server to the local LAN IP address. So, all computers on unrestricted VLANs access the web server without having to hit the pfSense router at all. This works as expected and the valid certificate is served and the web page loads.
>
>We have one restricted VLAN that is used for guest WiFi access and this VLAN is assigned external DNS servers and therefore resolve the domain name to the public IP.
>
>Now my problem. When connected to the guest WiFi on the restricted VLAN and attempting to access the web server on its public IP, which is assigned to a virtual IP on WAN1, I get served the certificate from the pfSense router. I can tell that this is the pfSense self-signed certificate because of the details of the certificate displayed in the warning. I also get this behavior if I force a computer on an unrestricted VLAN, using the hosts file, to resolve the host name of the web server to its public IP.
>
>What is going on here? I can provide more information if needed. Thank you for your time.
>
>Ryan Clough
>Information Systems
>Decision Sciences International Corporation
Re: [pfSense] Making an install CD
Yes windows burns ISO files as bootable disk. I do it regularly.

Original message
From: Ryan Coleman
Date: 10/29/2014 00:57 (GMT-05:00)
To: Mark Hisel, pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Making an install CD

Does windows 7 actually burn disc images? Have you tried active ISO instead to burn the image? I believe it's free.

--
Ryan Coleman
Publisher, d3photography.com
ryan.cole...@cwis.biz
m. 651.373.5015
o. 612.568.2749

On Oct 28, 2014, at 20:07, Mark Hisel wrote:

I can't seem to make an install CD. I downloaded the ISO, unzipped it from the gz file using 7-ZIP, and burnt the disk image using win7. The CD has a bunch of directories but only one file; the copyright. What did I do wrong?

I'm trying to install onto an HP DL380 but the CD is a non-system disk.