Re: [pfSense] looking for silent and powerful pfsense hardware
On 03/31/2017 02:15 PM, Jim Thompson wrote:
> I claim that a simple "fill the pipe with large packets" test is useless to understand the performance of the system. All the work is on a per-packet rather than per byte basis, unless you don't have DMA or are doing some type of DPI.

I suppose there are as many goals as there are people in search of solutions. My point of view is as a system builder, and I'm sure is very different from yours. For myself and others I've seen, it's all about choosing the right x86_64 parts for the job...

One of my goals was to provide just enough performance to pass a dsl speed test for my connection. Plus to keep the power bill low. Comcast provides the fastest connections in my area, and my own connection is only 60/6 down/up and is fairly expensive. For that, a cheap 25w tdp AMD 5350 cpu can handle pfsense, snort, pfBlockerNG, nut, and a couple of ipsec tunnels without breaking a sweat.

A nearby client has a 118/21 Mbps connection, however they had other needs, so pfsense (plus snort & pfBlockerNG) is running as a guest on an ubuntu server with qemu-kvm. That system is an Ivy Bridge i5 that they provided, and also has a win7pro and a centos 6 guest, running alongside pfsense. I could only make that work with a fast cpu like their i5.

Anyway, others I've seen in the IRC channel, and I think in this list, who are lucky enough to have 1G connections, are wanting to squeeze every drop of speed out of it. Using off the shelf PC hardware because we like building, and because we're cheap bastards.

Luckily for you, there are people and businesses who just want a fast and reliable and *small* appliance, along with excellent support.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] looking for silent and powerful pfsense hardware
(My last email seemed to go to the wrong area. Hope you don't mind if I try again...)

On 03/28/2017 10:32 AM, compdoc wrote:
> Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a newer model AMD APU could keep up.

I wanted to clarify what I said before. You don't need an i5. Any sandy bridge class cpu, or newer has the ability. Including the 4/8 core Atoms and sandy bridge Celerons. It's because of their bus speed of 5 GT/s DMI. Newer cpus have 8 GT/s DMI.
Re: [pfSense] looking for silent and powerful pfsense hardware
On 03/28/2017 10:32 AM, compdoc wrote:
> Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a newer model AMD APU could keep up.

I should clarify what I said. You don't need an i5. Any sandy bridge class cpu, or newer has the ability. Including the 4/8 core Atoms and sandy bridge Celerons. It's because of their bus speed of 5 GT/s DMI. Newer cpus have 8 GT/s DMI.
Re: [pfSense] pfsense really slow
> though the web interface is incredibly slow.

I think I remember that if your CPU doesn't support a certain built-in feature, the gui can be slow. But then it could be something else. Is cpu use high?
Re: [pfSense] 3 hard locks this week... any ideas?
> I'd suggest that before you slag programs, you not rely on old, outdated,
> biased information.

Spinrite 6 is a twelve-year-old program that seemed cool back in the day, but I would never recommend it to anyone now. Repairing computers for a living, I'm always on the lookout for useful tools. I don’t find Spinrite useful. I once watched spinrite work on a failing HDD for a day and a half, and did nothing more than place additional wear on the drive. Does that make me biased?

Speaking of outdated... In 2013 Steve Gibson said he would finally update it, but nothing so far? Here's an interesting quote: Gibson said that he could "see absolutely no possible benefit to running SpinRite on a solid-state drive" and later "SpinRite is all about mechanics and magnetics, neither of which exist, by design, in an SSD"

And for your information, SMART records events. Some of those events will happen under load, since that’s the nature of mechanical drives. However, a bad sector is a bad sector and load or no, that does not change. Once they start to fail you replace the HDD, not try to repair it. Modern drives automatically reallocate sectors, meaning bad sectors are replaced with spares. Not even spinrite can recover lost data from these spare sectors that have never been used before.

As for me, these days I install only SSDs in desktop systems that run 24/7, and also use them as boot drives for servers. Over the years I have had only one SSD fail, and it did show pending sectors in SMART.
Re: [pfSense] 3 hard locks this week... any ideas?
>> Coming back tonight to do memtest, SpinRite on the SSD, etc...,

Spinrite on an ssd is a terrible idea. It's an ancient program that's even a bad idea to use on hard drives. It doesn't even work on drives larger than 1TB, because it was written in a time when drives were not that big. And there was no such thing as an SSD back then. Toss spinrite in the trash.

If you want to know if a drive is failing, you just have to ask it. Just read the SMART info recorded in the drive.

Memtest86+ on the other hand is a great idea, but you should let it run as many passes as possible. One or two passes is fine for new equipment, but with old ram that might be flaky, it's best to run overnight or at least 4 or 5 passes.

If the motherboard is 4 or 5 years old, you might check for swollen capacitors, and many of the low cost power supplies go bad in a year or two. A bad PSU will have swollen caps and burned components inside, but it can be risky opening it if you aren't a technician.
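Reading the SMART data these two posts refer to, as an added example that is not part of the original messages: the parser below takes the attribute table printed by `smartctl -A` and reports reallocated, pending or uncorrectable sector counts above zero, plus any attribute the drive itself marks as failed. The sample table is constructed, and the choice of attributes 5, 197 and 198 as the ones to watch is an assumption of this example.

```python
import re

# Attributes whose raw count should stay at zero on a healthy drive
# (this selection is the example's assumption, not taken from the posts).
SECTOR_ATTRS = {5, 197, 198}

# Constructed sample in the layout printed by `smartctl -A`; not from a real drive.
SAMPLE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       21873
194 Temperature_Celsius     0x0022   067   052   000    Old_age   Always       -       33 (Min/Max 20/48)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0030   100   100   000    Old_age   Offline      -       0
"""


def parse_attributes(text):
    """Turn the attribute table into a list of dicts, skipping headers and noise."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 9)          # RAW_VALUE may itself contain spaces
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        raw = re.match(r"\d+", parts[9])      # "33 (Min/Max 20/48)" -> 33
        rows.append({
            "id": int(parts[0]),
            "name": parts[1],
            "value": int(parts[3]),
            "thresh": int(parts[5]),
            "when_failed": parts[8],
            "raw": int(raw.group()) if raw else None,
        })
    return rows


def findings(rows):
    """Return (attribute, reason) pairs worth acting on, in table order."""
    out = []
    for r in rows:
        if r["when_failed"] != "-":
            # The drive has recorded this attribute crossing its threshold.
            out.append((r["name"], "marked " + r["when_failed"]))
        elif r["thresh"] > 0 and r["value"] <= r["thresh"]:
            out.append((r["name"], "normalized value at or below threshold"))
        elif r["id"] in SECTOR_ATTRS and r["raw"]:
            out.append((r["name"], "raw count %d" % r["raw"]))
    return out


if __name__ == "__main__":
    for name, reason in findings(parse_attributes(SAMPLE)):
        print("%s: %s" % (name, reason))
```
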
Re: [pfSense] How to determine supported packages without installing
I didn't even realize that Nut was back. That's great.
Re: [pfSense] How to determine supported packages without installing
I'm sure there's a webpage with the list, but this seemed something I could do easily while waiting for a proper response.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bryan D.
Sent: Friday, June 17, 2016 4:18 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] How to determine supported packages without installing

On 2016-Jun-17, at 2:35 PM, compdoc <comp...@hotrodpc.com> wrote:
> I think this is complete:
> <snip'd>

Thanks. Looks like I can proceed with an update to 2.3.

Regardless, I still think there should be a way to authoritatively determine this info via the pfSense web site -- ideally, for all releases, minimally for the current release. Perhaps the generation of such a page could be added to the build/release tools? Alternatively, porting pfSense's packages pages to run on the pfSense site could provide the current-release info.
Re: [pfSense] How to determine supported packages without installing
I think this is complete:

2.3.1-RELEASE-p5 (amd64)
built on Thu Jun 16 12:53:15 CDT 2016
FreeBSD 10.3-RELEASE-p3

arping                  1.2.2_1
AutoConfigBackup        1.45
Avahi                   1.11_2
Backup                  0.4_1
bind                    9.10_8
blinkled                0.4.7_1
Cron                    0.3.6_2
darkstat                3.1.2_1
freeradius2             1.7.3_1
FTP_Client_Proxy        0.3_2
gwled                   0.2.4_1
haproxy                 0.47
haproxy-devel           0.47
iftop                   0.17_2
iperf                   2.0.5.5_1
LADVD                   1.2.1_2
Lightsquid              3.0.4
mailreport              3.0_1
mtr-nox11               0.85.6_1
nmap                    1.4.4_1
Notes                   0.2.9_2
nrpe                    2.3.1_1
nut                     2.3.0
OpenBGPD                0.11_4
Open-VM-Tools           1280544.13_2
openvpn-client-export   1.3.8
Quagga_OSPF             0.6.13
routed                  1.2.3_2
RRD_Summary             1.3.1_2
Service_Watchdog        1.8.3
Shellcmd                1.0.2_2
siproxd                 1.1.2_2
softflowd               1.2.1_2
squid                   0.4.18
squidGuard              1.14_3
sudo                    0.2.9_2
suricata                3.0_7
syslog-ng               1.1.2_3
System_Patches          1.1.4_1
zabbix-agent            0.8.9_2
zabbix-proxy            0.8.9_2
Re: [pfSense] Snort or Suricata
> How do you have Snort configured to differentiate between incoming and
> outgoing traffic?

I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that’s the problem. It watches any http traffic, which is mainly outgoing in our case.

On the Services / Snort / Interfaces page, edit your interface. And then click the 'WAN Preprocs' tab. I used to just disable HTTP Inspect, but at some point in time snort in pfSense started displaying a large warning. So, in that section there's a 'Server Configurations' option. I have one configuration named 'default', and you might have the same. Edit default, and there's a Ports area where you specify an alias which contains the ports snort should watch for HTTP traffic. I use port 10, but can be any unused port. Now snort listens on port 10 for HTTP traffic and never hears any.

Also on the WAN Preprocs tab, there's an option 'Portscan Detection' which I enable. I think I leave most of the other options on defaults.

Mine is configured for the VRT rules, GPLv2 Community Rules, Emerging Threats (ET) Rules, and a list named 'emerging-compromised-ips.txt' on IP lists tab. However, I edit the snort interface and check 'Use IPS Policy' and then choose 'IPS Policy Selection: Connectivity'. I believe when you do this, snort decides which one of the rulesets it will use.

Occasionally, as rules get updated snort will start blocking something that it wasn’t blocking before, and you have to add those rules to the suppress list. This doesn’t happen too often, though.
Re: [pfSense] Snort or Suricata
> Maybe is suricata better? What are the difference?

I've never tried suricata so I can't say if it's better, but snort works pretty well.

There is one problem with snort, however. It can watch incoming traffic as well as outgoing traffic. But when snort watches outgoing traffic, it flags and blocks almost everything. That's too much trouble for me, so I have snort set up to only watch incoming traffic.

Even then, you will have to watch the alert and blocked lists to make sure it doesn't block sites you need. That doesn't happen too often, though. When it does happen, you just click to add those rules to the suppress list and remove the ip addresses from the blocked list.
Re: [pfSense] PFSense for high-bandwith environments
> Using Intel E3-1270s and Intel 10G Nics

I can't point to a specific setup, but something to look at... Your xeon is a sandy bridge with a max transfer rate of 5 GT/s, which is very nice but the new Skylake cpus are 8 GT/s.

Also, there's always a possibility of equipment failure/setup problems...
Re: [pfSense] pfblockerng
>> The top10-2.txt file has last been updated in July 2015 according to
>> my curl command and is not auto-documented.

I find I'm only using "http://www.malwaredomainlist.com/hostslist/ip.txt" these days. Am I already hacked?
Re: [pfSense] Two queries from intending new user
> Does installing pfSense, especially, using the "Quick/Easy Install option", allow for installation so as to allow for multiple boot options

No, it will erase the hard drive and set up a freebsd file system. Might be worth using another drive altogether to preserve the old drive, or use clonezilla to make a copy of the drive to a network share, or saved as a file to another drive.

> Is it possible, with the "Quick/Easy Install option", to retain the current LAN configuration,

They use the 192.168.1.1/24 address to make it easy to navigate to the first time. But when you begin to configure it, it asks what address you want to use.
Re: [pfSense] Status - Traffic Shaper - Queues
> This message never made it to the list

Received this one...
Re: [pfSense] Kernel problem after upgrade 2.2.3 to 2.2.4
> Thanks for your response, but my installation is on a physical machine, and there was no disk space issue.

Be sure to check the hard drive's SMART info. It's the best way to tell if the drive is failing.
Re: [pfSense] Access Point Recommendations?
A lot of good info in these posts, but no real hardware recommendations...
Re: [pfSense] Access Point Recommendations?
> Does anyone have any recommendations for small office access points?

I use a Zyxel WAP3205 v1, which was fairly inexpensive. I use pfSense to provide DHCP and rules for the clients, and have the features in the WAP that are said to be easy to hack disabled. (like WPA Compatible, and WPS) So, it's basically used as a dumb 802.11 b/g/n radio.

However, I do use the mac filter in the WAP. This is more work for me to add a device, but I only have a couple of devices that use it.

Range is great, and I actually set the Output Power to 50% so it can't be seen as far away. Newer versions are about $45 on amazon.
Re: [pfSense] Cannot Spoof MAC
> I ended up spending over an hour trying to get that little system to pick up a DHCP address for their Comcast router.

Once upon a time, Comcast used to install their modems and register the mac address of the NIC of the customer's computer. Sort of a way of preventing their customers from stealing service, I suppose.

But now, they don't care. All you have to do is power down the modem, attach it to whatever NIC you like, and power it up. It will see the change of MAC and dhcp assign an ip to whatever is there.

I've heard that you can also just clear the ARP table of the modem to do the same thing, but power off/on might be easier.
Re: [pfSense] IPSEC Tunnel with NAT not working under 2.2.3
> I updated to 2.2.3 over the weekend, and now my tunnel no longer works correctly, even though my settings haven't changed.

The same thing happened to me. I had to change the Encryption algorithm from AES256 to 3DES to get it to work. There's talk this will be fixed in the next release.
[pfSense] pfsense behind netscreen
There is an oncology clinic using a Juniper SSG5. They have a couple of ipsec connections that require policy-based routing with mapped IP addresses. (MIP)

I can't provide that with pfSense, but I do want to use pfSense to give them protection like squid w/ antivirus, and snort, and pfblocker. From what I can tell, all the attack detection and other security features of that type in the Netscreen are disabled.

They recently added a second WAN connection because their Integra connection is about 4.5 Mbps. So, they have two WAN connections that I need to support.

I'm thinking I could place the pfSense box in front of the Juniper and forward ipsec to it, or I could place pfSense behind the Juniper. The customer wants to know which websites are being accessed by its users, so if pfSense were behind the Juniper the reports could better associate the users' addresses with the websites they're going to. (I think)

Any thoughts? Thanks!
Re: [pfSense] Squid + Squidguard
> The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure' returned exit code '1' ... squid: ERROR: No running copy'

If you type the following on the command line, do you get any output?

    squid -k shutdown

Use your browser to start squid again.

useful log: /var/squid/logs/cache.log

Also, you might try squidGuard-devel if you have the 'squid' package installed, instead of squid3.
Re: [pfSense] no stable ipsec connection after upgrade to 2.2
> peer client ID returned doesn't match my proposal

I have two ipsec tunnels and after the upgrade, for one tunnel I had to change the 'Peer identifier' on my side to use the IP address it was seeing. Been working great since.
Re: [pfSense] Dual Port NIC ports
> Is there any advantage or disadvantage to using the two ports on a dual port NIC vs. one port each on two different dual port NICs?

Hopefully, the dual-port Intel Nics are pci-e, and so will be the fastest. The legacy Intel NIC could be PCI, and will be a bit faster than the Marvell nics. I use the slower nics for connecting to stuff like waps, or less critical nets.
Re: [pfSense] 2.2 Packages
> Where is a good place to monitor for package updates for 2.2?

If you click the text in the Status column on the Available Packages tab, you're taken to a page that shows the change logs for that package.
Re: [pfSense] New pfSense 2.2 install
The link I'm working with is: http://www.malwaredomainlist.com/hostslist/ip.txt

When an alias is created with this url, do you know where the list is stored on pfSense? I just want to see if I've created the alias correctly and that the list matches the ip addresses in the url.

Thanks
Re: [pfSense] Release 2.2 - more problems than success by upgrades / looping packet installations / sshd is not working any more / crashes on X5550 CPU
> Do have more of you had similar problems?

I upgraded one firewall and everything works fine except that I use the squid and HAVP packages together, but HAVP is broken. Running commands like clamd and freshclam don't work.

I don't know how to file a bug report so I created a topic in the forums, and others have the same problem. Also, in the irc support channel, people are having odd problems like yours. Might be best to wait on upgrades.
Re: [pfSense] How to change driver for NIC
> It is only pfSense 2.2, that has this not usable speed from other VM's in the Xenserver.

I installed xenserver with a pfSense guest on a machine, and had the same problem. Traffic from hosts on the lan through the pfSense guest to the wan is nice and fast, but traffic from other guests through pfSense drops to a crawl.

From what I can gather, this is a problem with the freebsd 10 drivers, and not really related to pfSense. And unfortunately, you can't change the NIC emulation in xenserver for guests. I tried in several ways. Freebsd 10 senses the xen environment and installs the xen NIC drivers and there seems no way to change this.

There are enough people with freebsd having this problem that I'm sure this will be fixed before long.
Re: [pfSense] How to change driver for NIC
> Can anyone give me a description of, how to change driver ?

Well, you would need to change the NIC itself. I haven't tried this, but the following url explains the problem and might help fix the problem.

http://www.netservers.co.uk/articles/open-source-howtos/citrix_e1000_gigabit

I switched to KVM because of the limitations of XenServer's networking.

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] How to change driver for NIC
> Is it impossible to try to improve on pfSense 2.2's problem in pfSense

You might not be the only person having the problem, but I haven't researched to know for sure. Sometimes, it's possible to do the work and discover the problem yourself. There are a few areas of experimentation that might lead to the problem, or to the solution...

First of all, it's possible that there is a problem with that version of pfSense. Something that may be fixed before or after its release.

Or, it's possible there is a problem with the drivers for the virtual nics in that version of freebsd. Guess that would be either the 100baseT Realtek NIC emulation, or the xenserver NIC drivers if you have managed to install those. You can see if a better or newer driver exists. I have compiled realtek's newest freebsd drivers myself and used them, for example.

If you were to try the e1000 emulation as suggested in the url I posted and saw no improvement, that knowledge might be a great help to the community.

Finally, there's the actual server hardware itself. It takes a certain speed and type cpu to host virtual machine firewalls. Also, certain brands of network cards perform better than others. Maybe you can describe these...
Re: [pfSense] APU and SSD: full install or NanoBSD
> Bottom line, squid and SSD are not a good combo.

I've used several SSDs over the years running pfSense and linux and windows OSes. Work just like hard drives, except might actually be more reliable.

There is one exception: none of the SSDs I used were PC Engines.
Re: [pfSense] problems running pfSense 2.1.5 running in a kvm session
> Any thoughts on this? Is this known not to work?

If you know vi commands, you can type:

    sudo virsh edit pfSense

(substitute the actual VM name)

Look for the line like:

    <type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>

This line will be different depending on the version of KVM and the choices you made when you created the VM. The example above is from a working pfSense VM, but sometimes machine='pc-1.0' works too.

Also, in Virt Manager, I usually select Processor > Configuration > Copy host CPU configuration, to give the guest all the features of the host's cpu. However, if this causes problems, selecting 'qemu64' can work well for some systems.

By the way, although pfSense/freebsd does support virtio, you have to take steps to enable the driver. It's usually less work and more reliable to use e1000 nics.
Re: [pfSense] APU and SSD: full install or NanoBSD
> Things will get outrageous soon with the advent of M.2 PCI SSDs on a x4 connection.

The speeds of m.2 on x4 do look amazing, but the prices and sizes of them probably means that not many people will be tossing them into their firewalls anytime soon.

For projects like firewalls, and to act as server boot drives, I use 60GB ssds that I find on sale. With 60, 120, etc. sata drives you get the latest technologies.

I've owned and installed almost every brand over the last few years, and have only had one OCZ drive fail. The first two ssd's I purchased were 60GB Vertex 2 drives that still work fine. Of course, you deal with far more of them than I do, but I trust SSDs as much as hard drives.

By the way, I use zfs on several large arrays, and don't see why anyone is against it. Guess I missed the discussion.
Re: [pfSense] Making an install CD
> I can't seem to make an install CD. I downloaded the ISO, unzipped it from the gz file using 7-ZIP, and burnt the disk image using win7.

Those are the same tools I use to create bootable CDs/DVDs. Windows 7 can burn an iso without having to install any programs.

I would have to guess something went wrong with the download, or with the mirror you used to d/l the file. Did you actually try booting the cd after burning it?

Do you have the url for your download? I could test it...
Re: [pfSense] pfsense h/w
> A proven hardware platform, available in the UK with at least 6 physical network ports, I can probably justify buying

Not much info. Got an url for that?
Re: [pfSense] trying to install
> Thanks for that link, none of it seems to apply as the box is not booting from the media at all, says there is not a bootable media present

Just a shot in the dark, but is there a bios/firmware update for your system? Sometimes they correct problems they find after it's been sold for a while.
Re: [pfSense] trying to install
> I've been trying to install 2.1.5 into a http://www.mini-itx.com/store/~FX5624

The specs look ok. I would think it supports most 'nix distros. Unfortunately, that website doesn’t say if it supports booting from USB. Does the manual say it can?

> I've tried several ways to write the .iso to disk

I like to be sure about what people are saying. You're not trying to copy the iso file onto a cd or disk? You're using burning software, right?

Can you boot your FX5624 with other live cd's, like Ubuntu or freebsd, etc? Or maybe try booting memtest86. That’s small and boots quickly, and it's always good to test the ram.
Re: [pfSense] NIC support
I wanted to add one more thing. Maybe this will help avoid future misunderstandings...

Ulrik Lunddahl asked:
> Will A SMB without L3 capable switches, that needs routing between 3-4 local subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to wirespeed as possible, be happy with a C2758. ?

Now, I realize that the vast majority of users and businesses in the world don’t need a wirespeed router, and they have no idea what one is. Their internet connections just aren't fast enough to require one, and they don’t use them internally. The fact that Ulrik was asking this question means that he not only knows what one is, but he has a specific requirement.

I've seen others asking this same question on IRC but with a different requirement: they were getting Google Fiber connections and they knew enough to want a server powerful enough to take full advantage of the connection. One guy I saw chose a system with fairly expensive dual Xeon cpus. I thought he was crazy.

Their questions made me curious, and I decided to see just which hardware I had on hand could reach gigabit line-rates. (pkt-gen measures this bandwidth as 714.23 Mbps (raw 999.92 Mbps), at 1.488Mpps)

I was surprised at the results. Nics connected to the PCI bus were dogs. Nics connected to the PCI-e bus were lots faster, and some could reach 1.488Mpps. Also, nics with 4 pci-e lanes were faster than nics with 1 pci-e lane.

Furthermore, I found that to forward packets at 1.488Mpps requires not only a fast NIC, but also a cpu that was capable of pushing traffic through that fast. The only cpus I had on hand that were capable were an Intel i5, and a newly released Amd Kaveri APU. (with Steamroller cores)

Anyway, Ulrik asked if he'd be happy with a C2758, and I had read on the BSD-RP site that the C2758 board they were testing wasn’t capable of 1.488Mpps. It was about half that, even though it had Intel based nics.

And while that’s still blazing fast, I felt it might not be fast enough for the knowledgeable people asking these questions. It would be a shame for anyone to buy something so expensive and expecting certain results, and not getting them.

Even a cheap 5 port gigabit switch can forward traffic at 1.488Mpps, so if the devices sold by pfSense and elsewhere are capable of full wirespeed, then those devices would be an excellent buy. More so, because of the tuned software and support they'd be getting along with it.

compdoc
Re: [pfSense] NIC support
> I am well-aware of Olivier’s work in this area, as are many in the FreeBSD community. There is no proof, except that which is documented and reproducible. We're doing something like science here.

Hmm, proof. Well, maybe a scientist like yourself can appreciate my concern over this direct quote from the BSD Router Project, of which you are so well-aware:

    Intel Rangeley: Atom C2758 (8 cores) at 2.4GHz
    Embedded Intel i354 4-port gigabit Ethernet
    8Gb of RAM
    Debugging slow throughput in progress…
    With the default value of igb(4) drivers that use all 8 cores, this system is not able to received more than 585Kpps (far from the gigabit line-rate 1.488Mpps) on one port ?!?!
    Last modified: 2014/03/13 20:16 by olivier

As I said in my original post, I know the C2758 is capable according to its specs, however buyer beware...
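Where the figures quoted in this thread come from, as an added example that is not part of the original posts: the arithmetic below derives the 1.488 Mpps gigabit line rate for minimum-size frames, shows that the 714.23 Mbps and 999.92 Mbps figures are consistent with counting 60 bytes per frame versus 84 bytes on the wire, and puts the quoted 585 Kpps and 2.4 GHz clock in proportion. That reading of the two throughput figures is this example's assumption.

```python
# Ethernet framing constants (bytes).
PREAMBLE_SFD = 8      # preamble plus start-of-frame delimiter
INTERFRAME_GAP = 12   # mandatory idle time between frames
FCS = 4               # frame check sequence, included in the 64-byte minimum
MIN_FRAME = 64


def wire_bytes(frame_bytes=MIN_FRAME):
    """Bytes of link time one frame occupies, including preamble and gap."""
    if frame_bytes < MIN_FRAME:
        raise ValueError("Ethernet frames are at least %d bytes" % MIN_FRAME)
    return frame_bytes + PREAMBLE_SFD + INTERFRAME_GAP


def line_rate_pps(link_bps, frame_bytes=MIN_FRAME):
    """Maximum frames per second a link can carry at this frame size."""
    return link_bps / (wire_bytes(frame_bytes) * 8)


def raw_mbps_from_payload(payload_mbps, frame_bytes=MIN_FRAME):
    """Convert a rate that counts frames without FCS into bits on the wire."""
    return payload_mbps * wire_bytes(frame_bytes) / (frame_bytes - FCS)


def cycles_per_packet(cpu_hz, pps, cores=1):
    """CPU cycles available per packet if the load spreads evenly over cores."""
    return cpu_hz * cores / pps


def summary(link_bps=1e9, measured_pps=585e3, cpu_hz=2.4e9, cores=8):
    """Collect the numbers discussed in the thread in one place."""
    top = line_rate_pps(link_bps)
    return {
        "line_rate_pps_64B": round(top),
        "line_rate_pps_1518B": round(line_rate_pps(link_bps, 1518)),
        "measured_fraction": round(measured_pps / top, 3),
        "cycles_per_packet_one_core": round(cycles_per_packet(cpu_hz, top)),
        "cycles_per_packet_all_cores": round(cycles_per_packet(cpu_hz, top, cores)),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print("%-30s %s" % (key, value))
    print("raw Mbps for 714.23 Mbps counted: %.2f" % raw_mbps_from_payload(714.23))
```

The large-frame row shows why a "fill the pipe" test with full-size frames asks roughly eighteen times fewer packets per second of the same hardware.
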
Re: [pfSense] NIC support
> The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), is tuning

The only way to prove what you say is with numbers. Tuning pfSense won't fix this hardware problem, *if* it exists in your boards.

>> As I said in my original post, I know the C2758 is capable according to its specs, however buyer beware...
> Again with the insult and denigration.

Is it an insult that I think Intel's cpu is capable? Or is it that I suggest a person be cautious when buying these products?

> That you are concerned is understandable, but also immaterial, as it is clear from this thread that your understanding of the issues, tools(!), terms of art and resolutions is limited. ... Here, you perform an act commonly known as I read it on the Internet (so it must be true.)

This is a much better example of insult and denigration. You don’t know me, my methods, or my thinking. Do you own a C2758? Have you actually bothered to read anything I've said in this conversation?

It's time to end this nonsense. Prove what you say, or shut up.
Re: [pfSense] NIC support
> do you realize who you’re arguing with compdoc?

Yeah, I'm arguing with a guy that not only attacked me for suggesting a person be careful about buying certain hardware, he also attacked the work of Olivier from BSDRP.
Re: [pfSense] NIC support
When I speak of the C2758, I speak of the product sold at the pfSense store, as sold by the pfSense store, not the generic pfsense release running on some brand of board@. I was speaking of a C2758 board that was tested by someone else, and which wasn’t able to reach Ethernet's maximum throughput. Clearly not all C2758 boards are the same. Buyer beware. If you have test results that prove the product you mentioned doesn’t have this problem, feel free to post them. I'd love to see. You seem confused. Not at all. You seem defensive. - this list is about pfsense, not the BSDRP Never said it was. BSDRP is a tool to test hardware. If the hardware cannot achieve maximum throughput, then pfSense cannot achieve maximum throughput. Pkt-gen does not test routing. What tests did you run? Here's a clue: BSD *Router* Project. I doubt you’ve done this sort of testing, so I'm not going to spoil this learning opportunity for you... However, I will mention one thing: if you try to route 1.488M packets per second through the 'generic' pfSense, it will crash after a minute or so. (and that's not a criticism of pfSense) I don't see where a C2758 is tested. I clearly stated what I was testing and how. You seem confused. The OP was asking what hardware might serve his purpose. I offered suggestions. You're welcome to prove anything I've said was wrong - but with actual test results, and without the misplaced rancor. Also, it's better to reply to the list, and not send emails directly to me.
Re: [pfSense] NIC support
I am well-aware of Olivier’s work in this area, as are many in the FreeBSD community. You’ve failed to disprove anything I've said, even the part about tools. You’re still assigning fault to pfSense Not at all. But it would be nice if any of this pleasant banter becomes useful by pushing someone to actually try this type of testing, to find out why it happens. And if not, oh well... By the way, does the C2758 hardware sold by pfSense include pps performance information? Has anyone with this hardware tested it? (speaking to others who might be reading this) You suggest it can operate at near 'wirespeed', or at least that the OP will be very happy with a C2758 , but you’ve not proven it.
Re: [pfSense] NIC support
as close to wirespeed as possible, be happy with a C2758. ? Very

That C2758 has nice specs and should be able to keep up, however there seems to be a throughput problem on at least one brand of board running the C2758. (I think it’s more a problem with the nics than the cpu)

I recently tested various nics and cpus to see if the systems I was building could reach Gigabit Ethernet's max throughput of 1.488Mpps on one port. Tests were run on AMD FM1+ and AM1 APUs, an FX-4100, and an Intel i5-2400 Sandy Bridge. Tests used the BSD Router Project (BSDRP) OS, and a program named 'pkt-gen'.

During routing tests, I found that an AMD A8-7600 Kaveri was the only cpu I had that was equal in performance to the Intel i5-2400. (the routing tests involved a 3rd test machine, and aren't covered in the scores below)

Anyway, I hope you find this helpful...

In these tests, I used the two fastest test machines connected to each other. One sends, and one receives:

Realtek 8169sc 32-bit PCI card
266935 pps (283752 pkts in 1063001 usec)
Speed: 267.19 Kpps Bandwidth: 128.25 Mbps (raw 179.55 Mbps)

Realtek RTL8111DL, Onboard
405708 pps (406113 pkts in 1000998 usec)
Speed: 404.78 Kpps Bandwidth: 194.29 Mbps (raw 272.01 Mbps)

Intel pro 1000 32-bit PCI card
307102 pps (307586 pkts in 1001577 usec)
Speed: 276.49 Kpps Bandwidth: 132.72 Mbps (raw 185.80 Mbps)

Intel Pro 1000, x1 PCI-e card (no heatsink)
1367299 pps (1453440 pkts in 1063001 usec)
Speed: 1.36 Mpps Bandwidth: 654.85 Mbps (raw 916.79 Mbps)

Intel Pro 1000, x1 PCI-e card, server version (with heatsink)
1488012 pps (1490981 pkts in 1001995 usec)
Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)

Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1488012 pps (1490981 pkts in 1001995 usec)
Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)

*** These tests were using the lowest TDP(watt) APUs I had. The Intel server nics were the fastest nics tested, and used the least cpu time, so I used those in these tests:

AMD 5150 quad core APU @ 1.6GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1179367 pps (1180530 pkts in 1000986 usec)
Speed: 1.17 Mpps Bandwidth: 562.85 Mbps (raw 787.99 Mbps)

AMD 5350 quad core APU @ 2GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1488106 pps (1489615 pkts in 1001014 usec)
Speed: 1.48 Mpps Bandwidth: 709.33 Mbps (raw 993.07 Mbps)

AMD 5350 quad APU @ 2GHz
Onboard RTL8111/8168B PCI Express Gigabit Ethernet controller
560938 pps (561565 pkts in 1001117 usec)
Speed: 558.35 Kpps Bandwidth: 268.01 Mbps (raw 375.21 Mbps)

AMD A4-6300 dual core APU @ 3.7GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1129784 pps (1130961 pkts in 1001042 usec)
Speed: 1.09 Mpps Bandwidth: 521.00 Mbps (raw 729.39 Mbps)
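The 1.488 Mpps target used in the message above can be derived from the Ethernet frame format, and the pkt-gen summary lines can be scored against it. The following is an added example, not code from the poster or from BSDRP; the function names are hypothetical, and it assumes minimum-size 64-byte frames plus 20 bytes of preamble and inter-frame gap per frame on a 1 Gbit/s link.

```python
import re

# On-wire overhead added to every Ethernet frame (assumption stated in the
# lead-in): 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte gap.
WIRE_OVERHEAD_BYTES = 20

# Matches the pkt-gen summary line format shown in the message,
# e.g. "1488012 pps (1490981 pkts in 1001995 usec)".
SUMMARY_RE = re.compile(
    r"(?P<pps>\d+)\s+pps\s+\((?P<pkts>\d+)\s+pkts\s+in\s+(?P<usec>\d+)\s+usec\)"
)

# (label, summary line) pairs copied from the message; labels are shortened.
RESULTS = [
    ("Realtek 8169sc 32-bit PCI", "266935 pps (283752 pkts in 1063001 usec)"),
    ("Realtek RTL8111DL onboard", "405708 pps (406113 pkts in 1000998 usec)"),
    ("Intel Pro 1000 x1 PCI-e, no heatsink", "1367299 pps (1453440 pkts in 1063001 usec)"),
    ("Intel PRO/1000 PT dual port", "1488012 pps (1490981 pkts in 1001995 usec)"),
    ("AMD 5150 + Intel PRO/1000 PT", "1179367 pps (1180530 pkts in 1000986 usec)"),
    ("AMD 5350 + Intel PRO/1000 PT", "1488106 pps (1489615 pkts in 1001014 usec)"),
    ("AMD 5350 + onboard RTL8111/8168B", "560938 pps (561565 pkts in 1001117 usec)"),
]


def line_rate_pps(link_bps=1_000_000_000, frame_bytes=64):
    """Maximum frames per second; frame_bytes includes the 4-byte FCS."""
    if frame_bytes < 64:
        raise ValueError("Ethernet frames are at least 64 bytes")
    return link_bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def parse_summary(line):
    """Extract the reported rate and recompute it from packets / interval."""
    m = SUMMARY_RE.search(line)
    if m is None:
        raise ValueError(f"not a pkt-gen summary line: {line!r}")
    pkts, usec = int(m["pkts"]), int(m["usec"])
    if usec == 0:
        raise ValueError("zero-length measurement interval")
    return {
        "reported_pps": int(m["pps"]),
        "interval_pps": pkts * 1_000_000 / usec,
    }


def assess(results, tolerance_pct=1.0):
    """Score each result as a percentage of gigabit line rate at 64 bytes."""
    limit = line_rate_pps()
    rows = []
    for label, line in results:
        sample = parse_summary(line)
        pct = 100.0 * sample["interval_pps"] / limit
        # A one-second sample can land a hair above 100% because of timer
        # jitter, so compare against a tolerance instead of exact equality.
        verdict = "line rate" if pct >= 100.0 - tolerance_pct else "below line rate"
        rows.append((label, round(sample["interval_pps"]), round(pct, 1), verdict))
    return rows


if __name__ == "__main__":
    print(f"1 GbE line rate at 64-byte frames: {line_rate_pps():,.0f} pps")
    for label, pps, pct, verdict in assess(RESULTS):
        print(f"{label:40s} {pps:>9,d} pps  {pct:5.1f}%  {verdict}")
```
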
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
Stefan Fuhrmann, here are my settings. They work well for me, but there may be some fine-tuning you should do...

First, I choose the rules on the Global Settings tab. I applied for a free Oinkmaster Code, which I use on a few firewalls. Then I set the Removed Blocked Hosts Interval to 15 minutes, just in case I do something remotely that Snort doesn't like and locks me out. I think everything else is default: http://imgur.com/dLIsp7v

Then I force a download of the rules on the Update tab... http://imgur.com/bV7Pqoa

Next, create the Snort Interface. On the Wan Settings tab, I use defaults except I check Block Offenders and I use a Pass List and Suppression List which need to be selected here.

On the WAN Categories tab, I select an IPS Policy which disables selection of some rules. This is normal. However, do select the other rules that are available: http://imgur.com/PwVqjU2

And then the last thing I change is on the WAN Preprocs tab. Everything is default, except that I check Auto Rule Disable, I disable HTTP Inspect, and enable Portscan Detection. HTTP Inspect will block many legitimate websites like Amazon, and will require that you add all the blocked sites to the pass or rule suppress lists. I feel this is too much work.

After Snort is up and running, there will be times when you need to suppress some rules to suit your users. For instance, one user's iPhone was triggering a POP3 rule whenever he tried to connect, and was being blocked. When this happens go to the Blocked tab and unblock the address, then go to the Alerts tab, find the address, and add the rule to the Suppress list by clicking the appropriate button.

Good luck!
Re: [pfSense] a notification is not sent when a gateway is down[https://redmine.pfsense.org/issues/3306]
And then an email should be sent, which it is not being sent. -Jason

On a firewall with two wan connections, one connection is faster than the other so I use one for incoming connections and one for outgoing. User's outgoing traffic is routed to the gateway that's working using gateway groups. (failover) I've noticed that if the outgoing connection goes down briefly, no emails are sent. Possibly because that's the route the emails would normally take? But if the incoming connection goes down for a moment, I get several emails. (too many) Maybe pfSense isn't caching the emails to send when switching connections, or for when the link comes back up? Fortunately, the links don't go down that often so I can't say for certain...
Re: [pfSense] Snort as IPS in Pfsense
Here is a good place to start regarding Suricata or Snort. http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

Is the free to use version of Snort going away? I scanned the page mentioned above but it seems unclear. Suricata sounds like an excellent replacement given the advanced features, but I have to say Snort is doing a fine job for us. I use the free Registered User rules and the free Emerging Threats rules, and Snort is busy blocking port scans and all kinds of activity, while not bothering/blocking our users' activity.

Not that we rely solely on Snort - no unnecessary ports are listening to the web. No management ports like 22 are open. Anyway, Snort doesn’t use much cpu time for our 30 user office, and pfSense makes it (kinda) easy to use. Until Suricata arrives for pfSense, I think it's fine.

By the way, if you have a decent speed quad-core server with at least 8GB ram, you can easily run pfSense, Suricata, and whatever else side by side in virtual machines.
Re: [pfSense] Snort as IPS in Pfsense
The Pfsense firewall has to be setup as BRIDGE if want to put it between the router and the corporate firewall ??? Connect like this? www - isp router - pfSense - corporate firewall - lan Don’t think you have to use bridge mode. Can Snort work in bridge mode?
Re: [pfSense] Snort as IPS in Pfsense
But you say: one interface for WAN, a second for LAN...and which interface is for managing ??? You manage with a browser from LAN, and optional also from the WAN port. And with ssh from the LAN.
Re: [pfSense] Snort as IPS in Pfsense
do I have to have 3 network interfaces or 2 interfaces are enough to implement the IPS? With Snort, just need one for wan, one for lan. That’s all. I use a 3rd for wifi at home. The office is a virtual machine with two wan ports, one lan, one wifi, and one connection for the host.
Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense
I need a recommendation for following setup: pfsense-cluster loadbalancers webservers I can't help with these. There are some thousand visits per day and I want to secure with pfsense and snort. Snort runs on lan-site. In the moment there are several thousand alerts per day! There are always many alerts, but you should not block them. Only the bad things are blocked. I can tell you how I set up snort to prevent it from creating too many false positives, if that's what you want. My settings might be a little different than others, but it's what I had to do
Re: [pfSense] How do I fix this?
Why not try the upgrade. Maybe the problem will go away.. There are also three settings for apinger that can be useful: Alternative monitor IP, Probe Interval, and Down Is this a new install, or a machine that recently developed a problem?
Re: [pfSense] How do I fix this?
I have tried the alternate IP. No change. Not sure what the other two do? Some connections might be slow to respond occasionally, or not handle constant pings well. You can send fewer pings, (every 3 seconds for instance) and wait a longer period of time before declaring the link is down. (like 30 seconds or so) The hardware is a dell 2850, i have a 15x1 cable connection. If you have nothing better to do with the PowerEdge, might as well use it. They look like they might consume some watts, though. Yours has only Intel nics?
Re: [pfSense] Strange problems with pfSense 2.1.4
Jason M. wrote: I'm using the PFW201 hardware from Tranquilnet

According to Tranquilnet: *Note: These units may run hot to the touch and we recommend either a wall mount or to place them on a cool, dry and hard surface with proper air flow

I can build systems that are much faster and more powerful for less than half the price so I've never used a PFW201, but I have seen it mentioned that units like them often have a cpu heat sink that makes contact with the case. Or, that they have a metal shim that connects the heat sink to the case. Heat transfer for these systems is often critical. Is yours overheating? Are you testing with one of the Tranquilnet units, or one of the units you got direct from the supplier?

Now my question is, what is going wrong? I've tried the same config on multiple devices, so I don't think it's hardware. Could my config have become corrupted?

I don't follow your logic about it not being the hardware, but yes, your config could have become corrupted. Try another CF card? Try installing from scratch and restoring a backup xml file?
Re: [pfSense] Another OPT1 routing question
OPT1 interface - actually has the VM's WAN MAC address (the second interface rather than the third interface) If you haven't yet, you might want to reassign interfaces on the console login screen. The Option is number (1) in the list. Then reboot.
Re: [pfSense] Another OPT1 routing question
em1 third MAC address (up) -- shouldn't that be the second MAC address? Are you saying two interfaces have the same mac address even after reassignment? That's not right.
Re: [pfSense] Failed Downloads
I use squid and squid guard I don't think anything in squid would block, but check to make sure everything is set to zero and only 'Throttle only specific extensions' is checked on this page: Proxy server: Traffic management You mentioned HAVP in another post and some downloads don't work for me unless I uncheck: Antivirus: HTTP proxy: Scan Broken Executables I don't use squid guard. But Snort is another one that needs some tuning.
Re: [pfSense] Transparent Squid with Multiwan on 2.1.3?
With Squid disabled, fail over works as expected. In the lab I created to test this machine, I have squid with havp set to transparent. Also have snort. I don’t use squidguard. If I disconnect wan #1, most browsers will time out. But I can often just refresh to get them going again. Squid never complains. There are a couple of remote clients and programs that have to be closed and then opened again after the gateway fails. (maybe because they cache something?) I'm pretty happy with it. (49) Can't assign requested address What is your client connecting to? Is it some sort of secure remote session? A disconnect cannot be avoided with any type of secure connection. You're changing external ip addresses when it falls over, after all. Are you able to recover normal connections to google or youtube, etc.? Close the browser and try again after waiting for the switch to happen. There are settings for how long it takes pfSense to decide a gateway is down, and how it determines it's down. I use just 'packet loss'.
Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode
<graphics type='vnc' port='5901' autoport='yes'/>

By the way, if you ever install vncserver, that port used for the VM will cause a conflict
Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode
Did you ever have troubles with virtio drivers?

I have a pfSense guest that runs fine with all virtio drivers (lan,storage) but you might want to switch back to IDE just to see if your virtio storage driver is causing the issue. Your xml file looks very much like a pfSense guest I have running on Ubuntu 12.04, except mine has these differences:

<type arch='x86_64' machine='pc-0.14'>hvm</type>
(I've had problems with some OSes with the wrong 'machine' type)

<disk type='file' device='disk'>
<driver name='qemu' type='raw' cache='writeback'/>
(I use files because I don't have a need to dedicate a disk, and pfSense uses very little drive space. Also makes it easy to back up the guest by copying the file)

Speaking of drives, do you have a way to read the SMART values from the hard drives on your raid controller? Drives can fail slowly, but to know you have to read the following SMART values:

Reallocated sector count
Current Pending sector count
Uncorrectable sector count
G-Sense error rate (if the drive has experienced a shock while running. More likely on laptops)

Also, when you're seeing weird problems, booting and running memtest86 on the host for several passes will test the system's RAM. Best to let it run 4 or 5 passes, or even letting it run overnight if possible.
Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode
The VM is configured with VirtIO disks, emulated e1000 network cards. I use kvm and have had no problems running any of the 2.1 releases. I'm building a VM server right now that will run pfSense and one other guest OS. I have used the virtio drivers for nics, storage, and memory ballooning, but because of the steps you have to take to switch to virtio, I'm using e1000 and IDE emulation on this one to keep it simple. What host OS are you using, and what hardware is it running on? (real cpu, ram, and storage) Is it possible to see the results of virsh dumpxml for the guest?
Re: [pfSense] pfsense slowing wan speed
I have a PFsense box on a 50/5 DSL connection How much swap is being used? What is swap stored on? Any overheating of the nic or cpu? What happens if you disable or remove squid? I have no experience with HT and pfSense. Sometimes HT can help and sometimes it can hinder. Try disabling, but turn it back on if it makes no difference. Personally, I like at least 1 gig ram, (but use 2 gigs) and two real cores. Squid with havp, snort using ac-bnfa, and two ipsec tunnels take up 43% of 1930 MB, and very low cpu use. This gives me room to tweak settings on the installed packages, or try other packages.
Re: [pfSense] Install on one machine, deploy on another
Will I have any problems if I install a new version of pfsense on one machine and then move the hard drive to another machine? You probably will have some problem. Let us know how it goes...
Re: [pfSense] apu.4c silently dies
Even if adding more memory corrects the issue, I still don't like to know that pfsense can suddenly die and leave no clues behind :-|. pfSense is pretty stable. I've tested it in many VMs and 'bare metal' systems and it doesn’t freeze on me. Of course, I might not be using the same combinations of packages as you, but I would suspect the hardware, or troubleshooting as you’ve done: increasing the ram. Overheating can be a problem. I use KVM on centos and ubuntu server, and freebsd does not like some settings. It can fail to boot with the default CPU emulation, for example.
Re: [pfSense] Annoying Comcast Issue When Changing Hardware
You may want to make sure the DHCP server is disabled on the modem completely. It's a cable modem that I guess is in bridge mode, and they don't let me mess with settings. Anyway, I think the DHCP server is in their headend somewhere. I'm just glad it's not like the old days when Comcast wouldn't let you switch network cards without contacting them.
Re: [pfSense] Annoying Comcast Issue When Changing Hardware
I called Comcast and had them remotely reboot the modem. Whenever I connect a different network card to my home Comcast modem, I have to power cycle the modem for it to come up. I think it keys off the MAC address of the old card, and won't accept the new one until then. I get a new IP address each time I test firewall builds. Not exactly the same situation, but something like.
Re: [pfSense] Gateway Status Remains Offline
However, after about 10 minutes the gateway went offline and I lost access to the internet. I recently had much the same thing happen, but with a wired dual-port network card. It turned out to be the nic.
[pfSense] cbeyond troubles
I tried installing a firewall for a customer who uses Cbeyond for phones and internet service. I had Cbeyond set their equipment to bridge mode, disabling NAT and DHCP. Everything seemed to work for a while so I left their office, but I soon got a call saying they couldn't browse the web.

In the dashboard, I noticed the gateway was showing as down so I tried various monitoring options, even disabling gateway monitoring. But nothing changed - after rebooting pfSense browsing works for a short time and then stops. In order to have their network working this morning, I had Cbeyond set it back to the way it was and removed the firewall.

I was looking for a solution online, and I think I may have to uncheck 'Block private networks' on the WAN. I'm going back out Friday to try this. Does anyone use Cbeyond who can provide any tips? Thanks.
Re: [pfSense] Problems with pfsense on ProfitBrick
I found that I had problems with FreeBSD using pf + virtio under KVM Virtio in KVM works fine with pfSense, but you have to modify the /boot/loader.conf.local file to enable the drivers. And if you load the storage drivers, you have to modify /etc/fstab. https://doc.pfsense.org/index.php/VirtIO_Driver_Support
Re: [pfSense] Restoring from XML prevents VM from booting
I can install pfsense fine, and manually set up a LAN IP address on vboxnet0 so that I can get into the web and use Diagnostics Backup/Restore to upload an existing XML config. But then the VM refuses to boot properly... What if you were to install pfSense in the new environment and save the backup xml file, then compare the old file with the new? Maybe use the linux 'diff' command? The idea of using Virtual box in a production environment seems odd to me. Isn't it more for testing/running an OS on your desktop? Every time I've tried VB, I've never found an option to have guests start automatically when the host boots. Have they added that feature? I've used Xen and kvm for this sort of thing for years...
Re: [pfSense] psSense stops working
How would I pull that off?

Computers have several common points of failure. They are the power supply, the motherboard, RAM, cooling fans, and the hard drive.

Fans are easy - just make sure they are spinning at the proper speed. This includes the fan inside the PSU.

If the motherboard is a few years old, it can develop bad capacitors. (caps) They are easy to spot when you open the case. Any caps that are rounded on top, are bad. Some even leak. If so, replace the motherboard. Here are some sample pictures: http://en.wikipedia.org/wiki/Capacitor_plague

Cheap power supplies often develop bad caps inside too, but it's dangerous to open the PSU so just swap it out to test. Sometimes you can see the caps inside if you just look through the openings.

Bad Ram is more rare, but you can test it for free by booting memtest86 or memtest86+. At least 3 or 4 passes is best. I've had bad ram that didn't show up until 5 test passes. I like to let the tests run overnight when possible.

The hard drive is easy. There's no need to run any tests - you just read the drive's SMART info. It records when sectors are failing, and when other bad things happen. PfSense has a SMART Status menu under Diagnostics.
Re: [pfSense] Motherboard compatibility
So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3) on a motherboard with a brand new chipset (Intel C222) and CPU (e.g. Core i3 / Haswell) it should work, even though FreeBSD 8.3 is older than those technologies and might not fully support the chipset yet (e.g. due to general compatibility with i386-64 CPUs?!)? There is a way to make pfSense run on any kind of new hardware and not have to worry about problems with new technologies, while also making it somewhat portable: run pfSense in a virtual machine that runs on the new hardware. (Portable in the sense that you can move it from one host to another, no matter what cpu and chipset runs underneath)
Re: [pfSense] ipsec packets in one direction are too big
Any thoughts?? May not answer your question, but you did ask... I set up my first ipsec tunnel with pfSense and it has been wonderful, but I had to set System menu Advanced Miscellaneous tab Enable MSS clamping on VPN traffic, and set it to 1375 before I got a stable connection. Before that SSH seemed to work, but VNC and RDP connections would just stall until I changed the setting.
Re: [pfSense] 2.1 - strange minor issue with OpenVPN
All my OpenVPN services report an error contacting the daemon, both on the status page (as in print-screen) and also on the dashboard page. I'm getting this error as well.
Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!
I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, including immediate PDF download to the updated 2.1 book for subscribers! I assume this is why snapshots.pfsense.org is offline. At least the .iso for the LiveCD is downloading very quickly. Is it possible to restore a backup from 2.0.3 to a fresh install of 2.1? I have it running in a virtual machine, so there are 2 or 3 paths I can take. I live near Denver, Colorado where everything is washing away, and this seems a nice project and good reason for staying indoors today.
Re: [pfSense] NETGATE FW-7535 pfSense 2.0.2-RELEASE OpenVPN Data Corruption
I switched out the memory and the SSD, But did you test the ram? Make sure the ram doesn't require a special voltage - this is usually written on the sticker on the ram. And run memtest86 on it overnight. And suspect the ssd - try a small hdd. I like to use laptop drives as boot drives for my servers. Only need the speed of an ssd for running my VMs. That also leaves the nics. Some pci nics will run at 66MHz if they are placed in a 66MHz pci slot. That causes them to run very hot in some cases.