Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-09 Thread Jim Thompson


> On Dec 9, 2017, at 6:36 PM, Erik Anderson  wrote:
> 
> On Sat, Dec 9, 2017 at 2:56 PM, Chris L  wrote:
>> AES-GCM with all hashes disabled in the ESP/Phase 2.
> 
> I'm curious why you recommend this. I'm not being contrary, just
> curious. I've always had hashing enabled for both P1 and P2s. Is this
> something unique to AES-GCM?

AES-GCM is an AEAD algorithm.

https://en.wikipedia.org/wiki/Authenticated_encryption 


That means you don’t need the AH with AES-GCM (you can still use it, but it’s 
only going to slow you down.)

The HMAC-SHA1 is a complete second pass over the packet when using AH.  Also, 
until Goldmont (e.g. C3000) there aren’t any instructions to speed up SHA.

You can leave the hashes enabled on the P1s without great consequence.  (I tend 
to use AES-CBC + HMAC-SHA1 for the P1, and AES-GCM for the P2.)

Speaking to the original thread:  Using OpenSSL, AES-GCM is over twice as fast 
as AES-CBC on an E5 Xeon:
https://software.intel.com/en-us/articles/aes-gcm-encryption-performance-on-intel-xeon-e5-v3-processors

That paper also shows the total gain of AES-GCM vs. AES-CBC + HMAC-SHA1 is 4.5x

On a 4860 AES-GCM is about 2.33X AES-CBC for 1024 byte packets.
OpenSSL 1.0.2m-freebsd  2 Nov 2017
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type                     16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm            115071.69k   228127.15k   318135.73k   358155.93k   367813.84k
aes-128-cbc              4877.33k    18806.89k    63629.80k   153355.25k   258233.02k
aes-128-cbc-hmac-sha1   69219.79k   131366.66k   166310.72k   182410.40k   188056.86k

Anyway, the speedup is why we did the work to put AES-GCM support for IPsec in 
FreeBSD.

Jim

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
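To make the AEAD point above concrete, here is an added Go example (my code, not from Jim's message, pfSense or FreeBSD). AES-GCM seals and authenticates in a single pass, so a flipped ciphertext byte is rejected by Open; AES-CBC on its own has no integrity, so ESP pairs it with HMAC-SHA1, which is the second full pass over the packet that Jim describes. The keys, nonce and IV are constructed demo values; in IPsec they are derived by IKE.

```go
package main

// Added example, not code from the thread: why ESP with AES-GCM needs no
// separate hash while AES-CBC must be paired with HMAC-SHA1. AES-GCM is an
// AEAD: one pass yields ciphertext plus a 16-byte integrity tag. AES-CBC gives
// confidentiality only, so ESP adds HMAC-SHA1 as a second full pass over the
// packet (encrypt-then-MAC). Keys, nonce and IV are constructed for the demo.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"errors"
	"fmt"
)

var ( // constructed demo material, AES-128 to match the aes-128-* speed rows above
	encKey = []byte("0123456789abcdef") // 16-byte AES key
	macKey = []byte("fedcba9876543210") // HMAC-SHA1 key
	nonce  = []byte("0123456789ab")     // 96-bit GCM nonce; must never repeat under one key
	iv     = []byte("fedcba9876543210") // 128-bit CBC IV
)

// NewGCM wraps AES-128 in GCM: Seal encrypts and authenticates in one pass,
// Open rejects any ciphertext whose tag does not verify.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CBCHMACSeal is the two-pass construction: AES-CBC over PKCS#7-padded
// plaintext, then HMAC-SHA1 over IV||ciphertext appended as a 20-byte tag.
func CBCHMACSeal(encKey, macKey, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha1.New, macKey) // second pass over the whole ciphertext
	mac.Write(iv)
	mac.Write(ct)
	return mac.Sum(ct), nil
}

// CBCHMACOpen verifies the HMAC in constant time and only then decrypts.
func CBCHMACOpen(encKey, macKey, iv, sealed []byte) ([]byte, error) {
	if len(sealed) < sha1.Size+aes.BlockSize {
		return nil, errors.New("message too short")
	}
	ct, tag := sealed[:len(sealed)-sha1.Size], sealed[len(sealed)-sha1.Size:]
	mac := hmac.New(sha1.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("HMAC verification failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// TamperDetected flips one ciphertext byte under each scheme and reports whether
// the receiver rejects it; bare AES-CBC would silently decrypt to garbage instead.
func TamperDetected(payload []byte) (bool, bool, error) {
	aead, err := NewGCM(encKey)
	if err != nil {
		return false, false, err
	}
	g := aead.Seal(nil, nonce, payload, nil)
	g[0] ^= 0x01
	_, gcmErr := aead.Open(nil, nonce, g, nil)
	c, err := CBCHMACSeal(encKey, macKey, iv, payload)
	if err != nil {
		return false, false, err
	}
	c[0] ^= 0x01
	_, cbcErr := CBCHMACOpen(encKey, macKey, iv, c)
	return gcmErr != nil, cbcErr != nil, nil
}

func main() {
	g, c, err := TamperDetected([]byte("ESP payload"))
	fmt.Printf("tampered packet rejected: aes-gcm=%v aes-cbc+hmac-sha1=%v (err=%v)\n", g, c, err)
}
```

The GCM path touches each byte once (AES-CTR plus GHASH on the same pass), whereas the CBC path runs AES over the data and then SHA-1 over the same data again, which is the extra work the OpenSSL speed rows above are measuring.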

Re: [pfSense] pfsense openvpn speed?

2017-11-25 Thread Jim Thompson
What crypto transform and authentication are you running?  Maybe try AES-GCM 
(which is AES-NI accelerated) at both ends if both devices support it. Might 
need pfSense 2.4 for this. 

Try setting the (OpenVPN) MTU to a larger number. 

More hints: https://forum.pfsense.org/index.php?topic=123915.0

> On Nov 25, 2017, at 11:37 AM, Lyle  wrote:
> 
> There is a lot of information missing here.
> 
> 
> You have a better Netgate unit, but if the internet port on it is connected 
> to a 100Mbps switch, performance will suck.  Same on the LAN side.  And if 
> the ports are mismatched(half vs full duplex for instance), performance will 
> suffer.
> 
> 
> What percentage of the gigabit link and/or LAN link on Netgate are you 
> utilizing before adding in OpenVPN?  Your ISP may be over subscribed and 
> its uplinks are saturated.
> 
> 
> You may be pushing too much traffic through the NetGate and it can not handle 
> the load.
> 
> 
> In other words, based on the limited info you provided, you have not provided 
> proof that it's a problem with the NetGate.
> 
> 
> Lyle Giese
> 
>> On 11/25/17 06:34, Eero Volotinen wrote:
>> Hi list,
>> 
>> We are running pfsense 2.3 on netgate sg-8860.
>> 
>> Device is connected to internet with gigabit link, but openvpn speed is
>> very slow (about 50Mbit/s). Any idea how to get more speed to vpn clients?
>> 
>> Eero


Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-23 Thread Jim Thompson
If there is no response from the bootloader (coreboot) on the serial port, then 
the hardware died, and the upgrade’s only involvement was the reboot at the 
end. 

Jim

> On Nov 23, 2017, at 10:59 AM, Ryan Coleman  wrote:
> 
> There’s likely a package you added to your APU4 that is stopping the upgrade.
> 
> If you use reddit you can get some assistance from more NetGate staff there: 
> http://reddit.com/r/pfsense/
> 
>> On Nov 23, 2017, at 10:08 AM, Elijah Savage  wrote:
>> 
>> I know it is an older model but after my attempt to upgrade my APU4 it would
>> not reboot. I let it sit for 24 hours as it was still passing traffic but no
>> reboot. Logged into the console from my laptop and rebooted it and nothing
>> comes back. It doesn't give anything on the console and doesn't beep anymore
>> when booting up, I believe it doesn't get to that point.
>> 
>> 
>> 
>> Interesting enough I was able to get 2.4 loaded on an older dell optiplex
>> 780 with 3 nics to replace it just fine.
>> 
>> 
>> 
>> This is not intended to bash pfSense, I like it so much that I do contribute
>> monetarily. This is meant to be nothing more than a public service announcement
>> for others with this platform. Maybe it was just time for mine to die and it
>> potentially has nothing to do with pfSense.
>> 

Re: [pfSense] 2.4.1 IPSec tunnels

2017-10-29 Thread Jim Thompson
https://redmine.pfsense.org/issues/8003

It’s being worked on in snapshots. 

Jim

> On Oct 25, 2017, at 9:03 AM, Edward O. Holcroft  wrote:
> 
> I just upgraded from 2.4.0 to 2.4.1.
> 
> If I view the status of my IPSec tunnels, it seems they have all been
> duplicated.
> 
> The original tunnels all show as disconnected, while the second tunnel,
> which has no description, shows as connected.
> 
> So all the tunnels still work, it's just that there is a new duplicate entry
> without a description field populated. If I look in the IPSec tunnel
> settings however, there is only one tunnel, the correct one, with the
> description field populated. If I hit "connect" on one of the original
> tunnels, it does nothing, since of course it is already connected via the
> duplicate, unnamed tunnel.
> 
> Has anyone else seen this?
> 
> Any ideas on a way to clean it up? I don't see anything duplicated in the
> IPSec xml file.
> 
> ed
> 

Re: [pfSense] ASRock E3C236D2I+Pentium G4560 vs SM A1SRi-C2758F

2017-10-29 Thread Jim Thompson


> On Oct 28, 2017, at 3:45 PM, ullbeking  wrote:
> 
> P.S. Are there known problems posting to the forums at the moment?

Our upstream provider is having IPv6 issues. 

Jim


Re: [pfSense] IPSec tunnels on AT&T U-Verse

2017-05-15 Thread Jim Thompson


> On May 15, 2017, at 10:02 PM, Laz C. Peterson  wrote:
> 
> Is Openswan what is used for IPSec?

Strongswan. 



Re: [pfSense] IPSec tunnels on AT&T U-Verse

2017-05-14 Thread Jim Thompson
> agree about what to send each other from each end. Bad things can 
> happen if you try to do stuff like 0.0.0.0/0 routes, when using an IPv4 IPSec 
> outer tunnel, if you aren't careful, as non-tunnel traffic can get stolen by 
> the selectors. To prevent weird stuff like that, you have to make sure that 
> the Local Subnet entries, on the "Client" or "Less Central / Non Core 
> Network" 
> side of the tunnel are right.
> 
> Very carefully read this page if using really broad Masks on one, other, or 
> both ends of tunnel:
> 
> https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

Don’t know what you mean by “broad”, but it’s all (multiple) /24s here.

> 
> 10. Instead of the MOBIKE and DPD crap, keep the tunnel up, by using valid 
> IPs 
> on PFSense on other end of tunnel in the P2 auto-ping host entry. This will 
> keep the IPSec up all the time and keep it from getting foobarred, unless the 
> link itself has a gnarly outage, in which case you're down regardless.
> 
> 11. On both the P1 and P2, lock down the list of KEX, Enc, and Auth 
> algorithms 
> to a single solid algorithm. If the negotiation screws up, it causes weird 
> connection problems which you will damage your brain trying to debug.

All of this is of interest, and deeply appreciated, but I’ve got an IPsec 
connection between home and work that has been stable since … a couple years 
ago.

[2.4.0-BETA][admin@.netgate.com]/root: ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, FreeBSD 11.0-RELEASE-p8, amd64):
  uptime: 31 days, since Apr 12 23:04:50 2017   <— when I upgraded 2.4.0-BETA last time
...
Security Associations (1 up, 0 connecting):
con1[207]: ESTABLISHED 38 minutes ago, [n.o.p.e]…[n.o.p.e]
con1[207]: IKEv2 SPIs: f05e2f42a05215a7_i* aa6a47782800909e_r, pre-shared key reauthentication in 7 hours
con1[207]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
con1{1615}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c403bfaa_i ce716bae_o
con1{1615}:  AES_GCM_16_128, 56691 bytes_i (314 pkts, 0s ago), 89480 bytes_o (404 pkts, 0s ago), rekeying in 9 minutes
con1{1615}:   ===   

Note that I have DPD on, either side can be initiator or responder, and that I 
am rekeying.   I’m not on AT&T U-verse (even though there is an ONT from them on 
the side of my house, and they claim “no service at that address”). I’m using 
Grande (a local provider) at 1gbps/1gbps.

Jim

> 
> Matthew.
> 
> On Sat, May 13, 2017 at 06:48:48PM -0700, Laz C. Peterson wrote:
>> We’ll try that, thanks for the suggestion.
>> 
>> I don’t recall us using that anywhere else … Would be great if it works!
>> 
>> I’ll let you know.  Thanks Jim.
>> 
>> ~ Laz Peterson
>> Paravis, LLC
>> 
>>> On May 13, 2017, at 3:57 PM, Jim Thompson <j...@netgate.com> wrote:
>>> 
>>> 
>>> Maybe NAT traversal?
>>> 
>>> https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal
>>> 
>>>> On May 13, 2017, at 5:30 PM, Laz C. Peterson <l...@paravis.net> wrote:
>>>> 
>>>> Hello everyone,
>>>> 
>>>> We’re having a pretty interesting problem here …
>>>> 
>>>> To give you the quick summary, we have AT&T U-Verse “Business Fiber” 
>>>> (which is a fancy way of saying it’s actual fiber, but the budget kind 
>>>> …) and have very serious issues establishing any TLS or SSL encrypted 
>>>> connections through IPSec tunnels.
>>>> 
>>>> If we plug a SonicWALL device in, same tunnel settings, we have no issues 
>>>> at all.  But our pfSense device (it is a SG-2440) struggles very hard and 
>>>> we cannot do simple encrypted services over this tunnel — including 
>>>> downloading email, synchronizing AD domain servers, or even rsync over SSH.
>>>> 
>>>> It’s been very troubling.  When plugging in the SonicWALL, all of these 
>>>> services work completely flawlessly.  The second we use the pfSense, none 
>>>> of the encrypted protocols through the tunnel work.
>>>> 
>>>> I’ve been thinking about MSS and MTU, but I really don’t know where to 
>>>> begin.  The SonicWALL seems to be able to figure these things out on its 
>>>> own (if that’s even the issue).  But I’m at a total loss.
>>>> 
>>>> Any suggestions?
>>>> 
>>>> ~ Laz Peterson
>>>> Paravis, LLC

Re: [pfSense] IPSec tunnels on AT&T U-Verse

2017-05-13 Thread Jim Thompson

Maybe NAT traversal?

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

> On May 13, 2017, at 5:30 PM, Laz C. Peterson  wrote:
> 
> Hello everyone,
> 
> We’re having a pretty interesting problem here …
> 
> To give you the quick summary, we have AT&T U-Verse “Business Fiber” (which 
> is a fancy way of saying it’s actual fiber, but the budget kind …) and have 
> very serious issues establishing any TLS or SSL encrypted connections through 
> IPSec tunnels.
> 
> If we plug a SonicWALL device in, same tunnel settings, we have no issues at 
> all.  But our pfSense device (it is a SG-2440) struggles very hard and we 
> cannot do simple encrypted services over this tunnel — including downloading 
> email, synchronizing AD domain servers, or even rsync over SSH.
> 
> It’s been very troubling.  When plugging in the SonicWALL, all of these 
> services work completely flawlessly.  The second we use the pfSense, none of 
> the encrypted protocols through the tunnel work.
> 
> I’ve been thinking about MSS and MTU, but I really don’t know where to begin. 
>  The SonicWALL seems to be able to figure these things out on its own (if 
> that’s even the issue).  But I’m at a total loss.
> 
> Any suggestions?
> 
> ~ Laz Peterson
> Paravis, LLC

Re: [pfSense] Hardware compatibility

2017-04-07 Thread Jim Thompson


> On Apr 7, 2017, at 7:31 PM, Jon Gerdes  wrote:
> 
> There are quite a few ready made low power systems with pfSense pre-installed 
> - no need to go off piste.

Every one of these that doesn't come from Netgate or its partners is in 
violation of the license to pfSense Community Edition. 

pfSense CE is the free version we give to the community.  It's not made for 
people to pre-load and sell.

https://doc.pfsense.org/index.php/Can_I_sell_pfSense



Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-31 Thread Jim Thompson
On Tue, Mar 28, 2017 at 11:32 AM, compdoc  wrote:

> On 03/28/2017 08:41 AM, WebDawg wrote:
>
> It seems to me that NAT and general firewalls should be easily handled?  Am
>> I wrong here?  I mean, how much hardware do you need for pf to function at
>> 1gbps??  Would not offloading help here too?
>>
>
> Ive run tests on AMD and Intel cpus that I happened to have in stock using
> BSDRP. This is simple, router only software based on BSD. It has no
> services running, (nat, snort, ect) so no overhead to slow it down.
>
> To get the full bandwidth of gig ethernet required using Intel nics. I
> also found that sending or receiving full gigabit was easy even for
> low-power cpus. But routing it, meaning in one port and out another,
> required a more powerful cpu.
>
> Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a
> newer model AMD APU could keep up. All these tests were using standard
> x86_64 desktop hardware. No server-based parts were needed.


We're currently building a pair of boxes with an i7-6850x on an X-99
motherboard with 40G NICs to test the 'new' stuff.   Stay tuned.  ;-)
(Is that 'desktop' enough for you?)

These are really to demo for my talk in May:
https://conferences.oreilly.com/oscon/oscon-tx/public/schedule/detail/56727

> However, I think that router-boards can route full Gig ethernet without
> such powerful cpus. Even cheap gigabit network switches can pump gig
> ethernet in one port and out another, at full speed. I'm not sure how
> router-boards and network switches do this. I'm guessing it's done using
> specialized hardware.
>

That's some of it.  More of it is that "cheap gigabit network switches"
only base forwarding decisions on the layer 2 destination address.
A router has to do a lot more work.

For example:
A router must check for minimum length and correct checksum on any input
packet.
It must decrement the TTL in the IP packet, and, if it's not 0, update the
checksum and forward the packet.  This may involve discovering a layer 2
address and outbound interface.
It also has to look at the layer 3 (IPv4/IPv6) destination and determine
the best (longest) match route.  It may use a 'default' route if no 'best'
route is found.

Cheap routing silicon is available.  The Ubiquiti Edge Router series uses
a small Cavium SoC.   There are others (these days mostly ARM based).  The
problem with cheap routing silicon is that it either doesn't implement, or
constrains what you can do for other services typically associated with a
firewall.  Packet filtering (especially beyond simple, stateless ACLs) is
typically not implemented on inexpensive SoCs.
Some SoCs have a "NAT offload" function, but it isn't as sophisticated as
what you'll find in 'pf'.

On the other side of the penny, you can throw almost any amount of CPU at
traditional kernel networking, and you're not going to see the performance
of a traditional hardware router.
All the stacks (FreeBSD, Linux, other BSDs, Windows) are optimized for
delivering packets to an application, not forwarding packets.  They've all
been designed as "packet at a time", and some of the stacks, e.g. FreeBSD's
are overly locked.

The lessons of technologies such as netmap are clear.   You don't process
packet-at-a-time if you want performance.  Too much stop-n-go.  Too much
thrash on (especially) the instruction cache. Our 'netmap-fwd' codebase
shows the limit of that approach (albeit with kernel-bypass).

> None of the urls or examples posted in this thread so far address the
> actual throughput of the equipment being used, so dont assume everything
> suggested will work at the speed you want.


First you have to decide what you're going to measure, and how.

I claim that a simple "fill the pipe with large packets" test is useless to
understand the performance of the system.  All the work is on a per-packet
rather than per byte basis, unless you don't have DMA or are doing some
type of DPI.

Jim
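The per-packet router work Jim lists above, as an added Go example (my code, not from the thread, pfSense or FreeBSD): minimum-length and header-checksum validation, TTL decrement with an incremental checksum update (RFC 1624) so the header is not re-summed, and a longest-prefix-match lookup that falls back to a 0.0.0.0/0 default route. The packet, next hops, interface names and routing table are constructed for the demo; next-hop layer-2 resolution is left out.

```go
package main

// Added example, not code from the thread: the per-packet work a router does
// that a layer-2 switch skips, as listed above: minimum-length and checksum
// check, TTL decrement (drop at zero), incremental checksum update (RFC 1624),
// and longest-prefix-match lookup with a 0.0.0.0/0 fallback. The packet and
// routing table are constructed for the demo.

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

type Route struct {
	Prefix  *net.IPNet
	NextHop net.IP
	Iface   string
}

// Checksum is the RFC 1071 ones-complement sum over an even-length IPv4
// header; with the checksum field filled in, a valid header sums to 0.
func Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// IncrementalChecksum re-derives the checksum after one 16-bit word changes
// from old to new, without re-summing: HC' = ~(~HC + ~old + new) (RFC 1624).
func IncrementalChecksum(hc, old, new uint16) uint16 {
	sum := uint32(^hc) + uint32(^old) + uint32(new)
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// LongestMatch returns the most specific route containing dst, or nil; a
// 0.0.0.0/0 entry is the default route, used only when nothing narrower matches.
func LongestMatch(dst net.IP, table []Route) *Route {
	var best *Route
	bestLen := -1
	for i := range table {
		if ones, _ := table[i].Prefix.Mask.Size(); table[i].Prefix.Contains(dst) && ones > bestLen {
			best, bestLen = &table[i], ones
		}
	}
	return best
}

// Forward does the router's per-packet work on pkt in place and returns the
// route to send it on (next-hop layer-2 resolution is left out).
func Forward(pkt []byte, table []Route) (*Route, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, errors.New("not a minimum-length IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl || int(binary.BigEndian.Uint16(pkt[2:])) > len(pkt) || Checksum(pkt[:ihl]) != 0 {
		return nil, errors.New("bad length or header checksum")
	}
	if pkt[8] <= 1 { // TTL would reach 0: drop (a real router also sends ICMP time exceeded)
		return nil, errors.New("TTL expired in transit")
	}
	old := binary.BigEndian.Uint16(pkt[8:]) // TTL is the high byte, protocol the low byte
	pkt[8]--
	binary.BigEndian.PutUint16(pkt[10:], IncrementalChecksum(binary.BigEndian.Uint16(pkt[10:]), old, binary.BigEndian.Uint16(pkt[8:])))
	if r := LongestMatch(net.IP(pkt[16:20]), table); r != nil {
		return r, nil
	}
	return nil, errors.New("no route to host")
}

// BuildIPv4 makes a minimal IPv4/UDP packet with a correct checksum (demo input).
func BuildIPv4(src, dst net.IP, ttl byte, payload []byte) []byte {
	pkt := make([]byte, 20+len(payload))
	pkt[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	pkt[8], pkt[9] = ttl, 17
	copy(pkt[12:16], src.To4())
	copy(pkt[16:20], dst.To4())
	binary.BigEndian.PutUint16(pkt[10:], Checksum(pkt[:20]))
	copy(pkt[20:], payload)
	return pkt
}

func main() {
	var table []Route // constructed: a /8, a more specific /24 and a default route
	for _, e := range [][3]string{{"10.0.0.0/8", "192.0.2.1", "igb1"}, {"10.1.2.0/24", "192.0.2.2", "igb2"}, {"0.0.0.0/0", "198.51.100.1", "igb0"}} {
		_, n, _ := net.ParseCIDR(e[0])
		table = append(table, Route{n, net.ParseIP(e[1]), e[2]})
	}
	pkt := BuildIPv4(net.ParseIP("172.16.0.5"), net.ParseIP("10.1.2.9"), 64, []byte("payload"))
	r, err := Forward(pkt, table)
	fmt.Printf("route=%+v err=%v TTL now %d checksum valid %v\n", r, err, pkt[8], Checksum(pkt[:20]) == 0)
}
```

Every step here runs once per packet regardless of payload size, which is Jim's point about measuring packets per second rather than bytes per second: a 64-byte packet costs the forwarding path as much as a 1500-byte one.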

Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread Jim Thompson
On Tue, Mar 28, 2017 at 11:50 AM, Matthew Hall 
wrote:

> On Tue, Mar 28, 2017 at 09:59:05AM +0300, Eero Volotinen wrote:
> > Hi List,
> >
> > Looking for pfsense hardware that can handle 1000M/1000M internet
> > connection with NAT.
> >
> > Any recommendations? It must be silent..
> >
> > --
> > Eero
>
> This model can do gigabit with line-rate 64-byte packets:
>
> https://store.pfsense.org/SG-2440/
>
> If you don't need line-rate it's possible with some other units.
>
> Can you provide more specifics on the traffic mix?
>

Can you run line-rate 1gbps (1.488Mpps, 64 byte packets) using
kernel-bypass networking (DPDK, netmap, etc)?  Sure.   It's even easy.

Can you do this using kernel networking (freebsd, linux, whatever)?

No.  No f-ing way.   You can do 1gbps the easy way (1500 byte frames at
around 88,000 fps) on a 2C Rangeley, but not the hard way.

This is why "3.0" has support for kernel-bypass networking.  It's a whole
new architecture, designed to take advantage of the types of acceleration
that are possible if you get away from the packet-at-a-time forwarding
inherent in the kernel-based stacks in both FreeBSD and linux.

To directly answer the question:

I run a 4860 at home on a 1g/1g connection.  I happen to live in the right
neighborhood in Austin that FTTH at 1gbps is $65/mo.  They didn't offer
anything faster than 300Mbps (for $199/mo) before Google came to town.
 (Thanks, Google Fiber.)

When Google Fiber does the buildout in my neighborhood, I'll probably have
both.

Technically a 2440 or even 2220 will handle 1gbps traffic, but I run a
constant on IPsec connection to work, and the increased clockrate (2.4GHz
.vs 1.7GHz) of the 4860 .vs the 2440/2220 is worth it for IPsec.

If your timeframe is later this year, we tweeted this last week:
https://twitter.com/NetgateUSA/status/840225916550807552
https://twitter.com/NetgateUSA/status/841331131270221825

A few more details here:
https://www.reddit.com/r/PFSENSE/comments/61ging/why_is_the_sg2220_hardware_so_expensive/dfeox4c/

As I stated in that Reddit thread, the unit in that tweet is 2C C3338, I'll
likely spec it as a 4C when it ships.  With pfSense 2.x on it, it will more
than do the job.  With 3.0, it won't even get warm.  And yes, perfectly
silent.

We have other (ARM-based) hardware coming that will likely meet the same
performance as a C3338.  Dual WAN, 4 port switch on LAN, optional POE
support, and a bunch of other goodies (multiple m.2 sockets for
LTE/802.11/SSD, miniPCIe, on-board antennas, etc.)

There is a roadmap beyond these, but I'm not going to expose it here.

Jim

Re: [pfSense] Netgate Firmware

2017-03-21 Thread Jim Thompson
One more time:  there is only so much I can say about the issue.  Richard
Relph's message is inaccurate, but I can not describe why or how.

Specific to the subject of this thread:  The coreboot (it's not really a
BIOS, and yes, I'm splitting hairs) update addresses a Intel-issued
"specification clarification" for C2000-based systems.

The Intel specification clarification is available at the following
location:
https://www-ssl.intel.com/content/dam/www/public/us/en/documents/specification-updates/atom-c2000-family-spec-update.pdf

This specification clarification includes the following text on page 36:

“If your system does not use SERIRQ and BIOS puts SERIRQ in Quiet-Mode, then the
weak external pull up resistor is not required. All other cases must implement an
external pull-up resistor, 8.2k to 10k, tied to 3.3V.”

Since the LPC bus, including SERIRQ is not used in the SG-2xxx, SG-4xxx and
SG-8xxx systems, a software workaround for this specification clarification
has been implemented by ADI Engineering in v12 of coreboot for the affected
systems. The workaround disables SERIRQ to prevent indeterminate interrupt
behavior for these systems.

The instructions on how to update all affected systems are at the following
URLs:

https://www.netgate.com/docs/sg-2220/adi-bios-flash.html
https://www.netgate.com/docs/sg-2440/adi-bios-flash.html
https://www.netgate.com/docs/sg-4860/adi-bios-flash.html
https://www.netgate.com/docs/sg-4860-1u/adi-bios-flash.html
https://www.netgate.com/docs/sg-8860-1u/adi-bios-flash.html

We are also working on a 'package' (for pfSense) that will do most of the
work outlined in this documentation.

If you aren't running pfSense on your system, then there is a
different procedure, please contact Netgate customer support.

We have tested this update and believe it to be low risk for you to
implement. However, we encourage you to always backup your configuration
before applying any update or change.

We recommend that you update your affected systems at your earliest
convenience.

Jim


On Tue, Mar 21, 2017 at 3:33 PM, Richard A. Relph 
wrote:

> Google “cisco intel atom issue” for some of the coverage of the problem.
> The symptom appears to be that on a reboot (power on? cold reset? warm
> reset?) the Atom may not generate LPC clocks… kinda fatal. But it seemingly
> doesn’t happen in the course of normal operation.
>
> Richard
>
> > On Mar 21, 2017, at 1:24 PM, Steve Yates  wrote:
> >
> >   Note despite the thread subject, the affected models are:
> >
> > SG-2220
> > SG-2440
> > SG-4860
> > SG-8860
> > SG-4860-1U
> > SG-8860-1U
> >
> > However, what is the symptom?  We have a handful of these in service at
> various clients but have not noticed any issues that we're aware of.
> >
> > --
> >
> > Steve Yates
> > ITS, Inc.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jon
> Gerdes
> > Sent: Tuesday, March 21, 2017 12:57 PM
> > To: list@lists.pfsense.org
> > Subject: Re: [pfSense] Netgate Firmware
> >
> >
> > Topic: SG-2440 bios upgrade:
> >
> > https://forum.pfsense.org/index.php?topic=127418.msg703237#msg703237
> >
> >
> > On Mon, 2017-03-20 at 19:49 -0500, Richard A. Relph wrote:
> >> OK, now you guys have me curious…
> >>
> >> I have a Netgate SG-2440 purchased directly from Netgate. I’ve
> >> received no emails. I don’t frequent the forums. But I am aware of an
> >> “alleged” chip issue, which I believe my unit is susceptible to.
> >>
> >> Can someone provide a link to a relevant forum thread?
> >>
> >> Thanks,
> >> Richard
> >>

Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jim Thompson
I tend to be careful about spamming the pfSense list with things that
aren't directly related to pfSense.

Jim

On Mon, Mar 20, 2017 at 7:13 PM, Jon Gerdes <gerd...@blueloop.net> wrote:
> It might be worth putting a press release style post here as well
> anyway.
>
> Your mailing list may not be perfect and some people have a nasty habit
> of registering things with their own email address instead of a group
> address/alias and then moving on.  Their account gets deleted and that
> box that does something for the internets stops working and it could
> have been fixed by a timely firmware update.
>
> To be fair, there is quite a lot of chat on the forums about this and
> any interested pfSenser should be hanging out there as well as here.
>
>
>
> On Mon, 2017-03-20 at 18:57 -0500, Jim Thompson wrote:
>> we only sent it to customers of affected units.
>>
>> On Mon, Mar 20, 2017 at 5:43 PM, WebDawg <webd...@gmail.com> wrote:
>> > Is there any other list for netgate firmware updates?  I just
>> > received a
>> > notification from sales@pfsense about netgate firmware updates but
>> > it was
>> > not sent to this list?


Re: [pfSense] Netgate Firmware

2017-03-20 Thread Jim Thompson
we only sent it to customers of affected units.

On Mon, Mar 20, 2017 at 5:43 PM, WebDawg  wrote:
> Is there any other list for netgate firmware updates?  I just received a
> notification from sales@pfsense about netgate firmware updates but it was
> not sent to this list?


Re: [pfSense] pfsense twitter account making rude comments.

2017-02-22 Thread Jim Thompson
On Tue, Feb 21, 2017 at 10:49 AM, Travis Hansen  wrote:
> Regardless of this specific issue, I'd prefer the official twitter feed be a 
> bit more...focused.
> In any case, thanks for the great project! Travis Hansen 
> travisghan...@yahoo.com

I just hired someone to take it over, so... in a couple days, and
until they quit, it won't be me.

I'll continue to be myself at @gonzopancho, if you care.

Best,

Jim


Re: [pfSense] pfsense twitter account making rude comments.

2017-02-22 Thread Jim Thompson
Because that's what most MUAs default to these days. (joke intended)

On Thu, Feb 23, 2017 at 12:38 AM, WebDawg  wrote:

> Why does everyone top post on this list?


Re: [pfSense] pfsense twitter account making rude comments.

2017-02-20 Thread Jim Thompson

It wasn't veiled at all, Ryan.  Nor am I attempting to "win anyone over". 

This individual has always been cranky. He wanted us to add code to squidGuard 
to support username+password downloads so he could sell users of pfSense his 
lists. We said, "No".

If I thought Mr. Nichols' "offering" (blacklists) was of any value, I'd have sent 
him $2800.00 for a lifetime subscription for everyone using pfSense over a year 
ago. 

http://www.squidblacklist.org/commercial.html

The only reasons I haven't:

- I can't see any value in what he has.
- I don't do business with anyone who would post this as a response: 

https://vid.me/MsYw (warning: nsfw)

All this individual is offering is a collection of other people's blacklists, 
promoted on Twitter, leveraging (and likely infringing) Cisco's trademark. 

Curation can be valuable, if performed correctly.  The value of a content 
curator is their ability to filter through the volumes of content and select 
the best, the most original, the most valuable, pieces.

This individual isn't doing any of these. 

pfBlockerNG is a far better solution. 

Jim

> On Feb 20, 2017, at 8:41 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> 
> My point is this: If you have something to say to someone… don’t block them. 
> If you want to open a dialog, do so… but you’re making the wrong step here 
> coming to the mailing list to make a veiled call out of the project. You knew 
> for darn sure who it was that responded. 
> 
> So… send @GonzoPancho a message privately and take the higher ground. When 
> you stoop to his level you don’t win anyone over. And neither does Jim. 
> 
> —
> Ryan
> 
>> On Feb 20, 2017, at 9:35 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
>> 
>> Really?
>> 
>> Jim Thompson @gonzopancho <https://twitter.com/gonzopancho> 9 hours ago 
>> <https://twitter.com/gonzopancho/status/833750107157884928>
>> @Squidblacklist <https://twitter.com/Squidblacklist> is there a reason 
>> you're so spammy?
>> 
>> Squidblacklist @Squidblacklist <https://twitter.com/Squidblacklist> 8 hours 
>> ago <https://twitter.com/Squidblacklist/status/833756019696209920>
>> @gonzopancho <https://twitter.com/gonzopancho> Is there a reason you are 
>> calling me spammy? Its called social media, you use it or you dont, we dont 
>> work for free.
>> 
>> Jim Thompson @gonzopancho <https://twitter.com/gonzopancho> 7 hours ago 
>> <https://twitter.com/gonzopancho/status/833778454978031617>
>> @Squidblacklist <https://twitter.com/Squidblacklist> maybe if you had 
>> something to say...
>> 
>> Squidblacklist @Squidblacklist <https://twitter.com/Squidblacklist> 7 hours 
>> ago <https://twitter.com/Squidblacklist/status/833780612557217792>
>> @gonzopancho <https://twitter.com/gonzopancho> Maybe if you'd be enjoying 
>> life, if you weren't spreading ur misery on Twitter.
>> 
>> pfSense® Project @pfsense <https://twitter.com/pfsense> 6:12 PM - 20 Feb 2017
>> @Squidblacklist <https://twitter.com/Squidblacklist> dude, you blocked me, 
>> so I'll respond here. I've been snowboarding in Vail the past 2 days. I am 
>> enjoying my life.
>> 
>> You know what you’re doing… I would highly recommend you walk away - you 
>> aren’t going to win many friends here. From the looks of it you’re the one 
>> on the soap box.
>> 
>>> On Feb 20, 2017, at 8:28 PM, Benjamin E. Nichols 
>>> <webmas...@squidblacklist.org <mailto:webmas...@squidblacklist.org>> wrote:
>>> 
>>> Whomever is running the pfsense twitter account is making uncalled for, and 
>>> rude remarks.
>>> 
>>> I submit to you that the official pfsense twitter account is not a platform 
>>> for one individual to abuse as a soap box to cast insults at whatever 
>>> persons targeted.
>>> 
>>> We reserve the right to, and will respond accordingly.
>>> 
>>> 
>>> -- 
>>> --
>>> 
>>> Signed,
>>> 
>>> Benjamin E. Nichols
>>> http://www.squidblacklist.org <http://www.squidblacklist.org/>
>>> 
>>> 1-405-397-1360 - Call Anytime.
>>> 

Re: [pfSense] SG-2440 fsck at reboot

2017-02-08 Thread Jim Thompson
igb

> On Feb 9, 2017, at 12:18 AM, Øyvind 'bolt' Hvidsten <b...@dhampir.no> wrote:
> 
> Ah. I had forgotten about that. That's me playing around with a few scripts 
> and tcpdump/tcprewrite/tcpreplay in attempt to simulate a very specific 
> environment.
> 
> It was started by cron. Are there any specific drivers I should be using on 
> the SG-2440 if I want to do stuff like that?
> 
>> On 09/02/17 01:53, Jim Thompson wrote:
>> Why are you attempting to run netmap over standard, unmodified device 
>> drivers?
>> 
>> (Perhaps Suricata IPS?)
>> 
>> 
>> 
>>> On Wed, Feb 8, 2017 at 11:47 AM, Øyvind 'bolt' Hvidsten <b...@dhampir.no> 
>>> wrote:
>>> So, I rebooted an SG-2440 at a remote site, and it didn't come back up.
>>> 
>>> I went over there, plugged in the console cable, pressed  and got a #
>>> 
>>> Stupidly, instead of poking around, I typed "exit", and it immediately
>>> booted, complaining about some fsck fixes it had to do.
>>> 
>>> Then it gave me a ton of lines like these:
>>> -
>>> 281.465158 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.476184 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.483175 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.490567 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.497547 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.504807 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.512232 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> done.
>>> 281.519241 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.526864 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.534269 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.541352 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.548217 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.555776 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.562758 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.569795 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.577263 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.584263 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.595263 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.603180 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.610788 [ 799] generic_netmap_dtor   Restored native NA 0
>>> Starting NTP tim281.618288 [ 266] generic_find_num_desc called, in tx
>>> 1024 rx 1024
>>> e client...281.627131 [ 274] generic_find_num_queues   called, in txq 0 rxq
>>> 0
>>> 281.635177 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.642505 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.650094 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.657131 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.664235 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.671654 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.678689 [ 799] generic_netmap_dtor   Restored native NA 0
>>> 281.685705 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
>>> 281.693152 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
>>> 281.702990 [ 799] generic_netmap_dtor   Restored native NA 0
>>> done.
>>> Starting DHCP service...done.
>>> Configuring firewall.0 addresses deleted.
>>> 0 addresses deleted.
>>> .done.
>>> Generating RRD graphs...done.
>>> Starting syslog...done.
>>> [boot process continues.]
>>> -
>>> 
>>> Well, the box is up now, but what the hey?
>>> Is it normal for these to get stuck at fsck and require manual intervention?
>>> What do all the generic_ lines mean?

Re: [pfSense] SG-2440 fsck at reboot

2017-02-08 Thread Jim Thompson
Why are you attempting to run netmap over standard, unmodified device drivers?

(Perhaps Suricata IPS?)



On Wed, Feb 8, 2017 at 11:47 AM, Øyvind 'bolt' Hvidsten  wrote:
> So, I rebooted an SG-2440 at a remote site, and it didn't come back up.
>
> I went over there, plugged in the console cable, pressed  and got a #
>
> Stupidly, instead of poking around, I typed "exit", and it immediately
> booted, complaining about some fsck fixes it had to do.
>
> Then it gave me a ton of lines like these:
> -
> 281.465158 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.476184 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.483175 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.490567 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.497547 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.504807 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.512232 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> done.
> 281.519241 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.526864 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.534269 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.541352 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.548217 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.555776 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.562758 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.569795 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.577263 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.584263 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.595263 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.603180 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.610788 [ 799] generic_netmap_dtor   Restored native NA 0
> Starting NTP tim281.618288 [ 266] generic_find_num_desc called, in tx
> 1024 rx 1024
> e client...281.627131 [ 274] generic_find_num_queues   called, in txq 0 rxq
> 0
> 281.635177 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.642505 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.650094 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.657131 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.664235 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.671654 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.678689 [ 799] generic_netmap_dtor   Restored native NA 0
> 281.685705 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
> 281.693152 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
> 281.702990 [ 799] generic_netmap_dtor   Restored native NA 0
> done.
> Starting DHCP service...done.
> Configuring firewall.0 addresses deleted.
> 0 addresses deleted.
> .done.
> Generating RRD graphs...done.
> Starting syslog...done.
> [boot process continues.]
> -
>
> Well, the box is up now, but what the hey?
> Is it normal for these to get stuck at fsck and require manual intervention?
> What do all the generic_ lines mean?
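
The `generic_*` lines quoted in this thread are printed by netmap's emulated ("generic") adapter, the path netmap falls back to when the NIC driver has no native netmap support, which is what Jim's question about unmodified drivers and his one-word answer (igb) are pointing at. As an added example that is not part of the thread, the parser below pulls those records out of a console log in which they are interleaved with the rc boot output, including the two places where a wrapped netmap message split the "Starting NTP time client..." line. The sample log is constructed from the quoted lines, and the function names are mine.

```python
"""Extract netmap generic-adapter messages from a pfSense/FreeBSD console log.

Added example, not from the thread. SAMPLE_LOG is constructed from the lines
quoted in the thread; function names are the author's own.
"""
import re
from collections import Counter

# Constructed sample: a few of the quoted lines, including the two where the
# rc output "Starting NTP time client..." was interleaved with a wrapped message.
SAMPLE_LOG = """\
281.465158 [ 274] generic_find_num_queues   called, in txq 0 rxq 0
281.476184 [ 799] generic_netmap_dtor   Restored native NA 0
281.483175 [ 266] generic_find_num_desc called, in tx 1024 rx 1024
Starting NTP tim281.618288 [ 266] generic_find_num_desc called, in tx
1024 rx 1024
e client...281.627131 [ 274] generic_find_num_queues   called, in txq 0 rxq
0
Starting DHCP service...done.
"""

# netmap debug format: <uptime seconds> [<source line>] <function> <message>
NETMAP_RE = re.compile(
    r"(?P<ts>\d+\.\d{6}) \[\s*(?P<src>\d+)\] (?P<func>generic_\w+)\s+(?P<msg>.*)"
)
# A wrapped tail of a netmap message contains only numbers and queue/ring words.
CONT_RE = re.compile(r"^(?:\d+|rx|tx|rxq|txq)(?: (?:\d+|rx|tx|rxq|txq))*$")


def parse_netmap_lines(text: str) -> list:
    """Return one dict per generic-adapter message found in `text`.

    Uses search() rather than match() because rc output may precede the
    timestamp on the same console line; a following line that looks like a
    wrapped tail is re-joined to the previous record. Everything else is
    ordinary boot output and is ignored.
    """
    records = []
    for raw in text.splitlines():
        m = NETMAP_RE.search(raw)
        if m:
            records.append({"ts": float(m["ts"]), "src": int(m["src"]),
                            "func": m["func"], "msg": m["msg"].strip()})
        elif records and CONT_RE.match(raw.strip()):
            records[-1]["msg"] = f"{records[-1]['msg']} {raw.strip()}".strip()
    return records


def summarize(records) -> Counter:
    """Count messages per netmap function, e.g. how often the destructor ran."""
    return Counter(r["func"] for r in records)


def emulated_netmap_seen(records) -> bool:
    """True when the emulated adapter was in use: some netmap client (an
    inline IPS, a tcpreplay-style tool) opened an interface whose driver has
    no native netmap support. On a production firewall that is worth knowing,
    since the generic path is slower than native netmap."""
    return any(r["func"].startswith("generic_") for r in records)


if __name__ == "__main__":
    recs = parse_netmap_lines(SAMPLE_LOG)
    for r in recs:
        print(f"{r['ts']:.6f} {r['func']:<24} {r['msg']}")
    print(summarize(recs))
    print("emulated netmap adapter seen:", emulated_netmap_seen(recs))
```

Run against a saved copy of the console output (or `dmesg`), the summary tells you how many interfaces were opened through the generic adapter; a clean boot of a box whose netmap clients use natively supported drivers such as igb should produce no `generic_*` records at all.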

Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-27 Thread Jim Thompson
> My point is just that if you have normal traffic patterns, even at 600 you 
> should have no problem pushing 10GE.   A MTU of 600 should give you about 53
> gigabit/s if you are able to push 1200 pps with that payload.

An "MTU of 600" wouldn't allow IPv6 to pass over a link.  IPv6
requires that every link in the internet have an MTU of 1280 octets or
greater.  See RFC 2460, section 5.

MTU is *maximum transmission unit*, which is decidedly different than
minimum packet size, which is probably what you intended.

> Your statement of 80% is just confusing, that is all.

Your misunderstanding of the issues here is, unfortunately, quite
common.  Nearly all of the work in packet processing is per-packet,
rather than per bit.  The exceptions include VPN, where the encryption
overheads dominate, and DPI, where the payload must be inspected,
rather than merely passed along.

Jim


On Fri, Jan 27, 2017 at 5:59 AM, Espen Johansen <pfse...@gmail.com> wrote:
> 1200 was my average packet size when analyzed in Dataguard Core network (a
> smb ISP here in .no) . I'm sure others can find different averages. My point
> is just that if you have normal traffic patterns, even at 600 you should
> have no problem pushing 10GE. A MTU of 600 should give you about 53
> gigabit/s if you are able to push 1200 pps with that payload. Your
> statement of 80% is just confusing, that is all.
>
> On Fri, Jan 27, 2017, 04:02 Jim Thompson <j...@netgate.com> wrote:
>
>> On Thursday, January 26, 2017, Espen Johansen <pfse...@gmail.com> wrote:
>>
>> > Are you saying worst case is 80%? It's not normal to have all minimum size
>> > packets unless you are under ddos.
>> > Default ethernet is 1526 (1530 with vlan) with a MTU 1500 on a layer 1
>> > frame.
>> > A layer 2 frame is 1518 (1522 with vlan).
>> > If you want to include all layer headers then 1542 including vlan is the
>> > correct number and that will allow a 1500 octet payload.
>>
>>
>> Yes, I know, but adding a vlan tag means the small frame size isn't
>> "smallest". I was just throwing that in for comparison.
>>
>> Point is, on a 10g network, the maximum frame rate is 14.88 mpps.  This is
>> the highest rate required by the network under any circumstance. It's also
>> how you have to think about the problem if you're not going to engage in
>> making excuses.
>>
>> If you still don't like it, consider that:
>>
>> - 40g Ethernet cards exist today, so being able to forward 256 byte packets
>> at 40gbps will require the same 14.88 mpps rate,
>> - nx25 is the future in the data center vswitches and vrouters are a thing,
>> and pfSense should be able to play in this market
>> - 10g is starting to appear on lower-end hardware.
>> - 10g switches are starting to hit $100/port
>>
>> And also that netgate has product coming in 2017 that folds multiple
>> integrated switch ports into a single 2.5gbps or multiple 10gbps Ethernet
>> uplink ports.
>>
>> Remember, we're doing this in software.  No ASICs required.  That 12mpps
>> figure on an 8 core Rangeley includes 50 ACLs in the path.
>>
>> BTW, average frame size on the Internet is just under 600 bytes. Not
>> 1200 as you guessed.
>>
>> Jim
>>
>> >
>> > On Thu, Jan 26, 2017, 18:20 Jim Thompson <j...@netgate.com
>> <javascript:;>>
>> > wrote:
>> >
>> > > > On Jan 26, 2017, at 5:06 PM, rai...@ultra-secure.de <javascript:;>
>> > wrote:
>> > > >
>> > > > Am 2017-01-26 07:03, schrieb Jim Thompson:
>> > > >> It does not.
>> > > >> The c2758 SoC is interesting. 8 cores, and the on-die i354 is
>> > > essentially a
>> > > >> block with 4 i350s on it.
>> > > >> These have 8 queues for each of rx and tx, so 16 each, for a total
>> of
>> > 64
>> > > >> queues.
>> > > >> On the c2xxx series (and other) boxes we ship, we increase certain
>> > > >> tunables, because we know what we're installing onto, and can adjust
>> > > that
>> > > >> factory load. pfSense CE does not have that luxury, it has to run on
>> > > nearly
>> > > >> anything the community finds to run it on. Some of these systems
>> have
>> > > ...
>> > > >> constrained RAM.  While we test each release on every model we ship,
>> > > such
>> > > >> testing takes place only for a handful of other configurations.
>> > > >>

Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Jim Thompson
On Thursday, January 26, 2017, Espen Johansen <pfse...@gmail.com> wrote:

> Are you saying worst case is 80%? It's not normal to have all minimum size
> packets unless you are under ddos.
> Default ethernet is 1526 (1530 with vlan) with a MTU 1500 on a layer 1
> frame.
> A layer 2 frame is 1518 (1522 with vlan).
> If you want to include all layer headers then 1542 including vlan is the
> correct number and that will allow a 1500 octet payload.


Yes, I know, but adding a vlan tag means the small frame size isn't
"smallest". I was just throwing that in for comparison.

Point is, on a 10g network, the maximum frame rate is 14.88 mpps.  This is
the highest rate required by the network under any circumstance. It's also
how you have to think about the problem if you're not going to engage in
making excuses.

If you still don't like it, consider that:

- 40g Ethernet cards exist today, so being able to forward 256 byte packets
at 40gbps will require the same 14.88 mpps rate,
- nx25 is the future in the data center vswitches and vrouters are a thing,
and pfSense should be able to play in this market
- 10g is starting to appear on lower-end hardware.
- 10g switches are starting to hit $100/port

And also that netgate has product coming in 2017 that folds multiple
integrated switch ports into a single 2.5gbps or multiple 10gbps Ethernet
uplink ports.

Remember, we're doing this in software.  No ASICs required.  That 12mpps
figure on an 8 core Rangeley includes 50 ACLs in the path.

BTW, average frame size on the Internet is just under 600 bytes. Not
1200 as you guessed.

Jim

>
> On Thu, Jan 26, 2017, 18:20 Jim Thompson <j...@netgate.com <javascript:;>>
> wrote:
>
> > > On Jan 26, 2017, at 5:06 PM, rai...@ultra-secure.de <javascript:;>
> wrote:
> > >
> > > Am 2017-01-26 07:03, schrieb Jim Thompson:
> > >> It does not.
> > >> The c2758 SoC is interesting. 8 cores, and the on-die i354 is
> > essentially a
> > >> block with 4 i350s on it.
> > >> These have 8 queues for each of rx and tx, so 16 each, for a total of
> 64
> > >> queues.
> > >> On the c2xxx series (and other) boxes we ship, we increase certain
> > >> tunables, because we know what we're installing onto, and can adjust
> > that
> > >> factory load. pfSense CE does not have that luxury, it has to run on
> > nearly
> > >> anything the community finds to run it on. Some of these systems have
> > ...
> > >> constrained RAM.  While we test each release on every model we ship,
> > such
> > >> testing takes place only for a handful of other configurations.
> > >> There is a decent explanation of some of the tunables here:
> > >> https://wiki.freebsd.org/NetworkPerformanceTuning
> > >> Incidentally, FreeBSD, and thus pfSense can't take much advantage of
> > those
> > >> multiqueue NICs, because the forwarding path doesn't have the architecture
> > to
> > >> advantage them.  Our DPDK-based system can forward l3 frames at over
> > 12Mpps
> > >> on this hardware (about 80% of line-rate on a 10g interface).
> > >> Neither pfSense nor FreeBSD (nor Linux) will do 1/10th of this rate.
> > >
> > >
> > >
> > >
> > > Hi, is this DPDK-based system commercially available?
> > >
> > >
> > >
> > > Rainer
> >
> > Still being developed.
> >
> > Jim


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Jim Thompson


> On Jan 26, 2017, at 5:06 PM, rai...@ultra-secure.de wrote:
> 
> Am 2017-01-26 07:03, schrieb Jim Thompson:
>> It does not.
>> The c2758 SoC is interesting. 8 cores, and the on-die i354 is essentially a
>> block with 4 i350s on it.
>> These have 8 queues for each of rx and tx, so 16 each, for a total of 64
>> queues.
>> On the c2xxx series (and other) boxes we ship, we increase certain
>> tunables, because we know what we're installing onto, and can adjust that
>> factory load. pfSense CE does not have that luxury, it has to run on nearly
>> anything the community finds to run it on. Some of these systems have ...
>> constrained RAM.  While we test each release on every model we ship, such
>> testing takes place only for a handful of other configurations.
>> There is a decent explanation of some of the tunables here:
>> https://wiki.freebsd.org/NetworkPerformanceTuning
>> Incidentally, FreeBSD, and thus pfSense can't take much advantage of those
>> multiqueue NICs, because the forwarding path doesn't have the architecture to
>> advantage them.  Our DPDK-based system can forward l3 frames at over 12Mpps
>> on this hardware (about 80% of line-rate on a 10g interface).
>> Neither pfSense nor FreeBSD (nor Linux) will do 1/10th of this rate.
> 
> 
> 
> 
> Hi, is this DPDK-based system commercially available?
> 
> 
> 
> Rainer

Still being developed. 

Jim


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-26 Thread Jim Thompson
Line rate for 10GbE is 14.88Mpps.  Your frame size doesn't include many 
overheads.
Ethernet specific (20 bytes)
12 bytes = inter-frame gap (https://en.wikipedia.org/wiki/Interpacket_gap) this 
is really time
8 bytes = MAC preamble + SFD 
Ethernet frame (64 bytes)
14 bytes = MAC header
46 bytes = Minimum payload size
4 bytes = Ethernet CRC
Thus, the minimum size Ethernet frame is: 84 bytes (20 + 64) which includes 
time on the wire

Max 1500 bytes MTU Ethernet frame size is: 1538 bytes ((12+8) + (14) + 1500 + 
(4) = 1538 bytes)

Peak possible packet rate:  (10*10^9) bits/sec / (84 bytes * 8) = 14,880,952 pps

1500 MTU packet rate: (10*10^9) bits/sec / (1538 bytes * 8) = 812,744 pps

12,000,000 / 14,880,952 = 0.8074

That looks like 80% of line rate to me. 

Jim

> On Jan 26, 2017, at 4:10 PM, Espen Johansen <pfse...@gmail.com> wrote:
> 
> What do you mean by 12Mpps or 80% or 10GE? 12Mpps at 150 packet length is
> 13.4Gbps. At 1200 (good inet avg.) you should hit 107Gbps. Where does the
> 80% of 10GE come from?
> 
> 
> On Thu, Jan 26, 2017, 07:04 Jim Thompson <j...@netgate.com> wrote:
> 
> It does not.
> 
> The c2758 SoC is interesting. 8 cores, and the on-die i354 is essentially a
> block with 4 i350s on it.
> These have 8 queues for each of rx and tx, so 16 each, for a total of 64
> queues.
> 
> On the c2xxx series (and other) boxes we ship, we increase certain
> tunables, because we know what we're installing onto, and can adjust that
> factory load. pfSense CE does not have that luxury, it has to run on nearly
> anything the community finds to run it on. Some of these systems have ...
> constrained RAM.  While we test each release on every model we ship, such
> testing takes place only for a handful of other configurations.
> 
> There is a decent explanation of some of the tunables here:
> https://wiki.freebsd.org/NetworkPerformanceTuning
> 
> Incidentally, FreeBSD, and thus pfSense can't take much advantage of those
> multiqueue NICs, because the forwarding path doesn't have the architecture to
> advantage them.  Our DPDK-based system can forward l3 frames at over 12Mpps
> on this hardware (about 80% of line-rate on a 10g interface).
> Neither pfSense nor FreeBSD (nor Linux) will do 1/10th of this rate.
> 
> Jim
> 
>> On Thursday, January 26, 2017, Espen Johansen <pfse...@gmail.com> wrote:
>> 
>> It should autotune by default based on memory iirc.
>> 
>> On Wed, Jan 25, 2017, 23:27 Peder Rovelstad <provels...@comcast.net
>> <javascript:;>> wrote:
>> 
>>> FWiW - My nano (4 NICs, 1GB, Community), PuTTY says:
>>> 
>>> kern.ipc.nmbufs: 131925
>>> kern.ipc.nmbclusters: 20612
>>> 
>>> but nothing explicitly set on the tunables page, just whatever's built
>> in.
>>> 
>>> -Original Message-
>>> From: List [mailto:list-boun...@lists.pfsense.org <javascript:;>] On
>> Behalf Of Karl Fife
>>> Sent: Wednesday, January 25, 2017 4:02 PM
>>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org
>> <javascript:;>>
>>> Subject: Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot
>>> failure with pfSense 2.3.2
>>> 
>>> This is a good theory, because RRD data from 2.2.6 suggests that the
>>> difference in utilization between the versions is slight, and that we
> had
>>> 'barely' exhausted our system default allocation.
>>> 
>>> Is there a difference between nano and full with respect to the
> installer
>>> explicitly setting tunables for kern.ipc.nmbclusters and kern.ipc.nmbuf?
>>> Vick Khera says he sees explicitly set tunables on his
>>> 2.3.2 system, yet my virgin installation of Nano pfSense 2.3.2 has no
>>> explicit declarations?
>>> 
>>> Vick, is your Supermicro A1SRi-2758F running an installation that came
>> from
>>> Netgate, or is it a community edition installation?  If the latter, Full
>> or
>>> Nano?
>>> 
>>> 
>>>> On 1/25/2017 3:49 PM, Jim Pingle wrote:
>>>>> On 01/25/2017 01:10 PM, Karl Fife wrote:
>>>>> The piece that's still missing for me is that there must have been
>>>>> some change in default system setting for FreeBSD, or some other
>>>>> change between versions, because the system booted fine with pfSense
>>>>> v 2.2.6
>>>> Aside from what has already been suggested by others, it's possible
>>>> that the newer drivers from FreeBSD 10.3 in pfSense 2.3.x enabled
>>>> features on the NIC chipset that consumed more mbufs. For example, it
>>>> might be us
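
The line-rate arithmetic Jim lays out above (the 84-byte wire footprint of a minimum frame, 1538 bytes for a full 1500-byte MTU frame, the 14.88 Mpps ceiling on 10GbE, and what a 12 Mpps forwarder covers of it) and the MTU point from his earlier reply in the same thread (IPv6 needs every link to carry at least 1280 octets, RFC 2460 section 5), carried through as an added Python example that is not part of the original thread. The per-frame overhead constants are the ones listed in the post; the function names, the VLAN option (the 1542-byte figure Espen mentions) and the size table are my additions, and link speed and payload size are parameters so the same arithmetic applies to other link rates.

```python
"""Ethernet line-rate arithmetic for a packet forwarder.

Added example, not from the thread. Overheads are those listed in the post:
12-byte inter-frame gap, 8-byte preamble + SFD, 14-byte MAC header, 46-byte
minimum payload, 4-byte FCS. IPV6_MIN_LINK_MTU is RFC 2460 section 5.
"""

IFG_BYTES = 12            # inter-frame gap: idle time on the wire, counted as bytes
PREAMBLE_SFD_BYTES = 8    # preamble + start-of-frame delimiter
MAC_HEADER_BYTES = 14     # dst MAC, src MAC, EtherType
VLAN_TAG_BYTES = 4        # 802.1Q tag, when present (hypothetical option, not in the post)
FCS_BYTES = 4             # Ethernet CRC
MIN_PAYLOAD_BYTES = 46    # smaller payloads are padded up to this
IPV6_MIN_LINK_MTU = 1280  # RFC 2460 section 5


def wire_bytes(payload: int, vlan: bool = False) -> int:
    """Bytes of link time one frame consumes when its L2 payload is `payload`
    bytes (payload == MTU for a full-size packet). Undersized payloads pad."""
    payload = max(payload, MIN_PAYLOAD_BYTES)
    tag = VLAN_TAG_BYTES if vlan else 0
    return IFG_BYTES + PREAMBLE_SFD_BYTES + MAC_HEADER_BYTES + tag + payload + FCS_BYTES


def max_pps(link_bps: int, payload: int, vlan: bool = False) -> int:
    """Highest frame rate the link can carry at this payload size (rounded)."""
    return round(link_bps / (wire_bytes(payload, vlan) * 8))


def line_rate_fraction(forward_pps: float, link_bps: int, payload: int,
                       vlan: bool = False) -> float:
    """Share of line rate a forwarder of `forward_pps` reaches at one payload
    size. The worst case, and the one a firewall must be sized for, is the
    minimum frame: that is the 'about 80%' figure for 12 Mpps on 10GbE."""
    return forward_pps / (link_bps / (wire_bytes(payload, vlan) * 8))


def ipv6_link_mtu_ok(mtu: int) -> bool:
    """IPv6 requires every link to carry 1280-octet packets; a link with an
    'MTU of 600', as floated in the thread, could not carry IPv6 at all."""
    return mtu >= IPV6_MIN_LINK_MTU


def budget_table(link_bps: int, forward_pps: float, sizes=(46, 256, 600, 1500)):
    """For each payload size, the frame rate the link offers and the fraction
    of it the forwarder covers (capped at 1.0 once it keeps up with the link)."""
    rows = []
    for size in sizes:
        offered = max_pps(link_bps, size)
        rows.append((size, offered, min(1.0, forward_pps / offered)))
    return rows


if __name__ == "__main__":
    TEN_G = 10_000_000_000
    print(f"minimum frame: {wire_bytes(46)} bytes on the wire -> {max_pps(TEN_G, 46):,} pps")
    print(f"1500-byte MTU: {wire_bytes(1500)} bytes on the wire -> {max_pps(TEN_G, 1500):,} pps")
    print(f"12 Mpps forwarder: {line_rate_fraction(12e6, TEN_G, 46):.1%} of 10GbE worst case")
    for size, offered, frac in budget_table(TEN_G, 12e6):
        print(f"  payload {size:5d}: link offers {offered:>12,} pps, 12 Mpps covers {frac:.0%}")
    print("MTU 600 usable for IPv6:", ipv6_link_mtu_ok(600))
```

The size table is the useful part when reading vendor numbers: a forwarder quoted in Mpps keeps up with a 10GbE link for every payload size above the one where `offered` drops below its rate, and it is only the minimum-frame row that decides whether it is line-rate under any traffic mix.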

Re: [pfSense] SG-1000 and VPN

2017-01-25 Thread Jim Thompson
Meant to include this:
https://github.com/freebsd/freebsd/commits/master?author=loos-br



On Thursday, January 26, 2017, Jim Thompson <j...@netgate.com> wrote:

>
> Adam,
>
> Given the 21Mbps figure I quoted, 100x (2.1Gbps) would be an unrealistic
> expectation.
>
> Based on the discussion here:
> https://groups.google.com/forum/m/#!msg/beagleboard/ZFrCs9ZHCP4/aCNFejgXpxYJ
> perhaps 3-4x at 1500 (1420) byte frame sizes, and (as a guess), closer to
> 3, given the PPs rates we see without the crypto offload, and the
> associated CPU loading.
>
> Most of the work lately has actually been on the Ethernet driver, which
> (good news), we can no longer make fall over at high frame rates.
>
> Jim
>
>
> On Thursday, January 26, 2017, Adam Thompson <athom...@athompso.net
> <javascript:_e(%7B%7D,'cvml','athom...@athompso.net');>> wrote:
>
>> Jim,
>> Asking you to speculate here...
>> Assuming someone *is* working on drivers for the chip's crypto
>> capabilities, when that finally happens, do you have any notion of how much
>> faster IPsec will get? Are we talking 2x or 100x?
>> -Adam
>>
>>
>> On January 25, 2017 7:45:49 PM CST, Jim Thompson <j...@netgate.com> wrote:
>>>
>>> Steve,
>>>
>>> It currently does 21mbps IPsec (aes-gcm-128), in a lab environment, because 
>>> there is no driver for the crypto core (yet).
>>>
>>> OpenVPN is slightly slower (19 Mbps).
>>>
>>> It's always strange to see your name on the list. The president of ADI 
>>> shares your name, so I tend to pay a lot more attention to what you post.
>>>
>>> Jim
>>>
>>>  On Jan 25, 2017, at 6:15 PM, Steve Yates <st...@teamits.com> wrote:
>>>>
>>>>  That's what I'm trying to ask, if the SG-1000 would work for that.
>>>>
>>>>  --
>>>>
>>>>  Steve Yates
>>>>  ITS, Inc.
>>>>
>>>>  -Original Message-
>>>>  From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan 
>>>> Rao
>>>>  Sent: Tuesday, January 24, 2017 11:41 PM
>>>>  To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>>>>  Subject: Re: [pfSense] SG-1000 and VPN
>>>>
>>>>  better u can use site to site vpn is best solution.
>>>>
>>>>  On Wed, Jan 25, 2017 at 11:08 AM, WebDawg <webd...@gmail.com> wrote:
>>>>>
>>>>>  On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates <st...@teamits.com> wrote:
>>>>>>
>>>>>> We have a client who wants to set up one remote user (in a
>>>>>>  fixed
>>>>>>  location) with a hardware VPN connection back to the office.  The
>>>>>>  office has about 5 active PCs at any given time.  This would be the
>>>>>>  only VPN
>>>>>>
>>>>>  user.
>>>>>
>>>>>>
>>>>>> Has anyone used one of the new micro SG-1000 units with a
>>>>>>  VPN yet?  Either as a remote site or as a SOHO router + VPN host?
>>>>>>  Just wondering how the ARM CPU would stack up.  The specs say 200k
>>>>>>  active
>>>>>>  (non-VPN) connections...
>>>>>>
>>>>>> --
>>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>


Re: [pfSense] SG-1000 and VPN

2017-01-25 Thread Jim Thompson
Adam,

Given the 21Mbps figure I quoted, 100x (2.1Gbps) would be an unrealistic
expectation.

Based on the discussion here:
https://groups.google.com/forum/m/#!msg/beagleboard/ZFrCs9ZHCP4/aCNFejgXpxYJ

perhaps 3-4x at 1500 (1420) byte frame sizes, and (as a guess), closer to
3, given the PPs rates we see without the crypto offload, and the
associated CPU loading.

Most of the work lately has actually been on the Ethernet driver, which
(good news), we can no longer make fall over at high frame rates.

Jim


On Thursday, January 26, 2017, Adam Thompson <athom...@athompso.net> wrote:

> Jim,
> Asking you to speculate here...
> Assuming someone *is* working on drivers for the chip's crypto
> capabilities, when that finally happens, do you have any notion of how much
> faster IPsec will get? Are we talking 2x or 100x?
> -Adam
>
>
> On January 25, 2017 7:45:49 PM CST, Jim Thompson <j...@netgate.com
> <javascript:_e(%7B%7D,'cvml','j...@netgate.com');>> wrote:
>>
>> Steve,
>>
>> It currently does 21mbps IPsec (aes-gcm-128), in a lab environment, because 
>> there is no driver for the crypto core (yet).
>>
>> OpenVPN is slightly slower (19 Mbps).
>>
>> It's always strange to see your name on the list. The president of ADI 
>> shares your name, so I tend to pay a lot more attention to what you post.
>>
>> Jim
>>
>>  On Jan 25, 2017, at 6:15 PM, Steve Yates <st...@teamits.com> wrote:
>>>
>>>  That's what I'm trying to ask, if the SG-1000 would work for that.
>>>
>>>  --
>>>
>>>  Steve Yates
>>>  ITS, Inc.
>>>
>>>  -Original Message-
>>>  From: List [mailto:list-boun...@lists.pfsense.org 
>>> <javascript:_e(%7B%7D,'cvml','list-boun...@lists.pfsense.org');>] On Behalf 
>>> Of A Mohan Rao
>>>  Sent: Tuesday, January 24, 2017 11:41 PM
>>>  To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org 
>>> <javascript:_e(%7B%7D,'cvml','list@lists.pfsense.org');>>
>>>  Subject: Re: [pfSense] SG-1000 and VPN
>>>
>>>  better u can use site to site vpn is best solution.
>>>
>>>  On Wed, Jan 25, 2017 at 11:08 AM, WebDawg <webd...@gmail.com 
>>> <javascript:_e(%7B%7D,'cvml','webd...@gmail.com');>> wrote:
>>>>
>>>>  On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates <st...@teamits.com 
>>>> <javascript:_e(%7B%7D,'cvml','st...@teamits.com');>> wrote:
>>>>>
>>>>> We have a client who wants to set up one remote user (in a
>>>>>  fixed
>>>>>  location) with a hardware VPN connection back to the office.  The
>>>>>  office has about 5 active PCs at any given time.  This would be the
>>>>>  only VPN
>>>>>
>>>>  user.
>>>>
>>>>>
>>>>> Has anyone used one of the new micro SG-1000 units with a
>>>>>  VPN yet?  Either as a remote site or as a SOHO router + VPN host?
>>>>>  Just wondering how the ARM CPU would stack up.  The specs say 200k
>>>>>  active
>>>>>  (non-VPN) connections...
>>>>>
>>>>> --
>>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>


Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot failure with pfSense 2.3.2

2017-01-25 Thread Jim Thompson
It does not.

The c2758 SoC is interesting. 8 cores, and the on-die i354 is essentially a
block with 4 i350s on it.
These have 8 queues for each of rx and tx, so 16 each, for a total of 64
queues.

On the c2xxx series (and other) boxes we ship, we increase certain
tunables, because we know what we're installing onto, and can adjust that
factory load. pfSense CE does not have that luxury, it has to run on nearly
anything the community finds to run it on. Some of these systems have ...
constrained RAM.  While we test each release on every model we ship, such
testing takes place only for a handful of other configurations.

There is a decent explanation of some of the tunables here:
https://wiki.freebsd.org/NetworkPerformanceTuning

Incidentally, FreeBSD, and thus pfSense, can't take much advantage of those
multiqueue NICs, because the forwarding path doesn't have the architecture to
advantage them.  Our DPDK-based system can forward l3 frames at over 12Mpps
on this hardware (about 80% of line-rate on a 10g interface).
Neither pfSense nor FreeBSD (nor Linux) will do 1/10th of this rate.

Jim

On Thursday, January 26, 2017, Espen Johansen  wrote:

> It should autotune by default based on memory iirc.
>
> On Wed, Jan 25, 2017, 23:27 Peder Rovelstad wrote:
>
> > FWiW - My nano (4 NICs, 1GB, Community), PuTTY says:
> >
> > kern.ipc.nmbufs: 131925
> > kern.ipc.nmbclusters: 20612
> >
> > but nothing explicitly set on the tunables page, just whatever's built
> in.
> >
> > -Original Message-
> > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
> > Sent: Wednesday, January 25, 2017 4:02 PM
> > To: pfSense Support and Discussion Mailing List
> > Subject: Re: [pfSense] Intel Atom C2758 (Rangeley/Avoton) install/boot
> > failure with pfSense 2.3.2
> >
> > This is a good theory, because RRD data from 2.2.6 suggests that the
> > difference in utilization between the versions is slight, and that we had
> > 'barely' exhausted our system default allocation.
> >
> > Is there a difference between nano and full with respect to the installer
> > explicitly setting tunables for kern.ipc.nmbclusters and kern.ipc.nmbuf?
> > Vick Khera says he sees explicitly set tunables on his
> > 2.3.2 system, yet my virgin installation of Nano pfSense 2.3.2 has no
> > explicit declarations?
> >
> > Vick, is your Supermicro A1SRi-2758F running an installation that came
> from
> > Netgate, or is it a community edition installation?  If the latter, Full
> or
> > Nano?
> >
> >
> > On 1/25/2017 3:49 PM, Jim Pingle wrote:
> > > On 01/25/2017 01:10 PM, Karl Fife wrote:
> > >> The piece that's still missing for me is that there must have been
> > >> some change in default system setting for FreeBSD, or some other
> > >> change between versions, because the system booted fine with pfSense
> > >> v 2.2.6
> > > Aside from what has already been suggested by others, it's possible
> > > that the newer drivers from FreeBSD 10.3 in pfSense 2.3.x enabled
> > > features on the NIC chipset that consumed more mbufs. For example, it
> > > might be using more queues per NIC by default than it did previously.
> > >
> > > Jim
> > >


Re: [pfSense] SG-1000 and VPN

2017-01-25 Thread Jim Thompson
Steve,

It currently does 21 Mbps IPsec (aes-gcm-128), in a lab environment, because 
there is no driver for the crypto core (yet).

OpenVPN is slightly slower (19 Mbps).

It's always strange to see your name on the list. The president of ADI shares 
your name, so I tend to pay a lot more attention to what you post. 

Jim

> On Jan 25, 2017, at 6:15 PM, Steve Yates  wrote:
> 
> That's what I'm trying to ask, if the SG-1000 would work for that.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of A Mohan Rao
> Sent: Tuesday, January 24, 2017 11:41 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] SG-1000 and VPN
> 
> Better, you can use a site-to-site VPN, which is the best solution.
> 
>> On Wed, Jan 25, 2017 at 11:08 AM, WebDawg  wrote:
>> 
>>> On Tue, Jan 17, 2017 at 10:16 AM, Steve Yates  wrote:
>>> 
>>> We have a client who wants to set up one remote user (in a fixed
>>> location) with a hardware VPN connection back to the office.  The 
>>> office has about 5 active PCs at any given time.  This would be the 
>>> only VPN user.
>>> 
>>> Has anyone used one of the new micro SG-1000 units with a 
>>> VPN yet?  Either as a remote site or as a SOHO router + VPN host?  
>>> Just wondering how the ARM CPU would stack up.  The specs say 200k 
>>> active (non-VPN) connections...
>>> 


Re: [pfSense] IPSec Bug?

2017-01-24 Thread Jim Thompson
On Tue, Jan 24, 2017 at 12:16 PM, Eero Volotinen  wrote:
> What hardware is the other side running? Why are you trying to use 3DES?
>
> Eero
>
> 2017-01-17 16:36 GMT+02:00 Roland Giesler :
>
>> We've battled all afternoon to establish an IPSec site-to-site connection.
>> Here's what happens:
>>
>> Time  Process  PID  Message
>> Jan 17 15:58:53 charon 05[NET] <197> sending packet: from
>> 129.232.232.130[500] to 105.27.116.62[500] (56 bytes)
>> Jan 17 15:58:53 charon 05[ENC] <197> generating INFORMATIONAL_V1 request
>> 2809641300 [ N(NO_PROP) ]
>> Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
>> Jan 17 15:58:53 charon 05[CFG] <197> configured proposals:
>> IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072,
>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/
>> CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_
>> 128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_
>> SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_
>> SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_
>> CMAC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/
>> ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_
>> 8192/MODP_2048/MODP_2048_256/MODP_1024,
>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_
>> 128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_
>> 192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/
>> PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_
>> MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_
>> 384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/
>> MODP_2048_256/MODP_1024
>> Jan 17 15:58:53 charon 05[CFG] <197> received proposals:
>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> Jan 17 15:58:53 charon 05[IKE] <197> 105.27.116.62 is initiating a
>> Aggressive Mode IKE_SA
>>
>> The strange thing is that I have set 3DES and SHA1 in my setup, yet it
>> is not being offered.  I have also tested quite a few others like AES 265 and
>> SHA2, but they are also not offered.  The other side (SonicWall) is
>> offering what we set mutually.

The other side proposed 3DES-CBC/HMAC-SHA1/MODP_1536.
Your side didn't propose the same (search for MODP_1536).

Search for "Phase 1 DH Group Mismatch" in
https://doc.pfsense.org/index.php/IPsec_Troubleshooting

Not a bug.

Jim

>>
>> Is this a bug?  If not, how do I force pfSense to behave and start using
>> the settings I set?
>>
>> IPSec IKE V2 with pre-shared key.
>>
>> I'm running 2.3.2_1
>>
>> Anyone that has seen this?
>>
>> regards
>>
>>
>> Roland Giesler
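The "no proposal found" diagnosis above, worked through as an added example (not pfSense or strongSwan code): it parses charon's "configured proposals" and "received proposals" lines, splits each proposal into its transform types, and reports which of the peer's transforms no local proposal offers. Sorting transforms into encryption, integrity, PRF and DH by name prefix is an assumption about the naming visible in the log; the sample log lines are constructed from the thread, with the long second proposal abridged.

```python
"""Explain a charon 'no proposal found' from the CFG log lines.

Added example, not pfSense or strongSwan code. Transform names are
sorted into encryption, integrity, PRF and DH groups by prefix, which is
an assumption about the naming visible in the log; strongSwan needs one
configured proposal that agrees with the peer in every type the peer sent.
"""
import re
from collections import defaultdict

# Constructed from the charon lines quoted in the thread. The second
# configured proposal is abridged; the full list in the thread has no MODP_1536 either.
SAMPLE_LOG = """\
Jan 17 15:58:53 charon 05[CFG] <197> configured proposals: \
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, \
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/\
HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_3072/MODP_4096/\
MODP_2048/MODP_1024
Jan 17 15:58:53 charon 05[CFG] <197> received proposals: \
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jan 17 15:58:53 charon 05[IKE] <197> no proposal found
"""

LINE_RE = re.compile(r"(configured|received) proposals:\s*(.*)$")

# Order matters: PRF_HMAC_* must be caught before the HMAC_* integrity rule.
CATEGORY_PREFIXES = (
    ("prf", ("PRF_",)),
    ("dh", ("MODP_", "ECP_", "CURVE_")),
    ("integ", ("HMAC_", "AES_XCBC", "AES_CMAC")),
)


def classify(transform):
    """Transform type from its name; anything unrecognised is encryption
    (AES_CBC_*, 3DES_CBC, CAMELLIA_*, and AEADs such as AES_GCM_*)."""
    for category, prefixes in CATEGORY_PREFIXES:
        if transform.startswith(prefixes):
            return category
    return "encr"


def parse_proposal(text):
    """'IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536' -> {type: {names}}"""
    _proto, _, body = text.strip().partition(":")
    proposal = defaultdict(set)
    for transform in body.split("/"):
        proposal[classify(transform)].add(transform)
    return dict(proposal)


def extract_proposals(log):
    """Configured and received proposal lists taken from the CFG lines."""
    found = {"configured": [], "received": []}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m.group(1)] = [
                parse_proposal(p) for p in m.group(2).split(",") if p.strip()
            ]
    return found


def diagnose(log):
    """match: some configured proposal agrees with the peer in every type.
    uncovered: peer transforms, per type, that no configured proposal offers.
    split_only: every peer transform is configured, but never all in one proposal."""
    found = extract_proposals(log)
    configured = found["configured"]
    result = {"match": False, "uncovered": {}, "split_only": False}
    for received in found["received"]:
        # For each transform type the peer sent, the indices of the configured
        # proposals that share at least one algorithm with it.
        covering = {
            cat: {i for i, conf in enumerate(configured) if algs & conf.get(cat, set())}
            for cat, algs in received.items()
        }
        if covering and set.intersection(*covering.values()):
            result["match"] = True
            return result
        for cat, idx in covering.items():
            if not idx:
                result["uncovered"].setdefault(cat, set()).update(received[cat])
    result["split_only"] = bool(found["received"]) and not result["uncovered"]
    return result


def explain(result):
    """Human-readable lines for the diagnosis."""
    if result["match"]:
        return ["a configured proposal matches the peer's offer"]
    lines = [
        f"{cat}: peer offered {', '.join(sorted(algs))}, which no configured proposal includes"
        for cat, algs in sorted(result["uncovered"].items())
    ]
    if result["split_only"]:
        lines.append("every peer transform is configured, but not together in one proposal")
    return lines


if __name__ == "__main__":
    for line in explain(diagnose(SAMPLE_LOG)):
        print(line)  # dh: peer offered MODP_1536, which no configured proposal includes
```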


Re: [pfSense] Lightning strike

2016-10-13 Thread Jim Thompson
You are making a very poor assumption about which parts of the "Ethernet"
interface are missing after a high voltage event.

You may still have (enough of) the MAC to be enumerated on the
(PCI/PCIe/...) bus.   If this occurs, then no renumbering will take place,
since, as far as BIOS/boot firmware/OS can 'tell', the device still exists
(can be enumerated), even if the PHY(s) are non-responsive.

This is different than removing a PCI/PCIe card from a system.  In this
case, the device is no longer on the bus, and will not be enumerated
for the OS to probe/attach/open/...

> Does a disappearing reX driver interface renumber the ueX interfaces?

On FreeBSD?  No.  On a Linux system?  Likely.

Let's say you had one re(4) and two em(4) devices.   Let's assume for now
you have:

em0: WAN
em1: LAN
re0:  OPT1

Case 0:

em0 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
em1: LAN
re0: OPT1

What should pfSense do in this instance?

Case 1:
em1 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
em0: WAN
re0: OPT1

What should pfSense do in this instance?

Case 2:
re0 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
em0: WAN
em1: LAN

What should pfSense do in this instance?

Case 3:
pfSense is operating in a dual-WAN mode
em0: WAN0
em1: WAN1
re0:  LAN

em0 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
em1: WAN1
re0:  LAN

What should pfSense do in this instance?


Case 4:
pfSense is operating in a dual-WAN mode
em0: WAN0
em1: WAN1
re0:  LAN

em1 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
em0: WAN0
re0:  LAN

What should pfSense do in this instance?

Case 5:
pfSense is operating in a dual-WAN mode
em0: WAN0
em1: WAN1
re0:  LAN

re0 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
em0: WAN0
em1: WAN1


Now let's say you have a 2440, with 4 igb(4) interfaces

igb0: WAN0
igb1: WAN1
igb2: LAN
igb3: OPT1

Case 6:

igb0 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
igb1: WAN1
igb2: LAN
igb3: OPT1

What should pfSense do in this instance?

Case 7:
igb1 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
igb0: WAN0
igb2: LAN
igb3: OPT1

What should pfSense do in this instance?

Case 8:
igb2 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
igb0: WAN0
igb1: WAN1
igb3: OPT1

Case 9:
igb3 gets fried in such a way that it doesn't enumerate on the bus.  We are
left with:
igb0: WAN0
igb1: WAN1
igb2: LAN

What should pfSense do in this instance?

Case 10:
igb0 and igb1 get knocked off the bus
What should pfSense do in this instance?

Case 11:
igb1 and igb2 get knocked off the bus
What should pfSense do in this instance?

Case 12:
igb2 and igb3 get knocked off the bus
What should pfSense do in this instance?

Case 13:
igb3 and igb0 get knocked off the bus
What should pfSense do in this instance?

Case 14:
igb0 and igb2 get knocked off the bus
What should pfSense do in this instance?

Case 15:
igb1 and igb3 get knocked off the bus
What should pfSense do in this instance?

Case 16:
igb0, igb1 and igb2 get knocked off the bus
What should pfSense do in this instance?

Case 17:
igb0, igb1 and igb3 get knocked off the bus
What should pfSense do in this instance?

Case 18:
igb1, igb2 and igb3 get knocked off the bus
What should pfSense do in this instance?

Now, having described the desired behavior for pfSense in each case,
generalize an algorithm for up to 8 interfaces of
the same device type, 8 different device types, or a mix of device types, that
behaves correctly in each case.

Pseudo-code will do for now.

I look forward to your response.

Jim


On Thu, Oct 13, 2016 at 8:41 PM, Volker Kuhlmann 
wrote:

> On Fri 14 Oct 2016 11:25:12 NZDT +1300, Walter Parker wrote:
>
> > Problem is that all of the current OS do this sort of renumbering (I'd
> have
> > to check, but I think it could be a hardware/driver issue). IIRC Linux
> > systems have had this sort of problem in even greater measure than the
> > BSDs. The plug and play nature of USB has caused issues for most systems
> > (drive letter changes on Windows, device name changes on Linux, even BSD
> > has started doing this). The brain dead here is problem that extends to
> the
> > PC industry as a whole.
>
> Totally with you there on PC industry intelligence!
>
> > PFSense is subject bad decisions that were made
> > decades ago by other companies without enough vision. The automapping
> ideas
> > in hardware were not properly thought out and software didn't think it
> > though either.
>
> Sure, pfsense can do little about dumb OS things, and swapping
> interfaces randomly is a major security problem. But pfsense could still
> do much better. Does a disappearing USB interface renumber Ethernet
> interfaces? Does a disappearing reX driver interface renumber the ueX

Re: [pfSense] pfSense 2.3.2-p1 RELEASE Now Available

2016-10-10 Thread Jim Thompson
On Fri, Oct 7, 2016 at 5:49 AM, Holger Bauer  wrote:

>
> Are there any chances that there is something wrong with the
> upgraderepository-servers of pkg.pfsense.org or that some kind of timeout
> is too low for connecting to the updaterepository?
>

I also suspect an issue with pkg.pfsense.org, but I've not proven this.

We are working on a resolution.

Jim


Re: [pfSense] Restoring XML config file from URL at console

2016-10-07 Thread Jim Thompson

> On Oct 7, 2016, at 6:09 AM, Brian Candler  wrote:
> 
> However I'm happy to drop down either to the Linux shell or the PHP shell.

pfSense is based on FreeBSD. 


[pfSense] pfSense 2.3.2-p1 RELEASE Now Available

2016-10-06 Thread Jim Thompson
Details are here: https://blog.pfsense.org/?p=2122 



Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )

2016-09-09 Thread Jim Thompson


> On Sep 9, 2016, at 8:49 AM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> 
> 
>> On Sep 8, 2016, at 10:37 PM, Jim Thompson <j...@netgate.com> wrote:
>> 
>> 
>>> On Sep 8, 2016, at 10:30 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
>>> 
>>> 
>>>> On Sep 8, 2016, at 9:14 PM, Jim Thompson <j...@netgate.com> wrote:
>>>> 
>>>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife <karlf...@gmail.com> wrote:
>>>> 
>>>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server
>>>>> version in pfSense 2.3+).
>>>> 
>>>> you could say, "Thank you".  I drove the old crud out.
>>> 
>>> You could say “you’re welcome” but… I know you’re not capable :)
>> 
>> Thank you, Ryan. 
>> 
>> It was a bit of a tussle with some of the other team members. I still 
>> believe it was the correct decision. 
>> 
>> And, "you're welcome", for whatever I've done that might have been useful to 
>> you.
> 
> At least I know we can laugh at each other, right? :)


"With" is one thing. 
"At" is quite another. 


Jim

Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )

2016-09-08 Thread Jim Thompson

> On Sep 8, 2016, at 10:30 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> 
> 
>> On Sep 8, 2016, at 9:14 PM, Jim Thompson <j...@netgate.com> wrote:
>> 
>> On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife <karlf...@gmail.com> wrote:
>> 
>>> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server
>>> version in pfSense 2.3+).
>> 
>> you could say, "Thank you".  I drove the old crud out.
> 
> You could say “you’re welcome” but… I know you’re not capable :)

Thank you, Ryan. 

It was a bit of a tussle with some of the other team members. I still believe 
it was the correct decision. 
 
And, "you're welcome", for whatever I've done that might have been useful to 
you. 

Jim


Re: [pfSense] New feature in ISC DHCP server v.4.3+ ( pfSense feature request )

2016-09-08 Thread Jim Thompson
On Thu, Sep 8, 2016 at 7:36 PM, Karl Fife  wrote:

> There is a brand new feature/option in ISC dhcpd 4.3.0 (the DHCP server
> version in pfSense 2.3+).
>

you could say, "Thank you".  I drove the old crud out.


> I would like to see this new feature available in the pfSense GUI
>
> The new feature allows the DHCP server to ignore client UIDs as the
> primary identifier for the lease.  A host that presents a UID will have its
> lease assigned/keyed to that UID instead of having it be keyed to the
> client's MAC address.
>
> Rationale for this feature request:
>
> Honoring the client-presented UID is a DHCP specification, but in
> practice, a *single* host, with multiple OSes (or a host with a multi-step
> boot process, e.g. PXE boot) will end up receiving multiple different IP
> leases if one stack's DHCP client happens to present a Client Identifier
> UID versus another that does not (versus yet another that presents a
> differently-formatted UID). Thus the ISC created a server feature in 4.3.0+
> allowing the client identifier UID to be ignored by the server.
>
> In practice, I often see the example where a host that boots PXE, into
> iPXE, into Linux (e.g. Fog's Linux stack) on its way to say, Windows, often
> ends up having different IP addresses along the way.  I tend to see where
> the Intel PXE stack presents a UID, iPXE does not, and Windows can't be
> bothered with a DHCP discover at all (going straight to a DHCP Request
> which may be out-of-pool). :-)
>
> Unfortunately it is NOT a command-line option, thus can't be passed as an
> advanced option.  I think it would be necessary to add a simple GUI
> checkbox.  Since it can be desirable for a host to be identified by the
> same IP throughout the stages of the boot process (not to mention a
> cluttered DHCP lease table with multiple entries for the client's MAC),
> it would be helpful to ENABLE the use of this feature in pfSense.
>
> Is this in the pipeline?  Before making a formal feature request I thought
> I'd bounce it off my peers here on the mailing list.
>
> Cheers.
>
> -Karl Fife
>
> https://www.freebsd.org/cgi/man.cgi?query=dhcpd.conf
>
> " ignore-client-uids flag;
>  If the ignore-client-uids statement is present and has a value of
>  true or on, the UID for clients will not be recorded.  If this
>  statement is not present or has a value of false or off, then client
>  UIDs will be recorded.  "
>

Well, it's in the FreeBSD tree, so it seems that it should be
straightforward to install support for this in pfSense > 2.3

Jim


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-20 Thread Jim Thompson


-- Jim

> On Aug 20, 2016, at 3:10 AM, Dave Warren  wrote:
> 
>> On 2016-08-03 08:43, Steve Yates wrote:
>> I'm being serious but what is your rationale for not using 
>> pfSense's/NetGate's?
>> 
>> https://www.pfsense.org/products/
>> 
>> The "cheap" part (< $299)?  We tried a "build our own" approach and it's 
>> tough to get a small package.  Any old PC will do just fine if one adds an 
>> SSD but as someone pointed out that may use far more power in the long run.
> 
> For me, it's the fact that I want to rackmount my gear, but $1,799.00 is the 
> cheapest option offered on pfSense.org that can rackmount.

You seem to have added $1000 without justification:

https://store.pfsense.org/SG-4860-1U/



Re: [pfSense] looking for perfect pfsense box for home?

2016-08-04 Thread Jim Thompson

> On Aug 3, 2016, at 9:18 PM, Moshe Katz  wrote:
> 
> Maybe I'm reading too much into points 1 (second paragraph) and 4 of your 
> message, but it sounds somewhat hostile to the old use-your-own-hardware 
> selling point that brought me into the pfSense community ten years ago in the 
> first place.

Moshe,

Thanks for your kind words. I appreciate your reaching out. I think that 
perhaps you are over-reading my response. 

Use-your-own hardware (if you want) is still a key point of pfSense, and it's 
not changing, even though I get challenged frequently on same both inside and 
outside the company.  

I've literally had people (outside the company) challenge me during the past 24 
hours that there is "no barrier to entry" for people entering the market to 
sell appliances based on pfSense software (typically on Amazon or eBay).

This is truth.

We carry on anyway.

Personally, I think pfSense has gotten a lot better during the past several 
years as we've been able to bring dedicated professional staff to bear on the 
process of keeping up to date with our upstream project(s), rather than lagging 
by several years.  All the changes to the toolchain to support this remain open 
source. 

Case in point: 2.4 snapshots will begin shortly, based on FreeBSD 11, which is 
not yet in release candidate form.  MPD and captive portal don't work, but 
these will be fixed before 2.4-release.  The captive portal work will serve to 
decrease our technical debt, due to the elimination of several patches found in 
pfSense that will never be upstreamed, and are not up to our standards of 
quality.  2.4 will also bring the ARM architecture to pfSense. We've also moved 
to bsdinstall, which means that ZFS is an option during install. Moving from 
PBI to pkg-ng as part of 2.3 enabled this work. This move included a huge 
improvement in the build tools to be a lot more like those found in FreeBSD. 
Work in this area continues. 

Past efforts to improve both FreeBSD and pfSense include bringing AES-GCM to 
IPsec. Work continues on making the stack faster and better; see our paper, 
"Measurement and Improvement of a software based IPsec implementation", to be 
given at EuroBSDcon next month: 
https://2016.eurobsdcon.org/speakers/  (This effort is a prerequisite to 
making QAT work at speed.)

The entire FreeBSD community (including various forks of pfSense) benefits from 
these efforts, just as the entire pfSense community benefits both from these 
efforts as well as those of outside collaborators like BBCan117 (pfblockerNG) 
or Denny Page (dpinger, bringing the NUT package back to 2.3+) or Bill Meeks 
(Snort and Suricata) or Phil Davis (space does not allow me to begin to 
enumerate Phil's contributions) or even Kill Bill/doktornotor.   I hesitate 
mentioning these because I have left many others out, and I do not mean to 
slight their efforts by not mentioning them.

All of it, every single piece, is under a liberal open source license. 

But it remains true that there would not be a project but for the core 
developers and core contributors.  We preferentially employ FreeBSD committers 
to work on pfSense. This has always been true. Running the project takes funds. 
 

- Donations don't work, and we ask that anyone who wants to donate to pfSense 
instead donate to the FreeBSD Foundation. 
- Support does not scale.
- Appliance sales do. 

I am not blocking BYOH, nor have I made any plans to do so.  I'm not hostile to 
it at all, Moshe. 

This said, people selling appliances based on pfSense *who do not otherwise 
contribute to pfSense* (or worse, who work against pfSense), are not part of 
the solution.

Applianceshop/Deciso, and every one of their "opnsense" partners still also 
offer pfSense on the same appliances. None of them contribute to pfSense, all 
are willing to see it destroyed.  I do not endorse or support these companies 
and individuals. 

Any number of parties on eBay and Amazon (and elsewhere) sell pfSense 
appliances, but none of them contribute to pfSense or FreeBSD. I don't block 
these, though I do insist that they correctly use our trademarks. That said, I 
do not endorse or support these parties, as they do not participate in the 
project or upstream, while freely availing themselves of our efforts. 

Companies as large as VMware, Cisco and Avaya have forks or components of 
pfSense as part of their product set. None of them contribute to pfSense or 
FreeBSD. We are approached several times per week by companies large and small, 
almost always with a one-way deal.

In every healthy relationship there is an exchange of value where each party 
gets something out of the exchange, even if it is relatively small.  This can 
be a deliberate exchange, or it can be embedded in social interaction and 
conversation.

Value may be a perception of benefit, rather than something material.  It may 
or may not be quantifiable and it may be highly valued or of limited value. It 
may also be 

Re: [pfSense] looking for perfect pfsense box for home?

2016-08-03 Thread Jim Thompson
My response was not directed at you, Ryan.




On Wed, Aug 3, 2016 at 8:44 PM, Ryan Coleman  wrote:

> Correction. Instead the system is ON an open-SOURCE platform.
>
> > On Aug 3, 2016, at 8:43 PM, Ryan Coleman  wrote:
> >
> >  Instead the system is open platform.
>


Re: [pfSense] looking for perfect pfsense box for home?

2016-08-03 Thread Jim Thompson
Here's all you need to know:

1) we only test releases on the hardware we sell, or have sold in the past
two years.  (Obviously doesn't include VM images.)

We don't intentionally break anything, but your J1900 box isn't in the test
matrix, nor will it ever be.  That said, we have included
fixes for hardware that we'll never ship.  The i217s on recent Intel NUCs
is one example.

2) Many people are employed making pfSense.   Appliance sales make up  the
largest part of the revenue that keeps them employed working on pfSense.

If you want to support the project and make pfSense better, you’re welcome
to submit bugs or develop fixes. If you’re not a developer but want to
support the project, you can always purchase a Gold Subscription.

3) At the RAM densities involved, ECC isn't going to buy you much.  If we
were doing storage, the story would be different, but given the relative
error rates of Ethernet and non-ECC RAM, you're unlikely to ever detect a
bit error.  Those of you still running on CF or "SD Cards" should worry
about your storage, not ECC RAM.

We could have put ECC on the RCC-VE boards, and chose not to.  There isn't
a good reason for raising the cost (and therefore price).

4) Your enthusiasm for your j1900 box is understood, but this is the
pfsense list.

You're a guest.  Be nice.

Jim

Re: [pfSense] Installation issues of latest release (2.3.2) resolved?

2016-07-29 Thread Jim Thompson
pfSense is normally tested on the devices that Netgate has released as
products over the past two years.

pfSense 2.3.2 was tested on the following devices and hypervisors:

SG-2220 (eMMC and M.2), SG-2440 (eMMC and mSATA), SG-4860 (eMMC and mSATA),
SG-8860 (eMMC and mSATA), 7541 (CF and SSD), 7551 (CF and SSD), APU (not
APU2) (nano on SD, full install on SD, and mSATA), ALIX, C2758, XG-1540,
XG2758, AWS, Azure, OVA (VMware), as well as a KVM and bhyve images for
internal use.

pfSense CE is tested against an otherwise unremarkable, ordinary 64-bit PC
for the ISO, memstick and serial memstick images for both amd64 and i386
architectures, including a "CE" install for the ADI (SG-) platforms
above.  NanoBSD images are tested for both 2G and 4G CF cards for both
amd64 and i386 for both VGA and non-VGA.  An amd64 OVA for pfSense CE is
produced and tested as well.

For all the above, clean install as well as upgrade (from 2.3.1 and 2.2.6)
were tested.   Several parameters and items (I will not document them all)
are checked after install or upgrade to ensure they are the expected value.

The full matrix takes several people several days to complete.

As a reminder, pfSense 2.4 will not support i386, and will not support the
'nano' image.
We are including ARM support (for the uFW) in pfSense 2.4.

Jim


On Fri, Jul 29, 2016 at 9:52 PM, Ryan Coleman  wrote:

> I presume you mean AMD… But that’s what the 64-bit code base is labeled
> as, regardless of Intel, AMD or other.
>
>
> > On Jul 29, 2016, at 9:50 PM, Alfredo Tapia Sabogal <
> alfred.ta...@gmail.com> wrote:
> >
> > So far as I know, pfSense has some issues related to the architecture of ADM
> >
> > CHEERS
> >
> > Alfredo Tapia Sabogal
>

Re: [pfSense] Lightning strike

2016-07-27 Thread Jim Thompson
On Tue, Jul 26, 2016 at 7:43 PM, Volker Kuhlmann 
wrote:

> On Tue 26 Jul 2016 09:41:37 NZST +1200, Karl Fife wrote:
>
> >  After some
> > testing, I found the system would not come up after reboot because
> > it had gone into port reassignment mode since the config made
> > reference to a non-existent interface.
>
> I find this really really annoying of pfsense! Especially for headless
> systems. Hey, why run with only one interface and some functionality
> missing when one can run with functionality of zero point zero instead?
>
>
Certainly, let's just go ahead and run if you inserted or deleted a NIC.
Won't change anything; let's just run with the new enumeration.

After all, what could happen?   Rules for some internal NIC get dropped on
WAN?  Sure thing.

(NOT!)

Sometimes security != convenience.
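The cases Jim enumerates in the 2016-10-13 "Lightning strike" message and the point here about running with a changed enumeration, as one added example (not pfSense code): a strict check that refuses to apply any ruleset when the config references a device that is no longer on the bus, beside a "just run" policy in which each role's rules land on whatever wire now bears the configured name. The renumbering model (surviving devices of one driver renamed lowest-unit-first, other drivers untouched) is an assumption for illustration, and the functions take any number of interfaces and driver types, not only the three- and four-port cases in the thread.

```python
"""Strict vs 'just run' handling of a NIC that no longer enumerates.

Added example, not pfSense code. `config` is role -> device name, as in
the thread's cases; `lost` is the set of devices no longer on the bus.
Renumbering model (an assumption for illustration): surviving devices of
one driver are renamed in probe order, lowest unit first, so losing igb0
leaves the old igb1 answering to 'igb0'; other drivers keep their names.
"""
import re

# Interface assignments from the thread's cases.
CFG_MIXED = {"WAN": "em0", "LAN": "em1", "OPT1": "re0"}                      # Cases 0-2
CFG_2440 = {"WAN0": "igb0", "WAN1": "igb1", "LAN": "igb2", "OPT1": "igb3"}  # Cases 6-18


def split_name(dev):
    """'igb2' -> ('igb', 2): driver name plus unit number."""
    m = re.fullmatch(r"([a-z]+)(\d+)", dev)
    if not m:
        raise ValueError(f"not a FreeBSD interface name: {dev}")
    return m.group(1), int(m.group(2))


def missing_interfaces(config, lost):
    """Roles whose configured device is no longer on the bus."""
    return {role: dev for role, dev in config.items() if dev in lost}


def strict_policy(config, lost):
    """What the thread describes pfSense doing: if the config references a
    device that did not enumerate, stop in port-reassignment mode and apply
    no ruleset at all, rather than guess which wire is which."""
    missing = missing_interfaces(config, lost)
    if missing:
        return {"action": "reassign", "missing": missing, "wrong_rules": {}}
    return {"action": "run", "missing": {}, "wrong_rules": {}}


def renumber(config, lost):
    """Assumed post-event enumeration: {new_name: role of the wire that now
    bears it}. Per driver, surviving wires take units 0, 1, 2, ... in the
    order of their old unit numbers."""
    survivors = sorted(
        (split_name(dev), role) for role, dev in config.items() if dev not in lost
    )
    next_unit = {}
    bearer = {}
    for (drv, _old_unit), role in survivors:
        unit = next_unit.get(drv, 0)
        bearer[f"{drv}{unit}"] = role
        next_unit[drv] = unit + 1
    return bearer


def naive_policy(config, lost):
    """'Just run with the new enumeration': keep the configured device names
    and bind each role's rules to whatever wire now answers to that name.
    wrong_rules maps a wire's real role -> the role whose rules it received."""
    bearer = renumber(config, lost)
    missing, wrong = {}, {}
    for role, dev in config.items():
        if dev not in bearer:
            missing[role] = dev           # nothing bears this name any more
        elif bearer[dev] != role:
            wrong[bearer[dev]] = role     # e.g. the OPT1 wire filtered by LAN rules
    return {"action": "run", "missing": missing, "wrong_rules": wrong}


def compare(config, lost):
    """Both policies applied to one case."""
    return {"strict": strict_policy(config, lost), "naive": naive_policy(config, lost)}


if __name__ == "__main__":
    for label, cfg, lost in (
        ("Case 0", CFG_MIXED, {"em0"}),
        ("Case 6", CFG_2440, {"igb0"}),
        ("Case 10", CFG_2440, {"igb0", "igb1"}),
    ):
        out = compare(cfg, lost)
        print(f"{label}: strict -> {out['strict']['action']}, missing {out['strict']['missing']}")
        print(f"{label}: naive  -> wrong rules {out['naive']['wrong_rules']}, "
              f"unbound {out['naive']['missing']}")
```

In Case 6 the naive policy puts LAN rules on the OPT1 wire and WAN1 rules on the LAN wire; the strict policy stops with WAN0 reported missing and applies nothing.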


Re: [pfSense] Lightning strike

2016-07-25 Thread Jim Thompson
"Lightning surge damage to Ethernet and POTS ports connected to
inside wiring"
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6842005

A summary of the paper:
http://incompliancemag.com/article/lightning-surge-damage-to-ethernet-and-pots-ports-connected-to-inside-wiring/

a slide deck on the same subject, by the same author:
http://www.atis.org/peg/docs/2015/LightningSurgeDamage_JRandolph.pdf

In which:

> Interestingly, some generic replacement power supplies purchased on the
> Internet showed breakdown levels as low as 3 kV. Internal inspection
> revealed that the isolation barriers in these supplies were not compliant
> with [10]. These non-compliant supplies had no safety markings from
> independent labs, although they did have the CE marking for manufacturer’s
> self-declaration in Europe.

Which is to say cheap far-eastern wall warts are not compliant, though
claiming to be.

> At present there is no evidence of non-compliant power supplies being
> used by name brand manufacturers of routers and cordless phones.

"Well, obviously it's not meant to be taken literally; it refers to any
manufacturers of dairy products." [1]

But here's the important bottom line:

> The key point here is that a high current, fast rise time surge on the AC
> mains can interact with the inductance of the ground wire to create a high
> voltage common mode surge on every cable that is connected to the surge
> protector. In some sense, the surge protector takes a surge on the AC mains
> and “broadcasts” it onto every cable that is connected to the surge
> protector. This happens despite the fact the surge protector has been
> installed correctly and the ground wire of the AC mains outlet is connected
> properly.

In other words, your ground wire won't help you.   Check the slide deck
(and paper), it can be that the ground potential has risen.

I'll add that inductive coupling is a function of the rate of change rather
than the peak current.  So when di/dt is a small fraction of infinity, it
doesn't really matter much that your inductor coil is a stretch of wire
five meters away ... it's going to get a big spike of current and the teeny
tiny little transistors in your equipment are going to arc over.  A small
puff of smoke will appear.  If you're unlucky, a fire will shortly (narf)
follow.

Surge protectors have several practical failures:

1 - they are rated for a certain amount of energy, and a big strike
overwhelms that, so you're done.

2 - they are rated for that amount of energy over their service lifetime,
which means that come the big storm your five-year-old surge protector has
actually sacrificed itself to a thousand little surges that you never
noticed over the time it's been in service.

3 - they have a response curve that makes them more suitable for lower
di/dt or dv/dt spikes ... this makes them a good protection for spikes that
originate far away and get their sharp edges worn off as they travel across
the network, not so much for close hits.

For extra credit:

Who did some of the important early research on lightning effects?  Why, Mr
Steinmetz, of course.
https://en.wikipedia.org/wiki/Charles_Proteus_Steinmetz


tl;dr: your multiport surge protectors are a prime suspect.

Jim

[1] https://en.wikiquote.org/wiki/Monty_Python%27s_Life_of_Brian


On Mon, Jul 25, 2016 at 4:41 PM, Karl Fife  wrote:

> The 6th Ethernet port (em5) on my Lanner fw-7541D died Saturday night
> during the electrical storm.  Just the one port.
>
> Apparently fried, apparently by an electrical anomaly.
>
> Now, the link light is always on (dimly lit), whether populated or not,
> and neither the POST, nor the OS detects the presence of the fifth port.
>
> Interesting how it failed: The fried port 'simply' broke connectivity for
> the interface's LAN segment.  Everything else continued to work.  I kinda
> didn't believe the report that Internet was out for the one LAN, since the
> other was not.  After some testing, I found the system would not come up
> after reboot because it had gone into port reassignment mode since the
> config made reference to a non-existent interface.
>
> I edited the config in VI to de-reference the interface, and All's well.
>
> I really like this Lanner hardware, and would like to keep it in service.
> Ideally I'd like to fix the (now dead) spare port so that I still have a
> spare.
>
> Can anyone tell me what's component is typically fried in this scenario?
> Is it the NIC controller chip itself? I'm guessing it's not, rather I'm
> guessing it's just the big, blocky Ethernet Isolation transformer/amplifier
> that's been fried.  I'm also guessing that the reason the system is still
> functional (at all) is because the little dude did its job.  I know it's a
> long shot, but I'd like to hear if anyone has ever repaired a fried
> Ethernet port on a motherboard.
>
> Also ironic, everything's very well grounded with a dedicated earth-ground
> via #6 AWG except the one (damned) switch that services that one 

Re: [pfSense] Migrating existing install to another drive

2016-07-16 Thread Jim Thompson


> On Jul 15, 2016, at 4:55 PM, Dan Langille  wrote:
> 
> I have a NetGate APU2 running pfSense 2.3.  It came pre-installed and I've 
> upgraded it over the past two years.

Pretty sure you have an APU, not APU2.  We never sold the APU2, and the re(4) 
NICs in your bootlog confirm. 

Jim


Re: [pfSense] 502 Bad Gateway

2016-07-07 Thread Jim Thompson
I run the widget on my dashboard without issue. 

Please stop assuming there is a problem, and take steps to prove it instead. 

-- Jim

> On Jul 7, 2016, at 1:16 PM, Bill Arlofski  wrote:
> 
>> On 07/07/2016 08:09 AM, Jon Gerdes wrote:
>> Bill
>> 
>> I maybe off target here but the IPSEC widget used to cause php-fpm
>> daemon to die after a few days.  
>> 
>> I haven't looked into it since but removing that widget fixed it for me
>> on two pfSenses.
>> 
>> Cheers
>> Jon
> 
> Hi Jon,
> 
> Hmmm, I do have the IPsec widget on my dashboard, so this is at least
> somewhere to start. :)
> 
> I guess I will remove it the next time this happens and see if there is any
> change.
> 
> Do you know if this is a known (and reported) issue?
> 
> Thanks for the response.
> 
> Best regards,
> 
> Bill
> 
> 
> -- 
> Bill Arlofski
> Reverse Polarity, LLC
> http://www.revpol.com/
> -- Not responsible for anything below this line --


Re: [pfSense] USB3 to ethernet adaptor

2016-06-06 Thread Jim Thompson

> On Jun 6, 2016, at 10:36 AM, WebDawg  wrote:
> 
> On Mon, Jun 6, 2016 at 9:00 AM, RB  wrote:
>> 
>> On Sun, Jun 5, 2016 at 7:02 PM, Volker Kuhlmann
>>  > This is a laughable argument!
>> 
>> I'm not here to argue, you are.  More specifically, you're here to
>> press your personal point for open switch firmware.  Your paranoia,
>> it's showing.
>> ___
> 
> 
> 
> All of this arguing aside and all of these points made I still cannot wait
> until there is nothing stopping me from examining the code that runs on my
> switches.

Given that the forwarding plane in these is largely TCAM-based, you’re going to 
go very deep to begin
to understand same, and there will be large parts of the chips that are not 
documented.

We actually have Broadcom Trident and Fulcrum FM6K/10K source code here.  I 
won’t explain why.

> I know some of these is off topic but I am going to post this anyways:
> 
> 
> j...@netgate.com wrote:
> 
> "Open Source is more about sharing than security."
> 
> Open source is way more than both of these topics but even in the sentence
> that you wrote, you even agree that it could be a little bit of both.  It
> seems like groups are moving towards openness in general and it is going to
> be really cool when I can cheaply take something like Open vSwitch,

bah.  yesterday’s newspaper^Wtechnology.

> some hardware, and an open vSwitch accelerator 
> (http://www.6wind.com/products/6wind-virtual-accelerator/)

Which is neither open source, nor inexpensive.

> and forget about Cisco, Juniper and the lot.

For up to about 40Gbps, probably.  Above that?  Probably not.

> It sucks, it really does.  I would think Open Source is more about lowering
> the entry level for any topic.  It is easier to audit if you need it
> secure, it is easier to work with when you need to share or bits and pieces
> of it, etc.
> 
> When I was a child I wanted something like the raspberry pi so very bad, or
> an Arduino.  The closest thing I could find in my environment at the time
> was about $400+ and the programming software was very proprietary, the
> device was limited in its capabilities, it was closer to SCADA.

A Z80 couldn’t have cost $400.

> I do not think anyone here wants to argue Some Company vs OpenSource, when
> you look at the fabric switches that Cisco any other companies offer it is
> obvious how money can motivate a company/organization to build new tech.

I think you’ll find that Cisco (etc) use off-the-shelf switch parts these days.

> But then take a look at something like the Raspberry Pi

“take a look at … the Raspberry Pi”   which is not open hardware, 

Just try to build your own.

... and has binary blobs:

https://www.raspberrypi.org/blog/open-source-arm-userspace/
https://www.raspberrypi.org/blog/new-video-features/

Further, the license of the raspberry pi firmware is restricted to use on 
raspberry pi products, so to remain within the license were you to build your 
own (should you be able to somehow acquire chips)
you would have to make your own firmware builds from the materials broadcom 
provide (under NDA).  Odroid managed to secure a small batch of BCM2835 and 
developed a pi-compatible
product called the Odroid W around it but Broadcom refused to sell them further 
chips.

In short, the Pi is not an open source project.  It was meant to be a learning 
tool to get kids interested in computer hardware and programming.
Mission Accomplished.

Obviously there has also been a lot of interest from the 30+ computer crowd who 
have turned their PIs into cheap portable media players and DIY projects 
involving the GPIO port(s).
But this was never the goal of the RPi foundation.

Given this, please explain what you want me to examine.

> and see where it is and what it is doing.  Part of OpenSource is removing the 
> grip the
> companies have on these technologies and giving it away, this especially
> helps when you live in an environment when the bar for getting things that
> are not OpenSource is high for whatever reasons.
> 
> On Sun, Jun 5, 2016 at 7:02 PM, Volker Kuhlmann wrote:
> 
> Your paranoia, it's showing.
> 
> "Paranoia is a thought process believed to be heavily influenced by anxiety
> or fear, often to the point of delusion and irrationality."
> 
> If you believe there are not malicious actors trying to influence and hack
> technologies for there own benefit, I do not know what to say, but someone
> not trusting some software does not sound all that crazy.

You didn’t read it, did you?

http://dl.acm.org/citation.cfm?id=358210

You should read it.  Serious.  It will destroy your faith in “many eyes make 
shallow bugs”.

Here is a pull quote:
"The moral is obvious. You can't trust code that you did not totally create 
yourself. (Especially code from companies that employ people like me.) No 
amount of source-level verification or scrutiny will protect you from using 

Re: [pfSense] USB3 to ethernet adaptor

2016-06-05 Thread Jim Thompson

All this invective, yet you run your firewall on an Intel/AMD platform.

Et tu, Volker. 

Open Source is more about sharing than security.   Anyone who argues gets 
referred to, "Reflections on Trusting Trust."

-- Jim

> On Jun 5, 2016, at 8:02 PM, Volker Kuhlmann  wrote:
> 
> On Fri 27 May 2016 04:53:12 NZST +1200, RB wrote:
> 
>>> http://seclists.org/fulldisclosure/2016/Jan/77
>>> 
>>> http://seclists.org/fulldisclosure/2016/Mar/25
>> 
>> I see, but that has nothing to do with the security of the VLAN
>> implementation, rather of the switch as a whole.
> 
> Uhhmm, very moot point. They can't even make a secure switch, how secure
> their VLAN is becomes irrelevant. And the switch manufacturer couldn't
> care less about fixing anything - what's your trust value in the VLAN
> implementation? How different are other manufacturers?
> 
>> Nor does it mean we avoid using an entire technology because there
>> "might" be vulnerabilities in what has otherwise remained a stable and
>> useful paradigm for decades.
> 
> As "stable and useful" a paradigm as the Internet was before Snowden?
> 
>> The question of VLAN jumping remains open, in my mind.  An
>> appropriate, well-configured switch fabric should have no problem
> 
> True - as you say, "should", but it's utopic. Which means reducing critical
> firmware entirely increases security a lot. No matter where you buy your
> VLAN, it doesn't come close to the security of an extra port on the
> firewall you already trust. VLAN is just being lazy.
> 
>> vulnerabilities in its management software notwithstanding.
> 
> This is a laughable argument! You can only use the whole. You're arguing
> it's safe to use a (potentially!) safe fragment of VLAN firmware that by
> necessity is embedded in whatever management, of which you know it's a
> piece of rubbish. I'm increasingly getting the impression that network
> device manufacturers only ever fix anything if there is sufficient
> public backlash to make it financially worth fixing - no other reason to
> fix anything exists. The logical conclusion is that such "technology" is
> unsafe.
> 
> VLAN switch with 100% open source firmware please...
> 
> Volker
> 
> -- 
> Volker Kuhlmann is list0570 with the domain in header.
> http://volker.top.geek.nz/    Please do not CC list postings to me.


Re: [pfSense] FreeBSD on uFW

2016-06-01 Thread Jim Thompson

> On Jun 1, 2016, at 4:02 PM, Vick Khera <vi...@khera.org> wrote:
> 
> On Wed, Jun 1, 2016 at 4:54 PM, Jim Thompson <j...@netgate.com> wrote:
> 
>> Vick, no, it’s not in the Netgate storefront (yet).  There are a handful
>> of boards in the world.  This one is on my desk at home.
>> https://twitter.com/gonzopancho/status/738098254890471424
>> 
> Cool. I found the original twitter thread too. Wasn't sure exactly what it
> was, but glad to see you took the banana request seriously. :)

I’m about to eat that banana.

> The name will confuse the heck out of people. Right now when you google uFW
> you get stuff about some linux firewall software.

It’s new.

you prefer ‘m1cr0Wall’, perhaps?  

Netgate used to have a m1n1wall product (which shipped with m0n0wall at first, 
then pfSense).

Jim


Re: [pfSense] FreeBSD on uFW

2016-06-01 Thread Jim Thompson

Ian,

WRT “it’s new and perhaps incomplete at best”.   What does that even mean?

Yes, it’s new.  First boot on that hardware was last night, around 3am Central 
(US).  

No, it’s not ready to ship.  A close inspection of the bootlog will show 
several issues (some of them affect Intel/AMD as well.)
https://gist.github.com/gonzopancho/df6f0730fa54fec0d782eea00d7653a0

Note that it’s on the pfSense 2.4 train, which won’t be out until September 
(gating on FreeBSD 11-RELEASE, which is targeted at 2 September).
https://www.freebsd.org/releases/11.0R/schedule.html

For a long time, pfSense trailed FreeBSD by a year or more.  These days we’re 
able to stay -CURRENT, and ship releases based on upstream within weeks of the 
FreeBSD release timeline.

Vick, no, it’s not in the Netgate storefront (yet).  There are a handful of 
boards in the world.  This one is on my desk at home.
https://twitter.com/gonzopancho/status/738098254890471424

Jim

> On Jun 1, 2016, at 10:50 AM, Ian Bowers  wrote:
> 
> looks like there's some progress being made on getting pfsense running on
> netgate ufw
> 
> https://www.reddit.com/r/PFSENSE/comments/4m07jm/pfsense_24dev_now_runs_on_ufw/
> 
> which also tells me it's new and perhaps incomplete at best.
> 
> On Wed, Jun 1, 2016 at 11:21 AM, Vick Khera  wrote:
> 
>> What is a uFW? Google is not my friend (keeps finding some stupid firewall
>> package for linux) and I see nothing on the netgate storefront that seems
>> to be it.

[pfSense] FreeBSD on uFW

2016-05-31 Thread Jim Thompson


U-Boot SPL 2016.03 (May 31 2016 - 19:23:56)
Trying to boot from MMC
Card doesn't support part_switch
MMC partition switch failed
*** Warning - MMC partition switch failed, using default environment

reading u-boot.img
reading u-boot.img


U-Boot 2016.03 (May 31 2016 - 19:23:56 -0500)

   Watchdog enabled
I2C:   ready
DRAM:  512 MiB
MMC:   OMAP SD/MMC: 0, OMAP SD/MMC: 1
reading u-boot.env

** Unable to read "u-boot.env" from mmc0:1 **
Using default environment

Net:not set. Validating first E-fuse MAC
cpsw, usb_ether
Hit any key to stop autoboot:  0 
Booting from: mmc 0 ubldr.bin
reading ubldr.bin
224696 bytes read in 23 ms (9.3 MiB/s)
## Starting application at 0x8800 ...
Consoles: U-Boot console  
Compatible U-Boot API signature found @0x9ef3ab58

FreeBSD/armv6 U-Boot loader, Revision 1.2
(root@fbsd-current-amd64-loos, Sun May 29 01:24:33 CDT 2016)

DRAM: 512MB
Number of U-Boot devices: 3
U-Boot env: loaderdev='mmc 0'
Found U-Boot device: disk
  Checking unit=0 slice= partition=... good.
Booting from disk0s2a:
/boot/kernel/kernel data=0x5b85e4+0x93a1c syms=[0x4+0x805f0+0x4+0x94566]

Hit [Enter] to boot immediately, or any other key for command prompt.
Booting [/boot/kernel/kernel]...   
/boot/dtb/ufw.dtb size=0x7c61
Loaded DTB from file 'ufw.dtb'.
Kernel entry at 0x0x88200100...
Kernel args: (null)
ARM Debug Architecture not supported
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2016 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.0-ALPHA1 #0 0671027(master)-dirty: Sun May 29 01:24:06 CDT 2016

root@fbsd-current-amd64-loos:/usr/home/luiz/git/crochet-ubmc/work/obj/arm.armv6/usr/home/luiz/git/freebsd-ubmc/sys/uFW arm
FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 
3.8.0)
WARNING: WITNESS option enabled, expect reduced performance.
CPU: Cortex A8-r3 rev 2 (Cortex-A core)
 Supported features: ARM_ISA THUMB2 JAZELLE THUMBEE ARMv4 Security_Ext
 WB enabled LABT branch prediction disabled
LoUU:2 LoC:3 LoUIS:1 
Cache level 1: 
 32KB/64B 4-way data cache WT WB Read-Alloc
 32KB/64B 4-way instruction cache Read-Alloc
Cache level 2: 
 256KB/64B 8-way unified cache WT WB Read-Alloc Write-Alloc
real memory  = 536870912 (512 MB)
avail memory = 512077824 (488 MB)
Texas Instruments AM335x Processor, Revision ES1.2
random: entropy device external interface
ofwbus0: 
simplebus0:  on ofwbus0
simplebus1:  on simplebus0
simplebus2:  mem 0x21-0x211fff on simplebus1
ti_scm0:  mem 0-0x7ff on simplebus2
aintc0:  mem 0x4820-0x48200fff on simplebus0
aintc0: Revision 5.0
cpulist0:  on ofwbus0
cpu0:  on cpulist0
pmu0:  irq 3 on ofwbus0
am335x_prcm0:  mem 0x20-0x203fff on simplebus1
am335x_prcm0: Clocks: System 24.0 MHz, CPU 550 MHz
ti_pinmux0:  mem 0x800-0xa37 on simplebus2
gpio0:  mem 0x44e07000-0x44e07fff irq 96 on simplebus0
gpiobus0:  on gpio0
gpioc0:  on gpio0
gpio1:  mem 0x4804c000-0x4804cfff irq 98 on simplebus0
gpiobus1:  on gpio1
gpioc1:  on gpio1
gpio2:  mem 0x481ac000-0x481acfff irq 32 on simplebus0
gpiobus2:  on gpio2
gpioc2:  on gpio2
gpio3:  mem 0x481ae000-0x481aefff irq 62 on simplebus0
gpiobus3:  on gpio3
gpioc3:  on gpio3
uart0:  mem 0x44e09000-0x44e0afff irq 72 on simplebus0
uart0: console (115384,n,8,1)
iichb0:  mem 0x44e0b000-0x44e0bfff irq 70 on simplebus0
iichb0: I2C revision 4.0 FIFO size: 32 bytes
iicbus0:  on iichb0
iic0:  on iicbus0
icee0:  at addr 0xa0 on iicbus0
icee1:  at addr 0xa0 on iicbus0
iichb1:  mem 0x4802a000-0x4802afff irq 71 on simplebus0
iichb1: I2C revision 4.0 FIFO size: 32 bytes
iicbus1:  on iichb1
iic1:  on iicbus1
sdhci_ti0:  mem 0x4806-0x48060fff irq 64 on simplebus0
mmc0:  on sdhci_ti0
sdhci_ti1:  mem 0x481d8000-0x481d8fff irq 28 on simplebus0
mmc1:  on sdhci_ti1
ti_wdt0:  mem 0x44e35000-0x44e35fff irq 91 on simplebus0
ti_mbox0:  mem 0x480c8000-0x480c81ff irq 77 on simplebus0
ti_mbox0: revision 4.0
am335x_dmtimer0:  mem 0x4804-0x480403ff irq 68 on simplebus0
Event timer "DMTimer2" frequency 2400 Hz quality 500
am335x_dmtimer1:  mem 0x48042000-0x480423ff irq 69 on simplebus0
Timecounter "DMTimer3" frequency 2400 Hz quality 500
usbss0:  mem 0x4740-0x47400fff on simplebus0
usbss0: TI AM335X USBSS v0.0.13
musbotg0:  mem 0x47401400-0x474017ff,0x47401000-0x474011ff irq 18 on usbss0
usbus0: Dynamic FIFO sizing detected, assuming 16Kbytes of FIFO RAM
usbus0 on musbotg0
musbotg1:  mem 0x47401c00-0x47401fff,0x47401800-0x474019ff irq 19 on usbss0
usbus1: Dynamic FIFO sizing detected, assuming 16Kbytes of FIFO RAM
usbus1 on musbotg1
am335x_pwmss0:  mem 0x4830-0x483f on simplebus0
am335x_ecap0:  mem 0x48300100-0x4830017f irq 31 on am335x_pwmss0
am335x_ehrpwm0:  mem 0x48300200-0x4830027f on am335x_pwmss0
am335x_pwmss1:  mem 0x48302000-0x4830200f on simplebus0
am335x_ecap1:  mem 

Re: [pfSense] Zero Trust Networks

2016-05-17 Thread Jim Thompson
Hi Randy,

Ex-BYU student here.  M.E. ’84, but I started in Chem, and maintained a vacuum 
distillation apparatus in the basement of ESC that was part of the Chem 
departments research in lasing emulsion dyes.
I have a relative (Steve Walker) in the English department, too.

If you’ve read the original Forrester / NIST paper(*), there are three tenets 
of the Zero Trust Model:
• Ensure all resources are accessed securely regardless of location. 
• Adopt a least privilege strategy and strictly enforce access control.
• Inspect and log all traffic.

We are in the process of building a segmentation gateway, leveraging Open 
Daylight as a controller, but this isn’t going to be “pfSense”.  It will be a 
Netgate product.

I don’t really talk about it much outside Netgate.  There are a few people here 
working on it (one of them just up the road from you in SLC.)

The idea is that one could then take pfSense 3.0, which is being re-architected 
to have a central management console (this used to be called “pfCenter” or 
“pfCentral”), and manage pfSense as a (set of) distributed access nodes.
This also serves to explain why we’re making the investment in ARM hardware 
(see several recent tweets, 
e.g. https://twitter.com/gonzopancho/status/731245772721651712), though that 
side will scale to multicore as well.  We can take the same userland-based 
(DPDK/netmap) networking codebase and run it on anything from a tiny ARM to 
a device with a dozen 40G interfaces and dozens of cores.

If you’d like to speak (privately) about this, I’m happy to do so, but I’m not 
ready to share further details publicly.  (Heck, most people here don’t know 
that this is one of the potential uses for what we’re building in the lab.  :-)

Aloha,
Jim
(*) 
http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf

> On May 17, 2016, at 3:17 PM, Randy Morgan  wrote:
> 
> I have been doing some reading on zero trust networks, there is much to learn 
> and this is a major paradigm shift in security thinking.  Can pfSense be 
> configured to work in zones without a trusted zone, or is that something that 
> is planned for a future release?
> 
> Randy
> 
> -- 
> 
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
> 

Re: [pfSense] 2.3_1 ?

2016-05-05 Thread Jim Thompson

> On May 5, 2016, at 6:26 AM, Paul Mather  wrote:
> 
> On May 5, 2016, at 9:13 AM, Vick Khera  wrote:
> 
>> On Tue, May 3, 2016 at 11:24 AM, Jeppe Øland  wrote:
>> 
>>> Does this update actually work?
>>> 
>>> After hitting install and crunching for a while, it showed "firmware
>>> installation failed!" at the top.
>>> 
>> 
>> I just did the upgrade and it succeeded. However, ntpd was not restarted on
>> either of the two systems upgraded. I had to manually restart ntpd.
> 
> 
> Same here.  In fact, in my case, ntpd ended up in the stopped state, and I 
> had to start it manually.

it’s documented that you need to (re)start NTP manually.



Re: [pfSense] IPsec - how to assess encryption is active?

2016-04-29 Thread Jim Thompson
Because OpenVPN uses tun/tap, and there is a HUGE amount of overhead in that.

“HUGGGEEE!”  — Donald J. Trump

The statement "On a modern intel system, the intel chip itself (or AMD) has 
AES128 or better implemented in hardware. “ is incorrect.   Modern Intel / AMD 
parts have instructions that can accelerate the AES algorithm.

• AESENC. This instruction performs a single round of encryption. The 
instruction combines the four steps of the AES algorithm - ShiftRows, SubBytes, 
MixColumns & AddRoundKey into a single instruction.
• AESENCLAST. Instruction for the last round of encryption. Combines 
the ShiftRows, SubBytes, & AddRoundKey steps into one instruction.
• AESDEC. Instruction for a single round of decryption. This combines 
the four steps of AES - InvShiftRows, InvSubBytes, InvMixColumns, AddRoundKey 
into a single instruction
• AESDECLAST. Performs last round of decryption. It combines 
InvShiftRows, InvSubBytes, AddRoundKey into one instruction.
• AESKEYGENASSIST is used for generating the round keys used for 
encryption.
• AESIMC is used for converting the encryption round keys to a form 
usable for decryption using the Equivalent Inverse Cipher.
• PCLMULQDQ is used for carryless multiply (CLMUL), which is used in 
AES-GCM.

The other issue is that encryption without an HMAC is all but worthless.   (It 
increases privacy, but not security.)  Typically the HMAC involves an entire 
second pass over the packet, and this isn’t accelerated.  Very new Intel CPUs 
have some acceleration support for SHA (SHA1, SHA256, etc), but it’s not 
anything like hardware offload.

This is why AEAD modes (such as AES-GCM) exist, and why we added support for 
AES-GCM to IPsec for FreeBSD.  OpenVPN is supposed to get support for AEAD 
(GCM) in OpenVPN 2.4.
But that’s not going to solve the issue with the overhead of tun/tap.  That’s 
going to take actual work, putting OpenVPN over netmap, or DPDK, or something 
like that.

Versus AES-NI, actual hardware offload, using something like Intel QuickAssist, 
is much (much) faster.   We’ve run nearly 20Gbps using a CPIC card.  This tweet 
says “10Gbps”, but using two tunnels, we got it to 17Gbps
https://twitter.com/gonzopancho/status/703677820694720512  with an otherwise 
unmodified system.   That was AES-CBC-128 + HMAC-SHA1, IIRC.  Yes, QAT will 
accelerate SHA.   That’s not going to happen on FreeBSD without a lot of work, 
because the IPsec stack on FreeBSD needs….. a lot of work.  (It’s a bit of a 
hot mess, see upcoming BSDcan talk.  
http://www.bsdcan.org/2016/schedule/events/727.en.html)

net-net:  we accelerated IPsec using AES-GCM (leveraging AES-NI) first, because 
that was going to be the most benefit.

Jim
(Yes, we tried OpenVPN with QAT, tun/tap is the blocker here.  See above, or my 
repeated statements on this list, the forum, and elsewhere.)


> On Apr 29, 2016, at 1:10 PM, Olivier Mascia  wrote:
> 
> Indeed.
> Why didn't the OpenVPN tunnel show me that level of perf, despite settings 
> for using hardware acceleration, is another story, but I'm happy with the 
> IPsec results and will stick to that on this link.
> 
> Thanks for having confirmed me I hadn't fallen in a rabbit hole.
> :)
> 
> -- 
> Meilleures salutations, Met vriendelijke groeten, Best Regards,
> Olivier Mascia, integral.be/om
> 
>> Le 29 avr. 2016 à 19:58, ED Fochler  a écrit :
>> 
>> On a modern intel system, the intel chip itself (or AMD) has AES128 or 
>> better implemented in hardware.  I get ~700Mb on sftp on my macbook air 2012 
>> like that, so those numbers are exactly where I’d expect the CPU to be maxed 
>> out doing AES128 or AES256 encryption.  That’s what hardware acceleration 
>> feels like.  You should see the CPU (or one core at least) on the IPSec 
>> tunnel ends being fully occupied at that throughput.
>> 
>>  ED.
>> 
>> 
>>> On 2016, Apr 29, at 1:52 PM, Olivier Mascia  wrote:
>>> 
>>> Seeing throughput I did not expected with an IPsec tunnel compared to what 
>>> I was seeing using OpenVPN (which I always used up to the perf discrepancy 
>>> I discovered today on a new link), I wonder if it really encrypts anything.
>>> 
>>> Phase 1 is set for AES256, SHA256 DH group 2.
>>> Phase 2 is set for ESP AES256-GCM 128 bits and SHA256.
>>> 
>>> No other encryption / hash is checked as alternatives on Phase 2.
>>> 
>>> I'd say I'm good to go that way, but I'm driving between 500 and 750 Mbps 
>>> through the tunnel (transfer rate of ~45 to ~80 MB/sec in Windows File 
>>> explorer between filesystems on each side of the tunnel), and I quite 
>>> couldn't believe it.
>>> 
>>> Could something be wrong?
>>> 
>>> -- 
>>> Meilleures salutations, Met vriendelijke groeten, Best Regards,
>>> Olivier Mascia, integral.be/om
>>> 
>>> 

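Jim's point above, that AES-CBC without an HMAC "increases privacy, but not security" while an AEAD mode such as AES-GCM folds the integrity check into the one encryption pass, is easy to see in code. The following Go program is an added example and is not code from the post, from pfSense or from FreeBSD; it uses only the Go standard library, and its key, IV, nonce and message are constructed for the demonstration. It encrypts the same two-block message three ways, flips one ciphertext bit the way an on-path attacker would, and shows that raw CBC decrypts the forgery without complaint while both encrypt-then-MAC and GCM reject it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo material: a fixed key, IV and nonce keep the run reproducible.
// Real code draws them from crypto/rand and never reuses a GCM nonce under one key.
var (
	demoKey   = []byte("0123456789abcdef")                 // 16 bytes: AES-128
	demoMAC   = []byte("mac-key-mac-key-mac-key-mac-key!") // separate HMAC key
	demoIV    = []byte("fedcba9876543210")                 // 16-byte CBC IV
	demoNonce = []byte("nonce-000001")                     // 12-byte GCM nonce
	// Exactly two AES blocks, so no padding; the second block is the target.
	demoPlain = []byte("amount=000001000" + "acct=4242,ok=yes")
)

// cbc runs raw AES-CBC in either direction: confidentiality only, no
// integrity. Decryption cannot tell a tampered ciphertext from a genuine one.
func cbc(key, iv, in []byte, encrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input must be a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// macOf computes the encrypt-then-MAC tag over IV || ciphertext: the
// "second pass over the packet" that AES-CBC + HMAC-SHA pays for.
func macOf(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// cbcHmacOpen verifies the tag in constant time before decrypting anything.
func cbcHmacOpen(key, macKey, iv, ct, tag []byte) ([]byte, error) {
	if !hmac.Equal(macOf(macKey, iv, ct), tag) {
		return nil, errors.New("HMAC mismatch: ciphertext was modified")
	}
	return cbc(key, iv, ct, false)
}

// flipBit returns a copy of buf with one bit toggled, as an on-path attacker would.
func flipBit(buf []byte, index int, bit uint) []byte {
	out := append([]byte(nil), buf...)
	out[index] ^= 1 << bit
	return out
}

// RunDemo tampers with the same message under all three constructions.
// In CBC, flipping a bit of ciphertext block n flips the same bit of plaintext
// block n+1 (and garbles block n), so an attacker who never sees the key turns
// "acct=4242" into "acct=4243" and raw CBC decryption reports no error at all.
func RunDemo() (tamperedTail string, etmErr, gcmErr error) {
	const target = 8 // byte offset of the final '2' within the second block
	ct, err := cbc(demoKey, demoIV, demoPlain, true)
	if err != nil {
		return "", err, err
	}
	pt, _ := cbc(demoKey, demoIV, flipBit(ct, target, 0), false)
	tamperedTail = string(pt[aes.BlockSize:])
	// Encrypt-then-MAC: the extra pass catches the flip.
	tag := macOf(demoMAC, demoIV, ct)
	_, etmErr = cbcHmacOpen(demoKey, demoMAC, demoIV, flipBit(ct, target, 0), tag)
	// AES-GCM: authentication rides along in the single encryption pass.
	block, _ := aes.NewCipher(demoKey) // key length already validated by cbc above
	aead, _ := cipher.NewGCM(block)
	sealed := aead.Seal(nil, demoNonce, demoPlain, nil) // ciphertext || 16-byte tag
	_, gcmErr = aead.Open(nil, demoNonce, flipBit(sealed, target, 0), nil)
	return tamperedTail, etmErr, gcmErr
}

func main() {
	tail, etmErr, gcmErr := RunDemo()
	fmt.Printf("raw AES-CBC decrypts the tampered message as: %q\n", tail)
	fmt.Println("AES-CBC + HMAC-SHA256:", etmErr)
	fmt.Println("AES-GCM:              ", gcmErr)
}
```

The first block of the raw CBC output is garbage, but the second block comes back as "acct=4243,ok=yes" with no error: that is the malleability an ESP policy with hashes disabled on AES-CBC would expose, and why the hash-free configuration is only safe with an AEAD cipher such as AES-GCM, where the same bit flip makes Open fail on the tag.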
Re: [pfSense] APinger times wrong after a few hours

2016-02-24 Thread Jim Thompson
Apinger is… not very good.

This is why we’ve gone to dpinger in pfSense software v2.3


> On Feb 24, 2016, at 7:27 PM, Joe Laffey  wrote:
> 
> Hi,
> 
> I reported this on the forum a while back. Been having this issue since 
> installing version 2.x
> 
> We have a dual WAN setup. If I restart apinger then the RTT latency times are 
> correct, and it seems to ping the selected hosts (one of which is an 
> alternate host, the other is the gateway). However, after a a while (will 
> check and see how long) the RTT times are suddenly MUCH lower, like it is 
> pinging the wrong host, or something.
> 
> Any thoughts on this? Anyone else have incorrect ping times from apinger?
> 
> The issue still persists in 2.2.6-RELEASE.
> 
> Thanks,
> 
> -- 
> Joe Laffey
> The Stable
> Visual Effects
> http://TheStable.tv/?e38916M/

Re: [pfSense] PFSense for high-bandwith environments

2016-02-23 Thread Jim Thompson

> On Feb 23, 2016, at 9:43 PM, WebDawg  wrote:
> 
> Man I was looking at the price point on used 10Gbit nics and I think it is 
> time for a bit of an upgrade.

10Gbit Ethernet will be so common in three years, a 1Gbps interface will be 
only used for management interfaces. 


Re: [pfSense] PFSense for high-bandwith environments

2016-02-23 Thread Jim Thompson




-- Jim
> On Feb 23, 2016, at 9:38 PM, David Burgess <apt@gmail.com> wrote:
> 
>> On Feb 23, 2016 7:01 PM, "Jim Thompson" <j...@netgate.com> wrote:
>> 
>> perhaps you have a different definition of ‘wire speed’.  You have to
> fill the link with min-sized packets for “wire speed”.
>> (It’s trivial with large packets.)
>> 
>> This is, of course, what is probably happening with 2-3K
> 
> The definition I had in mind was 1000 megabits per second in both
> directions. I wasn't concerned with packet rates at that moment, and I
> can't tell you what numbers I was getting because I don't remember, and
> perhaps I didn't even record them.


Doesn't matter. 

1Gbps of min-sized (64 byte, or 84 bytes including IFG (12 bytes of 'time'), 
preamble, SFD & CRC) equates to 1,488,095  packets per second. 

1Gbps of max-sized (1500 byte, or 1536 bytes including IFG (12 bytes of 
'time'), preamble, SFD & CRC) equates to 81,380  packets per second.

Neither FreeBSD nor Linux will forward packets at 1.488Mpps on any conceivable 
commodity hardware. 

netmap-fwd will do 1.2Mpps on a 1.7GHz C2000 (2220) and the type of minimal 
routing table often found in pfSense installations. 

Our DPDK router will do > 10Mpps with a full (570,000 routes) BGP route table, 
and a rather large ACL table on a Broadwell-DE platform. 

> I think we all agree that if the OP has a lot of gamers online then small 
> packets and high packet rates are going to be a concern.

High packet rates are a much larger issue than raw bandwidth. 

> Thanks for the info on the new technologies. Networking is not boring
> pursuit.


"Networking is the Vietnam of computing.  Something can nuke you from behind, 
and it's gone when you turn around. It's impossible to win a guerrilla war 
against a highly distributed enemy." -- Mike Smith

I am Agent Orange. 
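The line-rate arithmetic in the reply above, worked through as an added example (not code from the post or from pfSense). Link speed, the 84-byte and 1536-byte on-wire figures and the 1.2 Mpps netmap-fwd rate are the post's numbers; the 20 bytes of per-frame overhead (7 preamble, 1 SFD, 12 inter-frame gap) are the IEEE 802.3 values.

```python
"""Ethernet line-rate packet arithmetic: how many frames per second a link
can carry, the time budget per packet, and whether a given forwarding rate
keeps up. Added example; not pfSense or list-post code."""

PREAMBLE_BYTES = 7
SFD_BYTES = 1
IFG_BYTES = 12  # the "12 bytes of time" between frames
PER_FRAME_OVERHEAD = PREAMBLE_BYTES + SFD_BYTES + IFG_BYTES  # 20 bytes


def wire_bytes(frame_bytes: int) -> int:
    """Bytes of line time one frame occupies. frame_bytes already includes
    the 4-byte FCS/CRC, so a minimum 64-byte frame takes 84 bytes on the wire."""
    return frame_bytes + PER_FRAME_OVERHEAD


def frames_per_second(link_bps: float, wire_bytes_per_frame: int) -> float:
    """Maximum frame rate when every frame occupies this many bytes on the wire."""
    return link_bps / (wire_bytes_per_frame * 8)


def ns_per_frame(link_bps: float, wire_bytes_per_frame: int) -> float:
    """Time budget the forwarding path has per packet at line rate."""
    return 1e9 / frames_per_second(link_bps, wire_bytes_per_frame)


def line_rate_fraction(forward_pps: float, link_bps: float,
                       wire_bytes_per_frame: int) -> float:
    """Share of line rate a box forwarding forward_pps reaches; >= 1.0 keeps up."""
    return forward_pps / frames_per_second(link_bps, wire_bytes_per_frame)


def report(link_bps: float = 1e9) -> dict:
    """Summarise the min-size and max-size cases for one link speed."""
    small = wire_bytes(64)    # 84 bytes on the wire
    large = wire_bytes(1518)  # 1500 payload + 14 header + 4 FCS, plus overhead
    return {
        "min_pps": int(frames_per_second(link_bps, small)),
        "max_pps": int(frames_per_second(link_bps, large)),
        "ns_budget_min": ns_per_frame(link_bps, small),
    }


if __name__ == "__main__":
    for gbps in (1, 10):
        r = report(gbps * 1e9)
        print(f"{gbps} GbE: {r['min_pps']:,} pps min-size, {r['max_pps']:,} pps "
              f"max-size, {r['ns_budget_min']:.1f} ns per min-size packet")
    # netmap-fwd figure from the post: 1.2 Mpps on a 1.7 GHz C2000
    print(f"1.2 Mpps is {line_rate_fraction(1.2e6, 1e9, 84):.0%} of 1 GbE "
          "min-size line rate")
```

The per-packet budget is the number that matters for a firewall: 672 ns at 1 GbE shrinks to 67 ns at 10 GbE, which is why packet rate, not bandwidth, is the limit.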

Re: [pfSense] PFSense for high-bandwith environments

2016-02-23 Thread Jim Thompson

> On Feb 23, 2016, at 7:47 PM, Walter Parker  wrote:
> 
> On Tue, Feb 23, 2016 at 3:19 PM, Giles Davis  wrote:
> 
>> On 19/02/2016 17:12, David Burgess wrote:
>>> I'm a little surprised at your experience. A few years ago I built a
>>> PFSense unit with an Intel motherboard, 1st gen Core i3 CPU, and a
>>> single onboard Intel (em) GBE NIC. All routing was done through vlans
>>> and it had no trouble reaching wire speed with around 50% CPU usage.

perhaps you have a different definition of ‘wire speed’.  You have to fill the 
link with min-sized packets for “wire speed”.
(It’s trivial with large packets.)

This is, of course, what is probably happening with 2-3K ‘hardcore gamers’.  Lots 
of short packets.

>>> I do recommend using the net.inet.ip.fastforwarding=1 tweak if you
>>> can. Note that it breaks IPSEC and captive portal.

You’ll find that there is no such setting in pfSense software version 2.3, 
because we now use tryforward(), which gives you all the speed of ‘fast 
forwarding’ without breaking IPsec or captive portal.

(and therefore, there is nothing to ‘set’)

We tried to put this into FreeBSD 10.3, but there is a rare combination of 
factors that result in it breaking NAT (but not the NAT used in pfSense).  

>>> As far as 10G NICs, I was sure I read recently that the FreeNAS people
>>> were recommending Chelsio, but I can't find the reference now.
>> I imagine it's probably going to be our ridiculous PPS figures that
>> start to bottleneck things. There's 2-3 thousand hardcore gamers behind
>> these boxes when we run our events all generating shedloads of tiny UDP
>> packets, as well as a big demand for normal web browsing, downloading,
>> streaming on top of all that. What we used to see was the ix (and before
>> the 10G NICs the bge) driver heavily pushing single CPU cores - but at
>> about ~1.2Gbit we just start seeing small amounts of packet loss - even
>> when there's no obvious single cause. I'm guessing its a combination of
>> a few factors, but to be honest we just move traffic off to another box
>> - PL for gamers is the end of the world. :(
>> 
>> I don't think we had set fastforwarding yet - so i'll definitely look
>> into that. Don't care about IPSec or captive portal at all!
>> 
>> We're also getting pricing for Chelsio NICs now too - so perhaps that'll
>> help as well.
>> 
>> Thanks again (and thanks Ed for those stats too).
>> 
>> Cheers,
>> Giles.
> 
> Fun fact, Netflix is using FreeBSD and is pushing >30 Gbps from systems
> using Chelsio NICs. See
> http://www.slideshare.net/facepalmtarbz2/slides-41343025 for details.

Fun fact, this ’Netflix’ success is using the AES-GCM code that Netgate 
co-developed with the FreeBSD Foundation for use with IPsec.
https://lists.freebsd.org/pipermail/freebsd-security/2014-November/008029.html

Fun fact #2, a future variant of that work will leverage QuickAssist.
http://store.netgate.com/QuickAssist-and-Other-Cards-C210.aspx

Fun fact #3, we can achieve much higher PPS with the router we’re writing 
(leverages DPDK) and netmap-fwd than you can with
fastforward.  (Where Chelsio NICs make life a bit more complex.)
https://github.com/Netgate/netmap-fwd/blob/master/netmap-fwd.pdf





Re: [pfSense] Atheros Issues Abundant

2016-01-16 Thread Jim Thompson
No

-- Jim

> On Jan 16, 2016, at 1:28 PM, mayak  wrote:
> 
> Is there any workaround available?


Re: [pfSense] SCVMM Agent

2016-01-09 Thread Jim Thompson
We have an official image for Azure coming. 
Should be available soon. We're in final stages with Microsoft. 

-- Jim

> On Jan 9, 2016, at 4:56 AM, "pfsense-l...@y-tech.co.il" 
>  wrote:
> 
> Hi everyone,
> 
> We are struggling for weeks now trying to install SCVMM 2012 R2 agent on 
> PFSense.
> We run a cloud company based on Hyper-V with Azure Pack, we wish to give our 
> customers a great experience with pfsense, we are working with the product 
> for years (outside SCVMM scope) and it's perfect.
> In order to be compliant and have all the features with SCVMM VM networks and 
> automation we must install the SCVMM agent, but there is lack of support for 
> FREEBSD.
> If anyone managed to do so or have an idea how we can accomplish our goal it 
> will be great.
> 
> Thanks,
> Tomer Schwaitzer.
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by Y-Tech MailScanner system, and is
> believed to be clean.
> 


Re: [pfSense] 2.2.5-RELEASE Now Available!

2015-11-08 Thread Jim Thompson
https://blog.pfsense.org/?p=1925

-- Jim

> On Nov 7, 2015, at 4:43 PM, Doug Lytle  wrote:
> 
> I see 2.2.5 is available and didn't see any mention of it here.
> 
> https://blog.pfsense.org/
> 
> Doug
> 


Re: [pfSense] client VPN on IOS

2015-09-26 Thread Jim Thompson
I use it.  

Note that iOS 9 has AES-GCM and IKEv2. 

We've recently (today) fixed a few bugs in hybrid auth mode. That might have 
stopped you, depending on how you have things setup. 

Also, with iOS 9, it appears that a tunnel with only IPv4 doesn't work. You 
have to config both v4 and v6.  If you don't, the tunnel appears to be up, but 
doesn't pass traffic. 

OpenVPN doesn't scale.  It's fine on a small scale, but the architecture is 
wrong for large deployments. I nearly always recommend IPSec.

-- Jim

> On Sep 15, 2015, at 8:18 AM, Ray Bagby  wrote:
> 
> Greetings,
> 
>Anyone have any luck connecting iphone via VPN?
> 
> Thanks
> 


Re: [pfSense] Small form factor pfsense box

2015-08-11 Thread Jim Thompson

Erik,

The 2220 has been a difficult process, and we do appreciate the patience that 
customers have shown while we've worked through it. 

I'm not going to detail what has held things up, but I will say that none of 
the delay is due to technical design issues with the board.

Net-net, at this point, yes, I have very strong confidence that we can ship the 
2220 on or  before 31 August.

-- Jim

 On Aug 11, 2015, at 10:04 PM, Erik Anderson erike...@gmail.com wrote:
 
 Jim, is the SG-2220 still targeted for an Aug 31st ship date?
 
 
 On Mon, Aug 3, 2015 at 4:57 AM, Jim Thompson j...@netgate.com wrote:
 Thank you.
 
 These:
 
 http://store.pfsense.org/SG-2220/
 http://store.netgate.com/mobile/ADI/RCC-DFF-2220.aspx
 
 Seem like just what Cheyanne asked for.
 
 -- Jim
 
 On Aug 3, 2015, at 12:48 AM, Walter Parker walt...@gmail.com wrote:
 
 The Project sells hardware: http://store.pfsense.org/hardware/
 
 I bought small form factor routers from Netgate before and I'm happy.
 http://store.netgate.com/Routers-C178.aspx
 
 
 Walter
 
 On Sun, Aug 2, 2015 at 10:04 PM, Cheyenne Deal deal.cheye...@gmail.com
 wrote:
 
 Does anyone have any recommendations for a small form factor machine for
 pfsense?
 I am looking for dual gb interfaces and able to handle at least a 50mb
 internet connection
 
 
 
 --
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


Re: [pfSense] Small form factor pfsense box

2015-08-03 Thread Jim Thompson
Thank you. 

These:

http://store.pfsense.org/SG-2220/
http://store.netgate.com/mobile/ADI/RCC-DFF-2220.aspx

Seem like just what Cheyanne asked for. 

-- Jim

 On Aug 3, 2015, at 12:48 AM, Walter Parker walt...@gmail.com wrote:
 
 The Project sells hardware: http://store.pfsense.org/hardware/
 
 I bought small form factor routers from Netgate before and I'm happy.
 http://store.netgate.com/Routers-C178.aspx
 
 
 Walter
 
 On Sun, Aug 2, 2015 at 10:04 PM, Cheyenne Deal deal.cheye...@gmail.com
 wrote:
 
 Does anyone have any recommendations for a small form factor machine for
 pfsense?
 I am looking for dual gb interfaces and able to handle at least a 50mb
 internet connection
 
 
 
 -- 
 The greatest dangers to liberty lurk in insidious encroachment by men of
 zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis


Re: [pfSense] Power Glitch Took CF Card in Alix Down - Experience

2015-07-23 Thread Jim Thompson


-- Jim

 On Jul 23, 2015, at 12:56 AM, Mehma Sarja mehmasa...@gmail.com wrote:
 
 It took me 2 days to crawl back from a 5 second power glitch which happened
 recently because the CF card in my Netgate Alix machine crashed hard.
 Apparently the card got corrupted; cleaned it off and put a fresh image
 back on it. That's the good news. Even better, is that I bothered.

2.2.4 is way safer with writes to the card. 

 
 I have a choice to use a new Kickstarter funded project called the Shield
 from Itus Networks sitting on my desk. It's a 3-port fanless IDS machine
 based on OpenWRT and comes with Snort, antivirus and a firewall.

http://store.netgate.com/mobile/ADI/RCC-DFF-2220.aspx

IJS

 It can be connected in-line or off a network port. I plugged it in and things 
 started
 breaking. The network printer went off-line as did a USB external hard
 drive hooked to a wifi router. Nothing in the logs, tried turning the
 firewall off and quickly realized a gaping lack of maturity in this thing.
 I'm not bashing the effort because I believe it will be a great IDS machine
 in the future.
 
 pfSense on my 6 year old Alix just works. It's the result of the work put
 in by Netgate and pfSense team.

Thanks!

 
 Yudhvir


Re: [pfSense] Access Point Recommendations?

2015-07-20 Thread Jim Thompson

Firetide?

LOL

I’m good friends with the guy who did the design for Firetide.  He was, after 
all, the director of engineering there prior to the VCs moving the company from 
Hawaii to California.
He’s the one who also contributed the OLSR port freeBSD (which pfSense picked 
up).  Said it was just as good, if not better, than the proprietary algorithm 
in the Fireturd firmware.

Firetide was based on Soekris for the longest time.  I don’t know what they do 
these days.

The founding CEO of Firetide had me put together a business plan and technology 
for a competing product.  That’s Concentris today.
http://www.concentris-systems.com/management.php


Just to be pedantic, one needs to be concerned with three things here.

Noise - defined as ‘non-coherent signal’.
Interference - defined as coherent (decodable) signal that you didn’t want.
High ‘enough' signal levels causing the 802.11 MAC to block transmit.  (known 
as ‘clear channel assessment’)  The signal level(s) that cause this are 
different for coherent and non-coherent signals.

First, note that 802.11 is very, very polite.  This is by design.

Second let’s look at Thermal Noise power.

I can walk you through the equation, or you can JFGI, but at the end of the 
day, for room temp: -174 dBm per Hz 
• 5 MHz is 67 dBs more than 1 Hz 
• increase of 1 million times = 60 dB 
• increase of 5 times = 7 dB 
• 5 MHz Channel Minimum Noise = -174 + 67 = -107 dBm

And, every doubling of the channel bandwidth is another 3dB more thermal noise. 
Double the channel bandwidth, and 3dB more noise shows up.

20MHz: -101 dBm
40MHz: -98 dBm
80MHz: -95 dBm
160MHz: -92 dBm

Now that we know how much background noise to expect in our channel, the next 
step in figuring out the noise floor is to allow for the thermal energy 
generated by the receiving Wi-Fi equipment. All Wi-Fi equipment dissipates 
thermal energy even when not in the act of transmitting. This energy is a 
result of the heat being given off by the electronics of the device. “Noise 
figure” is the term that refers to the thermal energy given off by the 
electronic device being used. The noise figure varies between vendors and 
designs, but will typically be between 1 and 5 dB.

These are the things that are unavoidable.  They are physics, and will be 
present even in a greenfield deployment.

and for a 40MHz 802.11n channel, we’re already down to something between -97 
(you wish) and -93 (more likely) dBm for a true noise floor.

Now then, a Wi-Fi chip is a communications processor – literally a MODEM with a 
non-wire PHY.

It only knows:
- RF Energy that can be demodulated = Wi-Fi (interference)
- RF Energy that can not be demodulated = Noise

Noise is complicated:
Collisions, fragments, corruption, Wi-Fi that is below sensitivity 
threshold of the receiver
Peaks in Wi-Fi activity can cause all of these to occur.

Other, non-802.11 sources.

Now, for CCA there are two types:
- Energy Detect:  This is quick, runs at low power, but is prone to 
false positives   (power matters for devices with batteries)
- Decode Preamble: This takes time, and the receiver is running, so it 
takes power, but is less prone to false positives.

ED CCA threshold for 802.11b/g is -65 dBm
CCA for 802.11a is different -65 dBm ED, if true then 20 dB lower for Preamble 
interrogation needs to be processed, so -85 dBm

For 802.11n/802.11ac, things get more complicated.  You have to sense on both 
the primary channel, and the secondary channel(s)

Channel width   Signal threshold (primary)   Signal threshold (non-primary)   Energy threshold (non-primary)
20 MHz          -82 dBm                      -72 dBm                          -62 dBm
40 MHz          -79 dBm                      -72 dBm                          -59 dBm
80 MHz          -76 dBm                      -69 dBm                          -56 dBm
160 MHz         -73 dBm                      n/a(*)                           n/a(*)

(*) With 160 MHz channels, there are no secondary channels, so these thresholds 
are not defined.

Now look at the room we have left between the thermal NF (including the NF of 
the receiver) without *any* additional noise or interference due to 
non-coordinated operation, and the level at which an 802.11 will block 
transmit. Now let’s look at the *minimum* SNR required to decode 
802.11g/802.11a rates:

802.11a/b/g Data Rate (Mb/s)   Minimum Required SNR to decode (dB)
1                              4
2                              6
5.5                            8
11                             10
6                              
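The noise-floor arithmetic from the post above (thermal noise per bandwidth, plus receiver noise figure, against the CCA signal thresholds) as an added example; it is not code from the post or from any Wi-Fi vendor. The -174 dBm/Hz figure, the 1-5 dB noise-figure range and the CCA table are the post's values; the 290 K room temperature behind -174 dBm/Hz is assumed.

```python
"""Wi-Fi noise floor and clear-channel headroom. Added example, not from the
post. Thermal noise is -174 dBm/Hz at room temperature (kTB, T = 290 K)."""
import math

THERMAL_NOISE_DBM_PER_HZ = -174.0

# CCA signal-detect threshold on the primary channel, per channel width (dBm),
# as given in the post's 802.11n/ac table.
CCA_PRIMARY_SIGNAL_DBM = {20e6: -82, 40e6: -79, 80e6: -76, 160e6: -73}
# Energy-detect threshold on non-primary channels (dBm); undefined for 160 MHz.
CCA_NONPRIMARY_ENERGY_DBM = {20e6: -62, 40e6: -59, 80e6: -56}


def thermal_noise_dbm(bandwidth_hz: float) -> float:
    """Thermal noise power in a channel: -174 dBm/Hz + 10*log10(bandwidth).
    Doubling the bandwidth adds 10*log10(2), about 3 dB."""
    return THERMAL_NOISE_DBM_PER_HZ + 10 * math.log10(bandwidth_hz)


def noise_floor_dbm(bandwidth_hz: float, noise_figure_db: float) -> float:
    """Receiver noise floor: thermal noise plus the receiver's own noise figure
    (the post quotes 1 to 5 dB depending on vendor and design)."""
    return thermal_noise_dbm(bandwidth_hz) + noise_figure_db


def cca_headroom_db(bandwidth_hz: float, noise_figure_db: float) -> float:
    """dB between the receiver noise floor and the level at which CCA blocks
    transmit on the primary channel. Interference and uncoordinated
    neighbours both eat into this budget."""
    return CCA_PRIMARY_SIGNAL_DBM[bandwidth_hz] - noise_floor_dbm(
        bandwidth_hz, noise_figure_db)


def headroom_table(noise_figure_db: float) -> dict:
    """Rounded headroom for every channel width in the CCA table."""
    return {bw: round(cca_headroom_db(bw, noise_figure_db))
            for bw in CCA_PRIMARY_SIGNAL_DBM}


if __name__ == "__main__":
    for bw in (5e6, 20e6, 40e6, 80e6, 160e6):
        print(f"{bw / 1e6:>5.0f} MHz thermal noise: {thermal_noise_dbm(bw):.0f} dBm")
    for nf in (1, 5):
        print(f"NF {nf} dB, 40 MHz: floor {noise_floor_dbm(40e6, nf):.0f} dBm, "
              f"{cca_headroom_db(40e6, nf):.0f} dB up to the CCA signal threshold")
```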

Re: [pfSense] Cannot Spoof MAC

2015-07-12 Thread Jim Thompson

 On Jul 11, 2015, at 10:13 AM, Doug Lytle supp...@drdos.info wrote:
 
 Working on it today, I've tracked it down to pfSense not being able to spoof 
 their MAC address.

That board runs Realtek LAN parts. 

You can run pfSense on what you wish, but the release process doesn't test this 
platform. 

Jim



Re: [pfSense] 2.2.2-RELEASE Now Available

2015-04-16 Thread Jim Thompson

 On Apr 16, 2015, at 11:54 AM, Chris Buechler c...@pfsense.com wrote:
 
 On Thu, Apr 16, 2015 at 7:53 AM, Vick Khera vi...@khera.org wrote:
 On Wed, Apr 15, 2015 at 6:50 PM, Bob Gustafson bob...@rcn.com wrote:
 
 Today - except for the initial clicks, the process was totally automatic
 
 14:21  Started uploading new version
 14:36  logging started on new version (?)
 14:37  started reinstalling package Asterisk
 15:18  completed reinstalling package Asterisk
 15:18  WebConfigurator starting up
 
 So, roughly an hour - Asterisk reinstall is a big part of this.
 
 
 On modern hardware (pfSense C2758), total time was about 3 minutes from
 command line upgrade invocation (download, install, reboot) until login
 prompt showed up again on the console.
 
 Yeah that's typical of more modern hardware. Or really anything that
 isn't running on CF. The ALIX and CF are really slow when writing a
 lot of data to CF.

and 7551, and 7541, and…

eMMC is so much better here.  CF is a dead end.

Re: [pfSense] pf(4) relative performance: opinions?

2015-04-11 Thread Jim Thompson



 On Apr 11, 2015, at 8:23 PM, Adam Thompson athom...@athompso.net wrote:
 
 I know a lot of performance work has gone into both FreeBSD and pfSense, but 
 I haven't tested the limits in a long time, so I'm asking...
 
 I'm running a pair of firewalls, each with dual Xeon L5520 cpus (4c/8t, 
 2.26GHz, 8M L2), 48GB triple-channel RAM, where all networking occurs on 
 carp(4) interfaces on top of vlan(4) interfaces on top of trunk(4) on top of 
 dual onboard em(4) (Intel 82576). (These are Dell C6100 XS23-TY3 blades, if 
 anyone cares...)
 
 The question is: would pfSense give me better routing performance than 
 OpenBSD on these systems?
 
 Currently these firewalls run OpenBSD, because I needed simultaneous BGP and 
 OSPF, which pfSense [still/once-again] can't do.
 I no longer need to run an IGP at that location, so switching to pfSense is 
 now an option.
 
 OpenBSD's pf(4) engine is still single-threaded, and so are the interrupt 
 handlers, so despite CPU and RAM that would normally be massive overkill, 
 these systems max out at just over 105k-searches per second, which translates 
 to somewhere between 100kpps-200kpps bidirectional.  (I found this out the 
 hard way when someone behind that router decided to scan the entire 
 internet.)  Beyond that, they start dropping packets.  Gracefully, as pf(4) 
 handles queue congestion, but dropped nonetheless.
 
 The OpenBSD team claims that their pf(4) implementation is highly optimized, 
 much more so than it was when FreeBSD imported it.  On the other hand, I'm 
 given to understand that FreeBSD's, or at least pfSense's pf(4) 
 implementation is now multi-threaded, which should theoretically allow 
 scaling further where OpenBSD simply pegs one core.
 
 If I have to, I'll probably just convert one and try to stress-test it.  
 Scanning the entire IPv4 internet should be an adequate stress test :-/.
 
 Comparison data?  *Educated* guesses?  Thoughts?  Although it's pointless to 
 ask, please try to keep baseless fanboi-type opinions to yourselves.  I'm 
 already a fan of pfSense, and I've explained above why I couldn't use it here.

George Neville-Neil and I presented a paper at AsiaBSDcon last month.  Slides 
and paper are attached.  (I hope attachments are OK on-list.)  It clearly
shows that OpenBSD’s “pf” isn’t anywhere near as fast (even on a single CPU) as 
the other popular firewalls.

We’re updating the paper for BSDcan (exploring rtentry locking and why 
11-CURRENT was slower in testing).



Incidentally, one of the results of this paper is an improved (guaranteed 
minimum 3% in PPS, more on large tables), hash algorithm for the pf table(s).  
This is in pfSense 2.2, and has been committed to FreeBSD.

Reyk Floeter gave a rambling presentation on his company Esdenera® Networks 
at the AsiaBSDCon vendor summit.  I don’t think he’d ever put a face with my 
name before the introductions at the start.

Reyk spoke very little about  his product, but made a lot of sideways comments 
about OpenBSD being better, the best distro for security products, etc. 

He, of course, had to make the statements that the “pf in freebsd is old, and 
that the one in openbsd is faster.  I waited.  Then he made a bizarre string of 
statements about the LAGG driver in freebsd being his code stripped of all 
copyright statements. That it would have been nice to get a “thanks”, or a 
donation, or something.   Yes, he really did say, “donation”.

Let’s read the man page together!  
https://www.freebsd.org/cgi/man.cgi?query=lagg%284%29
— quoting —
AUTHORS

The lagg driver was written under the name trunk by Reyk Floeter 
r...@openbsd.org.
The LACP implementation was written by YAMAMOTO Takashi for NetBSD.


Or the actual source code to the driver:

https://svnweb.freebsd.org/base/head/sys/net/if_lagg.c?revision=279891&view=markup

— quoting —
/*  $OpenBSD: if_trunk.c,v 1.30 2007/01/31 06:20:19 reyk Exp $  */

/*
 * Copyright (c) 2005, 2006 Reyk Floeter r...@openbsd.org
 * Copyright (c) 2007 Andrew Thompson thom...@freebsd.org
 * Copyright (c) 2014 Marcelo Araujo ara...@freebsd.org
 *
 * Permission to use, copy, modify, and distribute this software for any
[…]


So, it’s there, for everyone to see.

At the end of Reyk’s presentation, when question time came, Warner Losh raised 
his hand, to ask what Reyk meant by his statement that all the copyrights had 
been taken off his code, because he was looking right at them.

So Reyk had to cover with saying that he had read a FAQ entry, somewhere that 
didn’t mention him.   All the FreeBSD people were … floored?  No.  Nonplussed?  
Yes, better.

I then asked Reyk about why the OpenBSD people seem to like to apply a label of 
“old” to the pf in FreeBSD.   I asked him to name specifics, *other than 
changes to the grammar of the config file*, and the only thing he could come up 
with is that OpenBSD’s pf will carry the reference to the state table along 
though the pf code, while FreeBSD will perform a second 

Re: [pfSense] Console is in cyrillic

2015-03-17 Thread Jim Thompson
Unless you’ve changed it, the baud rate on an Alix is 38400
https://doc.pfsense.org/index.php/Console_Types

Jim

 On Mar 17, 2015, at 4:45 PM, Jeremy Bennett jbenn...@hikitechnology.com 
 wrote:
 
 So I recently resolved my serial port issue and was able to start reviving 
 this Alix box.
 
 Made sure that the firmware was .99h
 
 Wrote the new pfsense 2.2 2 GB image to a CF card.
 
 Slotted it into the Alix – terminal set to 115200 Baud rate, data was 8 bit, 
 parity is none and stop is 1 bit – all per the documentation.
 
 (for reference I'd just done this on another unit and everything worked great)
 
 On this particular unit, the console text appears to be in a cyrillic or 
 greek typeface... is that a problem?
 
 I can login to the normal GUI and all appears fine.
 
 Any ideas on why the console is looking this way? Will this be an issue down 
 the road, or should I just leave well enough alone?
 
 Mahalo,
 Jeremy

Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Jim Thompson

 On Mar 4, 2015, at 12:54 AM, Bryan D. pfse...@derman.com wrote:
 
 Today, having received a pair of SuperMicro AOC-SG-i2 NICs from the pfSense 
 store, I asked about the applicable pfSense offloading settings (via the 
 pfSense contact form).
 
 
 Receiving an oblique (non-)response, I re-sent a query that included the 
 following text:
 ---
 [...] specifically, what should the pfSense settings be for:
 - Hardware Checksum Offloading
 - Hardware TCP Segmentation Offloading
 - Hardware Large Receive Offloading
 
 I.E., can each of these be enabled when using AOC-SG-i2 NICs?
 
 With my current systems, segmentation and large receive offloads are 
 disabled.  I don't remember what the default was (and it's not stated on the 
 configurator page) [...]
 
 Understand that the configurator page has warnings about these capabilities 
 being ... broken in some hardware drivers, ... so, even though the NICs are 
 spec'd to support these capabilities, there's still the question whether the 
 drivers work properly [...]  That's the reason for my query.
 ---
 
 
 To which I received the following response (an attitude that left me feeling 
 considerably less enthusiastic about trying to support the project):
 ---
 We do not provide pfSense support for these cards unless they are installed 
 in a system we sell. My suggestion is to search the forums for the tuning you 
 desire.
 
 I know this is not the answer you desire but that is our official response.
 ---
 
 For the record, I don't really consider these questions to be support ... 
 just a clarification of the specs, which should be straightforward given that 
 it's a 1-product organization (and would be best stated on the store's 
 web-page).

Answering any question post-sale is “support”.   You are using a free open 
source product. The only cost to you is to figure out how to make it work.  If 
you are unable or unwilling, then we (and others) offer paid support options.  
There is also, as whomever from Netgate explained, support options including 
the forum and this list.

 Does anyone know the answer to my questions about the various offloading 
 settings that should be used with these cards?

LRO works by aggregating multiple incoming packets from a single stream into a 
larger buffer before they are passed higher up the networking stack, thus 
reducing the number of packets that have to be processed.

LRO should not be used on machines acting as routers, (and it is quite likely 
that you’re using pfSense as a router or, equivalently, a router), as it breaks 
the end-to-end principle and can significantly impact performance.

TSO is similar, but for sending.  It works by queuing up large buffers and 
letting the network interface card (NIC) split them into separate packets just 
before transmit.

Both LRO and TSO can help if you are an endpoint, *not a router*.   If you were 
using pfSense as an appliance (say, for DNS), they would possibly help 
performance.

Now onto “hardware checksum offload”:

First, let’s briefly discuss where checksumming is used.

The Ethernet hardware calculates the Ethernet CRC32 checksum and the receive 
engine validates this checksum. If the received checksum is wrong pfSense won’t 
even see the packet, as the Ethernet hardware internally throws away the 
packet.  (There are exceptions, such as if the interface is in promiscuous 
mode.)

Higher level checksums are “traditionally” calculated by the protocol 
implementation and the completed packet is then handed over to the hardware.  
Recent network hardware can perform the IP checksum calculation, also known as 
checksum offloading. The network driver won’t calculate the checksum itself but 
will simply hand over an empty (zero or garbage filled) checksum field to the 
hardware.

Some cards will additionally process TCP and UDP checksums, as above, this 
isn’t going to be of any value on a router.

It’s possible, if everything else is right, that IP checksum offload can 
provide a modest performance improvement, but this is unlikely to be more than 
“noticeable” at the speeds where most individuals run pfSense.   However, at 
10Gbps (or above), these engines become quite useful.   Support for these is an 
important component of our “3.0” effort.

In case it’s not clear by now, these settings are all *disabled* by default in 
pfSense.

Jim
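The IP header checksum the reply above describes, as an added example (not pfSense or FreeBSD driver code): the software path computes and writes it, the receive path validates it, and the zeroed field is what the driver hands to the NIC when checksum offload is on. The header bytes are constructed; the algorithm is the RFC 1071 ones'-complement sum.

```python
"""IPv4 header checksum in software, and why a router touches it on every
packet. Added example; the header below is constructed, not captured."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd length with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum over the header with its checksum field (bytes 10-11) as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def fill_checksum(header: bytes) -> bytes:
    """Software path: the stack writes the computed checksum into the header.
    With hardware checksum offload the driver skips this and the NIC does it."""
    return header[:10] + struct.pack("!H", ipv4_header_checksum(header)) + header[12:]


def verify_checksum(header: bytes) -> bool:
    """Receive side: summing a correct header including its checksum gives 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Constructed 20-byte header with the checksum field left zero, the way a
    driver hands it to an offloading NIC (or to fill_checksum() above)."""
    def ip_bytes(addr: str) -> bytes:
        return bytes(int(octet) for octet in addr.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       0x4000, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))


if __name__ == "__main__":
    hdr = build_ipv4_header("172.16.10.99", "172.16.10.12", 40)
    done = fill_checksum(hdr)
    print("checksum = 0x%04x, valid = %s" % (ipv4_header_checksum(hdr),
                                              verify_checksum(done)))
    # A router decrements TTL; forwarding without recomputing breaks the checksum,
    # which is the work checksum offload would take off the CPU at 10 GbE.
    forwarded = done[:8] + bytes([done[8] - 1]) + done[9:]
    print("after TTL decrement without recompute, valid =", verify_checksum(forwarded))
```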





Re: [pfSense] Dual Port NIC ports

2015-02-21 Thread Jim Thompson

 On Feb 21, 2015, at 5:26 PM, Joe Laffey j...@laffey.tv wrote:
 
 Hi,
 
 Is there any advantage or disadvantage to using the the two port on a dual 
 port NIC vs. one port each on two different dual port NICs?

at 1Gbps or below?  No, assuming they’re PCIe NICs and have a correct MSI-X 
implementation.   Anything older than these technologies shouldn’t be going 
into a “new build”.

at rates above 1Gbps?  Yes, depending, ... but I’m not ready to discuss it.


Re: [pfSense] Release 2.2 - Wake on Lan different behaviour on alix and apu

2015-01-27 Thread Jim Thompson
open a bug report.

 On Jan 27, 2015, at 3:51 AM, WolfSec-Support supp...@wolfsec.ch wrote:
 
 Hello,
 
 
 ALIX issue:
 I can confirm this.
 In WebGUI on Alix the WoL is not working any more
 
 I can confirm:
 wake vr0 e0:cb:4e:xx.yy.zz
 is working on command line
 
 May also other platforms are affected ?
 I have actuall only some ALIXes which use WoL feature fore some clients 
 
 Best Regards,
 Stephan
 
 
 
 2015-01-27 9:10 GMT+01:00 Chris Suter chris.su...@loewenfels.ch 
 mailto:chris.su...@loewenfels.ch:
 Hello,
 Upgrade worked fine on multiple hardware installations (all on alix / apu). 
 The only thing I've realised is, that WOL via the Web is not working on the 
 Alix Plattform, on my APU it seems working well.
 If I issue the commands:
 wake vr1 :xx:xx:
 wol -i xx.xx.xx.255 xx:xx:xx:..
 pc seems o wake up correctlly.
 Does someone have the same hardwares who can test?
 
 
 Regards
 Chris

Re: [pfSense] VFA VPN throughput?

2015-01-20 Thread Jim Thompson

 On Jan 20, 2015, at 4:53 PM, Adam Thompson athom...@athompso.net wrote:
 
 Jim/other:
 
 Do you have any guidelines for sizing VPN throughput when using the pfSense 
 Certified VFA ?
 
 -- 
 -Adam Thompson
 athom...@athompso.net
 

Adam,

This isn’t really a subject for the list-at-large, but I’ll answer here so 
others don’t think I’ve ignored the request.

Quick questions:

- What is the speed/type of hardware you’re deploying on?  (The bare metal, 
number/type of cores, type of Ethernet(s), etc.)
- Are hw crypto accelerators acceptable?   (We’re enabling QuickAssist (yes, 
for FreeBSD, too), and will probably include same in a future version of the 
appliance.)
- Does the underlying hw support AES-NI?   
- If so, is AES-GCM an acceptable ESP transform?

Jim


___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Jim Thompson




 On Jan 8, 2015, at 9:23 AM, Seth Mos seth@dds.nl wrote:
 
 Bryant Zimmerman schreef op 8-1-2015 om 15:28:
 We are working on getting our own ASN with ARIN so we can get our own
 blocks of address.
 We are doing this because we are using multiple ISP's and want to
 announce our own addresses, for better fail over.
 
 It's so much nicer than multi-wan, I don't regret it in the least.
 
 We are currently using pfSense boxes with CARP at both our locations.
 Will the open BGP package available for pfSense work correctly with --4
 Byte ASN's
 
 Yes
 
 --Does carp function correctly with Open BGP for fail over.
 
 You do not want to use CARP with BGP in any situation. Each node
 needs its own session with the remote BGP peer. You need to use iBGP
 between the nodes instead.

We run a pair of c2758s behind each link and CARP between these, announcing the 
routes out via BGP.  (Technically this occurs on a different pair (R200) boxes 
that play the role of router (one per link).

We run BIRD on these.  It's ... better than OpenBGPD. 

 
 Regards,
 
 Seth
 
 
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] support costs?

2015-01-05 Thread Jim Thompson
sa...@netgate.com

Mahalo Nui Loa,

-- Jim

 On Jan 5, 2015, at 4:22 PM, Rick Payton r...@mai-hawaii.com wrote:
 
 Aloha,
 
 I'm working on a list of firewalls that can act as a VPN endpoint to 
 recommend for a small remote waste water treatment plant (it currently runs a 
 consumer level netgear router, with VNC port forwarded back to the HMI), and 
 I need to factor in support subscription costs.
 
 Is there a direct e-mail address I can hit at either Netgate or ESF to 
 discuss cost and what's included, or is it ok to discuss it here?
 
 Mahalo,
 
 Rick Payton, I.T. Manager
 Morikawa  Associates, LLC
 (808) 572-1745 Office
 (808) 442-0978 eFax
 (808) 344-8249 Mobile
 www.mai-hawaii.com 
 
 
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-10 Thread Jim Thompson


 On Dec 10, 2014, at 1:16 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote:
 
 On 10/12/14 3:30 pm, Giles Coochey wrote:
 http://tools.ietf.org/html/rfc6598
 Ultimately, it's a crap shoot, and the solution is to use IPV6 and 6:4
 NAT for legacy.
 
 If only someone could have foreseen that IPv4 would run out sooner or later... 
 oh wait, we did, didn't we, about a decade ago. :-)

About a decade?

We were working on SIP (which became IPv6), TUBA, etc in the early 90s. 

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Disconnected

2014-11-04 Thread Jim Thompson


 On Nov 4, 2014, at 6:15 AM, Ryan Coleman ryan.cole...@cwis.biz wrote:
 
 As Jim pointed out so abruptly yesterday (and you have not acknowledged), 
 you haven't stated what version of pfSense you are running.

Without this, we're left to guess. 
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-31 Thread Jim Thompson

 On Oct 30, 2014, at 3:06 PM, Jeppe Øland jol...@gmail.com wrote:
 
 On Thu, Oct 30, 2014 at 8:33 AM, Jim Thompson j...@smallworks.com wrote:
 On the other hand, I tend to distrust manufacturers that shipped
 completely unreliable drives without any thought.
 Kingston/OCZ/Crucial are all in this boat for me.
 
 I’m sure I’ve been burned at least as badly by these, and others, and I
 still buy from them.
 
 What can you do? The speed increase from SSDs in a PC means its almost
 impossible to go back to an HDD.
 And in a firewall/appliance, the benefits from no moving parts/lower
 power/heat/noise is hard to ignore.
 
 As for Nano, I thought it mounted almost everything as RO and only
 changed settings to write down settings changes, and RRD databases etc
 on reboots?
 
 I think I’ve already responded to this.
 
 nano is a 10 year old “solution” to the problems that existed at the time.
 http://markmail.org/message/rxe4xfpmdwva7q3e
 
 That doesn’t mean it’s a bad solution, but though its author is a brilliant
 individual, he obviously didn’t envision SSD in 2004.
 
 Are you saying the nano release only covers the boot-slices?

See how there are three partitions in the below?  Observe the sizes 
(“922257 sectors”) of the first two.

$ file pfSense-2.1.5-RELEASE-1g-amd64-nanobsd-20140825-0744.img 
pfSense-2.1.5-RELEASE-1g-amd64-nanobsd-20140825-0744.img: x86 boot sector; 
partition 1: ID=0xa5, active, starthead 1, startsector 63, 922257 sectors; 
partition 2: ID=0xa5, starthead 1, startsector 922383, 922257 sectors; 
partition 3: ID=0xa5, starthead 0, startsector 1844640, 102816 sectors, code 
offset 0x31

 I thought the nano/embedded versions also write less to the disk.
 I don't have a full install handy to check, but the nano install
 definitely mounts the drive RO, and all runtime stuff (/var, /tmp) is
 run out of RAM disks.

Yes, and I am aware of the differences with the “nano” builds.

CF devices don’t have the same type of sophisticated wear-leveling and virtual 
block remapping that modern SSDs and eMMC devices have.

Yes, I am saying that compression (which on a modern 64-bit Intel / AMD CPU is 
way faster than disk I/O (yes, even to a SSD)) and making those sectors 
available to the drive has
potentially far greater impact than the crippled nature of the “nano/embedded” 
version.

We’re not changing this for pfSense software version 2.2, but you can bet 
$CURRENCY to $SNACK_FOOD that it’s being evaluated and tested for something 
subsequent.  


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
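To make the point about the image layout concrete, here is an added Python example (not the poster's code, and not anything from the pfSense project) that parses the `file` output quoted in the message above and reports what each slice occupies. It assumes 512-byte logical sectors, which `file` does not state, and it flags the "two identical slices" layout that the post draws attention to, plus the alignment slack between slices.

```python
import re

# Constructed input: the `file` output quoted in the post for the 1g nanobsd image.
FILE_OUTPUT = (
    "pfSense-2.1.5-RELEASE-1g-amd64-nanobsd-20140825-0744.img: x86 boot sector; "
    "partition 1: ID=0xa5, active, starthead 1, startsector 63, 922257 sectors; "
    "partition 2: ID=0xa5, starthead 1, startsector 922383, 922257 sectors; "
    "partition 3: ID=0xa5, starthead 0, startsector 1844640, 102816 sectors, "
    "code offset 0x31"
)

SECTOR_BYTES = 512  # assumption: 512-byte logical sectors (MBR convention); not stated by `file`
FREEBSD_SLICE_ID = 0xA5

# One MBR entry as `file` prints it; "active," is only present on the boot slice.
PART_RE = re.compile(
    r"partition (?P<num>\d+): ID=(?P<id>0x[0-9a-fA-F]+),"
    r"(?P<active> active,)? starthead \d+, startsector (?P<start>\d+), "
    r"(?P<count>\d+) sectors"
)


def parse_partitions(text):
    """Extract the MBR entries from `file` output into a list of dicts."""
    parts = []
    for m in PART_RE.finditer(text):
        parts.append({
            "num": int(m.group("num")),
            "id": int(m.group("id"), 16),
            "active": m.group("active") is not None,
            "start": int(m.group("start")),
            "sectors": int(m.group("count")),
        })
    return parts


def size_mib(part):
    """Size of one partition in MiB under the 512-byte sector assumption."""
    return part["sectors"] * SECTOR_BYTES / (1024 * 1024)


def dual_slice_layout(parts):
    """Return the two slices if partitions 1 and 2 are equal-sized FreeBSD slices
    (the nanobsd A/B layout where one slice is idle at any time), else None."""
    if len(parts) < 2:
        return None
    a, b = parts[0], parts[1]
    if a["id"] == b["id"] == FREEBSD_SLICE_ID and a["sectors"] == b["sectors"]:
        return a, b
    return None


def gaps(parts):
    """Unused sectors between the end of each partition and the start of the next."""
    return [nxt["start"] - (prev["start"] + prev["sectors"])
            for prev, nxt in zip(parts, parts[1:])]


def main():
    parts = parse_partitions(FILE_OUTPUT)
    for p in parts:
        print(f"partition {p['num']}: {size_mib(p):.1f} MiB, active={p['active']}")
    print("gaps between partitions (sectors):", gaps(parts))
    print("nanobsd dual-slice layout:", dual_slice_layout(parts) is not None)


if __name__ == "__main__":
    main()
```

Run against the quoted output it reports two 450.3 MiB slices plus a 50.2 MiB config slice, so roughly half of the written image is the inactive slice the next message calls "an entire partition full of bits that are unlikely to ever be used".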

Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread Jim Thompson


On Oct 30, 2014, at 7:14 AM, Jason Pyeron jpye...@pdinc.us wrote:

 -Original Message-
 From: Jeppe Øland
 Sent: Wednesday, October 29, 2014 18:46
 
 I've been on an Atom board with a Kingston SSD for like 3 
 years now ...
 In that time I've gone through 3 dead SSDs (which Kingston replaced).
 Due to that I'm now running the nano build ... the SSD seems to hold
 
 We use the 32GB sandisk [http://amzn.com/B008U3038I] drives with a nano 
 install, but the slack space is an extra partition which can be used as 
 needed.

One of the ways that SSD life can be extended is to write less than the full 
disk. 


If your device supports it, sometimes these unused sectors can be used for 
remapping and included in the wear-leveling algorithms. 

Of course, the nano builds contain an entire partition full of bits that are 
unlikely to ever be used AND which can't be used as spare blocks (because 
entirely useless bits occupy your SSD.)

Simply using a larger SSD (that has a decent wear-leveling algorithm) will 
greatly increase the TBW figure. 

Compression is another tool. Again, fewer bytes written.

Finally, the eMMC parts we use on the coming Netgate boards can be put in a 
mode that halves the capacity in exchange for a 5X increase in write endurance. 

“Just use the nano build” isn't going to cut it. 

Jim


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread Jim Thompson

 On Oct 30, 2014, at 9:28 AM, Jeppe Øland jol...@gmail.com wrote:
 
 3 year old Kingston SSDs are not like new Kingston SSDs.
 
 Agreed.
 
 On the other hand, I tend to distrust manufacturers that shipped
 completely unreliable drives without any thought.
 Kingston/OCZ/Crucial are all in this boat for me.

I’m sure I’ve been burned at least as badly by these, and others, and I still 
buy from them.

Samsung 840s are the darling of the “cheap, fast SSD” and they turn out to 
suck, too:
http://www.pcper.com/news/Storage/Samsung-Germany-acknowledges-840-Basic-performance-slow-down-promises-fix

 As for Nano, I thought it mounted almost everything as RO and only
 changed settings to write down settings changes, and RRD databases etc
 on reboots?

I think I’ve already responded to this.

nano is a 10 year old “solution” to the problems that existed at the time.
http://markmail.org/message/rxe4xfpmdwva7q3e

That doesn’t mean it’s a bad solution, but though its author is a brilliant 
individual, he obviously didn’t envision SSD in 2004.

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread Jim Thompson

 On Oct 30, 2014, at 3:39 PM, Dave Warren da...@hireahit.com wrote:
 
 On 2014-10-30 13:06, Jeppe Øland wrote:
 On Thu, Oct 30, 2014 at 8:33 AM, Jim Thompsonj...@smallworks.com  wrote:
 On the other hand, I tend to distrust manufacturers that shipped
 completely unreliable drives without any thought.
 Kingston/OCZ/Crucial are all in this boat for me.
 
 I’m sure I’ve been burned at least as badly by these, and others, and I
 still buy from them.
 What can you do?
 
 Buy quality instead of junk? I've been burned by OCZ and Crucial for sure 
 (including silent write failures!), although I'm not sure I've ever had a 
 Kingston.
 
 http://techreport.com/review/26058/the-ssd-endurance-experiment-data-retention-after-600tb
 
 tl;dr: Buy Intel, or very specific Samsung SSDs. For non-endurance testing, 
 you'll have better reliability out of a modern, quality SSD than rotational 
 drives, both on a per-drive and per-GB basis.

We’ve already shown that specific Samsung SSDs are flawed.  Others have already 
pointed out that not all “Intel” SSDs are created equal.  

We’re using Kingston eMMCs on the coming netgate hardware.  We ship *specific* 
Intel SSDs (purchased in volume) for those systems sold with an SSD in the 
pfSense Store.

 The speed increase from SSDs in a PC means its almost
 impossible to go back to an HDD.
 And in a firewall/appliance, the benefits from no moving parts/lower
 power/heat/noise is hard to ignore.
 
 There are use cases for rotational drives, primarily where $/GB is a factor 
 and performance isn't, but I tend toward small SSDs over rotational drives 
 unless there is a strong use-case for bulk storage. I really can't imagine 
 using a workstation without a SSD as primary storage though, I just don't 
 have the patience.
 
 Even a cheapo 30GB/60GB/whatever SSD is more than enough for pfSense and 
 makes a far more reliable solution than external flash.

I strongly disagree.  SSDs have to be part of a system, especially in an 
embedded environment.   The debacle with the “cheap 30GB” m-sata drive from PC 
Engines earlier in the year (they had to take them all back) should amply 
demonstrate why thinking such as what you express here is deeply flawed.

I’m getting a bit tired of the “shove a bunch of components together; expect it 
to work; complain about pfSense when it doesn’t” approach shown by some in the 
community.

You can do what you wish, of course.  You don’t *have* to buy solutions from 
pfSense, but pfSense solutions are “best of breed” (given certain constraints).
We definitely don’t buy “cheapo xx/yy/whatever SSDs”.   The big reason for this 
is that the consequences for “you” (the royal you) being wrong are a few 
hundred dollars.
The consequences for us being wrong can run to hundreds of thousands of dollars 
(or higher).   “Oh crap, my SSD failed” takes on a whole new meaning when you 
realize that there are thousands more in the world that are about to suffer the 
same fate, and you offered a warranty.

The “use case” for rotational drives is still present for high-write 
environments.  (I was just discussing this with a customer at lunch today.)

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread Jim Thompson

 On Oct 30, 2014, at 7:35 PM, Dave Warren da...@hireahit.com wrote:
 
 On 2014-10-30 17:15, Jim Thompson wrote:
 On Oct 30, 2014, at 3:39 PM, Dave Warren da...@hireahit.com wrote:
 Buy quality instead of junk?
 ...
 Even a cheapo 30GB/60GB/whatever SSD is more than enough for pfSense and 
 makes a far more reliable solution than external flash.
 I strongly disagree.SSDs have to be part of a system, especially in an 
 embedded environment.   The debacle with the “cheap 30GB” m-sata drive from 
 PC Engines earlier in the year (they had to take them all back) should amply 
 demonstrate why thinking such as what you express here is deeply flawed.
 
 Sorry if I wasn't clear, I meant a cheapo SSD because it's small -- I'm 
 suggesting you don't need to invest in a large or fast SSD for pfSense, but 
 rather, cheap out on size, while getting a quality device built for lifespan 
 and reliability.

Understood, but even here your suggestion is out of date with respect to the 
current state-of-the-art.  Assuming a decent wear-leveling implementation, 
larger drives will last longer for a given amount of data written.  In the same 
way that, when flying an airplane, you can trade altitude for glide, with modern 
SSDs you can trade capacity for endurance.

(It also matters *how* you write the data.)

In the below, I’m quoting JEDEC-219 compliant numbers/stats.

Here’s an equation you might want to think about.

Total writes to the device = (Max endurance cycles) * (total partition 
capacity) / (WAF)

Where Maximum Endurance Cycles = the total number of program erase cycles each 
block in the NAND flash can withstand. For the current generation of MLC flash 
this is 3,000 Program-Erase Cycles.

Write Amplification Factor (WAF) = is a result of wear leveling activity to 
some degree and the nature of writes to the flash. The actual nand flash is 
written in units of pages. For the current generation of flash, this page size 
is typically 16K Bytes. If the nature of writes are sequential within the 16K 
page, then the WAF should be low. However if this write information is not 
contiguous, or is interrupted by another write stream then the partial page 
will be programmed to the NAND flash. In general, random writes will contribute 
to higher WAF.

Ideally we would want WAF to be 1. However, this is the real world, and we have 
seen this go as high as 20 in some applications with non-ideal writing 
behavior. (Very poorly behaved, always non-contiguous or interrupted write 
streams, e.g. logging or sql databases.)

Example:
Application that writes 100 MB of data to the device per day. 
100 MB / day * 365 days / year = 36.5 GB / year

Let’s assume a standard mode 4GB CF card/USB/… with perfect wear-leveling 
(LOL!):

Best case:
For WAF = 1, standard mode 30GB part:
Total Writes = (3,000) * (4GB) / 1 = 12 TB
 With the above data this yields: 12,000 / 36.5 = 329 years

Worst case:
WAF = 20, standard mode 4GB part:
Total Writes to reach endurance = (3,000) * (4GB) / 20 = 600 GB of data written 
will exceed endurance
With the above data this yields: 600 / 36.5 = 16.4 years

This is how a “commodity” flash/SSD vendor (or a shill^W “technology 
journalist”) will talk to you:  “It will take more than 16.4 years to wear out 
the disk!”

The reality is that with the 3000 program-erase cycles rating of today's 
underlying MLC cells, the 30GB part can support a worst case 600GB of data
writes assuming very poorly behaved, always non-contiguous or interrupted write 
streams.  Best case assuming purely contiguous writes would be 12TB. 

Actual worst case without effective wear-leveling (as was the case with CF 
cards and a lot of the early SSDs) would be 3,000 writes to a single 16K page.  
(Thus the “don’t swap to an SSD!” advice so often heard.)  Do this, and “Boom!” 
the sector is dead (or will be quite soon.)  If this was in a file that you 
needed (or worse, a filesystem metadata block), *poof* goes your data.  Bummer, 
dude.   This is *also* why SLC flash is often recommended for applications that 
require high write-endurance.  SLC flash can endure approximately 10X the 
program-erase cycles of MLC flash in a given lithography.

The direct result is that today you see a lot of people attempting to quote 
“TBW” (terabytes written) when talking about SSD / flash endurance, but even 
then they don’t talk about WAF very often.

Once you start thinking about it, it’s not very difficult to figure out that it 
doesn’t take long to write 600GB on a very busy system, that does a lot of 
short writes due to logging, etc.

Now go run the numbers yourself for a larger SSD (and you can assume 
wear-leveling).   Double the size of the device, and you’ll double the TBW 
figure, assuming everything else stays the same.  Larger density devices will 
yield correspondingly higher total write endurance since (QED!) they have more 
blocks of NAND in them.

Here is the kicker: the eMMCs we’re using on the coming Netgate hardware (that 
yes
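The endurance arithmetic in the message above, as an added Python example that is not the poster's code: it implements the quoted formula (max endurance cycles times capacity, divided by WAF), reproduces the post's best and worst cases, and also carries the two related claims from the thread, that doubling capacity doubles the total writes and that the eMMC mode described earlier halves capacity for a 5x endurance gain. The eMMC mode function is a hypothetical model of that statement, not a vendor API. Units are decimal (1 TB = 1000 GB) to match the post's 12 TB figure.

```python
# Endurance figures from the post (JEDEC-219 style numbers as quoted there).
MLC_PE_CYCLES = 3000                  # program-erase cycles per block, current-gen MLC
SLC_PE_CYCLES = 10 * MLC_PE_CYCLES    # post: SLC endures ~10x MLC in a given lithography
NAND_PAGE_BYTES = 16 * 1024           # post: typical page size is 16K


def total_writes_gb(pe_cycles, capacity_gb, waf):
    """Host data (GB) the device can absorb before every block reaches its P/E rating.
    Formula from the post: (max endurance cycles) * (total partition capacity) / WAF."""
    if waf < 1:
        raise ValueError("WAF cannot be below 1: the flash never writes less than the host sends")
    return pe_cycles * capacity_gb / waf


def years_of_life(total_gb, daily_write_mb):
    """Years until the total-writes budget is consumed at a constant daily write rate."""
    yearly_gb = daily_write_mb * 365 / 1000
    return total_gb / yearly_gb


def hot_page_bytes_before_failure(pe_cycles=MLC_PE_CYCLES, page_bytes=NAND_PAGE_BYTES):
    """Post's no-wear-leveling worst case: one page rewritten in place dies after
    pe_cycles rewrites, i.e. after only pe_cycles * page_bytes of data."""
    return pe_cycles * page_bytes


def emmc_enhanced_mode(pe_cycles, capacity_gb):
    """Hypothetical model of the mode the thread describes for the coming eMMC parts:
    half the capacity in exchange for 5x the write endurance. Returns (cycles, capacity)."""
    return pe_cycles * 5, capacity_gb / 2


def scenarios(daily_write_mb=100):
    """The post's example (100 MB/day) across the cases discussed in the thread."""
    out = {}
    # Best case from the post: WAF = 1 on a 4 GB part.
    best = total_writes_gb(MLC_PE_CYCLES, 4, 1)
    out["4GB WAF=1"] = (best, years_of_life(best, daily_write_mb))
    # Worst case from the post: WAF = 20 on the same part.
    worst = total_writes_gb(MLC_PE_CYCLES, 4, 20)
    out["4GB WAF=20"] = (worst, years_of_life(worst, daily_write_mb))
    # Doubling capacity doubles the budget, everything else equal.
    bigger = total_writes_gb(MLC_PE_CYCLES, 8, 20)
    out["8GB WAF=20"] = (bigger, years_of_life(bigger, daily_write_mb))
    # eMMC enhanced mode: 5x cycles on half the capacity, net 2.5x the budget.
    cycles, cap = emmc_enhanced_mode(MLC_PE_CYCLES, 4)
    emmc = total_writes_gb(cycles, cap, 20)
    out["4GB eMMC enhanced WAF=20"] = (emmc, years_of_life(emmc, daily_write_mb))
    return out


if __name__ == "__main__":
    for name, (gb, years) in scenarios().items():
        print(f"{name:28s} {gb:8.0f} GB total writes  {years:6.1f} years at 100 MB/day")
    print(f"no wear-leveling, one hot 16K page: {hot_page_bytes_before_failure() / 1e6:.1f} MB")
```

The last line is the contrast the post draws: with wear-leveling the 4 GB part survives hundreds of gigabytes even at WAF 20, but a single page rewritten in place (a hot log file or swap) is rated for only about 49 MB of data before it is gone, which is why logging-heavy workloads dominate the endurance budget.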

Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread Jim Thompson

 On Oct 30, 2014, at 8:00 PM, compdoc comp...@hotrodpc.com wrote:
 
  Things will get outrageous soon with the advent of M.2 PCI SSDs on a x4 
  connection.
 
 The speeds of m.2 on x4 do look amazing. 
 
Now explain why a M.2 PCIe x4 SSD would be more expensive than a M.2 SATA SSD. 
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] cheapest netgate/esf h/w with wireless?

2014-10-26 Thread Jim Thompson




 On Oct 26, 2014, at 12:51 PM, athompso athom...@athompso.net wrote:
 
 Jim, I have three related h/w questions:
 1. what's the cheapest h/w currently available from ESF or Netgate that has 
 (or at least supports) being an AP?

Technically, the Alix, when we can get them.  
Not that you want an Alix. 

 2. Is the APU2 the cheapest pre-built, pre-integrated, supported option that 
 runs pfSense?

If by cheapest you mean least expensive, then yes. 

 3. Is the VK-T40E from ESF the same thing as the APU2 from Netgate, and if 
 so, why the $200 difference in price?

To support the project. 

Jim
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfsense h/w

2014-10-24 Thread Jim Thompson

This list is not about Ubiquiti.   (At least not until we make pfSense 
available on Ubiquiti platforms.)

Please take the discussion elsewhere.

jim


 On Oct 24, 2014, at 12:38 PM, Josh Reynolds j...@spitwspots.com wrote:
 
 I am the CIO of a WISP who uses their products, and does a lot of alpha/beta 
 testing for them and other vendors... I may be a little biased.
 
 The M series gear is pretty good kit for point to point or point to multi 
 point applications. AirFiber is great for ~10 mile or less shots, with 
 bandwidth a little over 765Mbps full duplex on short range shots with the 
 AF24. The new UniFi products are looking good, basically local or remote 
 cloud managed routers, switches, access points, and phones, with plans to 
 fold the unifi-video line directly in, as well as the mFi sensor line into 
 the same interface. The camera hardware is getting better, but the native 
 camera feature set needs work... I can't seem to get it pounded into peoples 
 heads that RTSP and cookieless jpg snapshots should be native on the cameras 
 themselves.
 
 1M pps routing for $99 on an edgerouter-lite ain't a bad gig. I'd still like 
 to see more work done on the HA front - I need more than VRRP. The QoS engine 
 and firewall engines could both stand to be rebuilt, and might be in the 
 fairly near future. The standard 8 port edgerouter and edgerouter pro models 
 are pretty nice. I'm excited to see how the carrier and other future models 
 turn out.
 
 There -- that's a quick writeup that should be useful for people on this list.
 
 
 
 
 
 
 
 Did Thompson molt yet?
 Josh Reynolds, Chief Information Officer
 SPITwSPOTS, www.spitwspots.com
 On 10/24/2014 05:53 AM, Ryan Coleman wrote:
 I presume UBNT is Ubiquiti? 
 
 I'm probably going to start testing their hardware for other applications (I 
 work in the video surveillance industry as well as high capacity wifi) and 
 I'd be curious to get some pros/cons from those who know... so please email 
 me off list (so as not to offend the other Thompson on the list... he might 
 molt on me anyway). 
 
 Sliante! 
 
 
 On 10/24/2014 4:03 AM, Adam Thompson wrote: 
 [One public correction, nothing to do with Godwin's law!  -Adam] 
 
 On 14-10-23 08:36 PM, Jim Thompson wrote: 
 Not that UBNT is a paragon of openness, either, 
 “either”? Wow. Strike 2. 
 That wasn't a dig at you or ESF or NG - I was thinking of Brocade when I 
 wrote that.  I could also use UBNT's competitor, MikroTik, as a good 
 example of how to build decent products the wrong way, but Brocade was my 
 target here.  You're a paragon of open-source stewardship in comparison! 
 
 

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] pfsense h/w

2014-10-24 Thread Jim Thompson
Josh,


First, did you not read the part where I said, “(At least not until we make 
pfSense available on Ubiquiti platforms.)” ??

Note that I’ve *always* said that pfSense software on the ERL will occur 
*after* (emphasis: **AFTER**) the regular 2.2 release.

WAIT, BACK UP. DID YOU READ THE AFTER PART?  I just want to be clear.

A-F-T-E-R

Now, since you asked,

There is currently an upstream problem with the (MIPS) toolchain.  Once we have 
that sorted, the effort will resume.  We’re also in a (much) deeper
relationship with Cavium now, so there is a possibility that we can put some of 
the acceleration bits in with time.

Frankly, there is an internal build of pfSense software for the Beaglebone 
Black, too.  Not that we’re planning on selling BBB (though Netgate
will be selling same) with pfSense software pre-loaded, but it does allow us to 
work out the kinks in the process to support architectures other
than i386 and amd64.

But this is all still very back-burner compared to the effort to get pfSense 
2.2 to a RELEASEd status.

The lizard has spoken.

Jim

 On Oct 24, 2014, at 5:37 PM, Josh Reynolds j...@spitwspots.com wrote:
 
 Shouldn't the EdgeRouter lite support pfsense with the 2.2 release?
 
 Your own post:
 When what I'm trying to do is make pfSense available on an inexpensive
 platform.  It should perform better than an Alix, even without the
 private-SDK stunts.
 
 Jim
 
 from: http://lists.pfsense.org/pipermail/dev/2013-November/000448.html
 Josh Reynolds, Chief Information Officer
 SPITwSPOTS, www.spitwspots.com
 On 10/24/2014 10:14 AM, Jim Thompson wrote:
 
 This list is not about Ubiquiti.   (At least not until we make pfSense 
 available on Ubiquiti platforms.)
 
 Please take the discussion elsewhere.
 
 jim
 
 
 On Oct 24, 2014, at 12:38 PM, Josh Reynolds j...@spitwspots.com wrote:
 
 I am the CIO of a WISP who uses their products, and does a lot of 
 alpha/beta testing for them and other vendors... I may be a little biased.
 
 The M series gear is pretty good kit for point to point or point to multi 
 point applications. AirFiber is great for ~10 mile or less shots, with 
 bandwidth a little over 765Mbps full duplex on short range shots with the 
 AF24. The new UniFi products are looking good, basically local or remote 
 cloud managed routers, switches, access points, and phones, with plans to 
 fold the unifi-video line directly in, as well as the mFi sensor line into 
 the same interface. The camera hardware is getting better, but the native 
 camera feature set needs work... I can't seem to get it pounded into 
 peoples heads that RTSP and cookieless jpg snapshots should be native on 
 the cameras themselves.
 
 1M pps routing for $99 on an edgerouter-lite ain't a bad gig. I'd still 
 like to see more work done on the HA front - I need more than VRRP. The QoS 
 engine and firewall engines could both stand to be rebuilt, and might be in 
 the fairly near future. The standard 8 port edgerouter and edgerouter pro 
 models are pretty nice. I'm excited to see how the carrier and other 
 future models turn out.
 
 There -- that's a quick writeup that should be useful for people on this 
 list.
 
 
 
 
 
 
 
 Did Thompson molt yet?
 Josh Reynolds, Chief Information Officer
 SPITwSPOTS, www.spitwspots.com
 On 10/24/2014 05:53 AM, Ryan Coleman wrote:
 I presume UBNT is Ubiquiti? 
 
 I'm probably going to start testing their hardware for other applications 
 (I work in the video surveillance industry as well as high capacity wifi) 
 and I'd be curious to get some pros/cons from those who know... so please 
 email me off list (so as not to offend the other Thompson on the list... 
 he might molt on me anyway). 
 
 Sliante! 
 
 
 On 10/24/2014 4:03 AM, Adam Thompson wrote: 
 [One public correction, nothing to do with Godwin's law!  -Adam] 
 
 On 14-10-23 08:36 PM, Jim Thompson wrote: 
 Not that UBNT is a paragon of openness, either, 
 “either”? Wow. Strike 2. 
 That wasn't a dig at you or ESF or NG - I was thinking of Brocade when I 
 wrote that.  I could also use UBNT's competitor, MikroTik, as a good 
 example of how to build decent products the wrong way, but Brocade was my 
 target here.  You're a paragon of open-source stewardship in comparison! 
 
 

Re: [pfSense] pfsense h/w

2014-10-23 Thread Jim Thompson


 On Oct 23, 2014, at 5:18 AM, Zia Nayamuth zedestruc...@gmail.com wrote:
 
 Lots of suggestions on the hardware, but I see nobody mention anything based 
 around the new and much more powerful Avoton platform. The platform is 
 officially supported, and the pfSense store has hardware based on it (looks 
 to be the Supermicro 5018A-FTN4,

It is. The FW-7551 runs a two core version of the same SoC. 

The SoC in both is based on Rangeley, which is like Avoton, but more Ethernets 
and a crypto core named QuickAssist. 

We have a line of similar hardware coming out early next year.   You can see 
the beginnings of same on the Netgate site.  Don't stress about the dev board 
pricing, it's far higher than production boards / systems will be. 

This will be the hardware that pfSense is tested on, and released for.  Other 
platforms will continue to work, but if you want to run the solution that the 
pfSense team uses, develops for, and tests on, look in the store. 

Before someone accuses (because this always comes up), we don't cripple other 
solutions (witness the AES-NI acceleration available to all in pfSense version 
2.2), but we do polish things we sell.  When we decided to sell the C2758 
(5018A-FTN4), we made sure all the Ethernets worked (this was released in 
2.1.1) and did some tuning such that the platform worked well using pfSense 
2.1.x.

We don't release the tuning info, and, incredibly, a couple people a month 
write in demanding it.

Anyway, the point is, the community is still free to run pfSense software on a 
given platform, but, as was always true, YMMV with platforms we don't support. 

Someone asked in the blog if we would be enabling the crypto part on the 
Watchguard he had purchased on eBay. 

The answer is no.  Not only because the hardware is slower than a software-only 
solution on a modern cpu, but also because SafeNet (the company that made that 
part) no longer supports them, nor is the technical documentation available.

And then there is the main reason:  We don't have infinite time and other 
resources.

Also, while the end user can change things to enable or even optimize a given 
platform choice, load additional packages, etc., nobody can distribute the 
result and call it pfSense.  Simple trademark law demands same. 

Anyway, the point is, things we don't sell aren't on developers desks, and are 
not in the test rack, and thus, not exercised by the test harness. 

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfsense h/w

2014-10-23 Thread Jim Thompson

Adam,

(Three people rushed to my office, saying, “Here we go again!”)

There is a metaphor I like to use to explain the situation, it is roughly this:

Can you buy a bottle of Coca-Cola, and then sell or give it to someone 
else?
Yes you can.  Without getting too deep into the legalities, you have 
certain rights in the first sale.

Can you buy a bottle of Coca-Cola, open it, change the contents 
(anything here from adding salt,
or distilled water, to adding battery acid), recap the bottle and offer 
someone the result as “a bottle of Coke”?

No you can not, and nearly everyone understands “why not”.

Similarly:  Can you distribute the pfSense software that you received from us, 
*as you received it from us*?   Yes you can.
Can you put the pfSense software you received from us, and, without altering 
it, put it on the hardware platform of your choosing, and sell the result?
Yes, but here trademark comes into play.   You can sell the result as, e.g.  
“My firewall with pfSense software.”   You can’t sell it as a “pfSense 
firewall”.

The first (“with pfSense software”) states a fact.  The second uses the mark 
without a license.

We ask that people using the mark in a fact adhere to several ‘rules’ in order 
to help us preserve the mark.

First, that the mark is only ever used with genuine pfSense software.
Any change to the software means that the “genuine” requirement is 
violated.

Second, that “pfSense” should always be used as an adjective, never as a noun.  
 
Example of allowed use as adjective:  “… with pfSense software” 
Examples of disallowed use as noun:  “… with pfSense”, “powered by 
pfSense”.

Third, we ask that in any country where the pfSense mark is registered, that 
the “circle R” mark be appended to the first use in any view (web page, 
marketing collateral, etc.)
“my firewall with pfSense® software”

A *current* list of countries where the mark is registered follows: United 
States of America, its territories and possessions, Australia, Brazil, Canada, 
China, (every country in the) European Community, India, Israel, Japan, Mexico, 
New Zealand, Norway, Philippines, Singapore, South Korea, Switzerland, Turkey, 
Ukraine, and Vietnam

Others are pending, but not yet issued.

Fourth, we ask that attribution occur at the bottom of the ‘page’ in any use of 
the registered mark.  Our suggested language is:
“pfSense® is a registered trademark of Electrical Sheep Fencing LLC.”

My purpose in all of the above is to engage the community in helping preserve 
the trademarks.  (The registration in IC9 protects the use of the mark on 
hardware, software and similar.  The registration in IC42 protects the use of 
the mark when used with services including support.   Looking at the above, 
“pfSense support” isn’t allowed (other than for ESF and its licensees), but 
“support for pfSense® software” is.)

To address your point, “But, at least here, I'm quite sure I can install 
pfSense on some random hardware and still call it pfSense.”

True, but you can’t call the solution “pfSense”, see above.  

I’m with you in the opinion that fully-supported high-throughput (or even 
“high-value”) solutions are best for the market.

Jim

> On Oct 23, 2014, at 11:39 AM, Adam Thompson athom...@athompso.net wrote:
> 
> One nit: yes, I can sell something called pfSense, as that's the 
> freely-downloadable software under a (IIRC) BSD license.
> I can't sell something called NetGate.
> I can't produce a derivative work and call it pfSense. (This is a gray area, 
> admittedly.)
> But, at least here, I'm quite sure I can install pfSense on some random 
> hardware and still call it pfSense.
> 
> Having said that, if there's a high-throughput hardware option that's fully 
> supported and tested and optimized, I don't know why I would *sell* anything 
> else.
> I'll continue to install pfSense in VMs and on existing repurposed hardware, 
> but that's an entirely different market segment anyway, and all I'm selling 
> is my time.
> 
> -Adam
> 
> On October 23, 2014 11:06:42 AM CDT, Jim Thompson j...@netgate.com wrote:
> 
>> On Oct 23, 2014, at 5:18 AM, Zia Nayamuth zedestruc...@gmail.com wrote:
>> 
>>> Lots of suggestions on the hardware, but I see nobody mention anything based 
>>> around the new and much more powerful Avoton platform. The platform is 
>>> officially supported, and the pfSense store has hardware based on it (looks 
>>> to be the Supermicro 5018A-FTN4,
>> 
>> It is. The FW-7551 runs a two core version of the same SoC. 
>> 
>> The SoC in both is based on Rangeley, which is like Avoton, but more 
>> Ethernets and a crypto core named QuickAssist. 
>> 
>> We have a line of similar hardware coming out early next year.   You can see 
>> the beginnings of same on the Netgate site.  Don't stress about the dev board 
>> pricing, it's far higher than production boards / systems will be. 
>> 
>> This will be the hardware that
>> pfSense is tested on, and released for.  Other platforms

Re: [pfSense] pfsense h/w

2014-10-23 Thread Jim Thompson

> On Oct 23, 2014, at 4:42 PM, Adam Thompson athom...@athompso.net wrote:
> 
> On 14-10-23 04:29 PM, Chris L wrote:
>> I’m not asking what the changes are - I’m asking if these boxes require a 
>> special version of pfSense for maximum performance.
> I can't answer that with 100% certainty, but I believe the packaging is 
> tweaked slightly.  Whether you call that a special version or not is up to 
> you...  AFAIK the kernel is the same, and the pfSense layered code is the 
> same.  Netgate may add *more* stuff on top of that, I'm not sure - I don't 
> even own one right now.

The kernel is the same.  All the patches are in the tree, and all the code 
except for what is described next is also in the tree.

We currently add the ‘tuning’ (or, for other platforms such as the APU, the 
bits necessary to be able to successfully load and reboot the system), and, 
as of version 2.1.5, the Amazon VPC wizard is in the “Netgate” build, which is 
loaded on everything sold via both store.pfsense.com and store.netgate.com.
We can do this because we’re the trademark holder (technically we’re licensed 
by the holder, but the point is minutia.)

That’s it.

>> If it’s just sysctl values then it’s not possible to keep it secret.  sysctl 
>> -a, sysctl -a, diff
> Granted... my point stands, it's not the secrecy, it's the time taken to 
> match the values to the hardware.  No two systems (models) are identical.

It’s sysctl values.   It’s not “secret” if you dig it out, and no steps were 
taken to prevent same.  If you buy the tools and have the knowledge, you ‘tune’ 
the ECU in a car or truck for more power and/or better mileage, too.   Some 
enterprising individuals sell pre-tuned computers, or a new ‘chip’ with the 
changes made to the various lookup tables (MAP vs. RPM, TPS, etc.), though the 
factory tends to look askance at these in the same way that we look askance at 
individuals who come to us with “I bought my own Supermicro, and didn’t pay 
your markup, give me your bits.”

>> If it’s a custom kernel, etc, then I have to take waiting for netgate to 
>> issue patches into consideration.  Now and in the future.
> Perhaps you've forgotten that Netgate/ESF is the pfSense project *sponsor* 
> and that all/most (?) of the core developers work for Netgate/ESF?

There are package developers outside Netgate/ESF, but everyone at the core 
works for Netgate (technically Rubicon Communications) or ESF.   We’re likely 
to consolidate this in the coming weeks, too.

In many ways you can think of Netgate as the “home of pfSense”.

> I don't think you'll be waiting very long.  I wouldn't be at all surprised if 
> the Netgate build gets updated first, in fact.

Point in fact, the “Netgate build” typically occurs after the (for lack of a 
better term) “community build” occurs.

> And I do *not* mean that they deliberately wait before releasing patches for 
> the generic pfSense build, I just mean that I would expect the Netgate update 
> to be available +/- 15 minutes compared to the generic pfSense update.

We try to release in parallel.   There is a testing phase of both that proceeds 
in parallel, *after* the build is done.

> I get that Jim rubs a lot of people the wrong way (myself included),

Darn, you’d think that sharing a last name would count for something...

> but I don't understand the vitriol and/or suspicion directed at Netgate, 
> which, after all, is who's paying to keep pfSense free.

I think some people are waiting for “the other shoe to drop”.  For us to take 
the pfSense project in a direction similar to what happened with Vyatta. This 
is not happening, but everyone seems to love chatting up conspiracy theories.   
Fluoride in the water and chemtrails overhead are evidence of government 
mind-control experiments, Paul McCartney died in 1966, 9/11 was a “false flag” 
operation, pfSense is going closed source, and Jim Thompson is actually a blood 
thirsty, extra-terrestrial, shapeshifting reptile.  (Paging Alex Jones to the 
white, courtesy router.  Alex Jones to the white courtesy router, please.)

I also think that some people are upset that the trademark is enforced, and 
they can no longer build their own version of “pfSense” (software), or sell 
hardware branded with “pfSense”.

Finally, I think there is still a segment of the community who views me with 
distrust because I put a license agreement and contributor agreement in front 
of access to the source code for the pfSense project.   We didn’t articulate 
the reasons for doing this very well, and the execution when we did it wasn’t … 
optimal.   But the source code is still open.  All the contributor agreement 
does is cover the ‘rules’ in play if you send us a contribution to the source 
code (a “patch” or “pull request”), and all the license agreement really does 
is put the rules in-play that cover a fork.  (attribution, can’t call it 
“pfSense”, can’t relicense, etc.)

Nobody lost anything, but I will always and forevermore be the ahole for taking 
the steps.  I’ve learned to live

Re: [pfSense] pfsense h/w

2014-10-23 Thread Jim Thompson

> On Oct 23, 2014, at 7:48 PM, Adam Thompson athom...@athompso.net wrote:
> 
> [Hmm... half of this doesn't need to be on-list.  Sorry if I'm polluting. 
> -Adam]
> 
> On 14-10-23 05:57 PM, Jim Thompson wrote:
>>> I get that Jim rubs a lot of people the wrong way (myself included),
>> Darn, you’d think that sharing a last name would count for something...
> Sorry, no.  ;-)
> Kind of in the same way Theo de Raadt rubs people the wrong way.

Wow.   You just compared me to Theo.

I’m done.

Anyone want to buy a firewall company?

It’s either that, or I invoke Godwin’s law.  (Or its corollary, “Thompson’s 
Law”:   That the thread is over once someone compares one of the participants 
to Mr. de Raadt.)

(It’s left to you to decide who gets the eponymous glory.)

> Mostly just idiots & newbies take offense.  And it's mostly driven, I think, 
> by having your lifetime supply of tolerance for people who speak first and 
> think second be long-since exhausted.  So as long as you don't start saying 
> incorrect or technically-invalid things, your audience sticks around.  See 
> closing comments, below.
> 
>> I think some people are waiting for “the other shoe to drop”.  For us to 
>> take the pfSense project in a direction similar to what happened with Vyatta.
> Yeah... it's a possibility.  OTOH, I'll point out that UBNT essentially 
> forked Vyatta (and renamed it EdgeOS, IIRC) when Brocade started to close 
> it all up.  Not that UBNT is a paragon of openness, either,

“either”?  Wow.  Strike 2.   You probably don’t want to know that Jamie and I 
nearly bought Ubiquiti from Mr. Pera, or that we let the company live when he 
owed us a pile of cash.

I’m not going into details, but Ubiquiti did violate Vyatta’s license, got 
called on it, and had to reverse direction for a bit.

> but that's the benefit of the appropriate license - everyone can feel free to 
> copy (or fork!) pfSense from any of the multitude of places it lives online 
> right now, and feel free to burn it to archival WORM media Just In Case 
> Something Bad Happens To The Project.
> 
> As Jim pointed out, however, when you resurrect it (and somehow replace all 
> the infrastructure and developers in one fell swoop, *ahem*), you can't call 
> your new project pfSense.  You can have an FAQ entry explaining how it used 
> to be pfSense, you can even leave the GIT, or SVN, or even SCCS repository up 
> as-is with the pfSense name throughout it, but as soon as you create a 
> derivative work: new project.
> 
>> ... pfSense is going closed source,
> Technically, this could happen, but realistically, someone will probably fork 
> it.  And that project will likely die out or remove itself from public 
> participation, as these things tend to do.
> For that matter, remember that pfSense is (sort of) a fork of m0n0wall from a 
> decade ago in the first place.  For different reasons, but nonetheless.

As if I didn’t know, had forgotten, or wish people would forget.   

Just in-case you have forgotten, Netgate originally shipped m0n0wall on WRAP 
boards, then cut-over to pfSense quite early after the fork.

>> and Jim Thompson is actually a blood thirsty, extra-terrestrial, 
>> shapeshifting reptile.
> Well, that explains a few things!  <grin>

It explains everything, actually.

>> Finally, I think there is still a segment of the community who views me with 
>> distrust because I put a license agreement and contributor agreement in 
>> front of access to the source code for the pfSense project.   We didn’t 
>> articulate the reasons for doing this very well, and the execution when we 
>> did it wasn’t … optimal.
> I wasn't affected by that, and - AFAIK - neither were most of the people who 
> whine and cadge about a commercial entity being involved.
> 
> I don't recall what the license used to be, but clearly the current one is a 
> custom license that doesn't even attempt to follow the UCB/BSD license.  As 
> long as ESF covered all their legal bases properly, they can do whatever the 
> f*** they want with the license. I can see how old contributors might not 
> like the new CLA, though. And I don't know of any project that has ever 
> pivoted on a license change this way ... optimally.

There is an agreement that allows access to the pfsense-tools repo.  As a 
prerequisite to that agreement, a contributor agreement must be in place.  
Once you have the code, you’ll find the license in the individual files to be 
the same as it always was (mostly BSD 3 clause, but there are a smattering of 
other files.)   Doesn’t matter, you already agreed to the other license, that’s 
the hack.

The license is non-transferable, but if you build and release a version 
otherwise in compliance with the license, you must license your version under 
substantially similar terms.

>> Ugh…  were you around for the 2.1.5 release with the “Gold” menu 
>> front-and-center (and the resultant shitstorm)?
> Long before that, yes, but I think I managed to skip the affected versions by 
> accident, so I forgot all about it / never saw it myself.  Since I've

Re: [pfSense] pfsense h/w

2014-10-22 Thread Jim Thompson

Seems up now.  I’ve let Gregory know that there may have been an issue.

http://www.osnet.eu/en/products/FWA

> On Oct 22, 2014, at 10:07 AM, Nick Upson n...@telensa.com wrote:
> 
> thanks for the suggestion but
> 
> The web page at http://onset.eu/ might be temporarily down 
> or it may have moved permanently to a new web address.
> Error code: ERR_NAME_RESOLUTION_FAILED
> 
> Nick Upson, Telensa Ltd, Senior Operations Network Engineer
> direct +44 (0) 1799 533252, support hotline +44 (0) 1799 399200
> 
> On 22 October 2014 16:06, Jim Thompson j...@smallworks.com wrote:
>> Talk to onset.eu. 
>> 
>> -- Jim
>> 
>> On Oct 22, 2014, at 9:32 AM, Nick Upson n...@telensa.com wrote:
>> 
>>> I'm suffering in my efforts to install 2.1.5 onto my box, so can I change 
>>> the box?
>>> 
>>> A proven hardware platform, available in the UK with at least 6 physical 
>>> network ports, I can probably justify buying. 
>>> 
>>> Suggestions anyone?
>>> 
>>> Nick Upson, Telensa Ltd, Senior Operations Network Engineer
>>> direct +44 (0) 1799 533252, support hotline +44 (0) 1799 399200

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] pfsense h/w

2014-10-22 Thread Jim Thompson

> On Oct 22, 2014, at 12:10 PM, Chris Buechler c...@pfsense.com wrote:
> 
> On Wed, Oct 22, 2014 at 11:29 AM, Jim Thompson j...@smallworks.com wrote:
>> Seems up now.  I’ve let Gregory know that there may have been an issue.
>> 
>> http://www.osnet.eu/en/products/FWA
> 
> Pretty sure Jim got auto-corrected originally, it's osnet.eu as linked
> there, not onset from the original.

http://www.damnyouautocorrect.com   (warning:  NSFW)




Re: [pfSense] NIC support

2014-10-18 Thread Jim Thompson

Corrections inline. 

I blame beer. 

-- Jim

> On Oct 18, 2014, at 1:21 AM, Jim Thompson j...@netgate.com wrote:
> 
> So,
> 
> The only people getting a google fiber connection *today* live in Provo, UT 
> or Kansas City. 
> 
> Google Funer

Fiber. 

> is being built out in Austin, but won't be available until early 2015.  My 
> neighborhood will get it in the second pass, but I have a Grande 1Gbps/1Gbps 
> connection to my house today, and Grande terminates in the data center next 
> to pfSense World HQ. (We have a 10Gbps fiber connection to our cabinet there.)
> 
> So I have a 10ms RTT 1Gbps path from home to work, today.  In the next 
> couple months, I'll have two. :-)
> 
> Neither pfSense nor FreeBSD will forward at 1.488Mpps on a C2758 today, but 
> running the l3fwd app from DPDK on a 2

8

> core C2758 CPU fitted with a dual port 10Gbps card will run at 14.88Mpps. 
> 
> https://github.com/Pktgen/Pktgen-DPDK/tree/master/dpdk/examples/l3fwd
> 
> (And it's trivial to make 1.488 happen in the igb ports. Don't go there.)
> 
> A simple bridge over netmap will yield the same result. (With pkt-gen running 
> on either side.)
> 
> So the problem is not (as you assert) in the hardware, but rather, in the 
> FreeBSD (and, honestly Linux too) stack(s).
> 
> But I've already explained that we're working on it. 
> 
> -- Jim
> 
>> On Oct 17, 2014, at 5:54 PM, compdoc comp...@hotrodpc.com wrote:
>> 
>> I wanted to add one more thing. Maybe this will help avoid future 
>> misunderstandings...
>> 
>> Ulrik Lunddahl asked:
>>> Will A SMB without L3 capable switches, that needs routing between 3-4 
>>> local subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to 
>>> wirespeed as possible, be happy with a C2758. ?
>> 
>> Now, I realize that the vast majority of users and businesses in the world 
>> don’t need a wirespeed router, and they have no idea what one is. Their 
>> internet connections just aren't fast enough to require one, and they don’t 
>> use them internally.
>> 
>> The fact that Ulrik was asking this question means that he not only knows 
>> what one is, but he has a specific requirement.
>> 
>> I've seen others asking this same question on IRC but with a different 
>> requirement: they were getting Google Fiber connections and they knew enough 
>> to want a server powerful enough to take full advantage of the connection. 
>> One guy I saw chose a system with fairly expensive dual Xeon cpus. I thought 
>> he was crazy.
>> 
>> Their questions made me curious, and I decided to see just which hardware I 
>> had on hand could reach gigabit line-rates. (pkt-gen measures this bandwidth 
>> as 714.23 Mbps (raw 999.92 Mbps), at 1.488Mpps)
>> 
>> I was surprised at the results. Nics connected to the PCI bus were dogs. 
>> Nics connected to the PCI-e bus were lots faster, and some could reach 
>> 1.488Mpps. Also, nics with 4 pci-e lanes were faster than nics with 1 pci-e 
>> lane.
>> 
>> Furthermore, I found that to forward packets at 1.488Mpps requires not only 
>> a fast NIC, but also a cpu that was capable of pushing traffic through that 
>> fast.
>> 
>> The only cpus I had on hand that were capable were an Intel i5, and a newly 
>> released Amd Kaveri APU. (with Steamroller cores)
>> 
>> Anyway, Ulrik asked if he'd be happy with a C2758, and I had read on the 
>> BSD-RP site that the C2758 board they were testing wasn’t capable of 
>> 1.488Mpps. It was about half that, even though it had Intel based nics.
>> 
>> And while that’s still blazing fast, I felt it might not be fast enough for 
>> the knowledgeable people asking these questions.
>> 
>> It would be a shame for anyone to buy something so expensive expecting 
>> certain results, and not get them.
>> 
>> Even a cheap 5 port gigabit switch can forward traffic at 1.488Mpps, so if 
>> the devices sold by pfSense and elsewhere are capable of full wirespeed, 
>> then those devices would be an excellent buy.
>> 
>> More so, because of the tuned software and support they'd be getting along 
>> with it.
>> 
>> compdoc
  

Re: [pfSense] NIC support

2014-10-16 Thread Jim Thompson

> On Oct 16, 2014, at 2:06 AM, compdoc comp...@hotrodpc.com wrote:
> 
>> I am well-aware of Olivier’s work in this area, as are many in the FreeBSD 
>> community.
>> There is no proof, except that which is documented and reproducible.  We're 
>> doing something like science here. 
> 
> Hmm, proof. Well, maybe a scientist like yourself can appreciate my concern 
> over this direct quote from the BSD Router Project, of which you are so 
> well-aware:
> 
> Intel Rangeley: Atom C2758 (8 cores) at 2.4GHz
> Embedded Intel i354 4-port gigabit Ethernet
> 8Gb of RAM
> Debugging slow throughput in progress…
> With the default value of igb(4) drivers that use all 8 cores, this system 
> is not able to receive more than 585Kpps (far from the gigabit line-rate 
> 1.488Mpps) on one port ?!?!
> Last modified: 2014/03/13 20:16 by olivier

As I said before, I am aware of Olivier's work.  That you are concerned is 
understandable, but also immaterial, as it is clear from this thread that your 
understanding of the issues, tools(!), terms of art and resolutions is limited. 

The concern I have is not your lack of understanding. We all lack knowledge. 
It's what comes next that marks the difference between progress and the crabs 
in a bucket mentality that often impedes progress. 

Here, you perform an act commonly known as “I read it on the Internet (so it 
must be true).”

The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), is 
tuning.  It's well-understood that the default install isn't optimal.  We 
addressed this earlier in the year.

Since then we've been concentrating more on a proper test infrastructure, 
(Conductor), support for AES-GCM mode for IPSec, (with support for AES-NI 
acceleration), and measuring the performance of pf with the on-chip 
performance counters. 

The first result of the pf performance work is an improved (at least 9% faster 
with 95% confidence) hash function for pf. 

A second result (not yet available in pfSense as it requires work from FreeBSD 
-HEAD) yields another 25% improvement compared to the stock pf in 10.0/10.1. 

Work continues. 

> As I said in my original post, I know the C2758 is capable according to its 
> specs, however buyer beware...

Again with the insult and denigration.  Do you own a C2758?


Jim

Re: [pfSense] NIC support

2014-10-16 Thread Jim Thompson

> On Oct 16, 2014, at 11:14 AM, compdoc comp...@hotrodpc.com wrote:
> 
>> The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), 
>> is tuning
> 
> The only way to prove what you say is with numbers. Tuning pfSense won't fix 
> this hardware problem, *if* it exists in your boards.

Your assumption (that there is a hardware problem) is unwarranted.   The 
problem is that FreeBSD (especially FreeBSD 8.3, upon which the current 
“release” version of pfSense software (v2.1.5) is based), is not well-tuned to 
multi-core hardware.   We took certain steps to fix the problem (as well as it 
can be fixed on 8.3) and are working to improve the situation for both FreeBSD 
and pfSense.  (FreeBSD 10 is better than 8.3, but, as Olivier also discovered, 
imperfect.)

There is a lot of work to do in this area, including enabling RSS (for 
forwarding, there is recent work for reception in FreeBSD -HEAD), thread 
pinning, additional work on a per-core copy of the state table, more work on 
flow-table, etc.

It’s all roughly planned, and the subject of some discussion while I have all 
the pfSense coreteam in Austin this week to discuss this, and what we’re going 
to do after the 2.2 release of pfSense.
 
>>> As I said in my original post, I know the C2758 is capable according to 
>>> its specs, however buyer beware...
>> 
>> Again with the insult and denigration.  
> 
> Is it an insult that I think Intel's cpu is capable? Or is it that I suggest 
> a person be cautious when buying these products? 

Is your position that you are unaware of the meaning of “Caveat emptor”, and 
its history in both English common law and statutory law in all 50 United 
States?  (Apologies to readers outside the US, but OP is based in Denver, CO, 
so the point stands.)

You might wish to perform an Internet search for “buyer beware” and see the 
type of thing that comes up, and then reconsider my reaction in light of same.

You may also wish to review Laidlaw v. Organ, 15 U.S. 178 (1817) if you still 
don’t know what I’m talking about.  Your noisy attempts at persuasion of the 
consumer base actually require the vendor (that’s me) to respond.  (Never mind 
the whole “silence is assent” attitude that many hold.)

You gave some results of some tests you performed on an AMD A8-7600 and an 
i5-2400.   I asked for additional details, and you refused to provide any.

You asserted that pfSense crashes under load.  (You reported that this “was 
tested by someone else”)   I asked for details, and you refused to provide any.

You asserted that BSDRP is a “tool to test hardware”.   You stated that it “has 
very little overhead and runs on freebsd.”

The reality is that BSDRP is a slightly customized distribution of FreeBSD, it 
doesn’t “run on FreeBSD”, it *is* FreeBSD, as packaged by Olivier to suit his 
purposes at Orange.   This is a good thing.   That you’ve repurposed it to 
“test your hardware” is also fine, but your assertion that BSDRP is “a tool to 
test hardware” is still false.

Many people use screwdrivers as levers.  This doesn’t mean that their usage is 
correct, nor does it make “a screwdriver is a tool to open paint cans” true.

>> Do you own a C2758?
> 
> Have you actually bothered to read anything I've said in this conversation?
> 
> It's time to end this nonsense. Prove what you say, or shut up. 

Fair warning:  Being rude will eventually get you removed from the list.

Published numbers are forthcoming, as soon as we’re ready to make the results 
public.   I’ve already exposed the tools we’re using, and some of the 
improvements we’ve seen.  There is a long history in the project of people 
making-up benchmark numbers to suit their agenda.  There is also a long 
history in the project of people posting ‘fixes’ for various issues, including 
performance issues, where these ‘fixes’ have nothing to do with the actual 
issue.

The number of times I’ve seen recommendations to sysctl -w 
kern.ipc.maxsockbuf=“huge number” or to set the TCP/UDP default buffer sizes, 
or set window scaling in an attempt to increase forwarding performance through 
‘pf’ makes me cringe.  (recent reference:  
https://forum.pfsense.org/index.php?topic=71949.0)

There are a number of things currently in pfSense that do not lend to absolute 
performance.   mbuf tags and ALTQ are two examples.  ALTQ is about a 10% impact 
on PPS performance.  mbuf tags are the work of the devil.   FreeBSD’s penchant 
for looking up the ARP entry for every single packet (even though it just 
looked up the ARP entry for the last packet, which was to the same destination) 
is also a problem.   There are some great results from Luigi Rizzo (actual 
author of the pkt-gen tool) on putting ipfw (the competing packet filter in 
FreeBSD) over netmap, reaching 7-10Mpps.   We will explore pf over netmap 
(again, after we get pfSense 2.2 released), and hope for similar results.

The point is, we’re focused on it (especially after we get pfSense 2.2 
released, such that work we do on pfSense can be 

Re: [pfSense] NIC support

2014-10-16 Thread Jim Thompson

> On Oct 16, 2014, at 12:45 PM, compdoc comp...@hotrodpc.com wrote:
> 
>> do you realize who you’re arguing with compdoc?  
> 
> Yeah, I'm arguing with a guy that not only attacked me for suggesting a 
> person be careful about buying certain hardware, he also attacked the work of 
> Olivier from BSDRP.
 

I never attacked Olivier.  I have a ton of respect both for him and BSDRP.

Jim


Re: [pfSense] NIC support

2014-10-15 Thread Jim Thompson


> On Oct 14, 2014, at 5:15 PM, compdoc comp...@hotrodpc.com wrote:
> 
>> as close to wirespeed as possible, be happy with a C2758. ?
> 
> Very
> 
> That C2758 has nice specs and should be able to keep up, however there seems 
> to be a throughput problem on at least one brand of board running the C2758.

When I speak of the C2758, I speak of the product sold at the pfSense store, as 
sold by the pfSense store, not the generic pfsense release running on some 
brand of board.

> (I think it’s more a problem with the nics than the cpu)

You seem confused. 

> I recently tested various nics and cpus to see if the systems I was building 
> could reach Gigabit Ethernet's max throughput of  1.488Mpps on one port

Please show your work.  Which pkt-gen switches are in use?

> Tests were run on AMD FM1+ and AM1 APUs, an FX-4100, and an Intel i5-2400 
> Sandy Bridge.

None of these is the system in question.  They don't even run the same cpu. 

> Tests used the BSD Router Project (BSDRP) OS, and a program named 'pkt-gen'.

- I am quite familiar with pkt-gen.  

- this list is about pfsense, not the BSDRP

> During routing tests, I found that an AMD A8-7600 Kaveri was the only cpu I 
> had that was equal in performance to the Intel i5-2400. (the routing tests 
> involved a 3rd test machine, and aren't covered in the scores below)

Pkt-gen does not test routing.  What tests did you run?

> Anyway, I hope you find this helpful...

I don't see where a C2758 is tested. 

> In these tests, I used the two fastest test machines connected to each other. 
> One sends, and one receives:
> 
> Realtek  8169sc 32-bit PCI card
> 266935 pps (283752 pkts in 1063001 usec)
> Speed: 267.19 Kpps Bandwidth: 128.25 Mbps (raw 179.55 Mbps)
> 
> Realtek RTL8111DL, Onboard
> 405708 pps (406113 pkts in 1000998 usec)
> Speed: 404.78 Kpps Bandwidth: 194.29 Mbps (raw 272.01 Mbps)
> 
> Intel pro 1000 32-bit PCI card
> 307102 pps (307586 pkts in 1001577 usec)
> Speed: 276.49 Kpps Bandwidth: 132.72 Mbps (raw 185.80 Mbps)
> 
> Intel Pro 1000, x1 PCI-e card (no heatsink)
> 1367299 pps (1453440 pkts in 1063001 usec)
> Speed: 1.36 Mpps Bandwidth: 654.85 Mbps (raw 916.79 Mbps)
> 
> Intel Pro 1000, x1 PCI-e card, server version (with heatsink)
> 1488012 pps (1490981 pkts in 1001995 usec)
> Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)
> 
> Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter  (with heatsink)
> 1488012 pps (1490981 pkts in 1001995 usec)
> Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)
> 
> ***
> 
> These tests were using the lowest TDP(watt) APUs I had.

APUs?   I thought we were talking C2758. 

> The Intel server nics were the fastest nics tested, and used the least cpu 
> time, so I used those in these tests:
> 
> AMD 5150 quad core APU @ 1.6GHz
> Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter  (with heatsink)
> 1179367 pps (1180530 pkts in 1000986 usec)
> Speed: 1.17 Mpps Bandwidth: 562.85 Mbps (raw 787.99 Mbps)

AMD CPU.  NON-identified NIC. 

> AMD 5350 quad core APU @ 2GHz
> Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter  (with heatsink)
> 1488106 pps (1489615 pkts in 1001014 usec)
> Speed: 1.48 Mpps Bandwidth: 709.33 Mbps (raw 993.07 Mbps)

AMD CPU.  NON-identified NIC.

> AMD 5350 quad APU @ 2GHz
> Onboard RTL8111/8168B PCI Express Gigabit Ethernet controller
> 560938 pps (561565 pkts in 1001117 usec)
> Speed: 558.35 Kpps Bandwidth: 268.01 Mbps (raw 375.21 Mbps)

AMD CPU.  NON-identified NIC.

> AMD A4-6300 dual core APU @ 3.7GHz
> Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter  (with heatsink)
> 1129784 pps (1130961 pkts in 1001042 usec)
> Speed: 1.09 Mpps Bandwidth: 521.00 Mbps (raw 729.39 Mbps)

AMD CPU.  NON-identified NIC. 

Now the track has been completely lost. 

Jim

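As an added example (not code from the thread, pfSense, netmap, BSDRP or Conductor), the following Python parses pkt-gen result blocks like the ones compdoc posted above, backs out the frame size pkt-gen was sending, and compares each result against the gigabit wire budget that makes 1.488 Mpps the minimum-frame line rate. The 24-byte per-frame wire overhead and the 60-byte default frame size are assumptions inferred from the ratio of the Bandwidth and raw figures in the thread.

```python
"""Check pkt-gen results against the Ethernet wire budget.

Added example for this thread; not code from pfSense, netmap, BSDRP or
Conductor. It parses the two-line result blocks pkt-gen prints, infers the
frame size pkt-gen was sending, and reports how close each NIC/CPU pair got
to the minimum-frame line rate of a gigabit link (1.488 Mpps).
"""
import re
from dataclasses import dataclass

# Assumption: pkt-gen's "raw" bandwidth adds 24 bytes of wire overhead per
# frame (4 FCS + 8 preamble/SFD + 12 inter-frame gap) to its frame size, and
# its default frame size is 60 bytes (FCS excluded). Both are consistent with
# the Bandwidth/raw ratio of every result quoted in the thread.
WIRE_OVERHEAD_BYTES = 24
PKTGEN_DEFAULT_FRAME_BYTES = 60
LINE_RATE_TOLERANCE = 0.99  # >= 99% of the wire budget counts as line rate


def line_rate_pps(link_bps: float = 1e9,
                  frame_bytes: int = PKTGEN_DEFAULT_FRAME_BYTES) -> float:
    """Maximum frames per second the link can carry at this frame size."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def utilisation_from_pps(pps: float, link_bps: float = 1e9,
                         frame_bytes: int = PKTGEN_DEFAULT_FRAME_BYTES) -> float:
    """Fraction of the wire budget used by a given packet rate."""
    return pps / line_rate_pps(link_bps, frame_bytes)


@dataclass
class PktGenResult:
    label: str
    pps: int
    pkts: int
    usec: int
    bandwidth_mbps: float
    raw_mbps: float

    def measured_pps(self) -> float:
        """Cross-check: recompute pps from the packet count and interval."""
        return self.pkts / self.usec * 1e6

    def inferred_frame_bytes(self) -> int:
        """raw/bw = (size + 24)/size, so size = 24 * bw / (raw - bw)."""
        return round(WIRE_OVERHEAD_BYTES * self.bandwidth_mbps
                     / (self.raw_mbps - self.bandwidth_mbps))

    def utilisation(self, link_bps: float = 1e9) -> float:
        """Share of the wire budget actually used (1.0 == line rate)."""
        return self.raw_mbps * 1e6 / link_bps

    def at_line_rate(self, link_bps: float = 1e9) -> bool:
        return self.utilisation(link_bps) >= LINE_RATE_TOLERANCE


# One label line followed by the two lines pkt-gen prints per run.
_RESULT_RE = re.compile(
    r"(?P<label>[^\n]+)\n"
    r"(?P<pps>\d+) pps \((?P<pkts>\d+) pkts in (?P<usec>\d+) usec\)\n"
    r"Speed: [\d.]+ [KM]pps Bandwidth: (?P<bw>[\d.]+) Mbps "
    r"\(raw (?P<raw>[\d.]+) Mbps\)"
)


def parse_pkt_gen(text: str) -> list[PktGenResult]:
    """Extract every labelled pkt-gen result block from pasted output."""
    return [
        PktGenResult(m["label"].strip(), int(m["pps"]), int(m["pkts"]),
                     int(m["usec"]), float(m["bw"]), float(m["raw"]))
        for m in _RESULT_RE.finditer(text)
    ]


def summarise(text: str, link_bps: float = 1e9) -> list[tuple[str, int, float, bool]]:
    """(label, frame bytes, utilisation, at line rate?) for each result."""
    return [(r.label, r.inferred_frame_bytes(), r.utilisation(link_bps),
             r.at_line_rate(link_bps)) for r in parse_pkt_gen(text)]


# Three of the results compdoc posted in the thread, used here as sample input.
SAMPLE = """\
Realtek  8169sc 32-bit PCI card
266935 pps (283752 pkts in 1063001 usec)
Speed: 267.19 Kpps Bandwidth: 128.25 Mbps (raw 179.55 Mbps)

Intel Pro 1000, x1 PCI-e card (no heatsink)
1367299 pps (1453440 pkts in 1063001 usec)
Speed: 1.36 Mpps Bandwidth: 654.85 Mbps (raw 916.79 Mbps)

Intel Pro 1000, x1 PCI-e card, server version (with heatsink)
1488012 pps (1490981 pkts in 1001995 usec)
Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)
"""

if __name__ == "__main__":
    print(f"gigabit line rate at {PKTGEN_DEFAULT_FRAME_BYTES} B frames: "
          f"{line_rate_pps():,.0f} pps")
    for label, frame, util, ok in summarise(SAMPLE):
        print(f"{'LINE RATE' if ok else 'below    '} {util:6.1%} "
              f"frame={frame}B  {label}")
    # The 585 Kpps BSDRP figure quoted earlier, as a share of the same budget.
    print(f"585 Kpps is {utilisation_from_pps(585_000):.1%} of line rate")
```

The same check applies to any pkt-gen paste: a result whose inferred frame size is not 60 was run with a non-default -l size, and its utilisation must be judged against the line rate for that size rather than against 1.488 Mpps.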

Re: [pfSense] NIC support

2014-10-15 Thread Jim Thompson

-- Jim
> On Oct 15, 2014, at 10:06 AM, compdoc comp...@hotrodpc.com wrote:
> 
>> When I speak of the C2758, I speak of the product sold at the pfSense store,
>> as sold by the pfSense store, not the generic pfsense release running on 
>> some brand of board.
> 
> I was speaking of a C2758 board that was tested by someone else, and which 
> wasn’t able to reach Ethernet's maximum throughput. Clearly not all C2758 
> boards are the same. Buyer beware.
> 
> If you have test results that prove the product you mentioned doesn’t have 
> this problem, feel free to post them. I'd love to see.
> 
>> You seem confused. 
> 
> Not at all. You seem defensive.
> 
>> - this list is about pfsense, not the BSDRP
> 
> Never said it was. BSDRP is a tool to test hardware.

Actually it's not.  Olivier uses it in his work at Orange. 
There has been some testing using BSDRP, but it is not a tool to test 
hardware.

 If the hardware cannot achieve maximum throughput, then pfSense cannot 
 achieve maximum throughput.

This is a true statement but it ignores the reality that software also plays a 
part. 

  Pkt-gen does not test routing.  What tests did you run?
  
 Here's a clue:  BSD *Router* Project. I doubt you’ve done this sort of 
 testing, so I'm not going to spoil this learning opportunity for you...

You seem defensive.

You were testing forwarding, by the look of it.   This is not all there is to 
routing.  I will not further elucidate because you are obviously an expert. 

While you doubt we have done this sort of testing you should look at: 
https://github.com/gvnn3/conductor

Quoting README

   [...]
A common use for Conductor is to test a network devices, such as a router or 
firewall, that is connected to multiple senders and receivers.  Each of the 
senders, receivers, and the device under test
(DUT) are a Player, and another system is designated as the Conductor.

[...]
 
This work supported by: Rubicon Communications, LLC (Netgate)
Conductor uses pkt-gen or iperf, though our preference going forward is 
pkt-gen. Recent additions to pkt-gen include playback of pcap files, for more 
repeatable testing.  It's also important to be able to test multiple senders 
and receivers.  I will not further elucidate because you are an expert. 

 However, I will mention one thing: if you try to route 1.488M packets per 
 second through the 'generic' pfSense, it will crash after a minute or so. 
 (and that's not a criticism of pfSense)

That's an interesting result.  We've not seen it. 
Which particular hardware were you using?
Which version of pfsense?
Any tunables?
What switches to pkt-gen?

  
 I don't see where a C2758 is tested. 
  
 I clearly stated what I was testing and how. You seem confused. The OP was 
 asking what hardware might serve his purpose. I offered suggestions.
  
 You're welcome to prove anything I've said was wrong - but with actual test 
 results, and without the misplaced rancor.
  
 Also, it's better to reply to the list, and not send emails directly to me.
  
  

Re: [pfSense] NIC support

2014-10-14 Thread Jim Thompson
 Will A SMB without L3 capable switches, that needs routing between 3-4 local 
 subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to wirespeed as 
 possible, be happy with a C2758. ?


Very.  

Is a dual socket Xeon a bit faster? Yes.  
Does your application need that speed? Unlikely. 

Really depends on what you mean by wirespeed. 

-- Jim

On Oct 14, 2014, at 2:48 AM, Ulrik Lunddahl u...@proconsult.dk wrote:

 In general HP servers work really well with FreeBSD.
 
 When you say looking are you in possession of one and need to make it 
 work, or are you about to buy one?  Is there some specific requirement about 
 that hardware that makes you want to get it over anything else?
 
 I personally have found that the C2758 sold by both netgate and pfsense 
 directly to be a spectacularly capable device and it is fairly priced and 
 includes support. I would recommend that based on what you've described 
 above unless there's some other special need you have.
 
 I know that:
 
 - Blistering fast Intel® Atom™ Rangeley C2758 8 core SoC   This is not your 
 father's Atom!
 
 Probably is a beast compared to what we normally expect form the Atom range, 
 but to compare it with an up to date Dual Xeon Platform is just not going to 
 make a lot of sense.
 
 Hardware quality on the two boxes is also almost incomparable, both are 
 general-purpose platforms, but from different ends of the scale.
 
 Will A SMB without L3 capable switches, that needs routing between 3-4 local 
 subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to wirespeed as 
 possible, be happy with a C2758. ?
 
 
 Med venlig hilsen, Best regards
 Ulrik Lunddahl
 
 Sales Manager - Salgschef
 PROconsult Data A/S - Landbrugsvej 2 - 5260  Odense S
 Tel: +45 6311 - Tel dir: +45 63113341 - Mobil: +45 26363341
 E-mail: u...@proconsult.dk - Web site: www.proconsult.dk
 
 
 
 VSP - Infrastructure Optimization Solutions + VSP - Business Continuity
 VTSP - VMware Infrastructure Virtualization + vExpert - 2009, 2010, 2012
 VMSP - Veeam Sales Professional + VMTSP - Veeam Technical Sales Professional
 
 
 
 

Re: [pfSense] upgrade from 1.2.3

2014-10-07 Thread Jim Thompson

We've seen a lot of instances where the hw has run for years, but has developed 
silent, undiagnosed issues (bad blocks, mostly). 

The upgrade doesn't cause a failure, but it gets blamed.

While it might work, I'm absolutely certain we've never tested upgrading from 
1.2.3 to 2.1.5. 

-- Jim

 On Oct 7, 2014, at 8:57 AM, Chris Bagnall pfse...@lists.minotaur.cc wrote:
 
 On 7/10/14 2:41 pm, Jim Thompson wrote:
 Best option is to replace it, likely.
 
 This.
 
 Or at least install a recent pfSense on an unused device you have kicking 
 around, set things up how you want them (to mirror the old config), then swap 
 devices out of hours when interruptions will be minimal.
 
 It's possible I've just been unlucky in the past, but in my experience trying 
 to in-place upgrade across anything apart from minor point releases usually 
 ends in tears. And I don't just mean pfSense - same applies to pretty much 
 any critical network device :-)
 
 Kind regards,
 
 Chris
 -- 
 This email is made from 100% recycled electrons


Re: [pfSense] bogon networks

2014-09-28 Thread Jim Thompson
Perhaps if you specified your block?



 On Sep 28, 2014, at 5:59 AM, Andrew Mitchell andrew.k.mitch...@att.net 
 wrote:
 
 My company has just recently been assigned its own block from ARIN. We have 
 a handful of pfSense boxes we need to connect to from that block. I have 
 noticed we can't when Block bogon networks is enabled on the WAN interfaces.
 
 Interestingly enough I also noticed that our block can't connect to 
 updates.pfsense.org as well.
 
 Any thoughts, ideas, advice or suggestions would be greatly appreciated.
 
 Thanks,
 
 Drew
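The symptom Andrew describes (a freshly allocated ARIN block rejected by "Block bogon networks") is what you get when the firewall's bogon table predates the allocation. The check a practitioner wants is simply "does my prefix overlap any entry in the bogon list the box is actually using". The script below is an added example, not code from the thread or from pfSense; it reads a bogon list in the one-CIDR-per-line format pfSense's bogons file uses and reports the overlapping entries. The list embedded here is a constructed sample (documentation and RFC 1918 space, not the live list), and 203.0.113.0/24 stands in for the poster's unspecified block, which he never named.

```python
import ipaddress

# Constructed sample of a bogon table, one CIDR per line, optionally with
# '#' comments. This is NOT the live bogon list; it is here only so the
# example runs offline. A stale copy of the real list can still contain a
# prefix that the RIR has since allocated.
SAMPLE_BOGONS = """\
0.0.0.0/8          # "this" network
10.0.0.0/8         # RFC 1918
100.64.0.0/10      # CGNAT shared space
127.0.0.0/8        # loopback
169.254.0.0/16     # link local
172.16.0.0/12      # RFC 1918
192.0.0.0/24       # IETF protocol assignments
192.0.2.0/24       # TEST-NET-1
192.168.0.0/16     # RFC 1918
198.18.0.0/15      # benchmarking
198.51.100.0/24    # TEST-NET-2
203.0.113.0/24     # TEST-NET-3 (stands in for the newly assigned block)
224.0.0.0/3        # multicast and reserved
"""


def parse_bogons(text):
    """Parse a bogon list: one CIDR per line, '#' starts a comment."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False tolerates host bits set in sloppy lists
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def overlapping_bogons(prefix, bogons):
    """Return the bogon entries that overlap the given prefix (any overlap,
    not just containment: a bogon entry inside your block also bites)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [b for b in bogons if b.version == net.version and b.overlaps(net)]


def is_blocked(prefix, bogons):
    """True when traffic sourced from 'prefix' would hit a bogon block rule."""
    return bool(overlapping_bogons(prefix, bogons))


if __name__ == "__main__":
    bogons = parse_bogons(SAMPLE_BOGONS)
    for p in ("203.0.113.0/24", "198.51.99.0/24"):
        hits = overlapping_bogons(p, bogons)
        print(p, "BLOCKED by" if hits else "clear of", [str(h) for h in hits])
```

On a live pfSense box the same question can be put to pf directly, since the bogon rules are built from a pf table: `pfctl -t bogons -T show` dumps the loaded IPv4 table (`bogonsv6` for IPv6), and `pfctl -t bogons -T test 203.0.113.1` reports whether a given address matches it. If your block is listed, the fix is to refresh the bogon list, not to disable the feature.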

