Re: [pfSense] Configs or hardware?

2018-02-15 Thread Joe Landman



On 02/15/2018 09:14 AM, Michael Munger wrote:

TL; DR.

On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there. I need
something that is the size of a router, but can do 1Gbps with pfSense.

Who's got working configs / hardware combos that do 1Gbps easily?


My home pfSense system is a 16GB ram, 4 core Intel E3-1220 with a quad 
port i350-t4 card.  I moved over to it yesterday from the VM I had been 
using.  Performance difference is striking.  Best effort out of the VM 
was about 44Mb/s for download on a 1Gb line.  Raw port was about 660 
Mb/s.  "New" (old from Ebay) unit is about 800 Mb/s +/- some.


As you get to higher bit rates, you need a) sufficient processor power, 
b) sufficiently powerful NIC hardware to offload the CPU for things the 
CPU doesn't do as well as the NIC.  I expect to keep this combo going 
until we get multi Gigabit service in our area.




Background.

I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.

There are several competing "router boards" (MikroTik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.



This unit is a cheap version of the small 1U boxen I used at my previous 
$dayjob for compute cluster/file system clients.  They were testing 
boxes, not too powerful for the high end of compute/networking (40Gb 
Infiniband), but able to drive load.  Lower spec boxes can't generally 
hack high data rates for any number of reasons.


--
Joe Landman
t: @hpcjoe
g: https://github.com/joelandman

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Hardware and usage opinion

2016-08-09 Thread Joe Landman



On 08/09/2016 09:53 PM, Joseph L. Casale wrote:

I have a site that has grown significantly over time and the role pfsense plays
went from only providing internet and vpn connectivity to routing between 2
dozen vlans at gig speeds. We are considering replacing the hardware and aren't
sure if the site is at the point where dedicated equipment is in order or possibly
a pair of pfsense units in a cluster. Truth is, managed switches that route with acls
are significantly more money than what a pfsense box can do.

How many of you guys have implementations which route lan traffic at these speeds
and high volumes? Anyone doing this with lags and a cluster?


A few years ago, we built a number of such units for customers, and for 
our own use.  4x 10GbE NIC ports on 2 NICs, 4x 1GbE NIC ports on 2 
NICs.  LAGed (actually multiple LAGs, typically ~4 per unit). Units 
handled multiple gigabit inbound speeds without issue for a long time 
(customers site).


We've built a number of others for other customers.   They usually come 
in much less expensive and often significantly more performant than the 
managed network/routers/firewalls from other places.






Thanks,
jlc



--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
e: land...@scalableinformatics.com
w: http://scalableinformatics.com
t: @scalableinfo
p: +1 734 786 8423 x121
c: +1 734 612 4615



Re: [pfSense] testing email

2015-04-08 Thread Joe Landman



On 04/08/2015 03:09 PM, Jeppe Øland wrote:

Same here ... hard to believe Gmail is bouncing...


They've been black holing some of my email (to and from) on this and my 
personal account.  Not going to SPAM either.  I also got the re-enable bit.




On Wed, Apr 8, 2015 at 11:58 AM, Mike Montgomery
onezero1010...@gmail.com wrote:

I got the same re-enable email to my gmail account.

On Wed, Apr 8, 2015 at 2:48 PM, WebDawg webd...@gmail.com wrote:


Same here,


Viruses being detected by my ASSP spam filter coming in from the list and
denying delivery.  Had to re-enable my account this AM.

Doug

--
Ben Franklin quote:

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety.




I am on gmail and I received an email to follow to re enable my account.


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
e: land...@scalableinformatics.com
w: http://scalableinformatics.com
t: @scalableinfo
p: +1 734 786 8423 x121
c: +1 734 612 4615



[pfSense] problems running pfSense 2.1.5 running in a kvm session

2014-11-05 Thread Joe Landman

Hi folks:

  We are working on running pfSense in a VM on a machine for a trade 
show.  The installation went fine, then I rebooted.  The attached image 
shows where it died.  Any thoughts on this?  Is this known not to work?


  I am using two bridges on a linux host, one each for 
internal/external network.  Using the virtio network device.  I'll try 
others, but would welcome any thoughts on this.


  VM config is:

2x virtual cores
4GB ram
8GB disk
2 nets, one WAN, one LAN, both virtio based

  Used the pfSense LiveCD 2.1.5 to install

  Thanks!


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Unbound

2014-02-15 Thread Joe Landman

On 02/15/2014 01:33 PM, Brian Caouette wrote:

CACHING


dnsmasq caches quite nicely.



On 2/15/2014 1:29 PM, Chris Bagnall wrote:

On 15/2/14 6:22 pm, Brian Caouette wrote:

I've been trying to use unbound with poor results. Currently it resolves
very very slowly. About 4 times longer than the default dns forwarder.
Once the site is found and loaded however browsing the site is
incredibly fast. Curious what might be the cause of the slow down on
initial lookup and how I might correct it?


OOI, what does Unbound offer you that the default DNS forwarder doesn't?

Kind regards,

Chris





--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615


[pfSense] is it possible to rename gateways in 2.1 release AMD64?

2014-01-07 Thread Joe Landman

Hi folks:

  I am trying to match a spec we've been given as precisely as 
possible.  I can't rename the gateways from the web interface.  Is it 
possible to rename them from hand editing the config.xml file? or some 
other method?


  Thanks!

Joe

--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615



Re: [pfSense] is it possible to rename gateways in 2.1 release AMD64?

2014-01-07 Thread Joe Landman

On 01/07/2014 03:09 PM, Walter Parker wrote:
Once you create a gateway, you can not rename it from the GUI. I had 
to delete and re-create my gateway in order to rename it.


Got it.  Thanks!


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615



Re: [pfSense] is it possible to rename gateways in 2.1 release AMD64?

2014-01-07 Thread Joe Landman

On 01/07/2014 03:02 PM, Matthias May wrote:

On 07.01.2014 20:52, Joe Landman wrote:

Hi folks:

  I am trying to match a spec we've been given as precisely as 
possible.  I can't rename the gateways from the web interface. Is it 
possible to rename them from hand editing the config.xml file? or 
some other method?


  Thanks!

Joe


Not sure I follow.
What is not working with:
Click on the System --> Routing --> Gateways on the e button next 
to the gateway you want to change the name of.

Set the name you want in the Name field.


It doesn't allow you to change names of gateways once they are set. I am 
not sure precisely why, but it simply does not work.





Regards
Matthias May



--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615



Re: [pfSense] Multi Wan via gateway groups breaking some websites

2013-12-12 Thread Joe Landman

On 12/12/2013 04:41 PM, Benjamin Swatek wrote:


On 11, Dec2013, at 15:14 , Joe Landman land...@scalableinformatics.com wrote:




[...]

So ... my question is, what diagnostics should I try to be able to 
identify the issue (some sites not working when the system is set in 
load balanced mode)?  I did try setting the sticky mode 
(System->Advanced->Miscellaneous), though I am not sure this is 
correct for outbound load balanced multi-wan.


Maybe an issue with HTTPS?
https://doc.pfsense.org/index.php/Multi-WAN_Version_1.2.x#Setting_up_for_protocols_that_don.27t_like_load_balancing

Ben


Could be ... Is there a way to make specific protocols sticky with 
respect to the gateway beyond what I did above?  I would imagine that 
SIP has to be (and our phones are working fine).




--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615



[pfSense] Multi Wan via gateway groups breaking some websites

2013-12-11 Thread Joe Landman

Hi folks

 I've run into an issue that has me somewhat confused.  Our multiwan 
router is up and working.  This is 2.1 release.  I've got 2 ports to 
two different network providers (different technologies at that).


Following the directions (https://doc.pfsense.org/index.php/Multi-WAN_2.0), I


1) set up a Gateway group called MultiWANGW which has both gateways.  
Both were originally set as tier 1.  More on this in a moment.


2) set up outbound LAN->any mapping to use the MultiWANGW in the Gateway 
of the LAN rule governing outbound traffic.


3) I have two distinct DNS servers set up per gateway under 
Systems->General.


I've verified that gateway monitor reports them working.  Actually 
everything appears to be working ... except ...


One or two sites (Ariba http://www.ariba.com  and a few others) seem to 
have some significant problems if I leave both gateways at tier 1.  Once 
I change it so that one (the slower backup one) is tier 2, it works.  
This has the impact of not doing an explicit load balance from what I 
have read on it.


So ... my question is, what diagnostics should I try to be able to 
identify the issue (some sites not working when the system is set in 
load balanced mode)?  I did try setting the sticky mode 
(System->Advanced->Miscellaneous), though I am not sure this is correct 
for outbound load balanced multi-wan.


Overall, it's working nicely, with a few strange things like this, with 
one larger exception that I have a work-around for.  More in next email.


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615



[pfSense] 1:1 NAT not working, but the equivalent port forward everything coming into a VIP to the internal unit is ...

2013-12-11 Thread Joe Landman

Hi folks:

  Trying to figure this one out.  Very simple concept, I want to take 
one virtual IP (VIP), and tie it to an internal (isolated) machine for 
customer/partner use.   I've done this before using other firewall 
appliances, and it works pretty well for its use case.  I just tried to 
do the same thing here.



External IP: a.b.c.d
Internal IP:  e.f.g.h
Internal Machine:  i.j.k.l

I started at Firewall->NAT->1:1

Added the rule:

External subnet IP:a.b.c.d
Internal IP: e.f.g.h
Destination:   i.j.k.l

Made sure I had a VIP setup with a.b.c.d.  I've got ping set up for 
testing, and it worked nicely.


Next I tried sshing to that box

ssh -vvv user@a.b.c.d

Nothing.  No negotiation, which usually means it can't reach it.  So I 
logged into the pfsense box, and did a


tcpdump -i em5  # the private NIC going to the isolated machine

at the shell.  I did not see the ssh traffic, or the pings.

Ok, I tried a few other combinations (changed internal IP to destination 
IP, and the converse of that).  Still nothing.


So I deleted that rule, and did a simple multi-port forward.  All 
TCP/UDP showing up for any port 1-65000 on a.b.c.d is port forwarded to 
the destination starting at port 1.


That worked.  I see the traffic with tcpdump, I can ssh in, etc.

But I don't like that, as it seems ... hack-ish.  I would think the 1:1 
would be cleaner (and use fewer states?), but I am not sure about this.


Is there any magic incantation, burn offerings, or typing one can do to 
diagnose this?  The tcpdump on the internal port on the pfsense box is a 
good indicator if packets are getting through.  Is there somewhere else 
to look on the system to watch the decision processes it makes during 
the pf filter pipeline?


Or should I simply be happy that it works, and not worry about it? I am 
happy to file a bug report if it makes sense, I figured I'd ask first to 
see if someone thinks this is pilot error (very well could be).


Thanks!


Joe

--

Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615



Re: [pfSense] 1:1 NAT not working, but the equivalent port forward everything coming into a VIP to the internal unit is ...

2013-12-11 Thread Joe Landman

On 12/11/2013 02:38 PM, Justin Edmands wrote:



Monitor blocked attempts under Status --> System Logs --> Firewall ... 
filter for the IP you want. If you see the block, click the small grey 
arrow with a plus sign next to the destination IP. This will create a 
rule and allow you to go to Firewall --> Rules to identify the proper 
rule setup to pass these SSH attempts.


Next, notice that these rules are in order...top to bottom. Here is 
the sentence at the bottom of all firewall rule pages:


*Hint: *

  * Rules are evaluated on a first-match basis (i.e. the action of the
first rule to match a packet will be executed). This means that if
you use block rules, you'll have to pay attention to the rule
order. Everything that isn't explicitly passed is blocked by default.


PS: By default, all blocked attempts are logged. After creating a 
rule, you can also turn on logging for the rules that pass. This will 
allow you to see the source/destination that is using the rule.





Thanks!


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
twtr : @scalableinfo
phone: +1 734 786 8423 x121
cell : +1 734 612 4615
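
Added illustration, not part of the thread or of pfSense's code: the first-match, default-deny evaluation described in the quoted hint, plus a check for rules that can never fire because an earlier rule covers them. The rule fields, function names and the RFC 5737 documentation addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    port: Optional[int]    # destination port, None = any


def matches(rule, proto, src, dst, port):
    """True if the packet falls inside every field of the rule."""
    return (
        rule.proto in ("any", proto)
        and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and rule.port in (None, port)
    )


def evaluate(rules, proto, src, dst, port):
    """Return (action, index of deciding rule). The first matching rule
    decides; a packet that matches nothing is blocked (index None)."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src, dst, port):
            return rule.action, index
    return "block", None


def covers(earlier, later):
    """True if every packet `later` could match is already matched by `earlier`."""
    return (
        earlier.proto in ("any", later.proto)
        and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
        and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
        and earlier.port in (None, later.port)
    )


def shadowed(rules):
    """List (index, index of covering rule) for rules that can never decide a packet."""
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                found.append((i, j))
                break
    return found


# Constructed rule set: a broad block placed above the SSH pass it was meant to sit below.
BLOCK_SERVERS = Rule("block", "any", "0.0.0.0/0", "198.51.100.0/24", None)
PASS_SSH = Rule("pass", "tcp", "0.0.0.0/0", "198.51.100.10/32", 22)
WRONG_ORDER = [BLOCK_SERVERS, PASS_SSH]
RIGHT_ORDER = [PASS_SSH, BLOCK_SERVERS]

if __name__ == "__main__":
    packet = ("tcp", "203.0.113.5", "198.51.100.10", 22)
    print(evaluate(WRONG_ORDER, *packet), shadowed(WRONG_ORDER))
    print(evaluate(RIGHT_ORDER, *packet), shadowed(RIGHT_ORDER))
```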



[pfSense] Multi-Wan config question(s)

2013-10-20 Thread Joe Landman

Hi folks

  We are replacing a black box multi-wan FW appliance with 2.1 running 
on one of our boxen.  Our config is multi-wan (ipv4 only), and we want 
to do load balancing (asymmetric, by the bandwidth ratio).  We'll have 
standard desktop and server machines running behind it, as well as SIP 
phones.


  I'd set up non-load balanced units before with CARP and VIPs for 
failover.  This is a single unit for the moment, though we might do the 
CARP with VIP for failover here as well at some point (I might just set 
up one side, so I can do the other side later on).


  I looked at the multi-wan docs

https://doc.pfsense.org/index.php/Multi-WAN_2.0

https://doc.pfsense.org/index.php/2.1_New_Features_and_Changes#Multi-WAN

https://doc.pfsense.org/index.php/MultiWanVersion1.2


http://www.netlife.co.za/tech-guides/46-linuxoss-and-networking/34-bsd-dual-wan-router-using-pfsense.html


http://www.netlife.co.za/tech-guides/46-linuxoss-and-networking/47-advantagesdisadvantages-of-dual-wan-routing.html


Basically my questions are on the setup side for a single box in the 
CARP scenario.  I am assuming that the following is the right path, 
based upon the documentation


1) setup a gateway group using both WANs.  The documentation sometimes 
refers to setting up 3 gateway groups for failover and load balance.  Is 
this still recommended?


2) when we create the WAN connections, is it necessary to provide a 
default gateway for a port?  That is, I have 2 WANs, call them WANa, and 
WANb.  During setup WANa is the initial default WAN, and it requires a 
gateway to be setup.  During config of WANb (one of the OPT interfaces), 
a gateway is not required per se, but may be configured.


This question boils down to this.  Should I configure a WANa and WANb 
default gateway (that's default for the WAN connection)?  It seems that 
both should have it, but I am not entirely sure.


3) SIP and related configuration:  Do we need to do anything special 
with outbound NAT (maybe point to the gateway group rather than the 
default GW), and have the states be sticky for a particular path (so if 
they start going out WANb, that session remains going out WANb so as not 
to break things, absent a failure of WANb)?


4) are there any updated tutorials on this, or should I use the 2.0 doc 
from above?


Thanks in advance!

Regards

Joe


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/siflash
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615


[pfSense] [Filters engaged]

2013-10-09 Thread Joe Landman
I just worked out setting up new filters for the recent S/N destroying, 
high tin-foil-hat content, on gmail.  Since people pleading for this to 
go away hasn't worked, technological measures to restore S/N for my 
inbox on this list have been engaged.


Please folks, take the tin foil hat discussion elsewhere.  Please?


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics, Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/siflash
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615


[pfSense] 2.1 timeline?

2012-06-27 Thread Joe Landman
Hi folks ...  any guidance on the 2.1 timeline?  Is it considered stable 
for end user use yet?  I'd prefer to deploy things actually marked as 
stable (we have 2.0.1 in use at customer sites, and are playing with it 
internally).  I'd like to get 2.1 up for better driver support (and ease 
of building drivers).  Thanks!


Joe

--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/sicluster
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615




Re: [pfSense] High interrupt load on LAGG with LACP

2012-06-04 Thread Joe Landman

On 06/04/2012 09:38 PM, Glenn Kelley wrote:

Chris

That is good to know.
I have some wireless backhauls pushing well over 100mbps

So better to know now vs later
any suggestions on hardware for the sky in that case?


We've built some boxen for customers for pfSense with up to 8x 1GbE 
ports, and several with dual 10GbE ports.  Building the 10GbE driver for 
2.0.1 was a bear, and it doesn't load correctly on some of the units*, 
but these are fairly capable units, and we were pushing about 1Gb/s 
through a unit at a customer site.


People are inclined to skimp on these designs ... it's a mistake if you 
have lots of traffic to move.


* a request for the next pfSense release would be driver building 
environment installable package (much like the other packages) with the 
minimum subset of tools we need to compile drivers for pfSense.  We can 
usually fix/port drivers for alternative versions of FreeBSD, but 
sometimes, it's very helpful to have the exact version of the kernel 
headers/compilers used.



--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/sicluster
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615



[pfSense] question on NAT capabilities/methods and VPN setup

2012-05-09 Thread Joe Landman


Here's what we are trying to do .   I've got pfSense up and I've got 5 
WAN IP addresses in the WAN subnet.


a.b.c.d
a.b.c.d+1
a.b.c.d+2
a.b.c.d+3
a.c.d.d+4

I would like to NAT by specific address, and add VPN functionality to 
only specific IPs.  So d is our primary for most traffic, d+1 should get 
OpenVPN traffic, d+2 to d+4 should NAT to specific machines.  A few 
ports on each are fine, though we could do a full on 1:1 NAT if needed.


My question is how, precisely to go about this.  That is, I have the 
major functions (ssh, web, mail) traversing the d address, and NATting 
to a specific set of machines handling those functions.  That works 
well.  How do I get the NATting working on the other IPs?  IP Aliasing 
the WAN address and then mapping to that alias?  I ask as I've tried 
quite a few things that seem sensible, and none of them work.


Now I want to set OpenVPN on d+1.  Should I IP Alias the d+1 and give it 
a name?  And while I am at it, is there a way to debug the OpenVPN 
setup?  I've set OpenVPN up many a time by hand, without problems.  My 
first attempts now ... I can't even get it to start negotiating. 
OpenVPN is quite finicky, but I think this is repeated pilot error on my 
part, and it's mostly with the user interface.  Do I need to build the 
CA, then the server certs, then the user certs for this (this is what 
I've done).


I am assuming pfSense can handle what I want here, both on the NATting 
and OpenVPN side.  But I seem to be lost on this.  I've set up many such 
systems (using different appliances and software stacks) in the past ... 
not a complete noob ... but I did get stuck here.  Any hints are 
welcome, and I'm going to keep poring over the book.


Thanks!

--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/sicluster
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615



[pfSense] Question on how to install a build environment for drivers

2012-04-18 Thread Joe Landman

Hi folks

   I need to compile a driver for pfSense (specifically the Solarflare 
10GbE driver, but possibly others).  I tried with a VM of FreeBSD 8.1 on 
a different machine, but I couldn't see the driver after pkg_add ... 
and a kldload sfxge .  Is there a way to pull a full build environment, 
specifically for drivers, into an install of pfSense?  I am running 
2.0.1-STABLE.


   Thanks!

Joe

--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/sicluster
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615


[pfSense] Running into some very basic problems: can't seem to get port forwarding working ...

2012-04-15 Thread Joe Landman

Hi folks:

 Have pfSense 2.0.1 stable installed on a machine we are using for 
testing.  2x em network ports. Have em0 configured as WAN with IP 
10.100.241.121/16, and em1 configured as LAN with IP 192.168.3.1/16.


I can reach the LAN port with ssh/others easily.  No issues.  I turned 
on ICMP response on the WAN, and can ping that as well.


Ok.  Want to set up a simple external port forward from WAN->LAN 
(specific IP on LAN).  Logged in through GUI, and set this up


WAN   TCP   *   *   WAN net   22 (SSH)   192.168.1.171   22 (SSH)

This host uses a different default gateway ... 192.168.1.1/16 .  I can 
(and have) set up a virtual machine on the 192.168.3.0/16 net using the 
3.1 machine as a gateway, and redirected ssh there.  This works, fine as 
it turns out.


My question is, how (if at all) can I configure pfSense to handle the 
case where it isn't the primary gateway?  That is, it's being used as a 
router for external traffic, but the primary gateway is on a different 
router.  Do I need to add a specific route back on the client side, or 
is this something pfSense can automagically handle?



--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/sicluster
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615



Re: [pfSense] Running into some very basic problems: can't seem to get port forwarding working ...

2012-04-15 Thread Joe Landman

On 04/15/2012 03:57 PM, Ernst den Broeder wrote:

The host sees the packet as coming from !192.168.0.0/16 and will
route to its default gateway.  If you're just playing around, you could
add a route for 10.100.0.0/16 on your host to 192.168.3.1.


I did try this, but I don't think it worked.



The way you refer to 193.168.1.1/16 and 192.168.3.1/16 makes me wonder
if you understand that they are both in the same subnet.  (just


Yes ... this is something specific a customer wants, with their internal 
gateway as a primary, and various sites routed through the pfSense firewall.


I didn't add any specific NAT rule entries beyond the basic entry I had 
done.


I am sure I am missing something obvious (and pilot error is strongly 
suspected on my part).


--
Joseph Landman, Ph.D
Founder and CEO
Scalable Informatics Inc.
email: land...@scalableinformatics.com
web  : http://scalableinformatics.com
   http://scalableinformatics.com/sicluster
phone: +1 734 786 8423 x121
fax  : +1 866 888 3112
cell : +1 734 612 4615
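
Added illustration, not part of the thread: the reply-path decision Ernst den Broeder describes, modelled as a longest-prefix-match lookup on the forwarded-to host. The pfSense, gateway and host addresses are the ones quoted above; the client address 10.100.5.20, the routing-table layout and all function names are constructed for the example.

```python
import ipaddress

# Addresses taken from the thread; CLIENT is a constructed sample address
# on the pfSense WAN network (10.100.0.0/16).
PFSENSE_LAN = "192.168.3.1"
OTHER_GATEWAY = "192.168.1.1"
HOST = "192.168.1.171"
CLIENT = "10.100.5.20"

# Routing table of the forwarded-to host as described in the thread: one
# on-link /16 and a default route via the other router. Gateway None = on-link.
HOST_ROUTES = [
    ("192.168.0.0/16", None),
    ("0.0.0.0/0", OTHER_GATEWAY),
]


def next_hop(routes, dst):
    """Longest-prefix match: gateway of the most specific route covering dst.
    None means the destination is on-link and is reached directly."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def reply_path(routes, client, firewall_lan):
    """Classify where the host sends its reply to a connection that the
    firewall forwarded in without rewriting the client's source address."""
    hop = next_hop(routes, client)
    if hop is None:
        return "on-link"       # host answers the client directly
    if hop == firewall_lan:
        return "symmetric"     # reply goes back through the firewall that holds the state
    return "asymmetric"        # reply leaves via a router that never saw the SYN


def with_route(routes, prefix, gateway):
    """Copy of the table with a static route added. The gateway must be
    on-link for the host, otherwise the route is unusable."""
    if next_hop(routes, gateway) is not None:
        raise ValueError(f"gateway {gateway} is not directly reachable")
    return routes + [(prefix, gateway)]


if __name__ == "__main__":
    print("default table:", reply_path(HOST_ROUTES, CLIENT, PFSENSE_LAN))
    fixed = with_route(HOST_ROUTES, "10.100.0.0/16", PFSENSE_LAN)
    print("with static route:", reply_path(fixed, CLIENT, PFSENSE_LAN))
```

The static route only changes the path for 10.100.0.0/16; every other destination still leaves through the host's existing default gateway.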
