Re: [pfSense] Bandwidth Mismatch between pfSense and Data Center Provider...

2018-05-23 Thread Melvin Backus
Is it possible these numbers are for both interfaces on the pfSense box? If
so, do they include both inbound and outbound traffic for both? That would
effectively double the true data transfer if traffic isn't being routed
between other subnets / interfaces on the firewall.  I don't have RRD loaded
so this is strictly speculation on a possible cause.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chuck
Mariotti
Sent: Wednesday, May 23, 2018 1:57 PM
To: list@lists.pfsense.org
Subject: [pfSense] Bandwidth Mismatch between pfSense and Data Center
Provider...

We've run into a data overage situation at a datacenter... We get charged a
premium per GB over 500GB (yes I know, stupid). Their reporting system seems
to indicate significantly less data usage vs pfSense's RRD reporting...
their billing system seems to be indicating overage similar to their
reporting... Uploads seem to be growing significantly. Any idea why the
pfSense box seems to be counting differently than the datacenter's metrics?
We need to track down where this usage is happening, but I know users have
only grown ~5% over that same period of time.

Here are stats for each month:

Month           Datacenter (Upload/Download)   pfSense RRD (Upload/Download)
January         618.95GB/76.01GB               1372.41GiB/148.91GiB
February        365.25/47.15GB                 1388.65/149.60GiB
March           799.92/79.81GB                 1697.71/152.24GiB
April           801.67/105.01GB                1706.53/200.86GiB
May (to 23rd)   581.57/76.26GB                 1177.95/139.55GiB


Any suggestions how or why there is a mismatch?

Regards,

Chuck
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold




Re: [pfSense] Upgrades to 2.4.3.x failing after updating metadata

2018-05-17 Thread Melvin
Lots of ISPs still make you do that for managed circuits.

Sent from BlueMail

On May 17, 2018, 10:56, at 10:56, John Johnstone wrote:
>On 5/16/18 12:25 PM, WebDawg wrote:
>
>> It is high risk compared to serial, but when you are doing the job
>> remotely, and the pfsense device is your core router, how do I log in
>> and see the serial data?
>
>Dial-up modem?  Just couldn't resist...
>
>-
>John J.

Re: [pfSense] pfsense on watchguard xtm 810?

2018-02-16 Thread Melvin
I've had good luck in similar cases by installing on a generic machine then 
putting the media in the target box.

On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen  wrote:
>Hi List,
>
>I need to install pfsense 2.4 on watchguard xtm 810. there is issue as it
>does not boot from usb stick, only from cf or sata.
>
>Any idea how to install pfsense on it? it works with 2.3 nano-vga image,
>but such is not available for pfsense 2.4
>
>--
>Eero


Re: [pfSense] CARP Demotion Not Working

2017-11-03 Thread Melvin
But think of the time you would have wasted instead. Just trading a little 
pride for time. Seems like a good deal most times. 

On Nov 3, 2017, 15:02, at 15:02, Andrew Kester  wrote:
>Actually, it looks like Node B was indeed in maintenance mode.  Setting
>it back to normal seems to have resolved the problem.
>
>(That always seems to happen: send mail to a mailing list and it's 
>something silly on my end)
>
>---
>Thanks!
>
>Andrew Kester
>The Storehouse
>https://sthse.co
>
>On 11/3/17 11:23 AM, Steve Yates wrote:
>> Are you using the "enter persistent maintenance mode" here?  I'm
>> trying to remember when I looked at this a couple years ago but overall
>> if we shut down node A, node B takes over, and when A boots up it
>> becomes Master again.  However if I enter maintenance mode first
>> (forcing B to Master) then B stays as Master after A comes up again.
>>
>> I have seen the occasional situation where we exit maintenance mode
>> and the IPv6 CARP WAN IP ends up with *both* routers showing as Master,
>> but at that point I restart node B and it clears out (we have CARP IPs
>> for two LANs and a WAN, and both IPv4 and IPv6, on two virtualized
>> routers).
>> 
>> --
>> 
>> Steve Yates
>> ITS, Inc.
>> 
>> -----Original Message-----
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Andrew Kester
>> Sent: Friday, November 3, 2017 10:49 AM
>> To: list@lists.pfsense.org
>> Subject: Re: [pfSense] CARP Demotion Not Working
>> 
>> An update on this, if the master node is rebooted during a failure, the
>> secondary node takes over correctly and remains the master as would be
>> expected.
>>
>> This makes me think that the priority is set correctly but the second
>> node for some reason isn't honoring the advskew set by the master correctly.
>> 
>> To illustrate what I mean-
>> 
>> -------------------
>> | Node A | Node B |
>> -------------------
>> | M M    | B B    | Normal, Node A is master on all CARP IP's
>> | M X    | B M    | Failure, incorrect though.  Node B should be master.
>> | - -    | M M    | Node A Offline, B takes over as master correctly
>> | B X    | M M    | After restart, correct behavior.  Node B is master.
>> -------------------
>> M - Master
>> X - Down
>> B - Backup
>> 
>> I've also run through the CARP troubleshooting guide here to no avail.
>> https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting
>>
>> Let me know if you need more information or clarification, I'm not sure
>> the best way to illustrate / communicate my problem.
>> 
>> ---
>> Thanks,
>> 
>> Andrew Kester
>> The Storehouse
>> https://sthse.co
>> 
>> On 11/1/17 3:30 PM, Andrew Kester wrote:
>>> Hi List,
>>>
>>> I'm having an issue with CARP preempt.  I have two pfSense machines
>>> running 2.4.1-RELEASE.  CARP fails over all individual IPs correctly,
>>> but doesn't preempt correctly in the case of a single failure.
>>>
>>> On both machines, I've checked that net.inet.carp.preempt is enabled.
>>> The master appears to be detecting the demotion, as it sets
>>> net.inet.carp.demotion to 240 during a failure, but ifconfig still
>>> reports advskew as 0.
>>>
>>> I'm not 100% sure if that number should update, or if the demotion
>>> number is added to the advskew reported by ifconfig.
>>>
>>> Relevant sysctl, ifconfig, and log output taken from the master firewall
>>> during a failure is attached.
>>>
>>> Any help is greatly appreciated!
>>>
>>> ---
>>> Thanks,
>>>
>>> Andrew Kester
>>> The Storehouse
>>> https://sthse.co
>>>

Re: [pfSense] speed problems with SG-1000

2017-05-15 Thread Melvin
Based on the product page the max throughput as you described would seem to
be 200Mbps.

https://www.netgate.com/products/sg-1000.html

See the notes at the bottom of the page.


-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of John DeSoi
Sent: Monday, May 15, 2017 6:42 PM
To: list@lists.pfsense.org
Subject: [pfSense] speed problems with SG-1000

I just purchased a SG-1000 for use with my Google Fiber installation. I did
minimal configuration of the SG-1000, only changing the LAN address to
192.168.200.X (GF is 192.168.100.X). I hooked the WAN port to one of the GF
ethernet ports and then my laptop to the LAN port on the SG-1000. Using GF
performance test, the upload/download speed is only about 10% of what I get
compared to plugging my laptop directly into the GF ethernet port (1000 Mbps
versus 100 Mbps using the SG-1000). The SG-1000 shows both ethernet
connections are 1000baseT. Shouldn't this device be able to do basic routing at
the full speed of the WAN connection?

I did the same setup with a consumer router (ASUS) and it has no problem
with upload/download over 900 Mbps. 

John DeSoi, Ph.D.



Re: [pfSense] bind domain specific forwarder

2016-09-22 Thread Melvin
What you're trying to accomplish is something we commonly do with conditional 
forwarders, but they would forward all requests to a specific domain so 
site1... and site2... would have to be separate domains.  I don't use bind to 
do that personally but I would assume it has that capability. Perhaps that will 
at least give you the proper search terms to find more info.



On Sep 22, 2016, 15:58, at 15:58, Steve Yates  wrote:
>I don't know if you need forwarding for this.  Can you just add an NS
>record to the example.com zone for site2.example.com pointing to
>10.0.10.1 (well, a hostname that points to that IP)?
>
>--
>
>Steve Yates
>ITS, Inc.
>
>-----Original Message-----
>From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Satish Patel
>Sent: Thursday, September 22, 2016 2:54 PM
>To: pfSense Support and Discussion Mailing List
>
>Subject: [pfSense] bind domain specific forwarder
>
>I have two offices connected over VPN, and both sites have their own bind
>running in pfSense. Now site1 clients can resolve their DNS entries
>but I want site1/2 both to resolve each other's entries. In short I want
>to tell DNS if you see site2.example.com then forward that query to
>site2 DNS server.  I have tried a couple of things but they didn't work. I have
>disabled DNS resolver / DNS forwarder services. I am only using bind
>server, it has enable DNS Forwarding but if I do that it didn't start my
>bind service.
>
>
>site1 ---VPN-site2
>
>
>I want something like this in bind but don't know how do i add this?
>
>zone "site2.example.com" IN {
>    type forward;
>    forwarders {
>        10.0.10.1;
>    };
>};

Re: [pfSense] Firewall Hardware/Setup for Datacenter...

2015-02-06 Thread melvin
If you're going to have 2 systems you can cluster them and make anything you're 
running HA even without duplicate vms.

-------- Original message --------
From: Chuck Mariotti <cmario...@xunity.com>
Date: 02/05/2015 22:22 (GMT-05:00)
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...

Thanks… I am leaning that way I think… just trying to wrap my head
around if it is worth trying to buy more ram + more storage (HW RAID) to make
them ESXI worthy to run VMs, or if I should just keep it basic… the ESXI is
tempting since I can at least make the secondary server do other stuff instead
of just waiting for a failure on primary. Trying to think of useful virtual
machines to run that are not mission critical if a machine dies (since not
raid), don’t have license to real-time replicate it on the VMWare side, but
that might be useful for datacenter...
  
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason Whitt
Sent: February-05-15 3:23 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Firewall Hardware/Setup for Datacenter...

I would add that for "data center" workloads the apu's may not be
the best choice ... Those 8 core atoms are plenty for multi 1gig feeds and
the nic's are solid.

Sent from my iPhone
  
On Feb 5, 2015, at 12:38 PM, Jeremy Bennett <jbenn...@hikitechnology.com> wrote:

Jason is correct. Those Supermicro boxes are awesome. Be careful when
ordering though... they want ECC memory.

The APUs from Netgate are nice too–the year of bundled support has already
saved my bacon a number of times. Well worth the cost.
 
On Thu, Feb 5, 2015 at 9:19 AM, Jason Whitt <jason.wh...@gmail.com> wrote:

I've run as vm's using vmxnet3's as well as physical on these
http://m.newegg.com/Product/index?itemnumber=16-101-837

Both are viable options.

Jason

Sent from my iPhone
  
On Feb 5, 2015, at 11:11 AM, Walter Parker <walt...@gmail.com> wrote:

I've used pfSense in a VM on my ESXi application server. This is mostly to
firewall the Windows VMs from the Internet.

If you want fail-over, I'd suggest getting one of the new Netgate
(http://store.netgate.com/NetgateAPU2.aspx or
http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or pfSense
(https://www.pfsense.org/hardware/#pfsense-store) embedded systems with an
SSD. Then you can run a full install that supports package installs with a
power budget of ~10-15 Watts for the APU units. Then you have a choice of
getting a second HW unit for an additional $400 to $1000, or setting up
pfSense in a VM (not on a separate VMware server, on an existing VM server).

The higher end HW systems on those pages are 8 core Atom systems built to
run pfSense (of course, the power requirements will be in the 100W range).
With an SSD, these systems should last for a long time with no issues.

How much firewall horsepower do you need? What are your constraints (time,
money, space)?

P.S. You can run packages on embedded in 2.2, you just want to be careful
not to run packages that would trash the SD card with too many writes.

Walter
 
On Thu, Feb 5, 2015 at 9:40 AM, Chuck Mariotti <cmario...@xunity.com> wrote:

Have been using pfSense for years at our datacenter, very happy with it
running on old dedicated hardware with failover. The hardware is overdue to be
retired and I’m wondering what people are doing/recommending for a datacenter
setup. We want to use OpenVPN Server, IDS, dBandwidth, etc… so need to keep
our option open for the ability to run packages... behind it we are running
multiple servers and vCenter/ESXI servers.

What’s the go-to setup for a datacenter these days?

Do we stick with two dedicated boxes?
Since we pay for power, nice to have lower power… So do we go as low as using
embedded hardware? It used to not be recommended for packages… still the case
I assume?

So I’m leaning towards some of the newer SuperMicro Atom boxes (quad core, or
8 core!!??! etc…).

But then I see so many people running pfSense in VMWare and I wonder if we
should consider this. Then I think about the hardware needs and VMWare
Licensing (would like to avoid)… and what else can I run on the hardware
along side without hurting pfSense from running properly, etc…

If pfSense is setup to failover, that means the hardware can be cheap…. No
RAID needed.

If dedicated, do I go with Hard Drives/SSD drives? USB? We need packages… can
I run it off of USB stick then or do I still need HDD/SSD?

If setting up new hardware so can run pfSense as Virtual Machines… I would
need two VM Hosts running pfSense as VM’s so would have the failover... What
should we

Re: [pfSense] Traffic routing issue

2014-12-12 Thread melvin
What you're seeing is the proxy doing what you've told it to do. When the pc on
the lan side (any vlan) requests a connection to a server the proxy makes that
request on its behalf and returns the packets sent back from that request.  In
order for that to happen on a secured connection the proxy must set up a secure
connection to the remote server (or in your case other interface server) as well
as a separate secure connection between the proxy and the originating client
pc. Doing it any other way requires either passing the traffic directly through
the firewall or breaking the secure connection.  This is one of the
consequences of doing NAT. I'm guessing the main complaint is that the firewall
cert isn't trusted and triggers browsers.

-------- Original message --------
From: Ryan Clough <ryan.clo...@dsic.com>
Date: 12/12/2014 13:58 (GMT-05:00)
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Traffic routing issue

Oliver,

I apologize, I should have been more clear. The problem is exhibited from all
VLANs if I force the use of the web server's public IP. I only just discovered
it while testing the guest WiFi on the restricted VLAN.

To answer your questions:

The pfSense router is not aware of any VLANs, we use a layer 3 switch that
sits just inside from the pfSense router that routes traffic that must exit
the LAN to the pfSense router.

I have attached screen shots of my port forward rule and the auto-generated
firewall rule.

Thank you very much for your help.

Ryan Clough
Information Systems
Decision Sciences International Corporation


 
On Fri, Dec 12, 2014 at 9:15 AM, Oliver Hansen <oliver.han...@gmail.com> wrote:

What does the allow rule on the restricted vlan and the NAT rule look like?

On Dec 11, 2014 11:24 PM, "Ryan Clough" <ryan.clo...@dsic.com> wrote:


I am hoping that one of you out there can assist me with this rather 
interesting problem I am having. Let me set the stage.


I am running the latest stable version of pfSense:
2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16

I am running transparent Squid and Squidguard, and all IP ranges have access 
to use the proxy.


I have two WAN connections, each with a handful of public IPs. I have created 
an IP alias virtual IP of one of my public IPs on WAN1, which is used to NAT 
to a web server.


We have an internal DNS server that resolves the domain name of a web server 
to the local LAN IP address. So, all computers on unrestricted VLANs access 
the web server without having to hit the pfSense router at all. This works as 
expected and the valid certificate is served and the web page loads.


We have one restricted VLAN that is used for guest WiFi access and this VLAN 
is assigned external DNS servers and therefore resolve the domain name to the 
public IP.



Now my problem. When connected to the guest WiFi on the restricted VLAN and 
attempting to access the web server on its public IP, which is assigned to a 
virtual IP on WAN1, I get served the certificate from the pfSense router. I 
can tell that this is the pfSense self-signed certificate because of the 
details of the certificate displayed in the warning. I also get this behavior 
if I force a computer on an unrestricted VLAN, using the hosts file, to 
resolve the host name of the web server to its public IP.


What is going on here? I can provide more information if needed. Thank you for 
your time.

Ryan Clough
Information Systems
Decision Sciences International Corporation

Re: [pfSense] Making an install CD

2014-10-31 Thread melvin
Yes windows burns ISO files as bootable disk. I do it regularly.

-------- Original message --------
From: Ryan Coleman <ryan.cole...@cwis.biz>
Date: 10/29/2014 00:57 (GMT-05:00)
To: Mark Hisel <mark_hi...@yahoo.com>, pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Making an install CD

Does windows 7 actually burn disc images? Have you tried active ISO
instead to burn the image? I believe it's free.

--
Ryan Coleman
Publisher, d3photography.com
ryan.cole...@cwis.biz
m. 651.373.5015
o. 612.568.2749

On Oct 28, 2014, at 20:07, Mark Hisel mark_hi...@yahoo.com wrote:

I can't seem to make an install CD.  I downloaded the ISO, unzipped it from the 
gz file using 7-ZIP, and burnt the disk image using win7.  The CD has a bunch 
of directories but only one file; the copyright.  What did I do wrong? I'm 
trying to install onto an HP DL380 but the CD is a non-system disk.