[pfSense] Strange Limiter Behaviour
I am sure that I did something wrong here and I was wondering if someone could explain what. I have a cable connection that is rated at 50/10 Mb. If I let it go on its own I will get about 60/12 Mb but I will also get bufferbloat in the range of 2000 to 3000 ms. To deal with this I wanted to use limiters and limit the traffic on my WAN to about 55/10 MB. I created a limiter for download speed and one for upload and then created a floating rule with the interface of WAN, direction of in, and set my limiter. Then I created another floating rule for the out direction.

Here is the strange part: the limiter seemed to do what I wanted, but with the limiter active, this is what I see in a traceroute to Google DNS:

# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  bulldog (10.1.1.1)  0.261 ms  0.233 ms  0.213 ms
 2  google-public-dns-a.google.com (8.8.8.8)  0.573 ms  0.370 ms  0.755 ms
 3  google-public-dns-a.google.com (8.8.8.8)  0.733 ms  0.915 ms  1.103 ms
 4  google-public-dns-a.google.com (8.8.8.8)  8.309 ms  9.100 ms  9.098 ms
 5  google-public-dns-a.google.com (8.8.8.8)  11.277 ms  11.266 ms  11.251 ms
 6  google-public-dns-a.google.com (8.8.8.8)  11.598 ms  11.409 ms  11.379 ms
 7  google-public-dns-a.google.com (8.8.8.8)  10.632 ms  8.283 ms  9.084 ms
 8  google-public-dns-a.google.com (8.8.8.8)  12.264 ms  12.008 ms  13.683 ms
 9  google-public-dns-a.google.com (8.8.8.8)  11.283 ms  13.656 ms  11.252 ms
10  google-public-dns-a.google.com (8.8.8.8)  13.577 ms  13.581 ms  13.572 ms
11  google-public-dns-a.google.com (8.8.8.8)  12.265 ms  12.253 ms  12.041 ms
12  * * google-public-dns-a.google.com (8.8.8.8)  5.030 ms
13  google-public-dns-a.google.com (8.8.8.8)  4.196 ms  8.344 ms  8.337 ms
14  google-public-dns-a.google.com (8.8.8.8)  9.941 ms  9.625 ms  9.462 ms

But, with the limiter disabled, things look more normal.

# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  bulldog (10.1.1.1)  0.243 ms  0.215 ms  0.200 ms
 2  10.1.10.1 (10.1.10.1)  0.374 ms  0.360 ms  0.536 ms
 3  border.hoganzoo.com (gw_address)  0.728 ms  0.723 ms  0.897 ms
 4  96.120.13.133 (96.120.13.133)  7.680 ms  8.870 ms  8.651 ms
 5  ae-105-rur102.aurora.co.denver.comcast.net (162.151.38.37)  11.258 ms  11.447 ms  11.429 ms
 6  ae-2-rur101.aurora.co.denver.comcast.net (68.86.128.33)  12.526 ms  12.323 ms  12.306 ms
 7  ae-24-ar01.denver.co.denver.comcast.net (68.86.103.13)  13.553 ms  12.348 ms  12.535 ms
 8  be-33652-cr02.1601milehigh.co.ibone.comcast.net (68.86.92.121)  13.707 ms  9.035 ms  9.424 ms
 9  be-11721-cr02.denver.co.ibone.comcast.net (68.86.86.77)  9.826 ms  10.056 ms  10.227 ms
10  be-11795-pe02.910fifteenth.co.ibone.comcast.net (68.86.83.6)  9.619 ms  9.606 ms  10.558 ms
11  173.167.58.142 (173.167.58.142)  9.559 ms as1239-pe01.ashburn.va.ibone.comcast.net (75.149.228.174)  10.154 ms  10.136 ms
12  108.170.252.193 (108.170.252.193)  10.131 ms 108.170.252.209 (108.170.252.209)  10.112 ms 108.170.252.193 (108.170.252.193)  10.102 ms
13  64.233.175.71 (64.233.175.71)  14.131 ms 64.233.175.43 (64.233.175.43)  14.102 ms 64.233.175.71 (64.233.175.71)  8.878 ms
14  google-public-dns-a.google.com (8.8.8.8)  8.848 ms  9.255 ms  9.852 ms

Ahhh, What ?!?!?

Thanks for any ideas.

Regards,
Tim
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
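A small check that makes the oddity in Tim's first trace mechanical: it parses traceroute output and lists every intermediate hop that answers with the destination's own address. This is an added example, not something from the post; the sample inputs are trimmed excerpts of the two traces above.

```python
import re

# Trimmed excerpts of the two traces quoted in the post (constructed sample input).
WITH_LIMITER = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  bulldog (10.1.1.1)  0.261 ms  0.233 ms  0.213 ms
 2  google-public-dns-a.google.com (8.8.8.8)  0.573 ms  0.370 ms  0.755 ms
 3  google-public-dns-a.google.com (8.8.8.8)  0.733 ms  0.915 ms  1.103 ms
12  * * google-public-dns-a.google.com (8.8.8.8)  5.030 ms
14  google-public-dns-a.google.com (8.8.8.8)  9.941 ms  9.625 ms  9.462 ms
"""
WITHOUT_LIMITER = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  bulldog (10.1.1.1)  0.243 ms  0.215 ms  0.200 ms
 2  10.1.10.1 (10.1.10.1)  0.374 ms  0.360 ms  0.536 ms
11  173.167.58.142 (173.167.58.142)  9.559 ms as1239-pe01.ashburn.va.ibone.comcast.net (75.149.228.174)  10.154 ms  10.136 ms
14  google-public-dns-a.google.com (8.8.8.8)  8.848 ms  9.255 ms  9.852 ms
"""

HEADER = re.compile(r"^traceroute to \S+ \((?P<dst>[^)]+)\)")
HOP = re.compile(r"^\s*(?P<n>\d+)\s+(?P<rest>.*)$")
# One responder is "name (address)"; a hop line may carry several of them.
RESPONDER = re.compile(r"(?:\S+\s+)?\((?P<ip>[^)]+)\)")


def parse_traceroute(text):
    """Return (destination address, {hop number: set of responding addresses})."""
    dst, hops = None, {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            dst = m.group("dst")
            continue
        m = HOP.match(line)
        if not m:
            continue  # blank or unrelated line
        hops[int(m.group("n"))] = {r.group("ip") for r in RESPONDER.finditer(m.group("rest"))}
    return dst, hops


def suspicious_hops(text):
    """Hop numbers, before the final hop, at which the destination itself 'answers'."""
    dst, hops = parse_traceroute(text)
    if not hops:
        return []
    last = max(hops)
    return sorted(n for n, ips in hops.items() if n != last and dst in ips)
```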
Re: [pfSense] [Bulk] IP Alias -vs- Proxy ARP for NAT
I have seen that page and I don't know about saying it all. I still cannot figure out what the advantages and disadvantages are. All I want is to be able to do a 1:1 NAT with some public IP addresses. These addresses do not need to be used by the firewall directly. So in this case it would sound like using Proxy ARP would be the best choice. But are there any disadvantages? What about performance?

Regards.

On 3/8/2015 7:42 AM, PiBa wrote:
> Says it all: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
> Which is better, that depends on what you need it to do.
>
> Tim Hogan wrote on 8-3-2015 at 13:48:
>> I am setting up my firewall to do 1:1 NAT with a block of public IP addresses. I have found several posts about setting up 1:1 NAT and some of them say to use Proxy ARP when creating the Virtual IP and others say to use IP Alias. Can someone fully explain the difference between the two and offer an opinion as to which would be better to use?
>>
>> Regards
Re: [pfSense] Design Best Practice Question
Ed, I like your idea with using 1:1 NAT but just one question: if you use SSL with the certificate on the web server, will the 1:1 NAT mess with that?

Regards,
Tim

On 3/6/2015 9:52 PM, ED Fochler wrote:
> Bridging will disable firewall and DHCP on modem, this should be expected. If it works, then you're using it just fine. I have my DMZ hosts like that on a separate network on OPT1 with their own IP range and 1:1 nat rules. It feels more segregated that way to me than the bridging firewall scenario. That would be my inclination on firewall best practices and least privilege blah blah blah.
>
> ED.
>
> On 2015, Mar 6, at 4:16 PM, Tim Hogan t...@hoganzoo.com wrote:
>> I am looking for some advice from the group about the best way to put pfSense in my environment so that it can filter all traffic. The cable provider that I use has given me a /29 of static IP addresses and one of those addresses is assigned to the cable modem. When I asked about putting the modem into bridging mode I found out that their idea of bridging is to disable the firewall and DHCP service on the modem. So this is what I have come up with so far.
>>
>> Cable Modem: 70.70.70.94
>> pfSense WAN: 70.70.70.93 (also my NAT address for the LAN)
>> pfSense LAN: 10.100.100.1/24
>> pfSense OPT1: bridged to WAN interface, no IP address
>>
>> The OPT1 interface is connected to a switch that has the other devices with the remaining IP addresses in the 70.70.70.89/29 space and I have the firewall rules for this space on the WAN interface. It seems to work but I am wondering if I am using the bridging feature correctly. Any thoughts?
>>
>> Thanks,
>> Tim
Re: [pfSense] Design Best Practice Question
Yes, I guess I want to know if the bridge is set up correctly when one of the interfaces in the bridge has an IP address that is being used for the NAT address for my internal LAN.

Regards,
Tim

On 3/6/2015 3:07 PM, WebDawg wrote:
> On Fri, Mar 6, 2015 at 2:16 PM, Tim Hogan t...@hoganzoo.com wrote:
>> I am looking for some advice from the group about the best way to put pfSense in my environment so that it can filter all traffic. The cable provider that I use has given me a /29 of static IP addresses and one of those addresses is assigned to the cable modem. When I asked about putting the modem into bridging mode I found out that their idea of bridging is to disable the firewall and DHCP service on the modem. So this is what I have come up with so far.
>>
>> Cable Modem: 70.70.70.94
>> pfSense WAN: 70.70.70.93 (also my NAT address for the LAN)
>> pfSense LAN: 10.100.100.1/24
>> pfSense OPT1: bridged to WAN interface, no IP address
>>
>> The OPT1 interface is connected to a switch that has the other devices with the remaining IP addresses in the 70.70.70.89/29 space and I have the firewall rules for this space on the WAN interface. It seems to work but I am wondering if I am using the bridging feature correctly. Any thoughts?
>>
>> Thanks,
>> Tim
>
> I do not understand the question. Using the bridge feature correctly?
[pfSense] Design Best Practice Question
I am looking for some advice from the group about the best way to put pfSense in my environment so that it can filter all traffic. The cable provider that I use has given me a /29 of static IP addresses and one of those addresses is assigned to the cable modem. When I asked about putting the modem into bridging mode I found out that their idea of bridging is to disable the firewall and DHCP service on the modem. So this is what I have come up with so far.

Cable Modem: 70.70.70.94
pfSense WAN: 70.70.70.93 (also my NAT address for the LAN)
pfSense LAN: 10.100.100.1/24
pfSense OPT1: bridged to WAN interface, no IP address

The OPT1 interface is connected to a switch that has the other devices with the remaining IP addresses in the 70.70.70.89/29 space and I have the firewall rules for this space on the WAN interface. It seems to work but I am wondering if I am using the bridging feature correctly. Any thoughts?

Thanks,
Tim
[pfSense] How do I stop noise to logs
Hello All,

I am using pfSense v2.2 and I have been seeing a bunch of firewall log entries blocking traffic to the 169.254.0.0/16 netblock. This traffic seems to be created by an older NAS that I have and I really do not want these messages in my logs. So, my thought was that I would create a rule on my LAN to block that traffic and I would just make sure that the log traffic option was unchecked. That did not work. When I look at the log entry I see the following message:

The rule that triggered this action is:
@8(100102) block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"

Where on earth is that rule so I can remove the log option? Or is there a setting that I missed somewhere?

Thanks,
Tim
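Why a later LAN rule with logging unchecked cannot silence that entry: pf walks the ruleset top to bottom, and a matching rule marked `quick` ends the search, so whatever matched first decides and logs. This added example (not from the thread) parses the rule text quoted above and a constructed stand-in for a user rule; the stand-in's rule number, id and interface name are placeholders.

```python
import ipaddress
import re

# Rule quoted in the post, followed by a constructed stand-in for a user-made LAN rule
# with logging unchecked (placeholder number/id/interface). Order is evaluation order.
RULES = [
    '@8(100102) block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"',
    '@200(1425000000) block drop in quick on em1 inet from any to 169.254.0.0/16 label "USER_RULE"',
]

RULE_RE = re.compile(
    r"^@(?P<num>\d+)\((?P<id>\d+)\)\s+(?P<action>pass|block)(?:\s+drop)?\s+"
    r"(?P<dir>in|out)(?P<opts>.*?)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)


def parse_rule(text):
    """Pull out the fields that matter for logging decisions: number, action, log, quick, dst."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule: " + text)
    opts = m.group("opts").split()
    return {
        "num": int(m.group("num")),
        "action": m.group("action"),
        "log": "log" in opts,
        "quick": "quick" in opts,
        "dst": m.group("dst"),
    }


def _matches(rule, dst_ip):
    if rule["dst"] == "any":
        return True
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule["dst"], strict=False)


def evaluate(rules, dst_ip):
    """First-match-quick semantics: return (number of the deciding rule, whether it logs).
    A matching non-quick rule is remembered and may be overridden later; a matching
    quick rule stops evaluation immediately."""
    decided = None
    for rule in map(parse_rule, rules):
        if not _matches(rule, dst_ip):
            continue
        decided = rule
        if rule["quick"]:
            break
    return (decided["num"], decided["log"]) if decided else (None, False)
```

With both rules loaded, a packet to a link-local address is decided and logged by rule 8; the user rule only gets a say if rule 8 is absent.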
Re: [pfSense] 2.2-RELEASE now available!
I was able to get vnstat to work by running the following commands:

cd /var
mkdir lib
cd lib
ln -s /cf/conf/vnstat

After running those commands all of my previous data was available.

Regards,
Tim

On 1/25/2015 3:54 AM, Doug Lytle wrote:
> Brian Caouette wrote:
>> Lightsquid and vnstat2 do not work with 2.2. Can anyone else confirm?
>
> I cannot comment on Lightsquid, but I can confirm my vnstat2 is non-functional. I've just re-installed the package, I'll see if that fixes it.
>
> Doug