Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-31 Thread compdoc

On 03/31/2017 02:15 PM, Jim Thompson wrote:

> I claim that a simple "fill the pipe with large packets" test is
> useless to understand the performance of the system.  All the work is
> on a per-packet rather than per byte basis, unless you don't have DMA
> or are doing some type of DPI.



I suppose there are as many goals as there are people in search of
solutions. My point of view is as a system builder, and I'm sure it is very
different from yours. For myself and others I've seen, it's all about
choosing the right x86_64 parts for the job...


One of my goals was to provide just enough performance to pass a dsl 
speed test for my connection. Plus to keep the power bill low. Comcast 
provides the fastest connections in my area, and my own connection is 
only 60/6 down/up and is fairly expensive.


For that, a cheap 25w tdp AMD 5350 cpu can handle pfsense, snort, 
pfBlockerNG, nut, and a couple of ipsec tunnels without breaking a sweat.


A nearby client has a 118/21 Mbps connection, however they had other 
needs, so pfsense (plus snort & pfBlockerNG) is running as a guest on an 
ubuntu server with qemu-kvm.


That system is an Ivy Bridge i5 that they provided, and also has a 
win7pro and a centos 6 guest, running alongside pfsense. I could only 
make that that work with a fast cpu like their i5.


Anyway, others I've seen in the IRC channel, and I think in this list,
who are lucky enough to have 1G connections, are wanting to squeeze
every drop of speed out of it. Using off the shelf PC hardware because we
like building, and because we're cheap bastards.


Luckily for you, there are people and businesses who just want a fast 
and reliable and *small* appliance, along with excellent support.





___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-31 Thread compdoc
(My last email seemed to go to the wrong area. Hope you don't mind if I 
try again...)



On 03/28/2017 10:32 AM, compdoc wrote:

> Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a
> newer model AMD APU could keep up.



I wanted to clarify what I said before. You don't need an i5. Any sandy 
bridge class cpu, or newer has the ability. Including the 4/8 core Atoms 
and sandy bridge Celerons.


It's because of their bus speed of 5 GT/s DMI. Newer cpus have 8 GT/s DMI.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-31 Thread compdoc

On 03/28/2017 10:32 AM, compdoc wrote:

> Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a
> newer model AMD APU could keep up.


I should clarify what I said. You don't need an i5. Any sandy bridge 
class cpu, or newer has the ability. Including the 4/8 core Atoms and 
sandy bridge Celerons.


It's because of their bus speed of 5 GT/s DMI. Newer cpus have 8 GT/s DMI.


Re: [pfSense] looking for silent and powerful pfsense hardware

2017-03-28 Thread compdoc

On 03/28/2017 08:41 AM, WebDawg wrote:


> It seems to me that NAT and general firewalls should be easily handled?  Am
> I wrong here?  I mean, how much hardware do you need for pf to function at
> 1gbps??  Would not offloading help here too?


I've run tests on AMD and Intel cpus that I happened to have in stock
using BSDRP. This is simple, router-only software based on BSD. It has
no services running (nat, snort, etc.), so no overhead to slow it down.


To get the full bandwidth of gig ethernet required using Intel nics. I 
also found that sending or receiving full gigabit was easy even for 
low-power cpus. But routing it, meaning in one port and out another, 
required a more powerful cpu.


Of the cpus I had to test, only an Intel i5-2400 (sandy bridge) and a 
newer model AMD APU could keep up. All these tests were using standard 
x86_64 desktop hardware. No server-based parts were needed.


However, I think that router-boards can route full Gig ethernet without
such powerful cpus. Even cheap gigabit network switches can pump gig
ethernet in one port and out another, at full speed. I'm not sure how
router-boards and network switches do this. I'm guessing it's done using
specialized hardware.


None of the urls or examples posted in this thread so far address the
actual throughput of the equipment being used, so don't assume everything
suggested will work at the speed you want.



Re: [pfSense] pfsense really slow

2016-09-02 Thread compdoc
>though the web interface is incredibly slow.

I think I remember that if your CPU doesn't support a certain built-in
feature, the gui can be slow. 

But then it could be something else. Is cpu use high?




Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread compdoc
> I'd suggest that before you slag programs, you not rely on old, outdated,
> biased information.

Spinrite 6 is a twelve-year-old program that seemed cool back in the day, but I
would never recommend it to anyone now.

Repairing computers for a living, I'm always on the lookout for useful tools. I
don't find Spinrite useful.

I once watched spinrite work on a failing HDD for a day and a half, and it did
nothing more than place additional wear on the drive. Does that make me biased?

Speaking of outdated... In 2013 Steve Gibson said he would finally update it,
but nothing so far?

Here's an interesting quote:

Gibson said that he could "see absolutely no possible benefit to running
SpinRite on a solid-state drive" and later "SpinRite is all about mechanics and
magnetics, neither of which exist, by design, in an SSD"

And for your information, SMART records events. Some of those events will
happen under load, since that's the nature of mechanical drives.

However, a bad sector is a bad sector and, load or no, that does not change.
Once they start to fail you replace the HDD, not try to repair it.

Modern drives automatically reallocate sectors, meaning bad sectors are
replaced with spares. Not even spinrite can recover lost data from these spare
sectors that have never been used before.

As for me, these days I install only SSDs in desktop systems that run 24/7, and
also use them as boot drives for servers. Over the years I have had only one
SSD fail, and it did show pending sectors in SMART.
 


Re: [pfSense] 3 hard locks this week... any ideas?

2016-09-01 Thread compdoc
>>Coming back tonight to do memtest, SpinRite on the SSD, etc...,

Spinrite on an ssd is a terrible idea. It's an ancient program that's even a
bad idea to use on hard drives.

It doesn't even work on drives larger than 1TB, because it was written in a
time when drives were not that big. And there was no such thing as an SSD
back then. Toss spinrite in the trash.

If you want to know if a drive is failing, you just have to ask it. Just
read the SMART info recorded in the drive.

Memtest86+ on the other hand is a great idea, but you should let it run as
many passes as possible. One or two passes is fine for new equipment, but
with old ram that might be flaky, it's best to run overnight or at least 4
or 5 passes.

If the motherboard is 4 or 5 years old, you might check for swollen
capacitors, and many of the low cost power supplies go bad in a year or two.


A bad PSU will have swollen caps and burned components inside, but it can be
risky opening it if you aren't a technician.
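The "just read the SMART info" advice above, turned into a check, as an added Python example that is not part of the original messages: it parses an attribute table in the layout `smartctl -A` prints and raises a finding when the sector-health counters the thread keeps coming back to (reallocated, pending, offline-uncorrectable) are non-zero, or when a Pre-fail attribute has reached its threshold. The two tables embedded below are constructed samples, not output captured from a real drive, and the attribute ids are the usual ATA SMART numbers.

```python
"""Flag a drive that is starting to fail from its SMART attribute table.

Input is text in the layout printed by `smartctl -A` (id, name, flag, value,
worst, thresh, type, updated, when_failed, raw). SAMPLE_* below are constructed
examples, not output captured from a real drive.
"""

# ATA SMART attribute ids whose raw count should stay at zero on a healthy disk.
SECTOR_HEALTH_ATTRIBUTES = {
    5: "Reallocated_Sector_Ct",
    187: "Reported_Uncorrect",
    197: "Current_Pending_Sector",
    198: "Offline_Uncorrectable",
}

SAMPLE_FAILING = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   092   092   000    Old_age   Always       -       6123
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

SAMPLE_HEALTHY = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       410
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""


def parse_smart_attributes(text):
    """Return {attribute_id: fields} for every attribute row; other lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].isdigit():
            continue  # column header, blank line, or informational text
        attrs[int(fields[0])] = {
            "name": fields[1],
            "value": int(fields[3]),
            "worst": int(fields[4]),
            "thresh": int(fields[5]),
            "type": fields[6],
            # Only the leading number of RAW_VALUE is used; vendor annotations
            # such as "(Min/Max 20/45)" that some drives append are ignored.
            "raw": int(fields[9]),
        }
    return attrs


def assess_drive(attrs):
    """Return a list of findings; an empty list means nothing in the table looks bad."""
    findings = []
    for attr_id, name in SECTOR_HEALTH_ATTRIBUTES.items():
        attr = attrs.get(attr_id)
        if attr is not None and attr["raw"] > 0:
            findings.append(f"{name} (id {attr_id}): raw count {attr['raw']} is non-zero")
    for attr_id, attr in attrs.items():
        # A Pre-fail attribute whose normalized value has reached its threshold
        # is the drive's own prediction of imminent failure.
        if attr["type"] == "Pre-fail" and attr["value"] <= attr["thresh"]:
            findings.append(
                f"{attr['name']} (id {attr_id}): value {attr['value']} "
                f"at or below threshold {attr['thresh']}"
            )
    return findings


def drive_looks_failing(text):
    """True when any finding is raised for the given attribute table."""
    return bool(assess_drive(parse_smart_attributes(text)))


if __name__ == "__main__":
    for label, sample in (("failing", SAMPLE_FAILING), ("healthy", SAMPLE_HEALTHY)):
        print(label, assess_drive(parse_smart_attributes(sample)) or ["no findings"])
```

The pending-sector counter is the one the thread singles out (the one SSD failure mentioned above showed it), and a pending count that later drops while the reallocated count rises is the remap the post describes: the data in those sectors is already gone, so the useful response is a replacement and a restore from backup, not a repair tool.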





Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I didn't even realize that Nut was back. That's great. 





Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I'm sure there's a webpage with the list, but this seemed something I could
do easily while waiting for a proper response. 





-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Bryan D.
Sent: Friday, June 17, 2016 4:18 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] How to determine supported packages without
installing

On 2016-Jun-17, at 2:35 PM, compdoc <comp...@hotrodpc.com> wrote:
> I think this is complete:
> <snip'd>

Thanks.  Looks like I can proceed with an update to 2.3.

Regardless, I still think there should be a way to authoritatively determine
this info via the pfSense web site -- ideally, for all releases, minimally
for the current release.  Perhaps the generation of such a page could be
added to the build/release tools?  Alternatively, porting pfSense's packages
pages to run on the pfSense site could provide the current-release info.




Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread compdoc
I think this is complete:

2.3.1-RELEASE-p5 (amd64) 
 built on Thu Jun 16 12:53:15 CDT 2016 
FreeBSD 10.3-RELEASE-p3


arping  1.2.2_1
AutoConfigBackup1.45
Avahi   1.11_2
Backup  0.4_1
bind9.10_8
blinkled0.4.7_1
Cron0.3.6_2
darkstat3.1.2_1
freeradius2 1.7.3_1
FTP_Client_Proxy0.3_2
gwled   0.2.4_1
haproxy 0.47
haproxy-devel   0.47
iftop   0.17_2
iperf   2.0.5.5_1
LADVD   1.2.1_2
Lightsquid  3.0.4
mailreport  3.0_1
mtr-nox11   0.85.6_1
nmap1.4.4_1
Notes   0.2.9_2
nrpe2.3.1_1
nut 2.3.0
OpenBGPD0.11_4
Open-VM-Tools   1280544.13_2
openvpn-client-export   1.3.8
Quagga_OSPF 0.6.13
routed  1.2.3_2
RRD_Summary 1.3.1_2
Service_Watchdog1.8.3
Shellcmd1.0.2_2
siproxd 1.1.2_2
softflowd   1.2.1_2
squid   0.4.18
squidGuard  1.14_3
sudo0.2.9_2
suricata3.0_7
syslog-ng   1.1.2_3
System_Patches  1.1.4_1
zabbix-agent0.8.9_2
zabbix-proxy0.8.9_2



Re: [pfSense] Snort or Suricata

2016-06-13 Thread compdoc
> How do you have Snort configured to differentiate between incoming and
> outgoing traffic?

I guess I used a poor choice of words. It's mainly 'HTTP Inspect' that's the
problem. It watches any http traffic, which is mainly outgoing in our case.

On the Services / Snort / Interfaces page, edit your interface. And then click
the 'WAN Preprocs' tab.

I used to just disable HTTP Inspect, but at some point in time snort in pfSense
started displaying a large warning.

So, in that section there's a 'Server Configurations' option. I have one
configuration named 'default', and you might have the same.

Edit default, and there's a Ports area where you specify an alias which
contains the ports snort should watch for HTTP traffic. I use port 10, but it
can be any unused port. Now snort listens on port 10 for HTTP traffic and never
hears any.

Also on the WAN Preprocs tab, there's an option 'Portscan Detection' which I
enable. I think I leave most of the other options on defaults.

Mine is configured for the VRT rules, GPLv2 Community Rules, Emerging Threats
(ET) Rules, and a list named 'emerging-compromised-ips.txt' on the IP lists tab.

However, I edit the snort interface and check 'Use IPS Policy' and then choose
'IPS Policy Selection: Connectivity'. I believe when you do this, snort decides
which one of the rulesets it will use.

Occasionally, as rules get updated snort will start blocking something that it
wasn't blocking before, and you have to add those rules to the suppress list.
This doesn't happen too often, though.


Re: [pfSense] Snort or Suricata

2016-06-12 Thread compdoc
>Maybe is suricata better? What are the difference?

I've never tried suricata so I can't say if it's better, but snort works
pretty well. There is one problem with snort, however. It can watch incoming
traffic as well as outgoing traffic.

But when snort watches outgoing traffic, it flags and blocks almost
everything. That's too much trouble for me, so I have snort set up to only
watch incoming traffic.

Even then, you will have to watch the alert and blocked lists to make sure
it doesn't block sites you need. That doesn't happen too often, though. 

When it does happen, you just click to add those rules to the suppress list
and remove the ip addresses from the blocked list. 

 



Re: [pfSense] PFSense for high-bandwith environments

2016-02-18 Thread compdoc
> Using Intel E3-1270s and Intel 10G Nics

I can't point to a specific setup, but something to look at...

Your xeon is a sandy bridge with a max transfer rate of 5 GT/s, which is
very nice but the new Skylake cpus are 8 GT/s.

Also, there's always a possibility of equipment failure/setup problems... 





Re: [pfSense] pfblockerng

2016-01-23 Thread compdoc
>> The top10-2.txt file has last been updated in July 2015 according to 
>> my curl command and is not auto-documented.

I find I'm only using "http://www.malwaredomainlist.com/hostslist/ip.txt"
these days.

Am I already hacked?




Re: [pfSense] Two queries from intending new user

2015-11-18 Thread compdoc
> Does installing pfSense, especially, using the "Quick/Easy Install option",
> allow for installation so as to allow for multiple boot options

No, it will erase the hard drive and set up a freebsd file system. Might be
worth using another drive altogether to preserve the old drive, or use
clonezilla to make a copy of the drive to a network share, or saved as a
file to another drive.



> Is it possible, with the "Quick/Easy Install option", to retain the current
> LAN configuration,

They use the 192.168.1.1/24 address to make it easy to navigate to the
first time. But when you begin to configure it, it asks what address you
want to use.



Re: [pfSense] Status - Traffic Shaper - Queues

2015-09-24 Thread compdoc
> This message never made it to the list

Received this one...






Re: [pfSense] Kernel problem after upgrade 2.2.3 to 2.2.4

2015-08-03 Thread compdoc
> Thanks for your response, but my installation is on
> a physical machine, and there was no disk space issue.


Be sure to check the hard drive's SMART info. It's the best way to tell if
the drive is failing.





Re: [pfSense] Access Point Recommendations?

2015-07-20 Thread compdoc
A lot of good info in these posts, but no real hardware recommendations...





Re: [pfSense] Access Point Recommendations?

2015-07-17 Thread compdoc
> Does anyone have any recommendations for small office access points?


I use a Zyxel WAP3205 v1, which was fairly inexpensive. I use pfSense to
provide DHCP and rules for the clients, and have the features in the WAP
that are said to be easy to hack disabled. (like WPA Compatible, and WPS) 

So, it's basically used as a dumb 802.11 b/g/n radio. However, I do use
the mac filter in the WAP. This is more work for me to add a device, but I
only have a couple of devices that use it.

Range is great, and I actually set the Output Power to 50% so it can't be
seen as far away. 

Newer versions are about $45 on amazon.





Re: [pfSense] Cannot Spoof MAC

2015-07-11 Thread compdoc
> I ended up spending over an hour trying to get that little system
> to pick up a DHCP address for their Comcast router.


Once upon a time, Comcast used to install their modems and register the mac
address of the NIC of the customer's computer. Sort of a way of preventing
their customers from stealing service, I suppose. 

But now, they don't care. All you have to do is power down the modem, attach
it to whatever NIC you like, and power it up. It will see the change of MAC
and dhcp assign an ip to whatever is there. 

I've heard, that you can also just clear the ARP table of the modem to do
the same thing, but power off/on might be easier. 





Re: [pfSense] IPSEC Tunnel with NAT not working under 2.2.3

2015-07-07 Thread compdoc
> I updated to 2.2.3 over the weekend, and now my tunnel no longer works
> correctly, even though my settings haven't changed.


The same thing happened to me. I had to change the Encryption algorithm from
AES256 to 3DES to get it to work. 

There's talk this will be fixed in the next release. 





Re: [pfSense] How to Install PFSENSE in VM

2015-06-30 Thread compdoc
> I use Ms. Windows 7 32 bit, and I use Vmware Workstation 7...

Make sure you use a 32bit version of pfSense. I assume Vmware Workstation 7
is already installed and running?

Always go 64bit Operating Systems in the future. 





[pfSense] pfsense behind netscreen

2015-05-01 Thread compdoc
There is an oncology clinic using a Juniper SSG5. They have a couple of
ipsec connections that require policy-based routing with mapped IP
addresses. (MIP)

I can't provide that with pfSense, but I do want to use pfSense to give them
protection like squid w/ antivirus, and snort, and pfblocker. 

From what I can tell, all the attack detection and other security features
of that type in the Netscreen are disabled. 

They recently added a second WAN connection because their Integra connection
is about 4.5 Mbps. So, they have two WAN connections that I need to support.

I'm thinking I could place the pfSense box in front of the Juniper and
forward ipsec to it, or I could place pfSense behind the Juniper.

The customer wants to know which websites are being accessed by its users,
so if pfSense were behind the Juniper the reports could better associate the
users' addresses with the websites they're going to. (I think)

Any thoughts?

Thanks!



Re: [pfSense] Squid + Squidguard

2015-04-21 Thread compdoc
> The command '/usr/pbi/squid-amd64/sbin/squid -k reconfigure' returned exit
> code '1'
> ...
> squid: ERROR: No running copy'


If you type the following on the command line, do you get any output?


 squid -k shutdown  

Use your browser to start squid again.


useful log:

/var/squid/logs/cache.log


Also, you might try squidGuard-devel if you have the 'squid' package
installed, instead of squid3.





Re: [pfSense] no stable ipsec connection after upgrade to 2.2

2015-02-25 Thread compdoc
> peer client ID returned doesn't match my proposal

I have two ipsec tunnels and after the upgrade, for one tunnel I had to
change the 'Peer identifier' on my side to use the IP address it was seeing.
Been working great since. 






Re: [pfSense] Dual Port NIC ports

2015-02-21 Thread compdoc
> Is there any advantage or disadvantage to using the two ports on a dual
> port NIC vs. one port each on two different dual port NICs?


Hopefully, the dual-port Intel Nics are pci-e, and so will be the fastest.
The legacy Intel NIC could be PCI, and will be a bit faster than the Marvell
nics.

I use the slower nics for connecting to stuff like waps, or less critical
nets.





Re: [pfSense] 2.2 Packages

2015-01-30 Thread compdoc
> Where is a good place to monitor for package updates for 2.2?

If you click the text in the Status column on the Available Packages tab,
you're taken to a page that shows the change logs for that package.



Re: [pfSense] New pfSense 2.2 install

2015-01-29 Thread compdoc
> The link I'm working with is:
>
> http://www.malwaredomainlist.com/hostslist/ip.txt


When an alias is created with this url, do you know where the list is stored
on pfSense? I just want to see if I've created the alias correctly and that
the list matches the ip addresses in the url. 

Thanks
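One way to do the check the post asks for (does the alias the firewall loaded match the IP list behind the URL?), as an added Python example that is not part of the original messages: it parses a one-entry-per-line list of addresses and CIDR prefixes, rejects malformed lines instead of silently dropping them, and diffs the fetched list against the copy the firewall holds. The two lists below are constructed samples using RFC 5737 documentation addresses, not the real feed; where pfSense stores its copy of a URL-table alias is not given here, so the loaded text is assumed to have been read from that file on the box.

```python
"""Validate a downloaded IP blocklist and compare it with what the firewall loaded.

SOURCE_LIST and LOADED_LIST are constructed samples in the one-entry-per-line
format the post's URL serves; they are not the real feed. The path of the
firewall's own copy of the alias is an assumption left to the operator.
"""
import ipaddress


def parse_ip_list(text):
    """Return (networks, rejected): parsed host/CIDR entries and (lineno, text) of bad lines."""
    networks, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set inside a prefix (e.g. 10.1.2.3/24);
            # a bare address becomes a /32 (or /128) so it compares equal to its CIDR form.
            networks.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append((lineno, raw))  # keep the line so the operator can inspect it
    return networks, rejected


def compare_lists(source_text, loaded_text):
    """Entries in the fetched list but not loaded, and loaded but absent from the source."""
    source, _ = parse_ip_list(source_text)
    loaded, _ = parse_ip_list(loaded_text)
    return {
        "missing": sorted(str(n) for n in source - loaded),
        "unexpected": sorted(str(n) for n in loaded - source),
    }


SOURCE_LIST = """\
# constructed sample of a hostslist-style feed (RFC 5737 documentation addresses)
192.0.2.10
198.51.100.0/24
203.0.113.5
not-an-ip-address
"""

LOADED_LIST = """\
192.0.2.10/32
198.51.100.0/24
"""

if __name__ == "__main__":
    networks, rejected = parse_ip_list(SOURCE_LIST)
    print(f"{len(networks)} valid entries, {len(rejected)} rejected: {rejected}")
    print(compare_lists(SOURCE_LIST, LOADED_LIST))
```

A non-empty "missing" set means the firewall is not blocking everything the feed lists (the alias was created wrong, the download failed, or the table has not refreshed yet); "unexpected" entries mean the alias holds addresses the feed no longer publishes. Rejected lines are worth looking at too, since a feed that starts serving HTML or junk will otherwise quietly shrink the table to nothing.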





Re: [pfSense] Release 2.2 - more problems than success by upgrades / looping packet installations / sshd is not working any more / crashes on X5550 CPU

2015-01-27 Thread Compdoc
> Do have more of you had similar problems ?

I upgraded one firewall and everything works fine except that I use the squid 
and  HAVP packages together, but HAVP is broken. Running commands like clamd 
and freshclam don't work. 
I don't know how to file a bug report so I created a topic in the forums, and 
others have the same problem. Also, in the irc support channel, people are 
having odd problems like yours. Might be best to wait on upgrades.


Re: [pfSense] How to change driver for NIC

2015-01-07 Thread compdoc
> It is only pfSense 2.2, that has this not usuable speed from other VM's
> in the Xenserver.

I installed xenserver with a pfSense guest on a machine, and had the same
problem. Traffic from hosts on the lan through the pfSense guest to the wan
is nice and fast, but traffic from other guests through pfSense drops to a
crawl. 

From what I can gather, this is a problem with the freebsd 10 drivers, and
not really related to pfSense. 

And unfortunately, you can't change the NIC emulation in xenserver for
guests. I tried in several ways. Freebsd 10 senses the xen environment and
installs the xen NIC drivers and there seems no way to change this. 

There are enough people with freebsd having this problem that I'm sure this
will be fixed before long.





Re: [pfSense] How to change driver for NIC

2015-01-04 Thread compdoc
> Can anyone give me a description of, how to change driver ?

Well, you would need to change the NIC itself. I haven't tried this, but the
following url explains the problem and might help fix the problem. 

http://www.netservers.co.uk/articles/open-source-howtos/citrix_e1000_gigabit

I switched to KVM because of the limitations of XenServer's networking.



___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] How to change driver for NIC

2015-01-04 Thread compdoc
> Is it impossible to try to improve on pfSense 2.2's problem in pfSense

You might not be the only person having the problem, but I haven't
researched to know for sure. 

Sometimes, it's possible to do the work and discover the problem yourself.
There are a few areas of experimentation that might lead to the problem, or
to the solution...

First of all, it's possible that there is a problem with that version of
pfSense. Something that may be fixed before or after its release. 

Or, its possible there is a problem with the drivers for the virtual nics in
that version of freebsd. Guess that would be either the 100baseT Realtek NIC
emulation, or the xenserver NIC drivers if you have managed to install
those. 

You can see if a better or newer driver exists. I have compiled realtek's
newest freebsd drivers myself and used them, for example.

If you were to try the e1000 emulation as suggested in the url I posted and
saw no improvement, that knowledge might be a great help to the community.  

Finally, there's the actual server hardware itself. It takes a certain
speed and type of cpu to host virtual machine firewalls. Also, certain brands
of network cards perform better than others. Maybe you can describe these...



Re: [pfSense] APU and SSD: full install or NanoBSD

2014-11-26 Thread compdoc
> Bottom line, squid and SSD are not a good combo.

I've used several SSDs over the years running pfSense and linux and windows
OSes. Work just like hard drives, except might actually be more reliable.

There is one exception: none of the SSDs I used were PC Engines.



Re: [pfSense] problems running pfSense 2.1.5 running in a kvm session

2014-11-05 Thread compdoc
> Any thoughts on this?  Is this known not to work?

If you know vi commands, you can type:

sudo virsh edit pfSense  (substitute the actual VM name)

Look for the line like:

<type arch='x86_64' machine='pc-i440fx-trusty'>hvm</type>

This line will be different depending on the version of KVM and the choices you
made when you created the VM. The example above is from a working pfSense VM,
but sometimes machine='pc-1.0' works too.

Also, in Virt Manager, I usually select Processor > Configuration > Copy host
CPU configuration, to give the guest all the features of the host's cpu.
However, if this causes problems, selecting 'qemu64' can work well for some
systems.

By the way, although pfSense/freebsd does support virtio, you have to take 
steps to enable the driver. It's usually less work and more reliable to use 
e1000 nics.




Re: [pfSense] APU and SSD: full install or NanoBSD

2014-10-30 Thread compdoc
> Things will get outrageous soon with the advent of M.2 PCI SSDs on a x4
> connection.

The speeds of m.2 on x4 do look amazing, but the prices and sizes of them
probably means that not many people will be tossing them into their
firewalls anytime soon.

For projects like firewalls, and to act as server boot drives, I use 60GB
ssds that I find on sale. With 60, 120, etc. sata drives you get the latest
technologies.

I've owned and installed almost every brand over the last few years, and
have only had one OCZ drive fail. The first two ssd's I purchased were 60GB
Vertex 2 drives that still work fine.

Of course, you deal with far more of them than I do, but I trust SSDs as
much as hard drives.

By the way, I use zfs on several large arrays, and don't see why anyone is
against it. Guess I missed the discussion.


Re: [pfSense] Making an install CD

2014-10-29 Thread compdoc
> I can't seem to make an install CD.  I downloaded the ISO, unzipped
> it from the gz file using 7-ZIP, and burnt the disk image using win7.

Those are the same tools I use to create bootable CDs/DVDs. Windows 7 can burn
an iso without having to install any programs.

I would have to guess something went wrong with the download, or with the
mirror you used to d/l the file. Did you actually try booting the cd after
burning it?

Do you have the url for your download? I could test it...


Re: [pfSense] pfsense h/w

2014-10-22 Thread compdoc
> A proven hardware platform, available in the UK with at least 6 physical
> network ports, I can probably justify buying

Not much info. Got an url for that?


Re: [pfSense] trying to install

2014-10-22 Thread compdoc
> Thanks for that link, none of it seems to apply as the box is not booting
> from the media at all, says there is not a bootable media present

Just a shot in the dark, but is there a bios/firmware update for your system?
Sometimes they correct problems they find after it's been sold for a while.


Re: [pfSense] trying to install

2014-10-21 Thread compdoc
> I've been trying to install 2.1.5 into a
> http://www.mini-itx.com/store/~FX5624

The specs look ok. I would think it supports most 'nix distros.

Unfortunately, that website doesn't say if it supports booting from USB. Does
the manual say it can?

> I've tried several ways to write the .iso to disk

I like to be sure about what people are saying. You're not trying to copy the
iso file onto a cd or disk? You're using burning software, right?

Can you boot your FX5624 with other live cd's, like Ubuntu or freebsd, etc?

Or maybe try booting memtest86. That's small and boots quickly, and it's always
good to test the ram.


Re: [pfSense] NIC support

2014-10-17 Thread compdoc
I wanted to add one more thing. Maybe this will help avoid future
misunderstandings...

Ulrik Lunddahl asked:

> Will A SMB without L3 capable switches, that needs routing between 3-4 local
> subnets (LAN, SERVERS, WIRELESS/GUEST, OTHER/DMZ) as close to wirespeed as
> possible, be happy with a C2758. ?

Now, I realize that the vast majority of users and businesses in the world
don't need a wirespeed router, and they have no idea what one is. Their
internet connections just aren't fast enough to require one, and they don't use
them internally.

The fact that Ulrik was asking this question means that he not only knows what
one is, but he has a specific requirement.

I've seen others asking this same question on IRC but with a different
requirement: they were getting Google Fiber connections and they knew enough to
want a server powerful enough to take full advantage of the connection. One guy
I saw chose a system with fairly expensive dual Xeon cpus. I thought he was
crazy.

Their questions made me curious, and I decided to see just which hardware I had
on hand could reach gigabit line-rates. (pkt-gen measures this bandwidth as
714.23 Mbps (raw 999.92 Mbps), at 1.488Mpps)

I was surprised at the results. Nics connected to the PCI bus were dogs. Nics
connected to the PCI-e bus were lots faster, and some could reach 1.488Mpps.
Also, nics with 4 pci-e lanes were faster than nics with 1 pci-e lane.

Furthermore, I found that to forward packets at 1.488Mpps requires not only a
fast NIC, but also a cpu that is capable of pushing traffic through that fast.

The only cpus I had on hand that were capable were an Intel i5, and a newly
released Amd Kaveri APU. (with Steamroller cores)

Anyway, Ulrik asked if he'd be happy with a C2758, and I had read on the BSD-RP
site that the C2758 board they were testing wasn't capable of 1.488Mpps. It was
about half that, even though it had Intel based nics.

And while that's still blazing fast, I felt it might not be fast enough for the
knowledgeable people asking these questions.

It would be a shame for anyone to buy something so expensive expecting
certain results, and not get them.

Even a cheap 5 port gigabit switch can forward traffic at 1.488Mpps, so if the
devices sold by pfSense and elsewhere are capable of full wirespeed, then those
devices would be an excellent buy.

More so, because of the tuned software and support they'd be getting along with
it.

compdoc

 

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
> I am well-aware of Olivier's work in this area, as are many in the FreeBSD
> community.
>
> There is no proof, except that which is documented and reproducible.  We're
> doing something like science here.

Hmm, proof. Well, maybe a scientist like yourself can appreciate my concern
over this direct quote from the BSD Router Project, of which you are so
well-aware:

    Intel Rangeley: Atom C2758 (8 cores) at 2.4GHz
    Embedded Intel i354 4-port gigabit Ethernet
    8Gb of RAM

    Debugging slow throughput in progress...

    With the default value of igb(4) drivers that use all 8 cores, this system is
    not able to received more than 585Kpps (far from the gigabit line-rate
    1.488Mpps) on one port ?!?!

    Last modified: 2014/03/13 20:16 by olivier

As I said in my original post, I know the C2758 is capable according to its
specs, however buyer beware...

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
> The difference between Olivier's setup and ours (assuming pfsense 2.1.1+), is
> tuning

The only way to prove what you say is with numbers. Tuning pfSense won't fix
this hardware problem, *if* it exists in your boards.

>> As I said in my original post, I know the C2758 is capable according to
>> its specs, however buyer beware...
>
> Again with the insult and denigration.

Is it an insult that I think Intel's CPU is capable? Or is it that I suggest a
person be cautious when buying these products?

> That you are concerned is understandable, but also immaterial,
> as it is clear from this thread that your understanding of the issues,
> tools(!), terms of art and resolutions is limited.
> ...
> Here, you perform an act commonly known as I read it on the Internet (so it
> must be true.)

This is a much better example of insult and denigration. You don't know me,
my methods, or my thinking.

> Do you own a C2758?

Have you actually bothered to read anything I've said in this conversation?

It's time to end this nonsense. Prove what you say, or shut up.

Re: [pfSense] NIC support

2014-10-16 Thread compdoc
> do you realize who you're arguing with compdoc?

Yeah, I'm arguing with a guy that not only attacked me for suggesting a person
be careful about buying certain hardware, he also attacked the work of Olivier
from BSDRP.

Re: [pfSense] NIC support

2014-10-15 Thread compdoc
> When I speak of the C2758, I speak of the product sold at the pfSense store,
> as sold by the pfSense store, not the generic pfsense release running on
> some brand of board.

I was speaking of a C2758 board that was tested by someone else, and which
wasn't able to reach Ethernet's maximum throughput. Clearly not all C2758
boards are the same. Buyer beware.

If you have test results that prove the product you mentioned doesn't have
this problem, feel free to post them. I'd love to see.

> You seem confused.

Not at all. You seem defensive.

> - this list is about pfsense, not the BSDRP

Never said it was. BSDRP is a tool to test hardware. If the hardware cannot
achieve maximum throughput, then pfSense cannot achieve maximum throughput.

> Pkt-gen does not test routing.  What tests did you run?

Here's a clue: BSD *Router* Project. I doubt you've done this sort of testing,
so I'm not going to spoil this learning opportunity for you...

However, I will mention one thing: if you try to route 1.488M packets per
second through the 'generic' pfSense, it will crash after a minute or so. (And
that's not a criticism of pfSense.)

> I don't see where a C2758 is tested.

I clearly stated what I was testing and how. You seem confused. The OP was
asking what hardware might serve his purpose. I offered suggestions.

You're welcome to prove anything I've said was wrong - but with actual test
results, and without the misplaced rancor.

Also, it's better to reply to the list, and not send emails directly to me.

Re: [pfSense] NIC support

2014-10-15 Thread compdoc
> I am well-aware of Olivier's work in this area, as are many in the FreeBSD
> community.

You've failed to disprove anything I've said, even the part about tools.

> You're still assigning fault to pfSense

Not at all. But it would be nice if any of this pleasant banter becomes useful
by pushing someone to actually try this type of testing, to find out why it
happens. And if not, oh well...

By the way, does the C2758 hardware sold by pfSense include pps performance
information? Has anyone with this hardware tested it? (Speaking to others who
might be reading this.)

You suggest it can operate at near 'wirespeed', or at least that the OP will be
very happy with a C2758, but you've not proven it.

Re: [pfSense] NIC support

2014-10-14 Thread compdoc
> as close to wirespeed as possible, be happy with a C2758?

Very

That C2758 has nice specs and should be able to keep up, however there seems to
be a throughput problem on at least one brand of board running the C2758. (I
think it's more a problem with the NICs than the CPU.)

I recently tested various NICs and CPUs to see if the systems I was building
could reach Gigabit Ethernet's max throughput of 1.488 Mpps on one port.

Tests were run on AMD FM1+ and AM1 APUs, an FX-4100, and an Intel i5-2400 Sandy
Bridge. Tests used the BSD Router Project (BSDRP) OS, and a program named
'pkt-gen'.

During routing tests, I found that an AMD A8-7600 Kaveri was the only CPU I had
that was equal in performance to the Intel i5-2400. (The routing tests involved
a 3rd test machine, and aren't covered in the scores below.)

Anyway, I hope you find this helpful...

In these tests, I used the two fastest test machines connected to each other.
One sends, and one receives:

Realtek 8169sc 32-bit PCI card
266935 pps (283752 pkts in 1063001 usec)
Speed: 267.19 Kpps Bandwidth: 128.25 Mbps (raw 179.55 Mbps)

Realtek RTL8111DL, onboard
405708 pps (406113 pkts in 1000998 usec)
Speed: 404.78 Kpps Bandwidth: 194.29 Mbps (raw 272.01 Mbps)

Intel Pro 1000 32-bit PCI card
307102 pps (307586 pkts in 1001577 usec)
Speed: 276.49 Kpps Bandwidth: 132.72 Mbps (raw 185.80 Mbps)

Intel Pro 1000, x1 PCI-e card (no heatsink)
1367299 pps (1453440 pkts in 1063001 usec)
Speed: 1.36 Mpps Bandwidth: 654.85 Mbps (raw 916.79 Mbps)

Intel Pro 1000, x1 PCI-e card, server version (with heatsink)
1488012 pps (1490981 pkts in 1001995 usec)
Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)

Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1488012 pps (1490981 pkts in 1001995 usec)
Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)

***

These tests were using the lowest TDP (watt) APUs I had.

The Intel server NICs were the fastest NICs tested, and used the least CPU
time, so I used those in these tests:

AMD 5150 quad core APU @ 1.6GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1179367 pps (1180530 pkts in 1000986 usec)
Speed: 1.17 Mpps Bandwidth: 562.85 Mbps (raw 787.99 Mbps)

AMD 5350 quad core APU @ 2GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1488106 pps (1489615 pkts in 1001014 usec)
Speed: 1.48 Mpps Bandwidth: 709.33 Mbps (raw 993.07 Mbps)

AMD 5350 quad core APU @ 2GHz
Onboard RTL8111/8168B PCI Express Gigabit Ethernet controller
560938 pps (561565 pkts in 1001117 usec)
Speed: 558.35 Kpps Bandwidth: 268.01 Mbps (raw 375.21 Mbps)

AMD A4-6300 dual core APU @ 3.7GHz
Intel PRO/1000 PT, Dual Port, 4x PCI-e, Server Adapter (with heatsink)
1129784 pps (1130961 pkts in 1001042 usec)
Speed: 1.09 Mpps Bandwidth: 521.00 Mbps (raw 729.39 Mbps)
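Added example, not part of the post above or of pkt-gen itself: a short Python script that does the line-rate arithmetic behind the figures in this thread. Gigabit Ethernet carries at most one minimum-size frame every 84 byte-times (60 bytes of frame as pkt-gen counts it, plus 4 bytes FCS, 8 bytes preamble/SFD and 12 bytes inter-frame gap), which is where the 1.488 Mpps ceiling comes from, and it is why pkt-gen prints 714 Mbps of "Bandwidth" next to 999.9 Mbps "raw" at that packet rate. The parser takes the Speed lines quoted from the post (the NIC labels in front of them are added here) and ranks each NIC as a percentage of line rate, the comparison the thread makes by hand. The overhead figures are the standard Ethernet ones and are assumed to be what pkt-gen uses; they reproduce the posted numbers to within rounding.

```python
"""Line-rate arithmetic for the pkt-gen figures posted in this thread."""
from __future__ import annotations

import re

LINK_BPS = 1_000_000_000          # gigabit Ethernet
FCS_BYTES = 4
PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
WIRE_OVERHEAD = FCS_BYTES + PREAMBLE_SFD_BYTES + IFG_BYTES   # 24 bytes per frame
MIN_FRAME_NO_FCS = 60             # 64-byte minimum frame, FCS excluded (pkt-gen's payload)


def line_rate_pps(frame_bytes: int = MIN_FRAME_NO_FCS, link_bps: int = LINK_BPS) -> int:
    """Maximum packets per second for a frame size given without FCS."""
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD) * 8
    return link_bps // bits_per_frame


def bandwidth_mbps(pps: float, frame_bytes: int = MIN_FRAME_NO_FCS) -> tuple[float, float]:
    """Return (payload Mbps, raw Mbps) the way pkt-gen reports them (assumed layout)."""
    payload = pps * frame_bytes * 8 / 1e6
    raw = pps * (frame_bytes + WIRE_OVERHEAD) * 8 / 1e6
    return payload, raw


# Speed lines quoted from the post; the NIC labels in front are added for the example.
POSTED_RESULTS = """\
Realtek 8169sc PCI: Speed: 267.19 Kpps Bandwidth: 128.25 Mbps (raw 179.55 Mbps)
Realtek RTL8111DL onboard: Speed: 404.78 Kpps Bandwidth: 194.29 Mbps (raw 272.01 Mbps)
Intel Pro 1000 PCI: Speed: 276.49 Kpps Bandwidth: 132.72 Mbps (raw 185.80 Mbps)
Intel Pro 1000 PCIe x1: Speed: 1.36 Mpps Bandwidth: 654.85 Mbps (raw 916.79 Mbps)
Intel PRO/1000 PT PCIe x4: Speed: 1.49 Mpps Bandwidth: 714.23 Mbps (raw 999.92 Mbps)
"""

_LINE = re.compile(r"^(?P<nic>[^:]+):\s+Speed:\s+(?P<num>[\d.]+)\s+(?P<unit>[KM])pps")


def parse_pktgen_line(line: str) -> tuple[str, float]:
    """Extract (nic label, packets per second) from one 'Speed: ...' summary line."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a pkt-gen summary line: {line!r}")
    scale = {"K": 1e3, "M": 1e6}[m.group("unit")]
    return m.group("nic"), float(m.group("num")) * scale


def percent_of_line_rate(pps: float) -> float:
    """How close a measured packet rate is to the gigabit ceiling, in percent."""
    return 100.0 * pps / line_rate_pps()


def rank_results(text: str) -> list[tuple[str, float]]:
    """Return (nic, percent of line rate) for each summary line, slowest first."""
    rows = [parse_pktgen_line(ln) for ln in text.splitlines() if ln.strip()]
    ranked = [(nic, round(percent_of_line_rate(pps), 1)) for nic, pps in rows]
    return sorted(ranked, key=lambda r: r[1])


if __name__ == "__main__":
    print("gigabit ceiling:", line_rate_pps(), "pps for 64-byte frames")
    for nic, pct in rank_results(POSTED_RESULTS):
        print(f"{pct:5.1f}%  {nic}")
```

Frame sizes passed to line_rate_pps exclude the FCS, so the 1518-byte maximum frame is passed as 1514 and yields the familiar 81,274 pps figure for large packets; a NIC that reaches line rate at that size but not at 64 bytes is limited per packet, not per byte, which is the distinction the thread is arguing about.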

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-10-08 Thread compdoc
Stefan Fuhrmann, here's my settings. They work well for me, but there may be
some fine-tuning you should do...

First, I choose the rules on the Global Settings tab. I applied for a free
Oinkmaster Code, which I use on a few firewalls. Then I set the Remove
Blocked Hosts Interval to 15 minutes, just in case I do something remotely
that Snort doesn't like and locks me out. I think everything else is
default:

http://imgur.com/dLIsp7v

Then I force a download of the rules on the Update tab...

http://imgur.com/bV7Pqoa

Next, create the Snort interface. On the WAN Settings tab, I use defaults
except I check Block Offenders and I use a Pass List and Suppression List,
which need to be selected here.

On the WAN Categories tab, I select an IPS Policy which disables selection
of some rules. This is normal. However, do select the other rules that are
available:

http://imgur.com/PwVqjU2

And then the last thing I change is on the WAN Preprocs tab. Everything is
default, except that I check Auto Rule Disable, I disable HTTP Inspect, and
enable Portscan Detection.

HTTP Inspect will block many legitimate websites like Amazon, and will
require that you add all the blocked sites to the pass or rule suppress
lists. I feel this is too much work.

After Snort is up and running, there will be times when you need to suppress
some rules to suit your users. For instance, one user's iPhone was
triggering a POP3 rule whenever he tried to connect, and was being blocked.

When this happens, go to the Blocked tab and unblock the address, then go to
the Alerts tab, find the address, and add the rule to the Suppress list by
clicking the appropriate button.

Good luck!
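Added example, not code from the post or from the pfSense Snort package: the last step above (unblock the host, then suppress the rule for it) ends up as lines in the Suppression List written in Snort's own suppress syntax. A bare `suppress gen_id 1, sig_id N` silences the rule for every host; the function below emits the scoped form with `track by_src, ip <addr>` so the rule keeps firing for everyone else, which is the part that is easy to get wrong when suppressing from the GUI. The Alert record layout, the SIDs and the addresses are constructed placeholders for the example, not values from a real alert log.

```python
"""Emit Snort suppress-list entries scoped to a single host."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Alert:
    """The fields of one alert that a suppress entry needs (constructed layout)."""
    gid: int
    sid: int
    msg: str
    src: str
    dst: str


def suppress_line(alert: Alert, track: str = "by_src") -> str:
    """Snort suppress syntax for one rule, limited to the alert's source or destination."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be 'by_src' or 'by_dst'")
    addr = ip_address(alert.src if track == "by_src" else alert.dst)  # rejects garbage
    return f"suppress gen_id {alert.gid}, sig_id {alert.sid}, track {track}, ip {addr}"


def build_suppress_list(alerts, trusted_hosts, track: str = "by_src") -> list[str]:
    """Suppress entries for alerts whose tracked address belongs to a trusted host.

    Alerts from any other address are left alone, so a scanner tripping the same
    SID is still blocked. Duplicate (sid, host) pairs collapse to one line.
    """
    trusted = {ip_address(h) for h in trusted_hosts}
    entries: list[str] = []
    for alert in alerts:
        addr = ip_address(alert.src if track == "by_src" else alert.dst)
        if addr not in trusted:
            continue
        line = suppress_line(alert, track)
        if line not in entries:
            entries.append(line)
    return entries


# Constructed sample alerts: one user's phone trips a mail rule twice, and an
# unrelated address trips a scan rule. Only the phone should be suppressed.
SAMPLE_ALERTS = [
    Alert(1, 2000001, "placeholder POP3 rule", "192.0.2.10", "198.51.100.5"),
    Alert(1, 2000001, "placeholder POP3 rule", "192.0.2.10", "198.51.100.5"),
    Alert(1, 2000002, "placeholder portscan rule", "203.0.113.7", "198.51.100.1"),
]

if __name__ == "__main__":
    for entry in build_suppress_list(SAMPLE_ALERTS, ["192.0.2.10"]):
        print(entry)
```

Paste the emitted lines into the Suppression List that the WAN Settings tab selects; use `track by_dst` instead when the noisy side is the server the user connects to rather than the user's own address.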

Re: [pfSense] a notification is not sent when a gateway is down[https://redmine.pfsense.org/issues/3306]

2014-10-08 Thread compdoc
> And then an email should be sent, which it is not being sent.
>
> -Jason

On a firewall with two WAN connections, one connection is faster than the
other so I use one for incoming connections and one for outgoing.

Users' outgoing traffic is routed to the gateway that's working using
gateway groups. (failover)

I've noticed that if the outgoing connection goes down briefly, no emails
are sent. Possibly because that's the route the emails would normally take?

But if the incoming connection goes down for a moment, I get several emails.
(Too many.)

Maybe pfSense isn't caching the emails to send when switching connections,
or for when the link comes back up?

Fortunately, the links don't go down that often so I can't say for
certain...


Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> Here is a good place to start regarding Suricata or Snort.
>
> http://www.linux.org/threads/suricata-the-snort-replacer-part-1-intro-install.4346/

Is the free-to-use version of Snort going away? I scanned the page mentioned
above but it seems unclear.

Suricata sounds like an excellent replacement given the advanced features, but
I have to say Snort is doing a fine job for us.

I use the free Registered User rules and the free Emerging Threats rules, and
Snort is busy blocking port scans and all kinds of activity, while not
bothering/blocking our users' activity.

Not that we rely solely on Snort - no unnecessary ports are listening to the
web. No management ports like 22 are open.

Anyway, Snort doesn't use much CPU time for our 30 user office, and pfSense
makes it (kinda) easy to use. Until Suricata arrives for pfSense, I think it's
fine.

By the way, if you have a decent speed quad-core server with at least 8GB RAM,
you can easily run pfSense, Suricata, and whatever else side by side in virtual
machines.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> The pfSense firewall has to be setup as BRIDGE if I want to put it between the
> router and the corporate firewall ???

Connect like this?

www - isp router - pfSense - corporate firewall - lan

Don't think you have to use bridge mode. Can Snort work in bridge mode?

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> But you say: one interface for WAN, a second for
> LAN...and which interface is for managing ???

You manage with a browser from LAN, and optionally also from the WAN port. And
with SSH from the LAN.

Re: [pfSense] Snort as IPS in Pfsense

2014-09-29 Thread compdoc
> do I have to have 3 network interfaces or 2 interfaces are enough to
> implement the IPS?

With Snort, you just need one for WAN, one for LAN. That's all. I use a 3rd for
wifi at home.

The office is a virtual machine with two WAN ports, one LAN, one wifi, and one
connection for the host.

Re: [pfSense] recommandation: snort IDS, web http traffic, pfsense

2014-09-28 Thread compdoc
> I need a recommendation for the following setup:
>
> pfsense-cluster
> loadbalancers
> webservers

I can't help with these.

> There are some thousand visits per day and I want to secure with
> pfsense and snort. Snort runs on the LAN side.
>
> At the moment there are several thousand alerts per day!

There are always many alerts, but you should not block them. Only the bad
things are blocked.

I can tell you how I set up Snort to prevent it from creating too many false
positives, if that's what you want.

My settings might be a little different than others, but it's what I had to
do.


Re: [pfSense] How do I fix this?

2014-09-03 Thread compdoc
> Why not try the upgrade. Maybe the problem will go away..

There are also three settings for apinger that can be useful: Alternative
monitor IP, Probe Interval, and Down.

Is this a new install, or a machine that recently developed a problem?

Re: [pfSense] How do I fix this?

2014-09-03 Thread compdoc
> I have tried the alternate IP. No change. Not sure what the other two do?

Some connections might be slow to respond occasionally, or not handle
constant pings well. You can send fewer pings (every 3 seconds, for
instance) and wait a longer period of time before declaring the link is
down (like 30 seconds or so).

> The hardware is a dell 2850, i have a 15x1 cable connection.

If you have nothing better to do with the PowerEdge, might as well use it.
They look like they might consume some watts, though. Yours has only Intel
NICs?

Re: [pfSense] Strange problems with pfSense 2.1.4

2014-08-10 Thread compdoc
Jason M. wrote:
> I'm using the PFW201 hardware from Tranquilnet

According to Tranquilnet:

> *Note: These units may run hot to the touch and we recommend either a wall
> mount or to place them on a cool, dry and hard surface with proper air flow

I can build systems that are much faster and more powerful for less than
half the price so I've never used a PFW201, but I have seen it mentioned
that units like them often have a CPU heat sink that makes contact with the
case. Or, that they have a metal shim that connects the heat sink to the
case.

Heat transfer for these systems is often critical. Is yours overheating? Are
you testing with one of the Tranquilnet units, or one of the units you got
direct from the supplier?

> Now my question is, what is going wrong? I've tried the same
> config on multiple devices, so I don't think it's hardware. Could
> my config have become corrupted?

I don't follow your logic about it not being the hardware, but yes, your
config could have become corrupted. Try another CF card? Try installing from
scratch and restoring a backup xml file?


Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
> OPT1 interface - actually has the VM's WAN MAC address (the second
> interface rather than the third interface)

If you haven't yet, you might want to reassign interfaces on the console
login screen. The option is number (1) in the list.

Then reboot.


Re: [pfSense] Another OPT1 routing question

2014-08-10 Thread compdoc
> em1 third MAC address (up) -- shouldn't that be the second MAC address?

Are you saying two interfaces have the same MAC address even after
reassignment? That's not right.


Re: [pfSense] Failed Downloads

2014-08-07 Thread compdoc
> I use squid and squid guard

I don't think anything in squid would block, but check to make sure
everything is set to zero and only 'Throttle only specific extensions' is
checked on this page: Proxy server: Traffic management

You mentioned HAVP in another post and some downloads don't work for me
unless I uncheck: Antivirus: HTTP proxy: Scan Broken Executables

I don't use squid guard. But Snort is another one that needs some tuning.

Re: [pfSense] Transparent Squid with Multiwan on 2.1.3?

2014-08-02 Thread compdoc
> With Squid disabled, fail over works as expected.

In the lab I created to test this machine, I have squid with havp set to
transparent. Also have snort. I don't use squidguard.

If I disconnect WAN #1, most browsers will time out. But I can often just
refresh to get them going again. Squid never complains.

There are a couple of remote clients and programs that have to be closed and
then opened again after the gateway fails. (Maybe because they cache
something?)

I'm pretty happy with it.

> (49) Can't assign requested address

What is your client connecting to? Is it some sort of secure remote session? A
disconnect cannot be avoided with any type of secure connection. You're
changing external IP addresses when it fails over, after all.

Are you able to recover normal connections to google or youtube, etc.? Close
the browser and try again after waiting for the switch to happen.

There are settings for how long it takes pfSense to decide a gateway is down,
and how it determines it's down. I use just 'packet loss'.

Re: [pfSense] Transparent Squid with Multiwan on 2.1.3?

2014-08-01 Thread compdoc
> Is there a way to make Squid redirect http connections on Wan2 in case Wan1
> is down?

I'm setting up my first dual-WAN firewall for a customer. No load balancing
because one WAN is a lot faster than the other, so just failover with a
gateway group.

It looks to me as though squid listens on the LAN port, and doesn't care which
WAN is operating. I'll know more when I put this server into operation in a few
days...

Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode

2014-08-01 Thread compdoc
> <graphics type='vnc' port='5901' autoport='yes'/>

By the way, if you ever install vncserver, that port used for the VM will
cause a conflict.


Re: [pfSense] Failed Downloads

2014-08-01 Thread compdoc
> When I'm connected to pfsense downloads are failing.

Are there any other packages installed?

Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode

2014-07-31 Thread compdoc
> Did you ever have troubles with virtio drivers?

I have a pfSense guest that runs fine with all virtio drivers (LAN, storage)
but you might want to switch back to IDE just to see if your virtio storage
driver is causing the issue.

Your xml file looks very much like a pfSense guest I have running on Ubuntu
12.04, except mine has these differences:

    <type arch='x86_64' machine='pc-0.14'>hvm</type>
(I've had problems with some OSes with the wrong 'machine' type)

    <disk type='file' device='disk'>
    <driver name='qemu' type='raw' cache='writeback'/>
(I use files because I don't have a need to dedicate a disk, and pfSense
uses very little drive space. Also makes it easy to back up the guest by
copying the file.)

Speaking of drives, do you have a way to read the SMART values from the hard
drives on your raid controller? Drives can fail slowly, but to know you have
to read the following SMART values:

Reallocated sector count
Current Pending sector count
Uncorrectable sector count
G-Sense error rate (if the drive has experienced a shock while running. More
likely on laptops)

Also, when you're seeing weird problems, booting and running memtest86 on
the host for several passes will test the system's RAM. Best to let it run 4
or 5 passes, or even letting it run overnight if possible.


Re: [pfSense] KVM virtualization: Fatal trap 9: general protection fault while in kernel mode

2014-07-30 Thread compdoc
> The VM is configured with VirtIO disks, emulated e1000 network cards.

I use KVM and have had no problems running any of the 2.1 releases. I'm
building a VM server right now that will run pfSense and one other guest OS.

I have used the virtio drivers for NICs, storage, and memory ballooning, but
because of the steps you have to take to switch to virtio, I'm using e1000
and IDE emulation on this one to keep it simple.

What host OS are you using, and what hardware is it running on? (Real CPU,
RAM, and storage.)

Is it possible to see the results of virsh dumpxml for the guest?


Re: [pfSense] pfsense slowing wan speed

2014-07-05 Thread compdoc
> I have a PFsense box on a 50/5 DSL connection

How much swap is being used? What is swap stored on?

Any overheating of the NIC or CPU? What happens if you disable or remove squid?

I have no experience with HT and pfSense. Sometimes HT can help and sometimes
it can hinder. Try disabling, but turn it back on if it makes no difference.

Personally, I like at least 1 gig RAM (but use 2 gigs) and two real cores.
Squid with havp, snort using ac-bnfa, and two ipsec tunnels take up 43% of 1930
MB, and very low CPU use.

This gives me room to tweak settings on the installed packages, or try other
packages.

Re: [pfSense] Install on one machine, deploy on another

2014-06-09 Thread compdoc
> Will I have any problems if I install a new version of pfsense on one
> machine and then move the hard drive to another machine?

You probably will have some problem. Let us know how it goes...


Re: [pfSense] apu.4c silently dies

2014-06-04 Thread compdoc
> Even if adding more memory corrects the issue, I still don't like to know
> that pfsense can suddenly die and leave no clues behind :-|.

pfSense is pretty stable. I've tested it in many VMs and 'bare metal' systems
and it doesn't freeze on me. Of course, I might not be using the same
combinations of packages as you, but I would suspect the hardware, or
troubleshoot as you've done: increasing the RAM. Overheating can be a
problem.

I use KVM on CentOS and Ubuntu server, and FreeBSD does not like some settings.
It can fail to boot with the default CPU emulation, for example.

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-10 Thread compdoc
> You may want to make sure the DHCP server is disabled on the modem
> completely.

It's a cable modem that I guess is in bridge mode, and they don't let me
mess with settings. Anyway, I think the DHCP server is in their headend
somewhere.

I'm just glad it's not like the old days when Comcast wouldn't let you
switch network cards without contacting them.

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-09 Thread compdoc
> I called Comcast and had them remotely reboot the modem.

Whenever I connect a different network card to my home Comcast modem, I have
to power cycle the modem for it to come up. I think it keys off the MAC address
of the old card, and won't accept the new one until then. I get a new IP
address each time I test firewall builds. Not exactly the same situation,
but something like it.


Re: [pfSense] Gateway Status Remains Offline

2014-04-29 Thread compdoc
> However, after about 10 minutes the gateway went offline and I lost access to
> the internet.

I recently had much the same thing happen, but with a wired dual-port network
card. It turned out to be the NIC.

[pfSense] cbeyond troubles

2014-04-22 Thread compdoc
I tried installing a firewall for a customer who uses Cbeyond for phones and
internet service. I had Cbeyond set their equipment to bridge mode,
disabling NAT and DHCP.

Everything seemed to work for a while so I left their office, but I soon got
a call saying they couldn't browse the web.

In the dashboard, I noticed the gateway was showing as down so I tried
various monitoring options, even disabling gateway monitoring. But nothing
changed - after rebooting pfSense, browsing works for a short time and then
stops.

In order to have their network working this morning, I had Cbeyond set it
back to the way it was and removed the firewall.

I was looking for a solution online, and I think I may have to uncheck
'Block private networks' on the WAN. I'm going back out Friday to try this.

Does anyone use Cbeyond who can provide any tips?

Thanks.


Re: [pfSense] Problems with pfsense on ProfitBrick

2014-04-14 Thread compdoc
> I found that I had problems with FreeBSD using pf + virtio under KVM

Virtio in KVM works fine with pfSense, but you have to modify
the /boot/loader.conf.local file to enable the drivers. And if you load the
storage drivers, you have to modify /etc/fstab.

https://doc.pfsense.org/index.php/VirtIO_Driver_Support


Re: [pfSense] Restoring from XML prevents VM from booting

2014-02-05 Thread compdoc
> I can install pfsense fine, and manually set up a LAN IP address on
> vboxnet0 so that I can get into the web and use Diagnostics >
> Backup/Restore to upload an existing XML config. But then the VM
> refuses to boot properly...

What if you were to install pfSense in the new environment and save the
backup xml file, then compare the old file with the new? Maybe use the linux
'diff' command?

The idea of using VirtualBox in a production environment seems odd to me.
Isn't it more for testing/running an OS on your desktop? Every time I've
tried VB, I've never found an option to have guests start automatically when
the host boots. Have they added that feature? I've used Xen and KVM for this
sort of thing for years...


Re: [pfSense] psSense stops working

2014-01-23 Thread compdoc
> How would I pull that off?

Computers have several common points of failure. They are the power supply,
the motherboard, RAM, cooling fans, and the hard drive.

Fans are easy - just make sure they are spinning at the proper speed. This
includes the fan inside the PSU.

If the motherboard is a few years old, it can develop bad capacitors (caps).
They are easy to spot when you open the case. Any caps that are rounded on
top are bad. Some even leak. If so, replace the motherboard. Here are some
sample pictures:

http://en.wikipedia.org/wiki/Capacitor_plague

Cheap power supplies often develop bad caps inside too, but it's dangerous
to open the PSU so just swap it out to test. Sometimes you can see the caps
inside if you just look through the openings.

Bad RAM is more rare, but you can test it for free by booting memtest86 or
memtest86+. At least 3 or 4 passes is best. I've had bad RAM that didn't
show up until 5 test passes. I like to let the tests run overnight when
possible.

The hard drive is easy. There's no need to run any tests - you just read the
drive's SMART info. It records when sectors are failing, and when other bad
things happen. pfSense has a SMART Status menu under Diagnostics.
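Added example, not from the posts, for the SMART check recommended here and in the 2014-07-31 KVM reply above: it parses the attribute table that `smartctl -A` prints for a drive (the same attributes pfSense shows under Diagnostics > SMART Status) and flags the four counters those posts name when their raw value is non-zero, plus any attribute whose normalized value has fallen to the vendor threshold, which is what smartctl itself reports as FAILING_NOW. The smartctl output embedded below is constructed for the example, not captured from a real drive.

```python
"""Flag the SMART counters that indicate a slowly failing drive."""
from __future__ import annotations

import re

# Attribute IDs called out in the posts: any non-zero raw value deserves attention.
WATCHED = {
    5: "Reallocated_Sector_Ct",
    191: "G-Sense_Error_Rate",
    197: "Current_Pending_Sector",
    198: "Offline_Uncorrectable",
}

# Constructed sample of `smartctl -A` output (column layout as smartctl prints it).
SAMPLE_SMARTCTL_A = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   117   099   006    Pre-fail  Always       -       123456789
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       24
  9 Power_On_Hours          0x0032   079   079   000    Old_age   Always       -       18765
191 G-Sense_Error_Rate      0x0032   100   100   000    Old_age   Always       -       0
194 Temperature_Celsius     0x0022   033   049   000    Old_age   Always       -       33
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       3
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

# ID, name, flag, value, worst, thresh, type, updated, when_failed, raw (leading digits only)
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(\d+)"
)


def parse_attributes(text: str) -> dict[int, dict]:
    """Map attribute ID -> {name, value, worst, thresh, raw} from smartctl -A output."""
    attrs: dict[int, dict] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, blank and free-text lines
        aid, name, value, worst, thresh, raw = m.groups()
        attrs[int(aid)] = {
            "name": name,
            "value": int(value),
            "worst": int(worst),
            "thresh": int(thresh),
            "raw": int(raw),
        }
    return attrs


def failing_counters(attrs: dict[int, dict]) -> dict[int, int]:
    """Watched counters with a non-zero raw value, as {id: raw}."""
    return {aid: attrs[aid]["raw"] for aid in WATCHED if aid in attrs and attrs[aid]["raw"] != 0}


def below_threshold(attrs: dict[int, dict]) -> list[int]:
    """Attributes whose normalized value has reached the vendor threshold (FAILING_NOW)."""
    return [aid for aid, a in attrs.items() if a["thresh"] and a["value"] <= a["thresh"]]


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_SMARTCTL_A)
    for aid, raw in failing_counters(parsed).items():
        print(f"attribute {aid} {WATCHED[aid]}: raw={raw} (replace or keep a close eye on it)")
    for aid in below_threshold(parsed):
        print(f"attribute {aid} {parsed[aid]['name']}: below threshold")
```

A drive like the sample (24 reallocated and 3 pending sectors, nothing below threshold) still passes the overall SMART health check, which is why the post says to read the counters rather than wait for a failed self-test.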


Re: [pfSense] Motherboard compatibility

2013-11-07 Thread compdoc
 So if I understand you right, even if I use pfSense 2.1 (FreeBSD 8.3)
 on a motherboard with a brand new chipset (Intel C222) and CPU
 (e.g. Core i3 / Haswell) it should work, even though FreeBSD 8.3 is
 older than those technologies and might not fully support the chipset
 yet (e.g. due to general compatibility with i386-64 CPUs?!)?

There is a way to make pfSense run on any kind of new hardware and not have
to worry about problems with new technologies, while also making it somewhat
portable: run pfSense in a virtual machine that runs on the new hardware.

(Portable in the sense that you can move it from one host to another, no
matter what CPU and chipset runs underneath.)



Re: [pfSense] ipsec packets in one direction are too big

2013-10-28 Thread compdoc
 Any thoughts??

May not answer your question, but you did ask...

I set up my first IPsec tunnel with pfSense and it has been wonderful, but I
had to set System menu > Advanced > Miscellaneous tab > Enable MSS clamping
on VPN traffic, and set it to 1375 before I got a stable connection. Before
that SSH seemed to work, but VNC and RDP connections would just stall until
I changed the setting.



Re: [pfSense] 2.1 - strange minor issue with OpenVPN

2013-10-08 Thread compdoc
 All my OpenVPN services report an error contacting the daemon, both on the
 status page (as in print-screen) and also on the dashboard page.

I'm getting this error as well.



Re: [pfSense] pfSense 2.1-RELEASE and Gold Subscription Now Available!

2013-09-15 Thread compdoc
 I'm happy to announce both 2.1-RELEASE, and our new Gold Subscription, 
 including immediate PDF download to the updated 2.1 book for 
 subscribers!

I assume this is why snapshots.pfsense.org is offline.

At least the .iso for the LiveCD is downloading very quickly. Is it possible
to restore a backup from 2.0.3 to a fresh install of 2.1? I have it running
in a virtual machine, so there are 2 or 3 paths I can take. 

I live near Denver, Colorado where everything is washing away, and this
seems a nice project and good reason for staying indoors today.





Re: [pfSense] NETGATE FW-7535 pfSense 2.0.2-RELEASE OpenVPN Data Corruption

2013-08-20 Thread compdoc
 I switched out the memory and the SSD,

But did you test the RAM? Make sure the RAM doesn't require a special
voltage - this is usually written on the sticker on the RAM. And run
memtest86 on it overnight. And suspect the SSD - try a small HDD. I like to
use laptop drives as boot drives for my servers. Only need the speed of an
SSD for running my VMs.

 That also leaves the NICs. Some PCI NICs will run at 66MHz if they are
placed in a 66MHz PCI slot. That causes them to run very hot in some cases.


