Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 22/09/2011 15:57, Adam Thompson wrote:
>> Surely the Right Thing for a mailing list is plain text anyway - if
>> you are going to use HTML, then you might as well join the rest of
>> the sheeple and top-post.
>
> Agreed.  But then how do you reply-and-quote to an email that someone else
> *did* post in HTML format?  Outlook just sucks in this scenario... you
> can't even convert to plain-text and quote!  !@#$%^^&* microsoft...
>
>> I only joined this mailing list a couple of days ago - is it usual
>> for threads to wander so off-topic?  (I believe I've got the
>> answers I needed for my original questions, plus a few answers to
>> questions I didn't ask.)
>
> Not quite this far OT, usually.  And it appears to be mostly my fault this
> time :-(
>
> The list isn't usually this busy, either.
>
> FYI, on the occasion that you post a question and get *no* replies -
> that's a solid indicator that no-one here knows the answer.  This list
> doesn't generally see any negative responses, and that confuses some
> people at first.  Re-post after about a week, and if that goes nowhere ask
> on the forum as well.
>
> Sorry for making your introduction to the list a bit hectic,

That's no problem - it's nothing compared to some of the newsgroups I 
visit sometimes (such as sci.electronics.design, which is a political 
discussion group with occasional mentions of electronics).  And as I 
say, I've got the answers I was looking for for now - the next stage is 
up to me and my virtual machines.



___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread Adam Thompson
> Surely the Right Thing for a mailing list is plain text anyway - if
> you are going to use HTML, then you might as well join the rest of
> the sheeple and top-post.

Agreed.  But then how do you reply-and-quote to an email that someone else 
*did* post in HTML format?  Outlook just sucks in this scenario... you 
can't even convert to plain-text and quote!  !@#$%^^&* microsoft...


> I only joined this mailing list a couple of days ago - is it usual
> for threads to wander so off-topic?  (I believe I've got the
> answers I needed for my original questions, plus a few answers to
> questions I didn't ask.)

Not quite this far OT, usually.  And it appears to be mostly my fault this 
time :-(

The list isn't usually this busy, either.

FYI, on the occasion that you post a question and get *no* replies - 
that's a solid indicator that no-one here knows the answer.  This list 
doesn't generally see any negative responses, and that confuses some 
people at first.  Re-post after about a week, and if that goes nowhere ask 
on the forum as well.

Sorry for making your introduction to the list a bit hectic,

-Adam Thompson
 athom...@athompso.net
 (204) 291-7950 - direct
 (204) 489-6515 - fax



___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread RB
On Thu, Sep 22, 2011 at 07:49, David Brown  wrote:
> I only joined this mailing list a couple of days ago - is it usual for
> threads to wander so off-topic?  (I believe I've got the answers I needed
> for my original questions, plus a few answers to questions I didn't ask.)

Ha, not usually.  I was about to attempt to chase everyone off to a
separate email etiquette thread, since we've obviously threadjacked
yours so thoroughly.  Some threads do go on a ways, but we're normally
pretty good about keeping threads controlled.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 22/09/2011 15:32, Adam Thompson wrote:
> David Brown wrote:
>> For those who are forced to use Outlook, but want to be part of
>> the sane world of bottom-posted text-only mailing lists, I have
>> heard that this works:
>> <http://home.in.tum.de/~jain/software/outlook-quotefix/>.  I
>> haven't tried it myself, and I don't know anything about version
>> compatibility or other details, but maybe it will help you.
>
> That add-on only works for Outlook <= 2003, and only handles plaintext
> email.  Outlook 2003 and newer can do the Right Thing with plaintext
> emails by themselves.  I have not been able to discover any add-on
> that works for HTML.

Surely the Right Thing for a mailing list is plain text anyway - if you 
are going to use HTML, then you might as well join the rest of the 
sheeple and top-post.

I only joined this mailing list a couple of days ago - is it usual for 
threads to wander so off-topic?  (I believe I've got the answers I 
needed for my original questions, plus a few answers to questions I 
didn't ask.)

> OTOH, someone explained how to do it on Android, by installing the
> K-9 email client - it's an extra few UN-obvious steps but at least
> it's possible.  Of course, the K-9 client isn't compatible with
> Exchange 2010, and it doesn't appear to be available for older
> Android phones.
>
> -Adam


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread Adam Thompson


David Brown  wrote:
>For those who are forced to use Outlook, but want to be part of the
>sane 
>world of bottom-posted text-only mailing lists, I have heard that this 
>works: <http://home.in.tum.de/~jain/software/outlook-quotefix/>.  I 
>haven't tried it myself, and I don't know anything about version 
>compatibility or other details, but maybe it will help you.

That add-on only works for Outlook <= 2003, and only handles plaintext email.  
Outlook 2003 and newer can do the Right Thing with plaintext emails by 
themselves.  I have not been able to discover any add-on that works for HTML.

OTOH, someone explained how to do it on Android, by installing the K-9 email 
client - it's an extra few UN-obvious steps but at least it's possible.  Of 
course, the K-9 client isn't compatible with Exchange 2010, and it doesn't 
appear to be available for older Android phones.

-Adam
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 21/09/2011 22:29, Bart Grefte wrote:
> You've got a point with pfSense being ready to use, although I have to
> admit, I never expected to be needing a null-modem cable to get the
> embedded/nanoBSD version going. But other than that, it's practically ready
> to use indeed. Just have to set everything, takes what, 15min tops in my
> case and it's very easy. Everything is easy to find.
> I have been looking for a Linux equivalent hoping I would not have to brush
> up my command line skills (I have nothing against doing that though), but so
> far I haven't found anything (incl the ones you mentioned) that comes even
> close to the look and feel of pfSense.

For small systems (typically for off-the-shelf wireless 
firewall/routers), I find OpenWRT a good solution.  It doesn't have 
anything like the features of pfSense, but it fits fine in a little box. 
The gui is okay, though I have mostly used the command line.  And it 
lets you do a lot with such a cheap box - I use them for multiple 
independent networks and as OpenVPN clients/servers.

But for a bigger system, such as our company's main firewall/router, 
pfSense is looking like a strong alternative to Linux and command-line 
configuration.


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread David Brown

On 21/09/2011 22:33, Bart Grefte wrote:
> -Original Message-
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
> On Behalf Of Scott Ullrich
> Sent: Wednesday, 21 September 2011 22:19
> To: pfSense support and discussion
> Subject: Re: [pfSense] Replacing a Linux router with pfSense
>
> On Wed, Sep 21, 2011 at 4:16 PM, Bart Grefte  wrote:
>> Disable B clients is something I've already tried (I believe), I tried
>> every setting I could find that could influence performance, no luck.
>> Also started from scratch couple of times, after resetting all
>> settings back to standard.
>
> Please bottom post on our lists.  http://www.caliburn.nl/topposting.html
>
> If you do not like this style use the forum.
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
>
> Oh, sorry, didn't know that was not allowed. I'll try to keep that in mind.
> It does not help though that Outlook keeps putting the cursor on top.

I pity anyone who has to use Outlook.  Fortunately for me, I am the IT 
manager at my company, so /I/ make the rules - and we use Thunderbird as 
the standard email client.

For those who are forced to use Outlook, but want to be part of the sane 
world of bottom-posted text-only mailing lists, I have heard that this 
works: <http://home.in.tum.de/~jain/software/outlook-quotefix/>.  I 
haven't tried it myself, and I don't know anything about version 
compatibility or other details, but maybe it will help you.

Regards,

David


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-22 Thread Eugen Leitl
On Thu, Sep 22, 2011 at 08:48:41AM +0700, Pandu Poluan wrote:

> Well, the FACT is with some mobile devices one has NO choice.

Using or not using a particular device is definitely a choice.
 
> For instance, my situation with Gmail that I've alluded to in my previous
> email. The Gmail java mobile client is criminally stupid: Press reply, and
> you're given an EMPTY textbox in which you can type the reply. Which the
> client will happily insert as a top-post not giving the user any choice.
> 
> Using Nokia's built-in email client is only slightly better. One can see the
> email one's replying to, but the '>' quoting marker is not inserted. One is
> forced to insert the marker manually. Very tedious for long emails.

Patient: Doctor, it hurts when I do this...

Doctor: Then stop doing it...

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Pandu Poluan
On Sep 22, 2011 4:34 AM, "Cristian Ionescu-Idbohrn" <
cristian.ionescu-idbo...@axis.com> wrote:
>
> On Wed, 21 Sep 2011, Adam Thompson wrote:
> >
> > It would be much easier to accommodate that request if Amy of the email
> > clients I use permitted me to do so.
>
> Right.  Blame someone else for your actions.  It's more convenient.
>
>

Well, the FACT is with some mobile devices one has NO choice.

For instance, my situation with Gmail that I've alluded to in my previous
email. The Gmail java mobile client is criminally stupid: Press reply, and
you're given an EMPTY textbox in which you can type the reply. Which the
client will happily insert as a top-post not giving the user any choice.

Using Nokia's built-in email client is only slightly better. One can see the
email one's replying to, but the '>' quoting marker is not inserted. One is
forced to insert the marker manually. Very tedious for long emails.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Pandu Poluan
On Sep 22, 2011 3:43 AM, "Adam Thompson"  wrote:
>
> It would be much easier to accommodate that request if Amy of the email
clients I use permitted me to do so.
> My Android phone does not permit doing so in any way whatsoever.

Eh? I'm using Samsung Galaxy Ace, and using the built in Gmail client I can
bottom-/middle-post.

Turn off the onscreen keyboard, and a "Respond inline" button will be
uncovered. Tap that, and Bob's your uncle :-)

A totally different situation though if I use the Gmail Java mobile client
on my Nokia E72-1. That stupid client can only top-post.

> Microsoft Outlook permits bottom-posting only for plain ASCII messages; a
flaw in the HTML editor prevents doing so with HTML messages.
> Both support not quoting the thread at all, but IMHO that's even worse
than top-posting.
>

For this list, can't you convert the email to plaintext and then
bottom-post?

> I agree that top-posting is bad, but short of switching MUA (technically
impossible) and declining to use my smartphone for email (yeah, right), I
fear this is another aspect of social behaviour that is being relegated to
the dustbin of history due to changing (not improving) technology.  As are
mailing lists themselves, albeit at a much slower rate.
> Complaining about top-posting given today's dominant MUAs is about as
useful as complaining that you don't have an automatic fax document
retrieval system... Remember those?  :-)
> (With more and more people using email exclusively on mobile devices, I
foresee this getting worse, not better.)
>

I sympathize with your situation, having experienced using a patently stupid
email client (see my comment about Gmail Java mobile client above).

Rgds,
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Cristian Ionescu-Idbohrn
On Wed, 21 Sep 2011, Adam Thompson wrote:
>
> It would be much easier to accommodate that request if Amy of the email
> clients I use permitted me to do so.

Right.  Blame someone else for your actions.  It's more convenient.


-- 
Cristian
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Adam Thompson
Oh, and accidental typos will probably become more and more common, too.  :-(
(Amy = any in my last message)
-Adam
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Adam Thompson
It would be much easier to accommodate that request if Amy of the email clients 
I use permitted me to do so.
My Android phone does not permit doing so in any way whatsoever.
Microsoft Outlook permits bottom-posting only for plain ASCII messages; a flaw 
in the HTML editor prevents doing so with HTML messages.
Both support not quoting the thread at all, but IMHO that's even worse than 
top-posting.

I agree that top-posting is bad, but short of switching MUA (technically 
impossible) and declining to use my smartphone for email (yeah, right), I fear 
this is another aspect of social behaviour that is being relegated to the 
dustbin of history due to changing (not improving) technology.  As are mailing 
lists themselves, albeit at a much slower rate.
Complaining about top-posting given today's dominant MUAs is about as useful as 
complaining that you don't have an automatic fax document retrieval system... 
Remember those?  :-)
(With more and more people using email exclusively on mobile devices, I foresee 
this getting worse, not better.)

I'd rather hand-code my firewalls in assembler than use a web-based discussion 
forum.

Typed on my Nexus S' touchscreen,
-Adam

Scott Ullrich  wrote:

>On Wed, Sep 21, 2011 at 4:16 PM, Bart Grefte  wrote:
>> Disable B clients is something I've already tried (I believe), I tried every
>> setting I could find that could influence performance, no luck.
>> Also started from scratch couple of times, after resetting all settings back
>> to standard.
>
>Please bottom post on our lists.  http://www.caliburn.nl/topposting.html
>
>If you do not like this style use the forum.
>___
>List mailing list
>List@lists.pfsense.org
>http://lists.pfsense.org/mailman/listinfo/list
>
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Scott Ullrich
Sent: Wednesday, 21 September 2011 22:19
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

On Wed, Sep 21, 2011 at 4:16 PM, Bart Grefte  wrote:
> Disable B clients is something I've already tried (I believe), I tried 
> every setting I could find that could influence performance, no luck.
> Also started from scratch couple of times, after resetting all 
> settings back to standard.

Please bottom post on our lists.  http://www.caliburn.nl/topposting.html

If you do not like this style use the forum.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Oh, sorry, didn't know that was not allowed. I'll try to keep that in mind.
It does not help though that Outlook keeps putting the cursor on top.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
You've got a point with pfSense being ready to use, although I have to
admit, I never expected to be needing a null-modem cable to get the
embedded/nanoBSD version going. But other than that, it's practically ready
to use indeed. Just have to set everything, takes what, 15min tops in my
case and it's very easy. Everything is easy to find.
I have been looking for a Linux equivalent hoping I would not have to brush
up my command line skills (I have nothing against doing that though), but so
far I haven't found anything (incl the ones you mentioned) that comes even
close to the look and feel of pfSense. 


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of David Brown
Sent: Wednesday, 21 September 2011 22:07
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

On 21/09/11 16:34, Bart Grefte wrote:
> Hmm, why switch to pfSense from Linux? I am considering the other way 
> round, from pfSense to Linux.
> Mainly because the lack of wireless drivers with support for N and a 
> buggy Atheros FreeBSD driver.
>

I don't need wireless drivers - this is handled by wireless routers around
the company.  It doesn't surprise me that Linux has better support than
FreeBSD for wireless drivers - they were notoriously poor in Linux until
recently, and wireless card manufacturers who barely acknowledged the
existence of Linux will not have heard of FreeBSD.

> Right now I'm thinking a base install of Debian, followed by only the 
> packages I need and do the configuring by console. I know about 
> Webmin, but don't know if I can change every setting with that.
>

The router I have at the moment is Debian, and I've configured by hand
(i.e., from the console).  I'm not looking to move away from Linux as such,
but looking towards using pfSense.

I doubt if there is anything significant that can be done with FreeBSD and
pfSense that cannot be done with Linux.  But the point is that with pfSense,
there is so much that comes ready-to-use.  With Linux, I could certainly use
iptraf, rrd, php, etc., and show nice graphs of network traffic.  With
pfSense it is already there as a page on the web interface.  And while /I/
can write the firewalling and routing rules I want in an iptables script,
others at my company cannot - but they could, if necessary, use the web
interface (such as if I'm on holiday).

If you want to use Linux, you might also consider some of the dedicated
distributions such as Smoothwall or OpenWRT (I use OpenWRT on small
routers).  There are also firewall tools such as vuurmuur and shorewall. 
  I found that none of them had all the features I needed, so I worked
manually.  (I also found that pfSense didn't have those features either,
when I first looked at it many years ago.)

In the end it depends on what you need.  Both Linux and FreeBSD are solid
bases for a firewall/router.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Scott Ullrich
On Wed, Sep 21, 2011 at 4:16 PM, Bart Grefte  wrote:
> Disable B clients is something I've already tried (I believe), I tried every
> setting I could find that could influence performance, no luck.
> Also started from scratch couple of times, after resetting all settings back
> to standard.

Please bottom post on our lists.  http://www.caliburn.nl/topposting.html

If you do not like this style use the forum.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
Disable B clients is something I've already tried (I believe), I tried every
setting I could find that could influence performance, no luck.
Also started from scratch couple of times, after resetting all settings back
to standard.

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of RB
Sent: Wednesday, 21 September 2011 22:00
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

On Wed, Sep 21, 2011 at 09:58, Bart Grefte  wrote:
> To give an idea about the interference:
> http://www.ravenslair.nl/GoT2/wifi.jpg , there are probably more 
> networks by now.

Nice!  Looks like channels 1-3 are prime territory.  Two tricks I've also
learned are to disable B clients (if your AP supports that) and disabling
lower association speeds, say below 12Mb/s (OFDM rate, fencing out B
altogether).  That doesn't mean you'll magically get at least 12Mb/s, but
can help keep your network from dropping down to a minimal speed to save
power or due to interference.  YMMV.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread RB
On Wed, Sep 21, 2011 at 14:13, Bart Grefte  wrote:
> It's called wisdom? Hmm...

Just checked the sources for regdb, not seeing a reference to 'wisdom'.  :-D
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
It's called wisdom? Hmm...

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Seth Mos
Sent: Wednesday, 21 September 2011 20:50
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

Hi,

On 21 Sep 2011, at 20:45, Bart Grefte wrote:

> Already ran inSSIDer few months back: 
> http://www.ravenslair.nl/GoT2/wifi.jpg
> (Probably worse by now.)

A friend of mine also receives 25 something accesspoints in the living room,
and had packet loss to the gateway. I've let him purchase a Linksys wrt320n
router which does b/g or a. He's switched to the A band and has been very
happy ever since.

> Lol, 13 isn't valid from an American point of view. Maybe Apple does 
> not know we use it in Europe? :P

Apple uses the beacon packets from advertising access points to determine
the "region". It's called wisdom.

Which my Apple thinks is the US. Because of a neighbors AP.

Regards,

Seth
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
Not all devices have a NIC that can be replaced ;)
So I guess I would have to run both a 2.4 and 5GHz next to each other to
solve that. 5GHz is supported by my laptop, for which I want faster wifi
access, but it's not supported by my phone and Noxon 2 Audio which use
wireless as well. Those however do not need fast wireless.

Now to find a PCI wifi N nic that can be set as AP with both 2.4 and 5GHz.

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Seth Mos
Sent: Wednesday, 21 September 2011 20:47
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

Hi,

On 21 Sep 2011, at 19:11, Bart Grefte wrote:

> B: I don't think I've got devices supporting that standard. Only b/g.
> C: I already use wires, mostly, but I want to keep my laptop wireless. 
> Just not with 200kBps.

FYI, an Intel wifi 5100 agn mini pci-e card is 7 euro on ebay, the more
expensive faster 6200 agn is 17 euros on ebay, you could go the whammy for
the Intel 6300 which is a 3x3 card. Works well enough for laptops.

I only use the b/g ssid for my android phone, it's not fast, but neither is
the phone. All the laptops just are easily upgraded.

I bought the dualband router from linksys because it had a deal at the time.
Might as well buy the cheapest dual band you can get, it doesn't need to
route or firewall anyway.

And don't argue about cost, if you are more happy to inflict pain on
yourself, go right ahead, I don't want to hear it :-)

Regards,

Seth


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Burgess
On Wed, Sep 21, 2011 at 2:06 PM, David Brown  wrote:

> I doubt if there is anything significant that can be done with FreeBSD and
> pfSense that cannot be done with Linux.  But the point is that with pfSense,
> there is so much that comes ready-to-use

Bingo. I switched from Debian to m0n0wall, then pfsense for exactly
these reasons. Nothing wrong with Linux as a firewall and router, but
the GUI sure is nice, especially when you expect others to be able to
pick up where you left off.

db
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/11 16:34, Bart Grefte wrote:
> Hmm, why switch to pfSense from Linux? I am considering the other way round,
> from pfSense to Linux.
> Mainly because the lack of wireless drivers with support for N and a buggy
> Atheros FreeBSD driver.

I don't need wireless drivers - this is handled by wireless routers 
around the company.  It doesn't surprise me that Linux has better 
support than FreeBSD for wireless drivers - they were notoriously poor 
in Linux until recently, and wireless card manufacturers who barely 
acknowledged the existence of Linux will not have heard of FreeBSD.

> Right now I'm thinking a base install of Debian, followed by only the
> packages I need and do the configuring by console. I know about Webmin, but
> don't know if I can change every setting with that.

The router I have at the moment is Debian, and I've configured by hand 
(i.e., from the console).  I'm not looking to move away from Linux as 
such, but looking towards using pfSense.

I doubt if there is anything significant that can be done with FreeBSD 
and pfSense that cannot be done with Linux.  But the point is that with 
pfSense, there is so much that comes ready-to-use.  With Linux, I could 
certainly use iptraf, rrd, php, etc., and show nice graphs of network 
traffic.  With pfSense it is already there as a page on the web 
interface.  And while /I/ can write the firewalling and routing rules I 
want in an iptables script, others at my company cannot - but they 
could, if necessary, use the web interface (such as if I'm on holiday).

If you want to use Linux, you might also consider some of the dedicated 
distributions such as Smoothwall or OpenWRT (I use OpenWRT on small 
routers).  There are also firewall tools such as vuurmuur and shorewall. 
I found that none of them had all the features I needed, so I worked 
manually.  (I also found that pfSense didn't have those features either, 
when I first looked at it many years ago.)

In the end it depends on what you need.  Both Linux and FreeBSD are 
solid bases for a firewall/router.

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread RB
On Wed, Sep 21, 2011 at 09:58, Bart Grefte  wrote:
> To give an idea about the interference:
> http://www.ravenslair.nl/GoT2/wifi.jpg , there are probably more networks by
> now.

Nice!  Looks like channels 1-3 are prime territory.  Two tricks I've
also learned are to disable B clients (if your AP supports that) and
disabling lower association speeds, say below 12Mb/s (OFDM rate,
fencing out B altogether).  That doesn't mean you'll magically get at
least 12Mb/s, but can help keep your network from dropping down to a
minimal speed to save power or due to interference.  YMMV.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
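What RB's two tricks look like as an access-point configuration, as an added example that is not from RB or anyone else on the list. It assumes a Linux AP driven by hostapd (which is what OpenWRT, mentioned elsewhere in this thread, uses); the interface name, SSID, channel and passphrase are placeholders. hostapd takes rates in units of 100 kb/s, so 120 is 12 Mb/s. Leaving the 1, 2, 5.5 and 11 Mb/s DSSS/CCK rates out of supported_rates means an 802.11b-only client has no rate it can associate at, and basic_rates is the set every client must support and the rate beacons and other management frames are sent at, so the AP stops spending airtime at 1 Mb/s. The WPA2/CCMP lines are not part of RB's advice, just what any AP should carry. Check your own devices first: anything b-only simply disappears from the network once this is pushed.

```ini
# Added example: hostapd.conf for a 2.4 GHz AP that fences out 802.11b.
# Interface, SSID, channel and passphrase are placeholders.
interface=wlan0
driver=nl80211
ssid=example-net
hw_mode=g
channel=1

# Rates are in units of 100 kb/s. The usual 802.11g set would be
#   supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
#   basic_rates=10 20
# which lets b-only clients associate and sends beacons at 1 Mb/s.
# OFDM-only set: nothing below 12 Mb/s is offered, and 12/24 Mb/s are mandatory.
supported_rates=120 180 240 360 480 540
basic_rates=120 240

# Not part of the rate advice, but no AP should run without it.
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=change-this-before-use
```

As RB says, this does not make anyone faster; it only stops a weak or noisy client from dragging the whole cell down to b rates, and whether the 12 Mb/s floor is right depends on how far from the AP your clients sit.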


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Seth Mos
Hi,

On 21 Sep 2011, at 20:45, Bart Grefte wrote:

> Already ran inSSIDer few months back: http://www.ravenslair.nl/GoT2/wifi.jpg
> (Probably worse by now.)

A friend of mine also receives 25-something access points in the living room, 
and had packet loss to the gateway. I've let him purchase a Linksys wrt320n 
router which does b/g or a. He's switched to the A band and has been very happy 
ever since.

> Lol, 13 isn't valid from an American point of view. Maybe Apple does not
> know we use it in Europe? :P

Apple uses the beacon packets from advertising access points to determine the 
"region". It's called wisdom.

Which my Apple thinks is the US. Because of a neighbors AP.

Regards,

Seth
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
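The mechanism behind Seth's channel-13 problem, as an added example that is not code from the list or from Apple: the region a client infers comes from the 802.11d Country information element (element ID 7) that access points put in their beacons. The parser below walks the tagged parameters of a beacon frame body, pulls out the SSID, the DS channel and the Country element, and turns its (first channel, channel count, max power) triplets into the set of channels that beacon claims are legal. The two beacon bodies at the bottom are constructed inline to stand in for a Dutch AP on channel 13 and a US-configured neighbour; they are not captured frames. Beacons are unauthenticated, so whichever neighbour a client chooses to believe decides what country it thinks it is in. How Apple picks between conflicting beacons is not something the thread says, so the code only reports the disagreement.

```python
"""Added example: parse the 802.11d Country element from beacon frame bodies.

Not code from the pfSense list or from Apple. The beacon bodies at the
bottom are constructed here as sample input.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EID_SSID = 0       # element IDs from IEEE 802.11
EID_DS_PARAMS = 3  # carries the operating channel
EID_COUNTRY = 7    # 802.11d country / regulatory information
FIXED_LEN = 12     # timestamp(8) + beacon interval(2) + capability(2)

Triplet = Tuple[int, int, int]  # first channel, number of channels, max tx dBm


@dataclass
class Beacon:
    ssid: str
    channel: Optional[int]
    country: Optional[str]
    triplets: List[Triplet]


def parse_ies(body: bytes) -> Dict[int, bytes]:
    """Walk the tag/length/value elements after the fixed fields.

    Stops at the first element whose declared length runs past the end of
    the body instead of reading beyond the buffer; a duplicated element ID
    keeps its first occurrence."""
    ies: Dict[int, bytes] = {}
    pos = FIXED_LEN
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        pos += 2
        if pos + length > len(body):
            break  # truncated element: do not trust anything after it
        ies.setdefault(eid, body[pos:pos + length])
        pos += length
    return ies


def parse_country(data: bytes) -> Tuple[Optional[str], List[Triplet]]:
    """Country element: 2-char ISO code, 1 environment byte (' ', 'I', 'O'),
    then 3-byte triplets, zero-padded to an even length."""
    if len(data) < 3:
        return None, []
    country = data[:2].decode("ascii", errors="replace")
    triplets: List[Triplet] = []
    rest = data[3:]
    for i in range(0, len(rest) - 2, 3):
        first, count, power = rest[i], rest[i + 1], rest[i + 2]
        if first == 0 or first >= 201:
            # 0 is padding; 201 and up are regulatory-extension triplets,
            # not channel ranges, so stop here
            break
        triplets.append((first, count, power))
    return country, triplets


def parse_beacon(body: bytes) -> Beacon:
    ies = parse_ies(body)
    ssid = ies.get(EID_SSID, b"").decode("utf-8", errors="replace")
    ds = ies.get(EID_DS_PARAMS)
    channel = ds[0] if ds else None
    country, triplets = (parse_country(ies[EID_COUNTRY])
                         if EID_COUNTRY in ies else (None, []))
    return Beacon(ssid, channel, country, triplets)


def allowed_channels(beacon: Beacon) -> Set[int]:
    """Channels the beacon's Country element claims are legal to use."""
    chans: Set[int] = set()
    for first, count, _ in beacon.triplets:
        chans.update(range(first, first + count))
    return chans


def countries_seen(bodies: List[bytes]) -> Set[str]:
    """Distinct country codes heard. More than one means the neighbourhood
    disagrees, and a client that trusts beacons may pick the wrong one."""
    return {b.country for b in map(parse_beacon, bodies) if b.country}


def build_beacon(ssid: str, channel: int, country: bytes,
                 triplets: List[Triplet]) -> bytes:
    """Constructed beacon body (sample input, not a captured frame)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU, capabilities
    ies = bytes([EID_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([EID_DS_PARAMS, 1, channel])
    cdata = country + b"".join(bytes(t) for t in triplets)
    if len(cdata) % 2:
        cdata += b"\x00"
    ies += bytes([EID_COUNTRY, len(cdata)]) + cdata
    return fixed + ies


# Constructed samples: a Dutch AP allowing 1-13 and a US neighbour allowing 1-11.
NL_BEACON = build_beacon("home-nl", 13, b"NL ", [(1, 13, 20)])
US_BEACON = build_beacon("neighbour-us", 6, b"US ", [(1, 11, 30)])

if __name__ == "__main__":
    for body in (NL_BEACON, US_BEACON):
        b = parse_beacon(body)
        print(f"{b.ssid!r} ch {b.channel} country {b.country} "
              f"allows {sorted(allowed_channels(b))}")
    print("countries heard:", sorted(countries_seen([NL_BEACON, US_BEACON])))
```

Run against real traffic you would feed parse_beacon() the frame body from a monitor-mode capture; the truncation check in parse_ies() matters there, because a malformed element length from a hostile AP is exactly the kind of input a beacon parser sees.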


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Seth Mos
Hi,

On 21 Sep 2011, at 19:11, Bart Grefte wrote:

> B: I don't think I've got devices supporting that standard. Only b/g.
> C: I already use wires, mostly, but I want to keep my laptop wireless. Just
> not with 200kBps.

FYI, an Intel wifi 5100 agn mini pci-e card is 7 euro on ebay, the more 
expensive faster 6200 agn is 17 euros on ebay, you could go the whammy for the 
Intel 6300 which is a 3x3 card. Works well enough for laptops.

I only use the b/g ssid for my android phone, it's not fast, but neither is the 
phone. All the laptops just are easily upgraded.

I bought the dualband router from linksys because it had a deal at the time. 
Might as well buy the cheapest dual band you can get, it doesn't need to route 
or firewall anyway.

And don't argue about cost, if you are more happy to inflict pain on yourself, 
go right ahead, I don't want to hear it :-)

Regards,

Seth


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Seth Mos

On 21 Sep 2011, at 17:25, Bart Grefte wrote:

> I use wireless a lot, but G is too slow, barely get 200kBps. I'm hoping
> switching to N will help to increase speed.
> And because my mITX router has an available pci-slot and I've got a
> N-PCI-card lying around, I figured, put the card in my pfSense box and set
> it as an AP.

Start inssider or wifi analyzer on your computer or phone and check the 2.4GHz 
band. What you really need is a 5GHz wireless, those just work, but can't get 
through concrete floors.

Hence the AP downstairs in the living room and the other upstairs in one of the 
bedrooms.

You might be able to use channel 13, but my mac sees a US ap in the Netherlands 
and decided channel 13 isn't valid. Good job Apple. Argh.

I can do about 12-15MB/s sustained with my time machine backups to the NAS over 
the 5GHz wireless. Reliably. I have packet loss to the pfSense box from my mac 
to pfSense when I'm trying to use 2.4GHz. That's how bad it has gotten.

Regards,

Seth



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/11 16:38, Jim Pingle wrote:
> On 9/21/2011 10:06 AM, David Brown wrote:
>> OK, I'll have a look at that.  If I get a redundant setup with CARP
>> working then there is not the same need for raid - the whole router can
>> be switched out.  But it is still nice to have, and makes recovery and
>> rebuilding much easier.
>
> True on both counts, though if your backup hardware is
> comparable/identical it's even more true. If your backup hardware is not
> as powerful and you would be putting it under a load it maybe can't
> handle for long periods, then raid would still be important, but not
> critical.

I think the backup hardware will be fine with the load, though 
potentially a little slower.  One of the reasons I am looking at this is 
that the Linux system died a few weeks ago when the SAS controller card 
failed (ironically, when I bought the system, the only reason I got a 
SAS drive was because the salesman convinced me it was more reliable... 
now I always insist on ordinary SATA drives using software raid). 
Until I got it back up again, we were running with a small wireless 
router (Linksys WRT54GL) with a modified Linux distribution (OpenWRT). 
It was slow, especially for OpenVPN traffic, but it worked.  But that is 
why I am so keen on a redundant solution this time!

>>> The hardware doesn't have to be the same, but the number of assigned
>>> NICs and the order in which they were assigned must be the same.
>>
>> OK.  My current hardware has 2 motherboard GBit NICs and a 4x100Mb card
>> - when I buy a new system, it will probably be a little newer and be all
>> GBit NICs (and faster processor, etc.).  This would then be the primary
>> system.  It is absolutely fine that a switchover to the secondary system
>> means a loss in speed of the links, as long as the links all work!
>
> Yeah that should be fine. There are some people who fail over from large
> systems to a little ALIX so they can squeak by until the main unit gets
> repaired. Saves on power, but depending on the kind of load involved it
> may not be possible/ideal.
>
>> I am (as yet) very unfamiliar with FreeBSD.  But as far as I can see,
>> the names of the interfaces are dependent on the drivers, unlike Linux
>> (which typically calls them eth0, eth1, etc., regardless of the
>> drivers).  In Linux, you can use the "udev" rules to set specific names
>> for the devices based on the MAC address of the port - that keeps them
>> consistent even if you swap cards around to different ports.  Can I do
>> something similar with pfSense so that the NIC names are consistent even
>> though the two routers have different hardware?
>
> There isn't a way to tie it down by MAC address, but the idea has been
> tossed around before.
>
> When you assign a card in pfSense it goes with a specific name (em0,
> em1, vr0, vr1, etc) but if the cards are swapped around and the ordering
> of the drivers changed, the association may not be as expected. If the
> type of card changes, it would make you reassign the NICs to accommodate
> the change.

I don't expect to swap around cards once they are installed (barring 
failure, of course).  But on the one system the WAN interface could be 
em0, and on the other it could be vr0.  It doesn't matter if I have to 
figure out the names and set up the NICs when I first install them, but 
obviously it's important that when the rules and other configuration are 
synced between the machines, they apply to the same logical interfaces.

>> Incidentally, can I assume that FreeBSD will support the NICs on the
>> motherboard and add-in cards, without having to be too specific about
>> the types?  I am not trying to use anything too esoteric, such as 10 GB
>> cards or tcp offload engines - just a small Dell or IBM rack server with
>> a four-port Ethernet card.
>
> Best not to assume anything, the FreeBSD hardware list is out there and
> easy to compare against. pfSense 2.0 is based on FreeBSD 8.1-RELEASE,
> though the em/igb driver is a bit newer than the one shipped with that
> so if you have Intel cards it may be supported even if not on the list.
> Only real way to know is to try.
>
> If you are using multi-port NICs, especially if you decide to use amd64,
> you'll probably want to employ some of the tweaks listed here:
>
> http://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards

Since my current router hardware is Dell, and the motherboard interfaces 
are Broadcom, I'll keep that in mind!

These issues seem to imply that the amd64 version has more potential 
problems than the i386 version.  Would you recommend that I use the i386 
version?  Unless the new hardware I get has more than 4G memory, I don't 
suppose there is much advantage in using the 64-bit version.




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/11 16:31, Jim Pingle wrote:
> On 9/21/2011 9:55 AM, David Brown wrote:
>> Just to confirm what I'm looking for here, I would want to switch over
>> to the secondary if any of the NICs on the main system failed, or if the
>> main system itself failed.  But it should not switch if interfaces such
>> as the VPNs fail.
>>
>> Realistically, it is probably the router computer itself (disk, cpu fan,
>> power supply) that will fail rather than the NICs.
>
> The only interfaces that can trigger a failover are those with CARP VIPs
> configured upon them. If one interface with a CARP VIP goes down, the
> backup will take over all of the CARP VIPs.
>
> Relating that behavior to the NIC is not 100% correct really, since it's
> actually the CARP VIPs that go up/down and thus triggering the failover
> to the other box since all traffic should be flowing through the CARP VIPs.
>
> Anything that is tied specifically to one box or the other would not be
> affected by the failover, which is why everything should be using CARP
> VIPs for the gateway, outbound NAT, services, etc.

That makes a lot of sense.  Thanks.

David

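Jim's description of what does and does not trigger a failover, worked through as an added example (not code from the thread, pfSense or FreeBSD): a small model of CARP master election. It assumes simplified carp(4) rules: the lowest advskew wins each VIP, nothing is advertised on a down link, and with net.inet.carp.preempt on (pfSense enables it) a node with any VIP-carrying interface down advertises skew 240 on all its VIPs. Node names, interfaces, addresses and skews are constructed.

```python
"""Model CARP master election for a two-node pfSense cluster.

Added example: not code from the thread, pfSense or FreeBSD. Simplified
carp(4) rules modelled here: for each VIP the node advertising the lowest
advskew is MASTER; a node cannot advertise a VIP on an interface whose
link is down; with net.inet.carp.preempt=1 (pfSense enables it) a node
with any VIP-carrying interface down advertises advskew 240 on all of its
VIPs, so they move as a group. Names, interfaces, addresses and skews
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEMOTED_ADVSKEW = 240  # skew carp(4) applies to every VIP once a CARP link drops (preempt on)


@dataclass(frozen=True)
class Vip:
    vhid: int
    iface: str     # physical interface carrying the VIP (em0 on one box, vr0 on the other is fine)
    address: str


@dataclass
class Node:
    name: str
    advskew: int                 # configured skew: primary 0, backup e.g. 100
    link_up: Dict[str, bool]     # physical interface -> link state
    tiebreak: int = 0            # stands in for the source IP CARP compares on equal skew


def carp_ifaces(vips: List[Vip]) -> set:
    """Interfaces whose link state can trigger a failover: only those carrying a VIP."""
    return {v.iface for v in vips}


def effective_advskew(node: Node, vip: Vip, vips: List[Vip], preempt: bool) -> Optional[int]:
    """Skew `node` advertises for `vip`, or None if it cannot advertise at all."""
    if not node.link_up.get(vip.iface, False):
        return None  # no advertisements leave a dead link
    if preempt and any(not node.link_up.get(i, False) for i in carp_ifaces(vips)):
        return DEMOTED_ADVSKEW  # whole node steps back so WAN and LAN stay on one box
    return node.advskew


def elect_masters(nodes: List[Node], vips: List[Vip], preempt: bool = True) -> Dict[str, Optional[str]]:
    """Map each VIP address to the name of the node that becomes MASTER for it."""
    masters: Dict[str, Optional[str]] = {}
    for vip in vips:
        candidates = []
        for node in nodes:
            skew = effective_advskew(node, vip, vips, preempt)
            if skew is not None:
                candidates.append((skew, node.tiebreak, node.name))
        masters[vip.address] = min(candidates)[2] if candidates else None
    return masters


# Constructed cluster: a CARP VIP on WAN (em0) and on LAN (em1); the OpenVPN
# interface ovpns1 carries no VIP, so its failure must not cause a failover.
VIPS = [Vip(1, "em0", "198.51.100.10"), Vip(2, "em1", "192.168.1.1")]
ALL_UP = {"em0": True, "em1": True, "ovpns1": True}


def scenario(primary_links: Dict[str, bool], preempt: bool) -> Dict[str, Optional[str]]:
    """Elect masters with the backup fully healthy and the primary's links as given."""
    nodes = [Node("primary", 0, dict(primary_links), tiebreak=1),
             Node("backup", 100, dict(ALL_UP), tiebreak=2)]
    return elect_masters(nodes, VIPS, preempt)


if __name__ == "__main__":
    wan_down = {**ALL_UP, "em0": False}
    print("all healthy:              ", scenario(ALL_UP, True))
    print("WAN link lost, no preempt:", scenario(wan_down, False))  # split: WAN on backup, LAN on primary
    print("WAN link lost, preempt:   ", scenario(wan_down, True))   # both VIPs on backup
    print("only VPN down, preempt:   ", scenario({**ALL_UP, "ovpns1": False}, True))
```

The no-preempt run shows why the group behaviour matters: the WAN VIP and the LAN VIP end up on different boxes, and traffic through the cluster breaks even though each VIP has a master.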


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
A: Not an option, if I go above 100mW my equipment will be taken away plus
there will be one hell of a fine. (Netherlands, max. allowed is 100mW.)
B: I don't think I've got devices supporting that standard. Only b/g.
C: I already use wires, mostly, but I want to keep my laptop wireless. Just
not with 200kBps.


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of Adam Thompson
Sent: Wednesday, 21 September 2011 18:41
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

At that point, lining your entire apartment with copper mesh might be your
only option!
You could also
A) switch to a high-power AP, and drown out your neighbours,
B) switch to 802.11a,
C) use wires.
At that level of penetration, it would be good practice for the building to
become its own ISP... Likely too late for that, though.
-Adam


Bart Grefte  wrote:

>Already tried channel 1, makes no difference.
>
>No WISP, just adsl-modem/router/AP combos. Wireless APs have been 
>standard for a while now in the equipment of the ISPs that is placed 
>at people's homes. There will be a lot more since the local 
>cable-provider is replacing the current modems with modems that have a
>built-in router and AP.
>
>Changing the antenna's position on my Senao ECB-3220, and even replacing 
>it with a 9dBi antenna did not help.
>
>
>-Original Message-
>From: list-boun...@lists.pfsense.org 
>[mailto:list-boun...@lists.pfsense.org]
>On behalf of Tim Nelson
>Sent: Wednesday, 21 September 2011 18:08
>To: pfSense support and discussion
>Subject: Re: [pfSense] Replacing a Linux router with pfSense
>
>Ugh, the last message was sent before I intended...
>
>You should set your wireless equipment on a non-overlapping channel 
>different than those around you. From the screenshot you gave, channel 
>1 looks to be about the best bet.
>
>Also, I'm seeing a lot of 'Sitecom' stuff. Is that a local WISP? It is 
>very likely the amount of traffic on those APs alone accounts for the 
>interference you're seeing.
>
>You may need to check your antenna orientation also. Typically, on 
>omnidirectional antennas, the signal is radiated at a perpendicular 
>angle to the antenna orientation. So, if your antennas are pointed 
>straight up (vertically), signal should be coming horizontally. This is 
>an oversimplified view, but roughly correct.
>
>I'm not a wireless "expert", but I hope these tips give you a few items 
>to go on for better performance.
>
>Tim Nelson
>Systems/Network Support
>Rockbochs Inc.
>(218)727-4332 x105
>
>- Original Message -
>> You could very well have channel spacing issues. There are only a few 
>> channels that do not overlap. Please see details here for specific 
>> wifi implementations:
>> http://en.wikipedia.org/wiki/IEEE_802.11#Channels_and_international_compatibility
>> 
>> Tim Nelson
>> Systems/Network Support
>> Rockbochs Inc.
>> (218)727-4332 x105
>> 


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Adam Thompson
I should have been more specific: the building could blanket all the tenants 
with a mesh multi-tenant wifi system like those from Motorola (née Symbol) or 
Colubris (now HP).  I'm sure there are several dozen vendors making systems 
like that now, those are the two I have used.
-Adam


David Burgess  wrote:

>On Wed, Sep 21, 2011 at 10:41 AM, Adam Thompson  wrote:
>
>> At that level of penetration, it would be good practice for the building to 
>> become its own ISP... Likely too late for that, though.
>
>I cringe to go yet further on this tangent, but I have to ask, "why?".
>Unless the building managers have some exclusivity contract with some
>other ISP, what would stop them from becoming their own? Even then,
>they might be able to arrange a bulk contract with the ISP and handle
>their own distribution.
>
>Even if retrofitting cat 5/6 isn't an option at this point, on-site
>VDSL is a great alternative in many MDUs.
>
>But, then, you still have the problem of individual tenants plugging
>in their own AP, unless you figure out a way to effectively train them
>to turn the power way down, or do it for them.
>
>db


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Burgess
On Wed, Sep 21, 2011 at 10:41 AM, Adam Thompson  wrote:

> At that level of penetration, it would be good practice for the building to 
> become its own ISP... Likely too late for that, though.

I cringe to go yet further on this tangent, but I have to ask, "why?".
Unless the building managers have some exclusivity contract with some
other ISP, what would stop them from becoming their own? Even then,
they might be able to arrange a bulk contract with the ISP and handle
their own distribution.

Even if retrofitting cat 5/6 isn't an option at this point, on-site
VDSL is a great alternative in many MDUs.

But, then, you still have the problem of individual tenants plugging
in their own AP, unless you figure out a way to effectively train them
to turn the power way down, or do it for them.

db


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Adam Thompson
At that point, lining your entire apartment with copper mesh might be your only 
option!
You could also
A) switch to a high-power AP, and drown out your neighbours,
B) switch to 802.11a,
C) use wires.
At that level of penetration, it would be good practice for the building to 
become its own ISP... Likely too late for that, though.
-Adam


Bart Grefte  wrote:

>Already tried channel 1, makes no difference.
>
>No WISP, just adsl-modem/router/AP combos. Wireless APs have been standard
>for a while now in the equipment of the ISPs that is placed at people's
>homes. There will be a lot more since the local cable-provider is replacing
>the current modems with modems that have a built-in router and AP.
>
>Changing the antenna's position on my Senao ECB-3220, and even replacing it
>with a 9dBi antenna did not help.
>
>
>-Original Message-
>From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
>On behalf of Tim Nelson
>Sent: Wednesday, 21 September 2011 18:08
>To: pfSense support and discussion
>Subject: Re: [pfSense] Replacing a Linux router with pfSense
>
>Ugh, the last message was sent before I intended...
>
>You should set your wireless equipment on a non-overlapping channel
>different than those around you. From the screenshot you gave, channel 1
>looks to be about the best bet.
>
>Also, I'm seeing a lot of 'Sitecom' stuff. Is that a local WISP? It is very
>likely the amount of traffic on those APs alone accounts for the
>interference you're seeing.
>
>You may need to check your antenna orientation also. Typically, on
>omnidirectional antennas, the signal is radiated at a perpendicular angle to
>the antenna orientation. So, if your antennas are pointed straight
>up (vertically), signal should be coming horizontally. This is an
>oversimplified view, but roughly correct.
>
>I'm not a wireless "expert", but I hope these tips give you a few items to
>go on for better performance.
>
>Tim Nelson
>Systems/Network Support
>Rockbochs Inc.
>(218)727-4332 x105
>
>- Original Message -
>> You could very well have channel spacing issues. There are only a few 
>> channels that do not overlap. Please see details here for specific 
>> wifi implementations:
>> http://en.wikipedia.org/wiki/IEEE_802.11#Channels_and_international_compatibility
>> 
>> Tim Nelson
>> Systems/Network Support
>> Rockbochs Inc.
>> (218)727-4332 x105
>> 


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
Already tried channel 1, makes no difference.

No WISP, just adsl-modem/router/AP combos. Wireless APs have been standard
for a while now in the equipment of the ISPs that is placed at people's
homes. There will be a lot more since the local cable-provider is replacing
the current modems with modems that have a built-in router and AP.

Changing the antenna's position on my Senao ECB-3220, and even replacing it
with a 9dBi antenna did not help.


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of Tim Nelson
Sent: Wednesday, 21 September 2011 18:08
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

Ugh, the last message was sent before I intended...

You should set your wireless equipment on a non-overlapping channel
different than those around you. From the screenshot you gave, channel 1
looks to be about the best bet.

Also, I'm seeing a lot of 'Sitecom' stuff. Is that a local WISP? It is very
likely the amount of traffic on those APs alone accounts for the
interference you're seeing.

You may need to check your antenna orientation also. Typically, on
omnidirectional antennas, the signal is radiated at a perpendicular angle to
the antenna orientation. So, if your antennas are pointed straight
up (vertically), signal should be coming horizontally. This is an
oversimplified view, but roughly correct.

I'm not a wireless "expert", but I hope these tips give you a few items to
go on for better performance.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Original Message -
> You could very well have channel spacing issues. There are only a few 
> channels that do not overlap. Please see details here for specific 
> wifi implementations:
> http://en.wikipedia.org/wiki/IEEE_802.11#Channels_and_international_compatibility
> 
> Tim Nelson
> Systems/Network Support
> Rockbochs Inc.
> (218)727-4332 x105
> 


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Tim Nelson
Ugh, the last message was sent before I intended...

You should set your wireless equipment on a non-overlapping channel different 
than those around you. From the screenshot you gave, channel 1 looks to be 
about the best bet.

Also, I'm seeing a lot of 'Sitecom' stuff. Is that a local WISP? It is very 
likely the amount of traffic on those APs alone accounts for the interference 
you're seeing.

You may need to check your antenna orientation also. Typically, on 
omnidirectional antennas, the signal is radiated at a perpendicular angle to 
the antenna orientation. So, if your antennas are pointed straight 
up (vertically), signal should be coming horizontally. This is an oversimplified 
view, but roughly correct.

I'm not a wireless "expert", but I hope these tips give you a few items to go 
on for better performance.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Original Message -
> You could very well have channel spacing issues. There are only a few
> channels that do not overlap. Please see details here for specific
> wifi implementations:
> http://en.wikipedia.org/wiki/IEEE_802.11#Channels_and_international_compatibility
> 
> Tim Nelson
> Systems/Network Support
> Rockbochs Inc.
> (218)727-4332 x105
> 
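The channel-spacing advice in Tim's two messages, worked through as an added example (not code from the thread): it derives which 2.4 GHz channels do not overlap for a given occupied width and ranks channels by how loudly the surrounding APs overlap them. The AP survey is constructed and stands in for the wifi.jpg screenshot; its SSIDs and RSSI values are made up, and the ETSI/FCC channel sets reflect the 13-channel Netherlands versus 11-channel US regulations the thread runs into.

```python
"""Rank 2.4 GHz channels by how much the surrounding APs overlap them.

Added example, not code from the thread. The AP survey below is
constructed (it stands in for the wifi.jpg screenshot the thread refers
to); SSIDs and RSSI values are made up. Channel centres follow the
IEEE 802.11 2.4 GHz plan: 2407 + 5*n MHz for channels 1-13, 2484 MHz
for channel 14.
"""
from dataclasses import dataclass
from typing import Iterable, List

# 802.11b DSSS occupies about 22 MHz, 802.11g/n OFDM about 20 MHz.
DSSS_WIDTH_MHZ = 22
OFDM_WIDTH_MHZ = 20

# Regulatory channel sets: ETSI (Netherlands) allows 1-13, FCC only 1-11.
# A client locked to the US region never scans or joins channels 12-13.
ETSI_CHANNELS = range(1, 14)
FCC_CHANNELS = range(1, 12)


def center_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(ch_a: int, ch_b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """True when the occupied bandwidths of two channels overlap."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def non_overlapping_set(allowed: Iterable[int], width_mhz: int = DSSS_WIDTH_MHZ) -> List[int]:
    """Greedy lowest-first choice of channels that do not overlap each other."""
    chosen: List[int] = []
    for ch in sorted(allowed):
        if all(not overlaps(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    channel: int
    rssi_dbm: int  # received signal strength: -30 is very loud, -90 barely visible


def congestion(channel: int, aps: Iterable[ObservedAP], width_mhz: int = DSSS_WIDTH_MHZ) -> float:
    """Interference weight on `channel`: summed linear power (mW) of every AP
    whose channel overlaps it. Summing in mW rather than dBm means one loud
    neighbour at -40 dBm counts as much as a thousand at -70 dBm."""
    return sum(10 ** (ap.rssi_dbm / 10) for ap in aps if overlaps(channel, ap.channel, width_mhz))


def rank_channels(aps: List[ObservedAP], allowed: Iterable[int] = ETSI_CHANNELS,
                  width_mhz: int = DSSS_WIDTH_MHZ) -> List[int]:
    """Channels from least to most congested; ties go to the lower number."""
    return sorted(allowed, key=lambda ch: (congestion(ch, aps, width_mhz), ch))


# Constructed survey: a crowded block of ISP modem/router/AP combos.
SURVEY = [
    ObservedAP("Sitecom-1", 1, -50),
    ObservedAP("Sitecom-2", 1, -60),
    ObservedAP("Sitecom-3", 6, -40),
    ObservedAP("ISP-modem-4", 6, -70),
    ObservedAP("Neighbour-5", 11, -65),
    ObservedAP("Neighbour-6", 3, -55),
]

if __name__ == "__main__":
    print("non-overlapping (b, 22 MHz):", non_overlapping_set(ETSI_CHANNELS))
    print("non-overlapping (g, 20 MHz):", non_overlapping_set(ETSI_CHANNELS, OFDM_WIDTH_MHZ))
    for ch in rank_channels(SURVEY):
        print(f"channel {ch:2d}: congestion {congestion(ch, SURVEY):.2e} mW")
    print("best channel a US-region client can also use:", rank_channels(SURVEY, FCC_CHANNELS)[0])
```

Note that channel 13 is only a good pick if every client is allowed to use it; ranking against FCC_CHANNELS shows what a US-locked client like the Mac in the thread would accept.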


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
I've tried all 13 channels for g, no luck in increasing speed.

-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of Tim Nelson
Sent: Wednesday, 21 September 2011 18:05
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

You could very well have channel spacing issues. There are only a few
channels that do not overlap. Please see details here for specific wifi
implementations: http://en.wikipedia.org/wiki/IEEE_802.11#Channels_and_international_compatibility

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Original Message -
> I know, but I can't do anything about the interference besides moving 
> (which I'm planning to if I can ever get my 1st apartment, I've been 
> waiting for over 4 years now for something cheap to become available 
> that does not have a 55+ age requirement, so far no luck).
> To give an idea about the interference:
> http://www.ravenslair.nl/GoT2/wifi.jpg , there are probably more 
> networks by now. Distance shouldn't be a problem, only a few meters, 
> plus the wooden floors and thin non-concrete walls should not slow the 
> network down this much. Also, speed is slow even if I'm in the same 
> room as the AP.
> 
> 
> -Original Message-
> From: list-boun...@lists.pfsense.org
> [mailto:list-boun...@lists.pfsense.org]
> On behalf of RB
> Sent: Wednesday, 21 September 2011 17:49
> To: pfSense support and discussion
> Subject: Re: [pfSense] Replacing a Linux router with pfSense
> 
> On Wed, Sep 21, 2011 at 09:25, Bart Grefte  wrote:
> > I use wireless a lot, but G is too slow, barely get 200kBps. I'm
> > hoping switching to N will help to increase speed.
> 
> 200KB/s on 802.11g indicates there's more trouble than even MIMO N will
> solve. You probably have interference, distance, and antenna problems that
> should be solved first. To wit: 200KB/s translates to 1.6Mb/s, barely over
> the minimum speed supported by 802.11b.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Tim Nelson
You could very well have channel spacing issues. There are only a few channels 
that do not overlap. Please see details here for specific wifi 
implementations: http://en.wikipedia.org/wiki/IEEE_802.11#Channels_and_international_compatibility

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- Original Message -
> I know, but I can't do anything about the interference besides moving
> (which I'm planning to if I can ever get my 1st apartment, I've been waiting
> for over 4 years now for something cheap to become available that does not
> have a 55+ age requirement, so far no luck).
> To give an idea about the interference:
> http://www.ravenslair.nl/GoT2/wifi.jpg , there are probably more networks by
> now. Distance shouldn't be a problem, only a few meters, plus the wooden
> floors and thin non-concrete walls should not slow the network down this
> much. Also, speed is slow even if I'm in the same room as the AP.
> 
> 
> -Original Message-
> From: list-boun...@lists.pfsense.org
> [mailto:list-boun...@lists.pfsense.org]
> On behalf of RB
> Sent: Wednesday, 21 September 2011 17:49
> To: pfSense support and discussion
> Subject: Re: [pfSense] Replacing a Linux router with pfSense
> 
> On Wed, Sep 21, 2011 at 09:25, Bart Grefte  wrote:
> > I use wireless a lot, but G is too slow, barely get 200kBps. I'm
> > hoping switching to N will help to increase speed.
> 
> 200KB/s on 802.11g indicates there's more trouble than even MIMO N will
> solve. You probably have interference, distance, and antenna problems that
> should be solved first. To wit: 200KB/s translates to 1.6Mb/s, barely over
> the minimum speed supported by 802.11b.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
I know, but I can't do anything about the interference besides moving (which
I'm planning to if I can ever get my 1st apartment, I've been waiting for
over 4 years now for something cheap to become available that does not have
a 55+ age requirement, so far no luck).
To give an idea about the interference:
http://www.ravenslair.nl/GoT2/wifi.jpg , there are probably more networks by
now. Distance shouldn't be a problem, only a few meters, plus the wooden
floors and thin non-concrete walls should not slow the network down this
much. Also, speed is slow even if I'm in the same room as the AP.


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of RB
Sent: Wednesday, 21 September 2011 17:49
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

On Wed, Sep 21, 2011 at 09:25, Bart Grefte  wrote:
> I use wireless a lot, but G is too slow, barely get 200kBps. I'm 
> hoping switching to N will help to increase speed.

200KB/s on 802.11g indicates there's more trouble than even MIMO N will
solve.  You probably have interference, distance, and antenna problems that
should be solved first.  To wit: 200KB/s translates to 1.6Mb/s, barely over
the minimum speed supported by 802.11b.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread RB
On Wed, Sep 21, 2011 at 09:25, Bart Grefte  wrote:
> I use wireless a lot, but G is too slow, barely get 200kBps. I'm hoping
> switching to N will help to increase speed.

200KB/s on 802.11g indicates there's more trouble than even MIMO N
will solve.  You probably have interference, distance, and antenna
problems that should be solved first.  To wit: 200KB/s translates to
1.6Mb/s, barely over the minimum speed supported by 802.11b.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Miller
On Wed, Sep 21, 2011 at 11:19 AM, David Burgess  wrote:

> On Wed, Sep 21, 2011 at 8:46 AM, Jim Pingle  wrote:
>
> > Although for my network I use pfSense at the edge and an Asus RT-N16
> > running Tomato for my wireless N needs.
>
> Ditto, except Netgear WNR3500L + Tomato. Also seriously considered
> buying a couple Ubiquiti Unifi for the vlan support, but couldn't
> justify dumping the perfectly functional Netgear. But I digress.
>

I have a UniFi at my house.  It replaced 2 Buffalo G routers running DD-WRT
at my house.  I only got it b/c I was in the middle of purchasing and
deploying them for my church and at two businesses that I support.  I also
wanted to upgrade my wireless to N at home.

They are a very nice AP for the money so I highly recommend them.  At one of
the businesses one of the UniFi units replaced a Netgear N router set up as
an AP.  Suddenly a problem that we always wrote off to FlexLM, where users
would occasionally lose a license, requiring the license service to be
bounced to let the license go and get things working again, went away.  So
apparently the problem was the wireless network.
--
David


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
I use wireless a lot, but G is too slow, barely get 200kBps. I'm hoping
switching to N will help to increase speed.
And because my mITX router has an available PCI slot and I've got an
N PCI card lying around, I figured, put the card in my pfSense box and set
it up as an AP.


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of Seth Mos
Sent: Wednesday, 21 September 2011 17:00
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

Hi Bart,

On 21-9-2011 16:34, Bart Grefte wrote:
> Hmm, why switch to pfSense from Linux? I am considering the other way 
> round, from pfSense to Linux.
> Mainly because of the lack of wireless drivers with support for N and a 
> buggy Atheros FreeBSD driver.

Although I do have some wireless cards in my soekris/alix at home I don't
actively use them. I can't do the whole home wirelessly anyway.

I also need a few gigabit switch ports here and there so I ended up with the
following:

1. Soekris in the breakerbox closet with pfSense that does the routing for
my cable internet. It has an 8-port gigabit switch for various cat5 to
upstairs, the living room and my NAS.
2. Linksys wrt 610n in the living room, DHCP server disabled, address
statically assigned, dual band wireless n coverage ++. Xbox and media center
connected to it. Easy switch port for cable if I need it.
3. Linksys e3000 upstairs, same deal, dual band wireless N range ++,
connects my ESX4 server, Cisco 1811

For the sake of my argument, pick up a new or old wireless router someone is
throwing away, disable the DHCP server and connect the LAN port for a nice
access point with a 4-port switch.

Belkin devices come with an "Accesspoint" setting in all their routers!

Regards,

Seth


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
Hmm, okay. Support for master-/AP-mode, for Atheros based PCI-cards, in
combination with N as well?
If yes, that leaves the "stuck beacon"-bug in the Atheros driver that has
been in there for years. And no, changing the channel does not help.


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of Jim Pingle
Sent: Wednesday, 21 September 2011 16:46
To: pfSense support and discussion
Subject: Re: [pfSense] Replacing a Linux router with pfSense

On 9/21/2011 10:34 AM, Bart Grefte wrote:
> Mainly because of the lack of wireless drivers with support for N and a 
> buggy Atheros FreeBSD driver.

FYI- pfSense 2.1 will be based on FreeBSD 9.x which has some N support.
Some of it isn't going to make it into 9.0-RELEASE but I imagine we'll
probably pull the changes in where possible. Wireless development in FreeBSD
is still quite active.

Although for my network I use pfSense at the edge and an Asus RT-N16 running
Tomato for my wireless N needs.

Jim


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Burgess
On Wed, Sep 21, 2011 at 8:46 AM, Jim Pingle  wrote:

> Although for my network I use pfSense at the edge and an Asus RT-N16
> running Tomato for my wireless N needs.

Ditto, except Netgear WNR3500L + Tomato. Also seriously considered
buying a couple Ubiquiti Unifi for the vlan support, but couldn't
justify dumping the perfectly functional Netgear. But I digress.

db


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Seth Mos

Hi Bart,

On 21-9-2011 16:34, Bart Grefte wrote:
> Hmm, why switch to pfSense from Linux? I am considering the other way round,
> from pfSense to Linux.
> Mainly because of the lack of wireless drivers with support for N and a buggy
> Atheros FreeBSD driver.


Although I do have some wireless cards in my soekris/alix at home I don't 
actively use them. I can't do the whole home wirelessly anyway.


I also need a few gigabit switch ports here and there so I ended up with 
the following:


1. Soekris in the breakerbox closet with pfSense that does the routing 
for my cable internet. It has an 8-port gigabit switch for various cat5 
to upstairs, the living room and my NAS.
2. Linksys wrt 610n in the living room, DHCP server disabled, address 
statically assigned, dual band wireless n coverage ++. Xbox and media 
center connected to it. Easy switch port for cable if I need it.
3. Linksys e3000 upstairs, same deal, dual band wireless N range ++, 
connects my ESX4 server, Cisco 1811


For the sake of my argument, pick up a new or old wireless router someone 
is throwing away, disable the DHCP server and connect the LAN port for a 
nice access point with a 4-port switch.


Belkin devices come with an "Accesspoint" setting in all their routers!

Regards,

Seth


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Jim Pingle
On 9/21/2011 10:34 AM, Bart Grefte wrote:
> Mainly because the lack of wireless drivers with support for N and a buggy
> Atheros FreeBSD driver.

FYI- pfSense 2.1 will be based on FreeBSD 9.x which has some N support.
Some of it isn't going to make it into 9.0-RELEASE but I imagine we'll
probably pull the changes in where possible. Wireless development in
FreeBSD is still quite active.

Although for my network I use pfSense at the edge and an Asus RT-N16
running Tomato for my wireless N needs.

Jim


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Jim Pingle
On 9/21/2011 10:06 AM, David Brown wrote:
> OK, I'll have a look at that.  If I get a redundant setup with CARP
> working then there is not the same need for raid - the whole router can
> be switched out.  But it is still nice to have, and makes recovery and
> rebuilding much easier.

True on both counts, though if your backup hardware is
comparable/identical it's even more true. If your backup hardware is not
as powerful and you would be putting it under a load it maybe can't
handle for long periods, then raid would still be important, but not
critical.

>> The hardware doesn't have to be the same, but the number of assigned
>> NICs and the order in which they were assigned must be the same.
>>
> 
> OK.  My current hardware has 2 motherboard GBit NICs and a 4x100Mb card
> - when I buy a new system, it will probably be a little newer and be all
> GBit NICs (and faster processor, etc.).  This would then be the primary
> system.  It is absolutely fine that a switchover to the secondary system
> means a loss in speed of the links, as long as the links all work!

Yeah that should be fine. There are some people who fail over from large
systems to a little ALIX so they can squeak by until the main unit gets
repaired. Saves on power, but depending on the kind of load involved it
may not be possible/ideal.

> I am (as yet) very unfamiliar with FreeBSD.  But as far as I can see,
> the names of the interfaces is dependent on the drivers, unlike Linux
> (which typically calls them eth0, eth1, etc., regardless of the
> drivers).  In Linux, you can use the "udev" rules to set specific names
> for the devices based on the MAC address of the port - that keeps them
> consistent even if you swap cards around to different ports.  Can I do
> something similar with pfSense so that the NIC names are consistent even
> though the two routers have different hardware?

There isn't a way to tie it down by MAC address, but the idea has been
tossed around before.

When you assign a card in pfSense it goes with a specific name (em0,
em1, vr0, vr1, etc) but if the cards are swapped around and the ordering
of the drivers changed, the association may not be as expected. If the
type of card changes, it would make you reassign the NICs to accommodate
the change.

> Incidentally, can I assume that FreeBSD will support the NICs on the
> motherboard and add-in cards, without having to be too specific about
> the types?  I am not trying to use anything too esoteric, such as 10 GB
> cards or tcp offload engines - just a small Dell or IBM rack server with
> a four-port Ethernet card.

Best not to assume anything, the FreeBSD hardware list is out there and
easy to compare against. pfSense 2.0 is based on FreeBSD 8.1-RELEASE,
though the em/igb driver is a bit newer than the one shipped with that
so if you have Intel cards it may be supported even if not on the list.
Only real way to know is to try.

If you are using multi-port NICs, especially if you decide to use amd64,
you'll probably want to employ some of the tweaks listed here:

http://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards

Jim


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Bart Grefte
Hmm, why switch to pfSense from Linux? I am considering the other way round,
from pfSense to Linux.
Mainly because the lack of wireless drivers with support for N and a buggy
Atheros FreeBSD driver.

Right now I'm thinking a base install of Debian, followed by only the
packages I need and do the configuring by console. I know about Webmin, but
don't know if I can change every setting with that.


-Original Message-
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On behalf of David Brown
Sent: Wednesday 21 September 2011 13:13
To: pfSense support and discussion
Subject: [pfSense] Replacing a Linux router with pfSense

I have a Linux machine as our company firewall/router at the moment. 
Since reading the announcement of pfSense 2.0 (on LinuxToday!), I have been
considering replacing it with pfSense.  There are some features that I see
as being big improvements over my existing system, such as the web interface
(which is perhaps slightly more user-friendly than ssh and iptables scripts)
and CARP for failover between two routers.

There are some features of my existing setup that may be difficult to
duplicate with pfSense, and I'm hoping someone can tell me whether these are
easy, hard-but-possible, or impossible - the pfSense wiki has a lot of
information, but it can't cover everything (especially the latest features
of pfSense 2.0).  I've read through a fair amount of it, but by no means
all.


First, on the Linux system I have two hard disks, each with two partitions.
The first partition on each is set as a software RAID1 and contains the OS,
configuration, data, etc.  The second partition on each is separate and
contains a squid cache.  Thus the system will boot and run fine even if one
disk fails (losing half the squid cache will not be harmful).  Can I do
something similar with pfSense?  I know a great deal about Linux software
raid, but nothing about FreeBSD.



I make use of VLANs on switches to control different subnets for parts of
our LAN, server networks, etc.  On some of these, the router has more than
one alias.  This means I have network "interfaces" with names like
"eth0.12:2" in Linux (second alias on VLAN 12 connected to the first
physical ethernet card).  In some cases there is more than one alias on the
same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on different
subnets on the same VLAN.  I know pfSense is flexible about VLANs - but is
it /that/ flexible?


I have two WAN connections.  One is a symmetric link (10/10), the other is
ADSL (8/1).  I would like to set these up so that the symmetric link is the
main link, with the ADSL as backup.  But http traffic can be balanced
between them.  Can I arrange that?



On one of the WAN connections, I have several IP addresses (a /28 subnet).
Several services coming in on these IP addresses need to be NAT'ed to
different internal servers, depending on the port and the IP address
targeted.  It is important that replies from the internal servers get
returned from the same IP as originally targeted.  Will that work with
pfSense?


I have two OpenVPN servers on the current system, running on different
ports.  Clients on these have access to different servers.  Can I have
several OpenVPN servers configured with pfSense?


I would also like to set up an OpenVPN "hub" to handle communication between
external OpenVPN servers and clients.  Some of my company's clients have
OpenVPN servers or clients that some of our employees need access to.  My
idea is that the employee will connect to the "hub" (the pfSense system)
with OpenVPN, as will the customers' OpenVPN clients. 
The "hub" will also connect to the customers' OpenVPN servers (some have
servers, others have clients).  I would like to be able to set up
firewalling rules allowing the employees access to the customers' 
systems, but customers' systems will not be able to access each other (or
other interfaces on the firewall/router).  Is that going to be possible?
Will it be possible to get alerts (SMTP) or logs when these OpenVPN
connections come and go?


The box is also a DHCP server on various networks, with some static assigned
addresses and some range-based.  I presume that's fine for pfSense?  And
that it integrates with the DNS server on pfSense?


I am seriously considering getting two pfSense boxes with CARP failover. 
  Does this require identical hardware on the two systems (or perhaps just
identical network card setups)?  How much information is passed over the
link between the boxes - does it cover all setup, configuration, rules, dhcp
leases, etc.?  How often does this synchronisation take place?  Am I correct
in thinking that each box needs its own individual IP address on each
network interface (including VLAN interfaces), and they share one or more
CARP aliases?


I plan to set up a few virtual machines to play

Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Jim Pingle
On 9/21/2011 9:55 AM, David Brown wrote:
> Just to confirm what I'm looking for here, I would want to switch over
> to the secondary if any of the NICs on the main system failed, or if the
> main system itself failed.  But it should not switch if interfaces such
> as the VPNs fail.
> 
> Realistically, it is probably the router computer itself (disk, cpu fan,
> power supply) that will fail rather than the NICs.

The only interfaces that can trigger a failover are those with CARP VIPs
configured upon them. If one interface with a CARP VIP goes down, the
backup will take over all of the CARP VIPs.

Relating that behavior to the NIC is not 100% correct really, since it's
actually the CARP VIPs that go up/down and thus trigger the failover
to the other box, since all traffic should be flowing through the CARP VIPs.

Anything that is tied specifically to one box or the other would not be
affected by the failover, which is why everything should be using CARP
VIPs for the gateway, outbound NAT, services, etc.

Jim



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 13:26, David Burgess wrote:
> On Wed, Sep 21, 2011 at 5:13 AM, David Brown  wrote:
>
>> First, on the Linux system I have two hard disks, each with two partitions.
>> The first partition on each is set as a software RAID1 and contains the OS,
>> configuration, data, etc.  The second partition on each is separate and
>> contains a squid cache.  Thus the system will boot and run fine even if one
>> disk fails (losing half the squid cache will not be harmful).  Can I do
>> something similar with pfSense?  I know a great deal about Linux software
>> raid, but nothing about FreeBSD.
>
> FreeBSD does soft RAID, but I can't tell you the state of it in
> pfsense. Somebody here will chime in.

Others have said that gmirror will do the job.  Of course, with a second
redundant router, there is less need for raid.

>> I make use of VLANs on switches to control different subnets for parts of
>> our LAN, server networks, etc.  On some of these, the router has more than
>> one alias.  This means I have network "interfaces" with names like
>> "eth0.12:2" in Linux (second alias on VLAN 12 connected to the first
>> physical ethernet card).  In some cases there is more than one alias on the
>> same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on different
>> subnets on the same VLAN.  I know pfSense is flexible about VLANs - but is
>> it /that/ flexible?
>
> pfsense supports vlans and IP aliases right in the GUI. No problem here.

Great!

>> I have two WAN connections.  One is a symmetric link (10/10), the other is
>> ADSL (8/1).  I would like to set these up so that the symmetric link is the
>> main link, with the ADSL as backup.  But http traffic can be balanced
>> between them.  Can I arrange that?
>
> Yes.
>
>> On one of the WAN connections, I have several IP addresses (a /28 subnet).
>> Several services coming in on these IP addresses need to be NAT'ed to
>> different internal servers, depending on the port and the IP address
>> targeted.  It is important that replies from the internal servers get
>> returned from the same IP as originally targeted.  Will that work with
>> pfSense?
>
> I believe virtual IPs (VIP) would take care of that in pfsense.
>
>> I have two OpenVPN servers on the current system, running on different
>> ports.  Clients on these have access to different servers.  Can I have
>> several OpenVPN servers configured with pfSense?
>
> Yes.

OK.

>> I would also like to set up an OpenVPN "hub" to handle communication between
>> external OpenVPN servers and clients.  Some of my company's clients have
>> OpenVPN servers or clients that some of our employees need access to.  My
>> idea is that the employee will connect to the "hub" (the pfSense system)
>> with OpenVPN, as will the customers' OpenVPN clients. The "hub" will also
>> connect to the customers' OpenVPN servers (some have servers, others have
>> clients).  I would like to be able to set up firewalling rules allowing the
>> employees access to the customers' systems, but customers' systems will not
>> be able to access each other (or other interfaces on the firewall/router).
>> Is that going to be possible?  Will it be possible to get alerts (SMTP) or
>> logs when these OpenVPN connections come and go?
>
> I believe the routing and firewalling between VPN networks is
> possible. Not sure about notifications from the GUI, although you can
> do what you like in the shell.

It would be nice to do it from the GUI - the GUI is one of the benefits
of pfSense over my existing solution.  But I'm happy working directly
from the shell - or at least I will be once I get used to the
differences between Linux and FreeBSD!

>> The box is also a DHCP server on various networks, with some static assigned
>> addresses and some range-based.  I presume that's fine for pfSense?  And
>> that it integrates with the DNS server on pfSense?
>
> Yes.
>
>> I am seriously considering getting two pfSense boxes with CARP failover.
>> Does this require identical hardware on the two systems (or perhaps just
>> identical network card setups)?
>
> I don't think this is a requirement for CARP.
>
>> How much information is passed over the
>> link between the boxes - does it cover all setup, configuration, rules, dhcp
>> leases, etc.?  How often does this synchronisation take place?
>
> Not sure.
>
>> Am I correct
>> in thinking that each box needs its own individual IP address on each
>> network interface (including VLAN interfaces), and they share one or more
>> CARP aliases?
>
> I believe that's correct.
>
> Have fun playing. pfsense is a powerful platform and the GUI makes it
> very easy to pick up.

I'll be trying it out this evening with VirtualBox machines.

Thanks,

David



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 13:41, Seth Mos wrote:
> On 21-9-2011 13:26, David Burgess wrote:
>> On Wed, Sep 21, 2011 at 5:13 AM, David Brown
>> wrote:
>>
>>> I have two WAN connections. One is a symmetric link (10/10), the
>>> other is ADSL (8/1). I would like to set these up so that the
>>> symmetric link is the main link, with the ADSL as backup. But http
>>> traffic can be balanced between them. Can I arrange that?
>>
>> Yes.
>
> See Routing, Gateway Groups. You can add multiple groups and different
> fallback tiers.

OK.

>>> On one of the WAN connections, I have several IP addresses (a /28
>>> subnet). Several services coming in on these IP addresses need to be
>>> NAT'ed to different internal servers, depending on the port and the IP
>>> address targeted. It is important that replies from the internal
>>> servers get returned from the same IP as originally targeted. Will
>>> that work with pfSense?
>>
>> I believe virtual IPs (VIP) would take care of that in pfsense.
>
> Use this together with the 1:1 NAT feature.

The 1:1 NAT is used to pass all ports from one WAN address to a LAN/DMZ
address, isn't it?  That might be useful for some circumstances.  All I
really need at the moment is things like FTP or HTTPS on two different
WAN IP addresses (on the same NIC) being passed on to ports on two
different internal servers, and it sounds like VIPs can do that.

>>> I am seriously considering getting two pfSense boxes with CARP failover.
>>> Does this require identical hardware on the two systems (or perhaps just
>>> identical network card setups)?
>>
>> I don't think this is a requirement for CARP.
>
> This is not a requirement, however, if the master is gigabit make sure
> the backup has gigabit too.

I hope that isn't essential - my current hardware has a 4-port 100MB
card and when I buy a new one, I'll probably get a 4-port GB card for it
and use it as the primary.

>>> How much information is passed over the
>>> link between the boxes - does it cover all setup, configuration,
>>> rules, dhcp leases, etc.? How often does this synchronisation take place?
>>
>> Not sure.
>
> It synchronizes state for traffic failover, the rest is toggle boxes on
> the virtual IP settings page. Leases are not transferred, static
> mappings are, you can do DHCP on both nodes with failover, see the DHCP
> settings page for that.

OK.

>>> Am I correct
>>> in thinking that each box needs its own individual IP address on each
>>> network interface (including VLAN interfaces), and they share one or
>>> more CARP aliases?
>>
>> I believe that's correct.
>
> They need their own IP + the redundant carp IP, so at least 3. You will
> need to make manual outbound NAT rules so that all traffic originates
> from the external CARP address after NAT. This is required for failover.

That should be fine.

Thanks,

David



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 14:28, Jim Pingle wrote:
>> On Wed, Sep 21, 2011 at 5:13 AM, David Brown  wrote:
>>
>>> First, on the Linux system I have two hard disks, each with two partitions.
>>> The first partition on each is set as a software RAID1 and contains the OS,
>>> configuration, data, etc.  The second partition on each is separate and
>>> contains a squid cache.  Thus the system will boot and run fine even if one
>>> disk fails (losing half the squid cache will not be harmful).  Can I do
>>> something similar with pfSense?  I know a great deal about Linux software
>>> raid, but nothing about FreeBSD.
>>
>> FreeBSD does soft RAID, but I can't tell you the state of it in
>> pfsense. Somebody here will chime in.
>
> gmirror works great. I've been using it for years on pfSense with much
> success. There is even a gmirror monitor widget for the dashboard.

OK, I'll have a look at that.  If I get a redundant setup with CARP
working then there is not the same need for raid - the whole router can
be switched out.  But it is still nice to have, and makes recovery and
rebuilding much easier.

> On 9/21/2011 8:10 AM, Seth Mos wrote:
>> On 21-9-2011 13:26, David Burgess wrote:
>>>> I am seriously considering getting two pfSense boxes with CARP failover.
>>>> Does this require identical hardware on the two systems (or perhaps
>>>> just identical network card setups)?
>>>
>>> I don't think this is a requirement for CARP.
>>
>> This is not a requirement, however, if the master is gigabit make sure
>> the backup has gigabit too.
>
> The hardware doesn't have to be the same, but the number of assigned
> NICs and the order in which they were assigned must be the same.

OK.  My current hardware has 2 motherboard GBit NICs and a 4x100Mb card
- when I buy a new system, it will probably be a little newer and be all
GBit NICs (and faster processor, etc.).  This would then be the primary
system.  It is absolutely fine that a switchover to the secondary system
means a loss in speed of the links, as long as the links all work!

I am (as yet) very unfamiliar with FreeBSD.  But as far as I can see,
the names of the interfaces are dependent on the drivers, unlike Linux
(which typically calls them eth0, eth1, etc., regardless of the
drivers).  In Linux, you can use the "udev" rules to set specific names
for the devices based on the MAC address of the port - that keeps them
consistent even if you swap cards around to different ports.  Can I do
something similar with pfSense so that the NIC names are consistent even
though the two routers have different hardware?

Incidentally, can I assume that FreeBSD will support the NICs on the
motherboard and add-in cards, without having to be too specific about
the types?  I am not trying to use anything too esoteric, such as 10 GB
cards or tcp offload engines - just a small Dell or IBM rack server with
a four-port Ethernet card.

>>>> How much information is passed over the
>>>> link between the boxes - does it cover all setup, configuration,
>>>> rules, dhcp leases, etc.?  How often does this synchronisation take place?
>>>
>>> Not sure.
>>
>> It synchronizes state for traffic failover, the rest is toggle boxes on
>> the virtual IP settings page. Leases are not transferred, static
>> mappings are, you can do DHCP on both nodes with failover, see the DHCP
>> settings page for that.
>
> If you have DHCP sync checked and failover configured, the lease
> databases should be synchronizing IIRC, it's just done by DHCP itself
> and not by the XMLRPC sync process.

Marvellous.

Thanks for your help,

David



Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown

On 21/09/2011 14:05, Chris Buechler wrote:
> On Wed, Sep 21, 2011 at 7:55 AM, Tonix (Antonio Nati)
>  wrote:
>>
>> I think you should examine how CARP works on your routers and how it works
>> in pfsense.
>>
>> In pre 2.0 version, PFsense CARP has a (fixed) different zone for each
>> interface, so if an interface goes down it switches only that interface, and
>> traffic bound to that interface becomes unreachable.
>> It is useful only if a machine goes down, not if an interface goes down.
>>
>> If you actually switch all interfaces when one goes down, you can't do on
>> pfsense.
>
> That's not true and never been true, the behavior of all versions is
> to switch over all CARP IPs if any NIC on the primary can no longer
> communicate with the secondary. You have something wrong on your
> setup, or have intentionally disabled that via a manual hack, if
> that's what yours does.

Just to confirm what I'm looking for here, I would want to switch over
to the secondary if any of the NICs on the main system failed, or if the
main system itself failed.  But it should not switch if interfaces such
as the VPNs fail.

Realistically, it is probably the router computer itself (disk, cpu fan,
power supply) that will fail rather than the NICs.





Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Jim Pingle

> On Wed, Sep 21, 2011 at 5:13 AM, David Brown  wrote:
> 
>> First, on the Linux system I have two hard disks, each with two partitions.
>>  The first partition on each is set as a software RAID1 and contains the OS,
>> configuration, data, etc.  The second partition on each is separate and
>> contains a squid cache.  Thus the system will boot and run fine even if one
>> disk fails (losing half the squid cache will not be harmful).  Can I do
>> something similar with pfSense?  I know a great deal about Linux software
>> raid, but nothing about FreeBSD.
> FreeBSD does soft RAID, but I can't tell you the state of it in
> pfsense. Somebody here will chime in.
> 

gmirror works great. I've been using it for years on pfSense with much
success. There is even a gmirror monitor widget for the dashboard.


On 9/21/2011 8:10 AM, Seth Mos wrote:
> On 21-9-2011 13:26, David Burgess wrote:
>>> I am seriously considering getting two pfSense boxes with CARP failover.
>>>   Does this require identical hardware on the two systems (or perhaps
>>> just
>>> identical network card setups)?
>>
>> I don't think this is a requirement for CARP.
> 
> This is not a requirement, however, if the master is gigabit make sure
> the backup has gigabit too.

The hardware doesn't have to be the same, but the number of assigned
NICs and the order in which they were assigned must be the same.

>>> How much information is passed over the
>>> link between the boxes - does it cover all setup, configuration,
>>> rules, dhcp
>>> leases, etc.?  How often does this synchronisation take place?
>>
>> Not sure.
> 
> It synchronizes state for traffic failover, the rest is toggle boxes on
> the virtual IP settings page. Leases are not transferred, static
> mappings are, you can do DHCP on both nodes with failover, see the DHCP
> settings page for that.

If you have DHCP sync checked and failover configured, the lease
databases should be synchronizing IIRC, it's just done by DHCP itself
and not by the XMLRPC sync process.

Jim


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Tonix (Antonio Nati)

On 21/09/2011 14:05, Chris Buechler wrote:
> On Wed, Sep 21, 2011 at 7:55 AM, Tonix (Antonio Nati)
>  wrote:
>> I think you should examine how CARP works on your routers and how it works
>> in pfsense.
>>
>> In pre 2.0 version, PFsense CARP has a (fixed) different zone for each
>> interface, so if an interface goes down it switches only that interface, and
>> traffic bound to that interface becomes unreachable.
>> It is useful only if a machine goes down, not if an interface goes down.
>>
>> If you actually switch all interfaces when one goes down, you can't do on
>> pfsense.
>
> That's not true and never been true, the behavior of all versions is
> to switch over all CARP IPs if any NIC on the primary can no longer
> communicate with the secondary. You have something wrong on your
> setup, or have intentionally disabled that via a manual hack, if
> that's what yours does.

We did several checks before putting it in production.
PFsense 1.2.3, no hack, only web setup.
Setup forced to give a different vhid to each VIP, and we saw the vhids are
completely independent.

We will check it again as we dismiss it.

Regards,

Tonino






--

Inter@zioni    Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Seth Mos

On 21-9-2011 13:26, David Burgess wrote:
> On Wed, Sep 21, 2011 at 5:13 AM, David Brown  wrote:
>
>> I have two WAN connections.  One is a symmetric link (10/10), the other is
>> ADSL (8/1).  I would like to set these up so that the symmetric link is the
>> main link, with the ADSL as backup.  But http traffic can be balanced
>> between them.  Can I arrange that?
>
> Yes.

See Routing, Gateway Groups. You can add multiple groups and different
fallback tiers.

>> On one of the WAN connections, I have several IP addresses (a /28 subnet).
>> Several services coming in on these IP addresses need to be NAT'ed to
>> different internal servers, depending on the port and the IP address
>> targeted.  It is important that replies from the internal servers get
>> returned from the same IP as originally targeted.  Will that work with
>> pfSense?
>
> I believe virtual IPs (VIP) would take care of that in pfsense.

Use this together with the 1:1 NAT feature.

>> I am seriously considering getting two pfSense boxes with CARP failover.
>> Does this require identical hardware on the two systems (or perhaps just
>> identical network card setups)?
>
> I don't think this is a requirement for CARP.

This is not a requirement, however, if the master is gigabit make sure
the backup has gigabit too.

>> How much information is passed over the
>> link between the boxes - does it cover all setup, configuration, rules, dhcp
>> leases, etc.?  How often does this synchronisation take place?
>
> Not sure.

It synchronizes state for traffic failover, the rest is toggle boxes on
the virtual IP settings page. Leases are not transferred, static
mappings are, you can do DHCP on both nodes with failover, see the DHCP
settings page for that.

>> Am I correct
>> in thinking that each box needs its own individual IP address on each
>> network interface (including VLAN interfaces), and they share one or more
>> CARP aliases?
>
> I believe that's correct.

They need their own IP + the redundant carp IP, so at least 3. You will
need to make manual outbound NAT rules so that all traffic originates
from the external CARP address after NAT. This is required for failover.

Regards,

Seth
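Seth's reply lists the pieces a CARP pair needs: a real address per node plus the shared CARP VIP on each interface, 1:1 NAT bound to a VIP so that replies leave from the address the client originally hit, and manual outbound NAT from the external CARP address so that LAN traffic (and the states pfsync replicates) survive a failover. The pf.conf sketch below is added here as an illustration of those pieces in FreeBSD pf syntax; it is not pfSense's generated ruleset and not code from anyone on the list, and every interface name, address and the hypothetical internal web server in it is a constructed placeholder taken from documentation ranges.

```pf
# Added example: pf.conf sketch for a two-node FreeBSD/pfSense CARP pair.
# Not pfSense's generated rules; pfSense builds the equivalent from the
# Virtual IPs, NAT and Firewall pages. All names/addresses are constructed:
#   em0 = WAN on 203.0.113.16/28  node-A 203.0.113.17, node-B 203.0.113.18
#   em1 = LAN on 192.168.0.0/24   node-A 192.168.0.2,  node-B 192.168.0.3
#   em2 = dedicated pfsync link   node-A 10.99.0.1,    node-B 10.99.0.2
# The CARP VIPs themselves are created outside pf.conf, on both nodes,
# e.g. on node-A (advskew 100 on node-B, <secret> is a placeholder):
#   ifconfig carp1 create vhid 1 advskew 0 pass <secret> 203.0.113.19/28
#   ifconfig carp2 create vhid 2 advskew 0 pass <secret> 203.0.113.20/28
#   ifconfig carp3 create vhid 3 advskew 0 pass <secret> 192.168.0.1/24
#   ifconfig pfsync0 syncdev em2 up
# 192.168.0.1 (carp3) is the LAN clients' default gateway.

wan      = "em0"
lan      = "em1"
sync_if  = "em2"

wan_carp = "203.0.113.19"   # shared WAN VIP: all outbound NAT leaves from here
web_vip  = "203.0.113.20"   # second WAN VIP, 1:1 mapped to an internal server
web_srv  = "192.168.10.5"   # hypothetical internal web server
lan_net  = "192.168.0.0/24"

set skip on lo0
scrub in all

# --- translation (in the pf shipped with FreeBSD 8.x these rules must
#     precede the filter rules)

# 1:1 NAT: inbound to web_vip is rewritten to web_srv, and anything
# web_srv sends out leaves as web_vip, i.e. from the address that was hit.
binat on $wan from $web_srv to any -> $web_vip

# Outbound NAT from the CARP VIP rather than the node's own .17/.18, so
# the states pfsync copies to the backup are still valid after failover.
nat on $wan from $lan_net to any -> $wan_carp

# --- filtering

# CARP advertisements and pfsync replication are never filtered and never
# replicated as states themselves.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on { $wan, $lan } proto carp keep state (no-sync)

block in on $wan

# Filter rules see the translated (internal) destination, so the server is
# reachable only on the ports it should answer, and only through its VIP.
pass in on $wan proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state

# LAN clients out through the CARP gateway
pass in on $lan from $lan_net to any keep state
pass out on $wan keep state
```

On pfSense none of this is typed by hand: the VIPs go on Firewall > Virtual IPs (type CARP), the 1:1 mapping on Firewall > NAT > 1:1, and the outbound rule on Firewall > NAT > Outbound in manual mode with the CARP address as the translation address, which is what Seth means by "manual outbound NAT rules". The thing worth checking afterwards is that no translated LAN state on the master carries a node-specific source: `pfctl -ss | grep 203.0.113.17` should show only the firewall's own connections (DNS, NTP, package fetches), never LAN traffic, because those states would be useless on the backup once it takes over.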


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Chris Buechler
On Wed, Sep 21, 2011 at 7:55 AM, Tonix (Antonio Nati)
 wrote:
>
> I think you should examine how CARP works on your routers and how it works
> in pfsense.
>
> In pre 2.0 version, PFsense CARP has a (fixed) different zone for each
> interface, so if an interface goes down it switches only that interface, and
> traffic bound to that interface becomes unreachable.
> It is useful only if a machine goes down, not if an interface goes down.
>
> If you actually switch all interfaces when one goes down, you can't do on
> pfsense.

That's not true and never been true, the behavior of all versions is
to switch over all CARP IPs if any NIC on the primary can no longer
communicate with the secondary. You have something wrong on your
setup, or have intentionally disabled that via a manual hack, if
that's what yours does.


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Tonix (Antonio Nati)

On 21/09/2011 13:41, Seth Mos wrote:
>>> I am seriously considering getting two pfSense boxes with CARP
>>> failover. Does this require identical hardware on the two systems (or
>>> perhaps just identical network card setups)?
>>
>> I don't think this is a requirement for CARP.
>
> This is not a requirement, however, if the master is gigabit make sure
> the backup has gigabit too.

I think you should examine how CARP works on your routers and how it
works in pfsense.

In pre 2.0 version, PFsense CARP has a (fixed) different zone for each
interface, so if an interface goes down it switches only that interface,
and traffic bound to that interface becomes unreachable.

It is useful only if a machine goes down, not if an interface goes down.

If you actually switch all interfaces when one goes down, you can't do
on pfsense.

Don't know about 2.0 (but I suppose it to be the same).

I feel this to be a great limitation of the pfcarp implementation in pfsense.

Regards,

Tonino

--

Inter@zioni    Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it




Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread Seth Mos

On 21-9-2011 13:26, David Burgess wrote:
> On Wed, Sep 21, 2011 at 5:13 AM, David Brown  wrote:
>
>> I have two WAN connections.  One is a symmetric link (10/10), the other is
>> ADSL (8/1).  I would like to set these up so that the symmetric link is the
>> main link, with the ADSL as backup.  But http traffic can be balanced
>> between them.  Can I arrange that?
>
> Yes.

See Routing, Gateway Groups. You can add multiple groups and different 
fallback tiers.

>> On one of the WAN connections, I have several IP addresses (a /28 subnet).
>> Several services coming in on these IP addresses need to be NAT'ed to
>> different internal servers, depending on the port and the IP address
>> targeted.  It is important that replies from the internal servers get
>> returned from the same IP as originally targeted.  Will that work with
>> pfSense?
>
> I believe virtual IPs (VIP) would take care of that in pfsense.

Use this together with the 1:1 NAT feature.

>> I am seriously considering getting two pfSense boxes with CARP failover.
>> Does this require identical hardware on the two systems (or perhaps just
>> identical network card setups)?
>
> I don't think this is a requirement for CARP.

This is not a requirement, however, if the master is gigabit make sure 
the backup has gigabit too.

>> How much information is passed over the
>> link between the boxes - does it cover all setup, configuration, rules, dhcp
>> leases, etc.?  How often does this synchronisation take place?
>
> Not sure.

It synchronizes state for traffic failover, the rest is toggle boxes on 
the virtual IP settings page. Leases are not transferred, static 
mappings are, you can do DHCP on both nodes with failover, see the DHCP 
settings page for that.

>> Am I correct
>> in thinking that each box needs its own individual IP address on each
>> network interface (including VLAN interfaces), and they share one or more
>> CARP aliases?
>
> I believe that's correct.

They need their own IP + the redundant carp IP, so at least 3. You will 
need to make manual outbound NAT rules so that all traffic originates 
from the external CARP address after NAT. This is required for failover.

Regards,

Seth
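Two points in Seth's reply are worth seeing in a model: why outbound NAT has to source from the CARP address for failover to work, and how 1:1 NAT makes a reply leave from the same /28 address the client originally targeted. The block below is an added example, not pfSense or pf code. It keeps a simplified state table keyed the way a reply packet would look on the wire, copies it between nodes the way pfsync does, and moves the virtual IPs on failover. Addresses are constructed from the RFC 5737 documentation ranges; the node names, the 1:1 mapping and the two flows are assumptions for the example.

```python
"""State-table model of NAT across a CARP failover (added example, not pfSense code).
Shows that a state whose NAT source is the master's own WAN address is useless
on the backup, while a state sourced from the shared CARP VIP survives, and
that 1:1 NAT rewrites the internal server's reply back to the targeted address.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Firewall:
    name: str
    wan_ip: str                                    # address on this node's own WAN interface
    carp_vips: set = field(default_factory=set)    # VIPs this node currently answers for
    binat: dict = field(default_factory=dict)      # 1:1 NAT: external IP -> internal IP
    nat_src: str = ""                              # source address for ordinary outbound NAT
    states: dict = field(default_factory=dict)     # wire-side reply key -> (internal src, sport)

    def owns(self, ip):
        """A packet for ip only reaches this node if ip is its own or a VIP it holds."""
        return ip == self.wan_ip or ip in self.carp_vips

    def outbound(self, pkt):
        """Translate a LAN->WAN packet and record the state; returns the wire packet."""
        reverse = {internal: ext for ext, internal in self.binat.items()}
        new_src = reverse.get(pkt.src, self.nat_src)   # 1:1 mapping wins over outbound NAT
        wire = replace(pkt, src=new_src)
        self.states[(wire.dst, wire.dport, wire.src, wire.sport)] = (pkt.src, pkt.sport)
        return wire

    def inbound(self, pkt):
        """Handle a WAN-side packet. Returns the packet as forwarded inside, or None."""
        if not self.owns(pkt.dst):
            return None                          # never arrives: nobody holds that address
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:                   # reply matching a (possibly synced) state
            src, sport = self.states[key]
            return replace(pkt, dst=src, dport=sport)
        if pkt.dst in self.binat:                # new connection to a 1:1 NAT address
            return replace(pkt, dst=self.binat[pkt.dst])
        return None                              # default deny


def pfsync(master, backup):
    """Copy the state table, as pfsync does between the nodes."""
    backup.states = dict(master.states)


def failover(master, backup):
    """Backup becomes CARP master for every VIP the failed node held."""
    backup.carp_vips |= master.carp_vips
    master.carp_vips = set()


def build_pair(nat_src):
    """Two nodes sharing a WAN CARP VIP and one 1:1 NAT address from the /28 (constructed)."""
    vips = {"203.0.113.1", "203.0.113.18"}
    binat = {"203.0.113.18": "192.168.1.25"}
    a = Firewall("fw-a", "203.0.113.10", set(vips), dict(binat), nat_src)
    b = Firewall("fw-b", "203.0.113.11", set(), dict(binat), nat_src)
    return a, b


def reply_after_failover(nat_src):
    """Flow opened through fw-a; its reply arrives after fw-b has taken over."""
    a, b = build_pair(nat_src)
    wire = a.outbound(Packet("192.168.0.5", 40000, "198.51.100.7", 443))
    pfsync(a, b)
    failover(a, b)
    reply = Packet(wire.dst, wire.dport, wire.src, wire.sport)
    return b.inbound(reply)


def binat_reply_source():
    """Inbound mail to the 1:1 address; which source does the server's reply carry?"""
    a, _ = build_pair("203.0.113.1")
    inside = a.inbound(Packet("198.51.100.9", 5555, "203.0.113.18", 25))
    reply = a.outbound(Packet(inside.dst, inside.dport, inside.src, inside.sport))
    return inside.dst, reply.src


if __name__ == "__main__":
    print("NAT to fw-a's own IP, reply after failover:", reply_after_failover("203.0.113.10"))
    print("NAT to the CARP VIP, reply after failover:", reply_after_failover("203.0.113.1"))
    print("1:1 NAT internal host, reply source:", binat_reply_source())
```

When the outbound NAT source is fw-a's own 203.0.113.10, the synced state is present on fw-b but the reply is addressed to an IP fw-b never holds, so the flow dies with fw-a; sourcing from the shared 203.0.113.1 lets fw-b match the synced state and deliver the reply.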


Re: [pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Burgess
On Wed, Sep 21, 2011 at 5:13 AM, David Brown  wrote:

> First, on the Linux system I have two hard disks, each with two partitions.
>  The first partition on each is set as a software RAID1 and contains the OS,
> configuration, data, etc.  The second partition on each is separate and
> contains a squid cache.  Thus the system will boot and run fine even if one
> disk fails (losing half the squid cache will not be harmful).  Can I do
> something similar with pfSense?  I know a great deal about Linux software
> raid, but nothing about FreeBSD.

FreeBSD does soft RAID, but I can't tell you the state of it in
pfsense. Somebody here will chime in.


> I make use of VLANs on switches to control different subnets for parts of
> our LAN, server networks, etc.  On some of these, the router has more than
> one alias.  This means I have network "interfaces" with names like
> "eth0.12:2" in Linux (second alias on VLAN 12 connected to the first
> physical ethernet card).  In some cases there is more than one alias on the
> same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on different
> subnets on the same VLAN.  I know pfSense is flexible about VLANs - but is
> it /that/ flexible?

pfsense supports vlans and IP aliases right in the GUI. No problem here.


> I have two WAN connections.  One is a symmetric link (10/10), the other is
> ADSL (8/1).  I would like to set these up so that the symmetric link is the
> main link, with the ADSL as backup.  But http traffic can be balanced
> between them.  Can I arrange that?

Yes.


> On one of the WAN connections, I have several IP addresses (a /28 subnet).
>  Several services coming in on these IP addresses need to be NAT'ed to
> different internal servers, depending on the port and the IP address
> targeted.  It is important that replies from the internal servers get
> returned from the same IP as originally targeted.  Will that work with
> pfSense?

I believe virtual IPs (VIP) would take care of that in pfsense.


> I have two OpenVPN servers on the current system, running on different
> ports.  Clients on these have access to different servers.  Can I have
> several OpenVPN servers configured with pfSense?

Yes.


> I would also like to set up an OpenVPN "hub" to handle communication between
> external OpenVPN servers and clients.  Some of my company's clients have
> OpenVPN servers or clients that some of our employees need access to.  My
> idea is that the employee will connect to the "hub" (the pfSense system)
> with OpenVPN, as will the customers' OpenVPN clients. The "hub" will also
> connect to the customers' OpenVPN servers (some have servers, others have
> clients).  I would like to be able to set up firewalling rules allowing the
> employees access to the customers' systems, but customers' systems will not
> be able to access each other (or other interfaces on the firewall/router).
>  Is that going to be possible?  Will it be possible to get alerts (SMTP) or
> logs when these OpenVPN connections come and go?

I believe the routing and firewalling between VPN networks is
possible. Not sure about notifications from the GUI, although you can
do what you like in the shell.


> The box is also a DHCP server on various networks, with some static assigned
> addresses and some range-based.  I presume that's fine for pfSense?  And
> that it integrates with the DNS server on pfSense?

Yes.


> I am seriously considering getting two pfSense boxes with CARP failover.
>  Does this require identical hardware on the two systems (or perhaps just
> identical network card setups)?

I don't think this is a requirement for CARP.


> How much information is passed over the
> link between the boxes - does it cover all setup, configuration, rules, dhcp
> leases, etc.?  How often does this synchronisation take place?

Not sure.


> Am I correct
> in thinking that each box needs its own individual IP address on each
> network interface (including VLAN interfaces), and they share one or more
> CARP aliases?

I believe that's correct.

Have fun playing. pfsense is a powerful platform and the GUI makes it
very easy to pick up.

db


[pfSense] Replacing a Linux router with pfSense

2011-09-21 Thread David Brown
I have a Linux machine as our company firewall/router at the moment. 
Since reading the announcement of pfSense 2.0 (on LinuxToday!), I have 
been considering replacing it with pfSense.  There are some features 
that I see as being big improvements over my existing system, such as 
the web interface (which is perhaps slightly more user-friendly than ssh 
and iptables scripts) and CARP for failover between two routers.


There are some features of my existing setup that may be difficult to 
duplicate with pfSense, and I'm hoping someone can tell me whether these 
are easy, hard-but-possible, or impossible - the pfSense wiki has a lot 
of information, but it can't cover everything (especially the latest 
features of pfSense 2.0).  I've read through a fair amount of it, but by 
no means all.



First, on the Linux system I have two hard disks, each with two 
partitions.  The first partition on each is set as a software RAID1 and 
contains the OS, configuration, data, etc.  The second partition on each 
is separate and contains a squid cache.  Thus the system will boot and 
run fine even if one disk fails (losing half the squid cache will not be 
harmful).  Can I do something similar with pfSense?  I know a great deal 
about Linux software raid, but nothing about FreeBSD.




I make use of VLANs on switches to control different subnets for parts 
of our LAN, server networks, etc.  On some of these, the router has more 
than one alias.  This means I have network "interfaces" with names like 
"eth0.12:2" in Linux (second alias on VLAN 12 connected to the first 
physical ethernet card).  In some cases there is more than one alias on 
the same subnet (192.168.0.1 and 192.168.0.2), but mostly they are on 
different subnets on the same VLAN.  I know pfSense is flexible about 
VLANs - but is it /that/ flexible?



I have two WAN connections.  One is a symmetric link (10/10), the other 
is ADSL (8/1).  I would like to set these up so that the symmetric link 
is the main link, with the ADSL as backup.  But http traffic can be 
balanced between them.  Can I arrange that?



On one of the WAN connections, I have several IP addresses (a /28 
subnet).  Several services coming in on these IP addresses need to be 
NAT'ed to different internal servers, depending on the port and the IP 
address targeted.  It is important that replies from the internal 
servers get returned from the same IP as originally targeted.  Will that 
work with pfSense?



I have two OpenVPN servers on the current system, running on different 
ports.  Clients on these have access to different servers.  Can I have 
several OpenVPN servers configured with pfSense?



I would also like to set up an OpenVPN "hub" to handle communication 
between external OpenVPN servers and clients.  Some of my company's 
clients have OpenVPN servers or clients that some of our employees need 
access to.  My idea is that the employee will connect to the "hub" (the 
pfSense system) with OpenVPN, as will the customers' OpenVPN clients. 
The "hub" will also connect to the customers' OpenVPN servers (some have 
servers, others have clients).  I would like to be able to set up 
firewalling rules allowing the employees access to the customers' 
systems, but customers' systems will not be able to access each other 
(or other interfaces on the firewall/router).  Is that going to be 
possible?  Will it be possible to get alerts (SMTP) or logs when these 
OpenVPN connections come and go?



The box is also a DHCP server on various networks, with some static 
assigned addresses and some range-based.  I presume that's fine for 
pfSense?  And that it integrates with the DNS server on pfSense?



I am seriously considering getting two pfSense boxes with CARP failover. 
Does this require identical hardware on the two systems (or perhaps 
just identical network card setups)?  How much information is passed 
over the link between the boxes - does it cover all setup, 
configuration, rules, dhcp leases, etc.?  How often does this 
synchronisation take place?  Am I correct in thinking that each box 
needs its own individual IP address on each network interface (including 
VLAN interfaces), and they share one or more CARP aliases?



I plan to set up a few virtual machines to play around with this before 
trying it out on a real system, but it would be nice to get an idea of 
what is possible or not!


Thanks,

David Brown