Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
On Thu, Feb 15, 2018 at 6:11 PM, Jim Thompson wrote: > > > > On Feb 15, 2018, at 6:47 PM, Kyle Marek wrote: > > > > On 02/15/2018 05:33 PM, Jim Thompson wrote: > >> Mr. Marek, > >> > >> I think you may be missing the point that this is about 2.5 and the >

Re: [pfSense] 1:1 NAT - Packets not leaving WAN interface

2018-02-15 Thread Chris L
> On Feb 15, 2018, at 7:29 AM, ad^2 wrote: > > Hello all, > > Objective - Connect to services from the Internet hosted on an internal > server assigned an RFC1918 address. > > pfSense version 2.4.2-RELEASE-p1 > > I have followed the instructions listed here -

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
I didn't say it was in everything since 2008. I said that both companies widely released it by 2010 and that most of the x64 (64 Bit) processors released in the past few years do support them (except for some of the low end systems, usually used in price constrained embedded style

Re: [pfSense] Maximum CARP Addresses?

2018-02-15 Thread Chris L
On Feb 15, 2018, at 11:35 AM, ad^2 wrote: > > Hello all, > > I read in the forum (https://forum.pfsense.org/index.php?topic=109346.0) > the 255 VHID limitation in CARP is no longer an issue in recent versions. I > cannot find any documentation to support it. > > I

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Joe Landman
On 02/15/2018 09:14 AM, Michael Munger wrote: TL; DR. On 1Gbps downloads, our pfSense firewalls are performing poorly with speed tests of ~400Mbps. It's either pfSense configs (not likely) or the hardware (more likely). I do not want to buy a commercial box. For our corporate network, we use

[pfSense] 1:1 NAT - Packets not leaving WAN interface

2018-02-15 Thread ad^2
Hello all, Objective - Connect to services from the Internet hosted on an internal server assigned an RFC1918 address. pfSense version 2.4.2-RELEASE-p1 I have followed the instructions listed here - https://doc.pfsense.org/index.php/1:1_NAT [Setup] Firewall > Rules > WAN protocol,

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Hi, This hardware can do gigabit (wirespeed) NAT/FW https://www.amazon.com/gp/product/B016VHBA7C (tested on my home, using symmetric gigabit line...) but, I we use NetGate SG-8860 on our main offices:

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eric W
I have an optiplex 970 (possibly 980, don’t recall) with 16GB RAM and a quad port Intel NIC that handles gigabit fiber with no issues at all. I managed to order a knockoff NIC (half the thing’s from eBay), so I’m surprised it’s performing this well, but it’s been rock solid. Granted it’s for

[pfSense] Configs or hardware?

2018-02-15 Thread Michael Munger
TL; DR. On 1Gbps downloads, our pfSense firewalls are performing poorly with speed tests of ~400Mbps. It's either pfSense configs (not likely) or the hardware (more likely). I do not want to buy a commercial box. For our corporate network, we use HP DL360s, so zero problem there. I need something

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eric W
Also, this is an incredibly common question on the pfSense forums. (Not trying to be condescending, just stating.) I racked my mind trying to figure something out when, like you said, it’s a solved problem. Basically, get a reasonably powered computer and put some real Intel NICs in it and

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Ivo Tonev
Try increasing network buffers via "system tunables". On Feb 15, 2018 12:14, "Michael Munger" wrote: > TL; DR. > > On 1Gbps downloads, our pfSense firewalls are performing poorly with > speed tests of ~400Mbps. It's either pfSense configs (not likely) or the

[pfSense] Limiters

2018-02-15 Thread user49b
Hi I currently have some limiters setup on my WiFi interface. I limit some IP's (192.168.2.105, 192.168.1.109,...) to only have 700 Kbit/s. So every IP (device) has 700 Kbit/s. I want to add a "global" limit on Wifi interface so the total subnet/network can only have 3000 Kbit/s. Each IP

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
I have not had such an issue. Using 2.4.2 with System Information widget saying "AES-NI CPU Crypto: No". On 02/15/2018 11:55 AM, Eero Volotinen wrote: > Please note that next pfsense will not install hardware that is not > supporting aes-ni? > > Eero > > On Thu, Feb 15, 2018 at 6:37 PM, Kyle

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Well: https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are talking about 2.5 not 3.x ? "While we’re not revealing the extent of our plans, we do want to give early notice that, in order to support the increased cryptographic loads that we see as part of pfSense version 2.5, pfSense

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a feature I will not use... I shame Netgate for such an artificial limitation... Thank you for the information. On 02/15/2018 12:20 PM, Eero Volotinen wrote: > Well: > > https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Please note that next pfsense will not install hardware that is not supporting aes-ni? Eero On Thu, Feb 15, 2018 at 6:37 PM, Kyle Marek wrote: > This board does round-up gigabit (something like 976 Mb/s) in both > directions on all 4 interfaces:

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
Well. Next version of pfsense (2.5) will not install into hardware that does not support AES-NI, so buying such hardware is not wise ? Eero On Thu, Feb 15, 2018 at 7:01 PM, Kyle Marek wrote: > I have not had such an issue. Using 2.4.2 with System Information widget > saying

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
This board does round-up gigabit (something like 976 Mb/s) in both directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/ The key for me here was the interrupt coalescence of these particular Intel NICs. A very similar board with Broadcom NICs that lacked this feature maxed out the

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Edwin Pers
I believe I read somewhere that the new version that requires aes-ni will be 3.x, and they plan to continue the 2.x line alongside it, as 3.x will be a major rewrite -Ed -Original Message- From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen Sent: Thursday,

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
I think you're missing the point that software support exists; pfSense supports software AES *now*, and this is being removed. New technology is cool; things not working anymore is not. Anyway, what are other projects such as the TLS libraries doing about this? Is hardware acceleration really

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Walter Parker
Well, both Intel and AMD started shipping the AES-NI instructions 8 years ago... How long does a project need to wait before it can require a feature found on all major x64 processors? Waiting 8-9 years seems reasonable to me. Given the fact that the project is only supporting 64-bit and

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Eero Volotinen
something like that. (very cheap) Celeron J1900 firewall devices are not supporting aes-ni. Eero 15.2.2018 20.40 "Walter Parker" wrote: > Well, both Intel and AMD started shipping the AES-NI instructions 8 years > ago... > > How long does a project need to wait before

[pfSense] Maximum CARP Addresses?

2018-02-15 Thread ad^2
Hello all, I read in the forum (https://forum.pfsense.org/index.php?topic=109346.0) the 255 VHID limitation in CARP is no longer an issue in recent versions. I cannot find any documentation to support it. I have a need to host a lot more than 255 virtual IP addresses. Can someone confirm or

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Joseph L. Casale
-Original Message- From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Kyle Marek Sent: Thursday, February 15, 2018 10:38 AM To: pfSense Support and Discussion Mailing List ; Eero Volotinen Subject: Re: [pfSense] Configs or

Re: [pfSense] Maximum CARP Addresses?

2018-02-15 Thread PiBa
Hi JD, On 15-2-2018 at 20:35, ad^2 wrote: Hello all, I read in the forum (https://forum.pfsense.org/index.php?topic=109346.0) the 255 VHID limitation in CARP is no longer an issue in recent versions. I cannot find any documentation to support it. I have a need to host a lot more than 255

Re: [pfSense] Configs or hardware?

2018-02-15 Thread Kyle Marek
On 02/15/2018 05:33 PM, Jim Thompson wrote: > Mr. Marek, > > I think you may be missing the point that this is about 2.5 and the RESTCONF > interface, not any kind of VPN. I became aware of this after reading the follow up post. > Yes, there are constant time implementations of AES, they’re