Re: [pfSense] Giant lock is still there?
I

-----Original Message-----
From: Jim Thompson j...@smallworks.com
Sender: List list-boun...@lists.pfsense.org
Date: Sat, 17 May 2014 18:21:27
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Reply-To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Subject: Re: [pfSense] Giant lock is still there?

On May 17, 2014, at 5:16 PM, Leon Volfson l...@one.co.il wrote:

Hi guys,

I had lots of issues in the past with the performance and, as I understood then, one of the biggest problems was the Giant lock in pf. Since the 2.2 version is going to be FreeBSD 10 based I looked it up and saw that there was some work done on this by Gleb Smirnoff a couple of years ago. I was wondering whether it's actually been implemented and whether 2.2 is going to be Giant lock-free. Also, performance-wise, how much will I gain upgrading from 1.2.2? (Old, I know, but it worked better than 1.2.3 in my case and was left like this since.)

What kind of CPU are you running? What type of Ethernet parts? What does your load look like? Even after answering these, it's going to be a guess as to how your performance will change.

Yes, Gleb's changes to pf (which are in FreeBSD 10) are in pfSense 2.2. You could always try a snapshot.

Jim

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense Routing - VPN's
Interesting, we're not using OpenVPN at present, just the built-in IPSEC stuff in pfSense; what benefits are there in switching to OpenVPN?

So our main branch is say 10.0.4.0, and the other branches are 10.0.5.0, 10.0.7.0, 10.0.2.0 and 10.0.3.0, all /24's. Would using this methodology require me to re-ip the main branch?

--
Alex Threlfall
Cyberprog New Media
www.cyberprog.net

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Karl Fife
Sent: 16 May 2014 07:55
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] pfSense Routing - VPN's

This is exactly what we do. We make the hub the OpenVPN server, and the spokes the clients, because the hub IP is static, and we can manage all of the OpenVPN listeners on one instance.

If your whole network is a /16, and each spoke is a /24, all you need is a route directive on each of the spokes for the entire /16. In OpenVPN Advanced: route 192.168.0.0 255.255.0.0;

You don't need any routing directives on the 'hub' because the addition of each connection will take care of that.

With respect to rules: we find it best to make the first rule on the hub's OpenVPN interface this: any source/port NOT destined for THIS hub subnet is allowed to pass. That way each branch can manage their ingress policy privately, because the hub will just route anything not destined for its subnet.

We also find it best to set up DNS forwarders to the spoke networks, i.e. Hub: mybranch.mycompany.com dns dips are at 192.168.11.1. Spokes can dip the hub if so configured, which can in turn dip OTHER spokes if so configured. Inverse lookups work too. For example, add a dns forwarder of 10.168.192.in-addr.arpa to allow inverse lookups in the spoke in the subnet 192.168.10.0/24.

It's been rock-solid for many years now! Good luck.

On 5/16/2014 1:16 AM, A Mohan Rao wrote:

It's very simple...! First u have to configure a main vpn site-to-site vpn server at your main branch, then u can easily configure a, b, c etc. with share key and tunnel network.

On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall a...@cyberprog.net wrote:

Hi All,

I currently have a number of sites which have VPN's between them, with each site having a VPN to one another. This is becoming harder to manage; we currently have 5 sites (6 if you include my home) and it would make sense to me to adopt more of a star architecture with a central site. However, I can't work out how to configure this!

Each site has its own /24 of private address, and I have a central branch. How can I configure things so that if branch B needs to get to branch C, it knows that it must go via branch A? Branch A has the best connectivity (bonded FTTC's), so it would make sense, as well as it being our hub branch for the stock control system also.

Any advice would be appreciated!

--
Alex Threlfall
Cyberprog New Media
www.cyberprog.net
Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Level of Support
No one has answered, but I found that shutting off unbind and using the stock dnsforward fixed it.

On 4/14/2014 5:17 PM, Brian Caouette wrote:

I'm still not able to surf the net even with the 2.1.2 update if Captive Portal is active. The minute I disable it everything works fine. Not sure what is going on. Can anyone else confirm?

On 4/12/2014 11:04 PM, Roberto Tufik wrote:

+1 here

Ryan Coleman ryanjc...@me.com wrote in message news:33110045-3714-4e0c-af18-8c24cbba8...@me.com...

+1

--
Ryan Coleman
ryanjc...@me.com
m. 651.373.5015
o. 612.568.2749

On Apr 10, 2014, at 20:18, Mehma Sarja mehmasa...@gmail.com wrote:

Thanks go out to Chris, Jim and the whole pfSense team for what must be back-breaking work coming on the heels of the 2.1.1 release! This kind of commitment speaks volumes for the quality of products coming out of Netgate.

Yudhvir
Re: [pfSense] Version 2.1.2 - Thanks for the UNPRECEDENTED Level of Support
Someone posted yesterday that they were not having issues with 2.1.3. I think that's answering, although you have to be looking for it.

On May 18, 2014, at 9:24, Brian Caouette bri...@dlois.com wrote:

No one has answered, but I found that shutting off unbind and using the stock dnsforward fixed it.
[pfSense] Captive Portal Logout
I've spent most of the weekend trying to locate a variables resource that can be used for captive portal custom screens. What I'm looking for is a way to display time remaining for the session on the logout. Can this be done?
Re: [pfSense] pfSense Routing - VPN's
OpenVPN vs IPsec:

I find IPsec to be a bit more 'fussy' than OpenVPN, mainly because an IPsec setup with multiple tunnels to a single instance will share a single logical interface, making policy/rule management a bit more prone to human error, in contrast to OpenVPN where each site-to-site tunnel can appear as a discrete interface. Still, OpenVPN CAN manage multiple OpenVPN rules on a single interface for common rules if desired (i.e. allow any DNS).

I also find IPsec can be a bit fussy with regard to ESP and its MTU issues, though pfSense makes it much easier with MSS clamping ONLY on IPsec tunnels, which eliminates the need to reduce the MTU on the WAN interface (and all interfaces bridged to WAN).

Benefits of IPsec? Some day I'll meet someone who can tell me whether IPsec has any increased cryptographic strength for a given cipher/key/RNG combination due to the fact that the phase 2 re-keying is done in a quasi-out-of-band fashion (i.e. using phase 1 IKE). In other words, I assume that cracking a phase-2 key would only benefit an attacker until the next phase-2 re-key, unless they have also cracked the phase-1 IKE. Cracking a phase-1 key exchange seems like it could be extremely difficult if (for example) a properly decrypted phase 1 IKE looks like entropy.

Renumeration (re-IP'ing):

No need to renumerate the main branch in your example as long as the main branch isn't assigned a subnet mask of less than 24 bits (/23, /16, /8, etc). pfSense at the main branch will have interfaces (ergo routes) for each of the discrete 10.0.(4,5,6..n).0/24 tunnels, making routing to them implicit. In your example, the 'spokes' off the main branch would need to be told to find your other LAN subnets via this tunnel. In OpenVPN it's done right in the tunnel configuration (OpenVPN Advanced: route 10.0.0.0 255.255.0.0;).

Good luck.
On 5/18/2014 7:12 AM, Alex Threlfall wrote:

Interesting, we're not using OpenVPN at present, just the built-in IPSEC stuff in pfSense; what benefits are there in switching to OpenVPN? So our main branch is say 10.0.4.0, and the other branches are 10.0.5.0, 10.0.7.0, 10.0.2.0 and 10.0.3.0, all /24's. Would using this methodology require me to re-ip the main branch?
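An added Python model of the hub-and-spoke design Karl describes (not code from the thread or from pfSense): it checks the single /16 summary route the spokes carry, shows what the hub's first rule "pass anything NOT destined for this hub subnet" does to each kind of packet, and builds the in-addr.arpa zone name for a spoke's DNS forwarder. The site letters and the 10.0.x.0/24 addressing follow Alex's example; everything else is assumed.

```python
import ipaddress

# Constructed (assumed) hub-and-spoke addressing following the thread: the
# hub (branch A) is 10.0.4.0/24, the other branches are the spokes, and the
# spokes carry one summary route for all of 10.0.0.0/16 towards the hub.
HUB = ipaddress.ip_network("10.0.4.0/24")
SPOKES = {
    "B": ipaddress.ip_network("10.0.5.0/24"),
    "C": ipaddress.ip_network("10.0.7.0/24"),
    "D": ipaddress.ip_network("10.0.2.0/24"),
    "E": ipaddress.ip_network("10.0.3.0/24"),
}
SUMMARY = ipaddress.ip_network("10.0.0.0/16")  # the spokes' 'route 10.0.0.0 255.255.0.0'

def summary_is_valid(hub=HUB, spokes=SPOKES, summary=SUMMARY):
    """True when the summary covers every site, no two sites overlap, and the
    hub keeps a /24 or longer mask (a shorter hub mask would swallow spokes)."""
    sites = [hub, *spokes.values()]
    covered = all(s.subnet_of(summary) for s in sites)
    disjoint = not any(a.overlaps(b) for i, a in enumerate(sites) for b in sites[i + 1:])
    return covered and disjoint and hub.prefixlen >= 24

def hub_classify(dst, hub=HUB, spokes=SPOKES):
    """What the hub does with a packet arriving on its OpenVPN interface under
    the first rule 'anything NOT destined for THIS hub subnet may pass'."""
    addr = ipaddress.ip_address(dst)
    if addr in hub:
        return "hub-policy"  # only traffic for the hub itself meets the hub's own ingress rules
    for name, net in spokes.items():
        if addr in net:
            return f"transit:{name}"  # passed straight through; that spoke must filter it on ingress
    return "default-route"  # no site matches: it follows the hub's default route unless a rule stops it

def path(src_site, dst_site, spokes=SPOKES):
    """Hops between sites: spoke-to-spoke traffic always goes via the hub, A."""
    if src_site == dst_site:
        return [src_site]
    via_hub = src_site in spokes and dst_site in spokes
    return [src_site, *(["A"] if via_hub else []), dst_site]

def reverse_zone(cidr):
    """in-addr.arpa zone name to forward for a /24 spoke, for inverse lookups."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen != 24:
        raise ValueError("only /24 spokes are handled here")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"
```

The "default-route" case is the one worth a deliberate rule on the hub: a spoke packet for an address that belongs to no site is not caught by the "not destined for the hub subnet" pass rule and continues along whatever default route the hub has.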