Re: [pfSense] squidGuard Stopped

2015-01-28 Thread Aaron C. de Bruyn
What do the logs say?
On Jan 27, 2015 10:16 PM, "A Mohan Rao"  wrote:

> Hello,
>
> After I upgraded pfSense from 2.1.5 to 2.2-i386, the squidGuard service is
> stopped. I have already uninstalled and reinstalled it 5 times and it still
> does not start. Please give me any idea.
>
>
> Also, I am not getting the squid3-dev package on 2.2.
>
>
> Thanks
> mohan
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] polling pfsense status for a combined dashboard

2015-01-27 Thread Aaron C. de Bruyn
Forget a dashboard for the moment.  A decent API would go a long way
for writing automation tools.

I've already recommended to the opnsense guys that they add on an API.

If I only knew a bit more about packaging, I'd make my own fork with
the tools.  ;)

-A

On Tue, Jan 27, 2015 at 11:15 AM, Moshe Katz  wrote:
> On Tue, Jan 27, 2015 at 12:29 PM, Adam Thompson 
> wrote:
>>
>> On 2015-01-27 11:22 AM, Wolf Noble wrote:
>>
>> Hi Adam,
>>
>> Thanks for the response.  Yeah, I know about SNMP. It's a route I might
>> go, but wanted to see what else was available.
>>
>> Strangely enough, I did actually look on the docs site before posting, but
>> I didn't find the page you referenced. That's why I posted here. Would you
>> mind terribly posting a link to the page you mention?
>>
>> When I searched the docs site, I looked for 'api', then  'curl', and then
>> 'header'; but didn't find any relevant results. The closest I found was
>> https://doc.pfsense.org/index.php/Limiting_access_to_web_interface ; but
>> that's not really relevant.
>>
>>
>> My apologies, I can't find it now, either.  WTF... I *know* that page used
>> to exist.  Looks like jimp is doing most of the wiki updates, perhaps he'll
>> remember what happened to it.
>>
>> The only thing I can find that covers it is this:
>> https://doc.pfsense.org/index.php/Remote_Config_Backup
>>
>> --
>> -Adam Thompson
>>  athom...@athompso.net
>
>
> As Adam said, I'm pretty sure that there used to be something in the Wiki.
> However, I'm also pretty sure that it was targeted at pfSense 1.x and that
> it was removed from there because something in the 2.x changes broke it.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
>


Re: [pfSense] secure management access on transparent bridge firewall

2014-12-08 Thread Aaron C. de Bruyn
I think what he means is to set up an isolated management VLAN, then
you VPN into your pfSense box and get access to the management VLAN.

-A

On Mon, Dec 8, 2014 at 11:10 AM, Richard Lussier
 wrote:
> Hi Chris,
>
> Do you mean to redirect the VPN to the management VLAN?
>
> Thank you
>
> Richard
>
> On 2014-12-08 13:12, Chris L wrote:
>
> Management VLAN.
>
> On Dec 8, 2014, at 9:08 AM, Richard Lussier 
> wrote:
>
> Hi,
>
> We are providing Internet access to coop housing (50 units).
> We have transit access to the exchange via fibre and a /26 of public IPv4
> addresses.
>
> I purchased a Netgate C2758 router to be able to do limiters and traffic
> shaping at rush hour.
> I set up a transparent bridge and everything works fine so far.
> This feeds two Cisco SF300 switches, and each unit has a TP-Link WDR3600
> wireless router with a static address.
>
> I need to secure the management interface to the pfSense and to the
> switches.
> I could make a rule to allow access only from a fixed source IP, but I travel a
> lot and need flexibility.
> The best for me would be OpenVPN.
> Is this possible without a LAN, or ...?
>
> Thank you,
>
> Richard
>
>
>
>
> --
>
> Richard Lussier
> inter-node.com
> scalable digital networks
> copper – wireless – fibre optic
> t. 514.316.1623
> c. 514.574.5111
>
>

Re: [pfSense] pfsense crash dump

2014-10-13 Thread Aaron C. de Bruyn
To me, it looks like a disk issue:

mfi0: 35354 (465709273s/0x0002/info) - Patrol Read corrected medium
error on PD 02(e0x20/s2) at 1692f3e4
mfi0: 35355 (465709275s/0x0002/info) - Unexpected sense: PD
02(e0x20/s2) Path 539358c92146, CDB: 2f 00 16 92 f3 e5 00 10 00
00, Sense: 1/00/00


You might want to download something like "The Ultimate Boot CD" and
use the manufacturers test tools on your drive.


-A


On Sun, Oct 12, 2014 at 11:43 PM, Mark Loza  wrote:

> Hi,
>
> Does anyone happen to know what's in this crash dump in pfSense:
> http://sprunge.us/CGDH ? Actually, this has already happened twice; the first
> crash happened approximately 30 days ago and the second occurred yesterday. I
> suspect this might be a disk issue. Thanks in advance to those who would help
> me determine the real cause.
>
>
>

Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Aaron C. de Bruyn
In most of my client networks, there is an internal exchange server and an
external spam filter / mail gateway.

I use floating rules to allow all SMTP traffic to the spam filter, and all
SMTP traffic to the Exchange servers, then I block all other SMTP.

Viruses trying to send mail out to various SMTP servers on the net get
blocked (because it's not going through the spam gateway) and the Exchange
server requires authenticated SMTP.

This makes it easy to set things like copiers (which usually have horridly
complex SMTP support with little or no logging other than "something went
wrong") and various Linux/Unix boxes to use our spam filter as an
unauthenticated relay, and viruses using SMTP can only talk to Exchange or
the spam filter.  Either way, it's fairly easy to figure out which host is
spewing mail by looking at the Exchange or Postfix logs.  It's also fairly
easy to rate-limit or block hosts that send more than 100 messages in an
hour.

Use floating rules to accomplish the task.  For example:
* Apply immediately on match, accept tcp/25 from any to exchange ip
* Apply immediately on match, accept tcp/25 from any to spam filter ip
* Apply immediately on match, reject tcp/25 from any to any

-A


On Thu, Oct 9, 2014 at 4:05 AM, Mikey van der Worp 
wrote:

> To whom it may concern,
>
>
>
> Today I have come to you with the question of how to block users from
> spamming with SMTP/25 behind *NAT* and the IP of pfSense (< NAT). We do
> not wish/want to block the entire SMTP traffic in the private range to the
> world, because there are important clients behind the pfSense who actually
> behave normally. We thought about forcing all the SMTP traffic to be
> redirected through the pfSense machine, so it can be scanned/blocked (even
> when the user decides not to do this and wants to use their own SMTP
> server). Is there some documentation for this or rate-limiting available?
> Might you have any solutions for the problem described above?
>
>
>
> The current situation causes our server to be blocked at blacklists.
>
>
>
> Hopefully somebody can help me out!
>
>
>
> Thanks in advance,
>
> Mikey van der Worp
>
>
>
> -
>
> *Mikey van der Worp *
>
> System Administrator
>
>
>
> Utelisys Communications B.V.
>
> Trinity Buildings
>
> Tower A, 7th floor
>
> Pietersbergweg 15
>
> 1105 BM Amsterdam
>
>
>
> Tel  +31 - 20 - 561 8010
>
> Fax +31 - 20 - 561 8021
>
>
>
> *"Like us" on facebook*
>
> https://www.facebook.com/utelisyscommunications
>
>
>
> *"Follow us" on Linkedin*
>
> https://www.linkedin.com/company/utelisys-communications-b.v./
>
>
>
> www.utelisys.com – https://www.utelisys.com/
>
>
>
>
>
>
>
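As an added example (not part of the thread), here is the log check Aaron describes: read the spam gateway's Postfix smtpd "client=" lines and flag internal hosts that send more than 100 messages in any rolling hour. The log lines, host names and addresses are constructed, and the syslog year is assumed to be 2014 because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOURLY_LIMIT = 100   # the threshold named in the post
LOG_YEAR = 2014      # assumption: syslog timestamps carry no year

# Postfix smtpd writes one "client=host[ip]" line per accepted message.
CLIENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=(?P<host>\S+)\[(?P<ip>[0-9.]+)\]"
)


def parse_client_line(line):
    """Return (timestamp, client_ip) for an smtpd client= line, else None."""
    m = CLIENT_RE.search(line)
    if m is None:
        return None
    ts_text = re.sub(r"\s+", " ", m.group("ts"))   # "Oct  9" -> "Oct 9"
    ts = datetime.strptime(f"{LOG_YEAR} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def find_noisy_senders(lines, limit=HOURLY_LIMIT, window=timedelta(hours=1)):
    """Return {ip: peak messages in any rolling window} for hosts over limit.

    Lines must be in time order per client, as they are in a real log file.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_client_line(line)
        if parsed is None:        # disconnects, NOQUEUE rejects, other daemons
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward to this message
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}


def constructed_log(start, count, ip, host, spacing):
    """Build constructed smtpd lines: `count` messages, `spacing` apart."""
    lines = []
    for i in range(count):
        t = start + i * spacing
        lines.append(
            f"{t:%b} {t.day:2d} {t:%H:%M:%S} mailgw postfix/smtpd[4242]: "
            f"{0x3A1B2C + i:06X}: client={host}[{ip}]"
        )
    return lines


START = datetime(LOG_YEAR, 10, 9, 8, 0, 0)
SAMPLE_LOG = (
    # a copier looping on a stuck job: 120 messages in 40 minutes
    constructed_log(START, 120, "192.0.2.50", "copier.example.internal",
                    timedelta(seconds=20))
    # a backup server's status mails: 8 messages in 35 minutes
    + constructed_log(START, 8, "192.0.2.77", "backup.example.internal",
                      timedelta(minutes=5))
    # a busy app server: 150 messages, but only 61 fall inside any one hour
    + constructed_log(START, 150, "192.0.2.90", "app.example.internal",
                      timedelta(minutes=1))
    # a line the parser must ignore
    + ["Oct  9 08:40:00 mailgw postfix/smtpd[4242]: "
       "disconnect from copier.example.internal[192.0.2.50]"]
)


if __name__ == "__main__":
    for ip, n in sorted(find_noisy_senders(SAMPLE_LOG).items()):
        print(f"{ip}: {n} messages within one hour (limit {HOURLY_LIMIT})")
```

Feed it a real `/var/log/mail.log` with `find_noisy_senders(open(path))` and the same code applies; the rolling window is what keeps the steady app server off the list while the looping copier lands on it.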

Re: [pfSense] pfSense Routing - VPN's

2014-05-16 Thread Aaron C. de Bruyn
I have the same issue.  We manage firewalls for a growing business, and
currently everything links to their 'corp' office.  But their corp office
connection is overloaded with all the traffic going between offices.

When I ran plain Linux boxes with Shorewall installed, I wrote a tool
called 'openmesher' that would automatically generate all the link
combinations and create DEB packages to install the SITE-to-SITE.conf file
in /etc/openvpn/ along with shared keys.

Then my boss decided he wanted a GUI to manage the firewalls, so we
switched to pfSense.  Unfortunately there is no API or easy way to automate
the configuration (XML, ugh!)

...but I'm working on modifying openmesher to generate the XML snippet for
OpenVPN configs.  You still have to copy/paste in to your config file, but
it'll still save a bunch of clicking.

I love pfSense, but I *hate* XML and the lack of an API.  The power of *nix
comes from the tools to rapidly edit simple text files and interop through
simple APIs.

*wonders about funding the next pfSense hackathon with an eye towards an
API*

-A



On Thu, May 15, 2014 at 11:55 PM, Karl Fife  wrote:

>  This is exactly what we do.
>
> We make the hub the OpenVPN server, and the spokes the clients because the
> hub IP is static, and we can manage all of the OpenVPN listeners on one
> instance.
>
> If your whole network is a /16, and each spoke is a /24, all you need is a
> route directive on each of the spokes for the entire /16.  In OpenVPN
> Advanced "route 192.168.0.0 255.255.0.0;"
>
> You don't need any routing directives on the 'hub' because the addition of
> each connection will take care of that.
>
> With respect to rules:
> We find it best to make the first rule on the hub's OpenVPN interface this:
> "Any source/port NOT destined for THIS hub subnet is allowed to pass".
> That way each branch can manage their ingress policy privately because the
> hub will just route anything not destined for its subnet.
>
> We also find it best to set up DNS forwarders to the spoke networks, i.e.
> Hub: mybranch.mycompany.com dns dips are at 192.168.11.1.  Spokes can dip
> the hub if so configured which can in turn dip OTHER spokes if so
> configured.  Inverse lookups work too.  For example, add a dns forwarder
> of 10.168.192.in-addr.arpa to allow inverse lookups in the spoke in the
> subnet 192.168.10.0/24
>
> It's been rock-solid for many years now!
>
> Good luck.
>
>
>
>
>
>
> On 5/16/2014 1:16 AM, A Mohan Rao wrote:
>
> It's very simple!
> First you have to configure a main site-to-site VPN server at your main
> branch, then you can easily configure A, B, C, etc.
> with a shared key and tunnel network.
>
>
> On Fri, May 16, 2014 at 2:53 AM, Alex Threlfall wrote:
>
>>  Hi All,
>>
>>
>>
>> I currently have a number of sites which have VPNs
>> between them, with each site having a VPN to one another. This is becoming
>> harder to manage; we currently have 5 sites (6 if you include my home) and
>> it would make sense to me to adopt more of a star architecture with a
>> central site.
>>
>>
>>
>> However, I can’t work out how to configure this! Each
>> site has its own /24 of private addresses, and I have a central branch. How
>> can I configure things so that if branch B needs to get to branch C, it
>> knows that it must go via branch A?
>>
>>
>>
>> Branch A has the best connectivity – bonded FTTCs, so it
>> would make sense, as well as it being our “hub” branch for the stock control
>> system also.
>>
>>
>>
>> Any advice would be appreciated!
>>
>>
>>
>> --
>>
>> Alex Threlfall
>>
>> Cyberprog New Media
>>
>> www.cyberprog.net
>>
>>
>>
>>
>
>
>
>
>
>

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-15 Thread Aaron C. de Bruyn
Interesting.  Thanks Chris.

-A


On Tue, May 13, 2014 at 6:19 AM, Chris Buechler  wrote:

> On Sat, May 10, 2014 at 9:58 PM, Aaron C. de Bruyn 
> wrote:
> >
> > Slightly OT, but why would they have ARP cache timeouts of four hours?
> > What benefit do you get with such high cache times as opposed to the obvious
> > support calls you will get when equipment is swapped around?
> >
>
> That's Cisco's default and others aren't too far from that generally.
> I believe that's something that hasn't changed since originally
> implemented decades ago. Originally, it was likely because networks
> were slow and not switched, so you didn't want to chew up a lot of
> bandwidth just handling ARP. As with many cases along those lines, it
> got entrenched and once a vendor sets a specific default, they tend to
> not want to change it. That's largely educated guessing, as I'm not
> completely sure of the reasoning, just that it's been like that more or
> less forever.
>
> Yes, with modern networks, in a lot of cases it's really not sensible
> to hang onto your ARP cache for hours.
>
> A number of cable modems are worse than 4 hours. I can think of a
> handful of times over the last 7 years or so, with the most recent
> being a couple months ago, where a support customer got in touch with
> us after trying to move some IPs and messing with it for multiple days
> and couldn't make it work. Packet capture on WAN for the affected IPs,
> check the destination MAC, see something other than the firewall. Ask
> "What's this X MAC?" "The old box we unplugged last week." Power cycle
> cable modem, all is well.
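To automate the diagnosis Chris describes (capture on WAN for the affected IPs and check the destination MAC of each frame), here is an added example that is not from the thread. It reads lines in the shape of `tcpdump -e -n` output and reports any of our WAN IPs whose frames the upstream device is still delivering to a MAC other than the one that should own them; the addresses, MACs and capture lines are constructed, and the CARP virtual MAC form 00:00:5e:00:01:<VHID> is the standard one.

```python
import re
from collections import defaultdict

# One `tcpdump -e -n` line: Ethernet header first, then the IPv4 addresses.
# Only the fields the check needs are captured.
FRAME_RE = re.compile(
    r"^\S+ (?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<src_ip>\d+(?:\.\d+){3})\.\d+ > (?P<dst_ip>\d+(?:\.\d+){3})\.\d+"
)


def parse_frame(line):
    """Return (dst_mac, dst_ip) for an IPv4 frame line, else None."""
    m = FRAME_RE.search(line)
    if m is None:
        return None
    return m.group("dst_mac"), m.group("dst_ip")


def find_stale_arp(lines, expected):
    """Map each of our WAN IPs to the set of wrong MACs its frames carried.

    `expected` maps a WAN IP we own to the MACs allowed to receive it: the
    firewall NIC's MAC, or for a CARP VIP the virtual MAC 00:00:5e:00:01:<VHID>.
    A frame for one of our IPs addressed to any other MAC means the upstream
    device is still resolving that IP through a stale ARP entry.
    """
    stale = defaultdict(set)
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:          # ARP, IPv6, non-frame lines
            continue
        dst_mac, dst_ip = parsed
        if dst_ip in expected and dst_mac not in expected[dst_ip]:
            stale[dst_ip].add(dst_mac)
    return dict(stale)


# Constructed values mirroring the /28 layout in the thread (RFC 5737 prefix).
ROUTER1_MAC = "00:1b:21:aa:bb:01"        # constructed: new router1's WAN NIC
OLD_FIREWALL_MAC = "00:1b:21:de:ad:01"   # constructed: the dead box's NIC
EXPECTED = {
    "203.0.113.1": {ROUTER1_MAC},
    "203.0.113.3": {"00:00:5e:00:01:03"},   # exchange, CARP VHID 3
    "203.0.113.5": {"00:00:5e:00:01:05"},   # VPN, CARP VHID 5
}

UPSTREAM = "00:aa:bb:cc:dd:ee"  # constructed: the upstream hop's MAC
CAPTURE = [
    f"21:56:01.000001 {UPSTREAM} > {ROUTER1_MAC}, ethertype IPv4 (0x0800), "
    "length 74: 198.51.100.9.51234 > 203.0.113.1.443: Flags [S], seq 1, win 65535",
    # the modem still delivers the exchange VIP to the dead firewall's MAC
    f"21:56:02.000001 {UPSTREAM} > {OLD_FIREWALL_MAC}, ethertype IPv4 (0x0800), "
    "length 74: 198.51.100.9.51235 > 203.0.113.3.4433: Flags [S], seq 2, win 65535",
    f"21:56:03.000001 {UPSTREAM} > 00:00:5e:00:01:05, ethertype IPv4 (0x0800), "
    "length 74: 198.51.100.9.51236 > 203.0.113.5.1194: UDP, length 14",
    f"21:56:04.000001 {UPSTREAM} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Request who-has 203.0.113.3 tell 203.0.113.14, length 28",
    # traffic for an IP that is not ours is ignored
    f"21:56:05.000001 {UPSTREAM} > 00:1b:21:00:00:99, ethertype IPv4 (0x0800), "
    "length 60: 198.51.100.9.40000 > 203.0.113.9.25: Flags [S], seq 3, win 65535",
]


if __name__ == "__main__":
    for ip, macs in sorted(find_stale_arp(CAPTURE, EXPECTED).items()):
        print(f"{ip} is being delivered to {', '.join(sorted(macs))}; "
              f"expected {', '.join(sorted(EXPECTED[ip]))}")
```

On a live box, pipe `tcpdump -e -n -i <wan> dst net <your block>` into `find_stale_arp` and any IP it reports is one the CPE still resolves to old hardware, which is the cue to power cycle the modem or ask the provider to clear its cache.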

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-10 Thread Aaron C. de Bruyn
Good to know.

Slightly OT, but why would they have ARP cache timeouts of four hours?
What benefit do you get with such high cache times as opposed to the
obvious support calls you will get when equipment is swapped around?

-A


On Sat, May 10, 2014 at 7:55 PM, Moshe Katz  wrote:

> On Fri, May 9, 2014 at 10:56 PM, Aaron C. de Bruyn wrote:
>
>> Spent about an hour beating my head against the wall with this issue,
>> hopefully this will save others some time.
>>
>> We had a stand-alone pfSense router.
>> We just purchased two machines from ixsystems and were preparing them to
>> be a failover pair of pfSense routers and then decommission the smaller
>> older box.
>>
>> While we were installing the new servers, the HDD in the old firewall
>> died.
>>
>> We figured we would just get the two new boxes up.
>>
>> Plugged them into the Comcast modem and configured everything.
>>
>> Comcast assigned us a /28 a while back and we were using a handful of IPs
>> to access various internal services over HTTPS.
>>
>> The /28 looked roughly like:
>> .1 - router1
>> .2 - router2
>> .3 - exchange (CARP)
>> .4 - remote (CARP)
>> .5 - VPN (CARP)
>> .6 - spamfilter (physical machine)
>> ...etc
>>
>> After everything was configured, I had someone test remotely that they
>> could access the interface for router1 and router2 remotely.
>>
>> I then went home to finish up a few config details remotely.
>>
>> When I got home, I found I could access router1 and router2 as well as
>> the physical spam filter, but I couldn't access any of the HTTPS services
>> on the CARP IPs.
>>
>> I checked my NAT rules about 100 times, looked through firewall logs, and
>> found nothing.
>>
>> Finally I connected in to the spam filter (linux box) and ran 'openssl
>> s_client -connect exchange.example.tld:4433' and noticed it worked
>> perfectly from a machine on the same WAN segment.   ...but not remotely.
>>
>> I called Comcast and had them remotely reboot the modem.  Everything
>> immediately came up and started working perfectly.
>>
>> Hopefully this will save someone time.  Reboot the brain-damaged Netgear
>> CPE after swapping hardware around.
>>
>> -A
>>
>
> Hi Aaron,
>
> Most cable modems I have worked with in the US (on Comcast, Optimum, and
> RCN) all do ARP caching, so you need to reboot them when you change the
> connected device (or you need to clone the old device's MAC address).
>
> Actually though, working with DSL is worse.  Verizon DSL does ARP caching
> in the Central Office for up to four hours.  I have found that when replacing
> equipment hooked up to Verizon DSL, it is best to already be on the phone
> with Verizon support to have them manually clear the cache.  At least
> rebooting the cable modem is something you can do yourself.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-10 Thread Aaron C. de Bruyn
Yeah--I had gone over all the 'usual' stuff.  DHCP disabled, firewall
settings disabled, Smart Packet Detection disabled.

-A


On Sat, May 10, 2014 at 4:28 AM, Ryan Coleman  wrote:

> You may want to make sure the DHCP server is disabled on the modem
> completely. I’ve noticed that caused issues in the past for me.
> The default user/pass is cusadmin/highspeed on those modems.
>
>
> On May 10, 2014, at 2:19, Aaron C. de Bruyn  wrote:
>
> Yeah--I figured it was related to the MAC address.
>
> It'd be nice to know why the Comcast equipment does that--I've never run
> in to it with other providers.
>
> -A
>
>
> On Fri, May 9, 2014 at 9:01 PM, compdoc  wrote:
>
>> > I called Comcast and had them remotely reboot the modem.
>>
>> Whenever I connect a different network card to my home Comcast modem, I
>> have to power cycle the modem for it to come up. I think it keys off the MAC
>> address of the old card, and won't accept the new one until then. I get a new
>> IP address each time I test firewall builds. Not exactly the same situation,
>> but something like it.
>>
>>
>>
>>
>>
>>
>>

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-10 Thread Aaron C. de Bruyn
Yeah--I figured it was related to the MAC address.

It'd be nice to know why the Comcast equipment does that--I've never run in
to it with other providers.

-A


On Fri, May 9, 2014 at 9:01 PM, compdoc  wrote:

> > I called Comcast and had them remotely reboot the modem.
>
> Whenever I connect a different network card to my home Comcast modem, I
> have to power cycle the modem for it to come up. I think it keys off the MAC
> address of the old card, and won't accept the new one until then. I get a new
> IP address each time I test firewall builds. Not exactly the same situation,
> but something like it.
>
>
>
>
>
>
>

Re: [pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-10 Thread Aaron C. de Bruyn
It happens occasionally with their older SMC modems, but it seems to happen
frequently with the Netgear modems.

If you don't reboot the modem, it usually picks up on the changes within
5-15 minutes.  Sometimes longer.

-A


On Fri, May 9, 2014 at 8:30 PM, Ryan Coleman  wrote:

> I’m not running CARP but I am doing many things like yours on my Comcast
> Business account…
>
> I’ve never had that happen - and I think my modem only reboots when I lose
> power (it’s on the UPS but not on battery - by design).
>
> Which modem did they install? I suspect it’s a firmware “feature” of that
> modem.
>
>
>
>
> On May 9, 2014, at 21:56, Aaron C. de Bruyn  wrote:
>
> > Spent about an hour beating my head against the wall with this issue,
> hopefully this will save others some time.
> >
> > We had a stand-alone pfSense router.
> > We just purchased two machines from ixsystems and were preparing them to
> be a failover pair of pfSense routers and then decommission the smaller
> older box.
> >
> > While we were installing the new servers, the HDD in the old firewall
> died.
> >
> > We figured we would just get the two new boxes up.
> >
> > Plugged them into the Comcast modem and configured everything.
> >
> > Comcast assigned us a /28 a while back and we were using a handful of
> IPs to access various internal services over HTTPS.
> >
> > The /28 looked roughly like:
> > .1 - router1
> > .2 - router2
> > .3 - exchange (CARP)
> > .4 - remote (CARP)
> > .5 - VPN (CARP)
> > .6 - spamfilter (physical machine)
> > ...etc
> >
> > After everything was configured, I had someone test remotely that they
> could access the interface for router1 and router2 remotely.
> >
> > I then went home to finish up a few config details remotely.
> >
> > When I got home, I found I could access router1 and router2 as well as
> the physical spam filter, but I couldn't access any of the HTTPS services
> on the CARP IPs.
> >
> > I checked my NAT rules about 100 times, looked through firewall logs,
> and found nothing.
> >
> > Finally I connected in to the spam filter (linux box) and ran 'openssl
> s_client -connect exchange.example.tld:4433' and noticed it worked
> perfectly from a machine on the same WAN segment.   ...but not remotely.
> >
> > I called Comcast and had them remotely reboot the modem.  Everything
> immediately came up and started working perfectly.
> >
> > Hopefully this will save someone time.  Reboot the brain-damaged Netgear
> CPE after swapping hardware around.
> >
> > -A
> >
> >
> >

[pfSense] Annoying Comcast Issue When Changing Hardware

2014-05-09 Thread Aaron C. de Bruyn
Spent about an hour beating my head against the wall with this issue,
hopefully this will save others some time.

We had a stand-alone pfSense router.
We just purchased two machines from ixsystems and were preparing them to be
a failover pair of pfSense routers and then decommission the smaller older
box.

While we were installing the new servers, the HDD in the old firewall died.

We figured we would just get the two new boxes up.

Plugged them into the Comcast modem and configured everything.

Comcast assigned us a /28 a while back and we were using a handful of IPs
to access various internal services over HTTPS.

The /28 looked roughly like:
.1 - router1
.2 - router2
.3 - exchange (CARP)
.4 - remote (CARP)
.5 - VPN (CARP)
.6 - spamfilter (physical machine)
...etc

After everything was configured, I had someone test remotely that they
could access the interface for router1 and router2 remotely.

I then went home to finish up a few config details remotely.

When I got home, I found I could access router1 and router2 as well as the
physical spam filter, but I couldn't access any of the HTTPS services on
the CARP IPs.

I checked my NAT rules about 100 times, looked through firewall logs, and
found nothing.

Finally I connected in to the spam filter (linux box) and ran 'openssl
s_client -connect exchange.example.tld:4433' and noticed it worked
perfectly from a machine on the same WAN segment.   ...but not remotely.

I called Comcast and had them remotely reboot the modem.  Everything
immediately came up and started working perfectly.

Hopefully this will save someone time.  Reboot the brain-damaged Netgear
CPE after swapping hardware around.

-A

Re: [pfSense] Packet loss with pfsense but not with linux or windows.

2013-08-13 Thread Aaron C. de Bruyn
Have you tried changing the "Enable device polling" option under
System->Advanced->Networking?

-A


On Tue, Aug 13, 2013 at 7:56 PM, Sandeep A.S  wrote:

> Hi All
>
> I have pfSense boxes deployed for 3-4 customers, where with one particular
> ISP, Airtel, I face high latency and packet loss with the pfSense
> systems. With either Linux or Windows systems I am getting 7ms and 0%
> packet loss to the gateway.
> But with pfSense it goes between 80ms and 700ms with packet loss of
> nearly 20-40%.
> Initially I was thinking this is because of the CARP setups I have. But
> even without any CARP setup the packet loss is the same.
>
> I have tried with a D-Link 520TX card and an Intel Pro 1000mbps dual
> port card. Both cards give a similar issue. This is not only
> in one place but at most of the customers who use an Airtel leased line or
> DSL line. This issue is there in all my setups. One more piece of
> information is that Airtel provides the leased line or DSL over the
> copper line in India. I am not facing this issue with other providers.
> As it works fine with both Linux and Windows systems I am not able to
> ask them to make any changes at their side.
>
> So far I have made the following changes.
>
> 1. Tried with both Intel and D-Link cards. Also tried with different
> cables.
> 2. Tried with all duplexing options. I had to come back to 100mbps UTP
> full duplex to at least work.
> 3. From the command line, tried with 1420 MTU.
> 4. Tried disabling/enabling hardware checksum offload.
> 5. Tried disabling/enabling TCP segmentation offload.
> 6. Tried upgrading pfSense from 2.0.2 to the 2.1.RC1 snapshot.
>
> All these trials were failures.  Please let me know whether I can try
> any other options, or what other parameters I have to check.
>
> Thanks for the support.
> Sandeep


Re: [pfSense] Best practice for SSD installs

2013-06-09 Thread Aaron C. de Bruyn
Verbatim "Tough-'n'-Tiny" flash drives.  2 GB and 4 GB.

http://www.newegg.com/Product/Product.aspx?Item=9SIA0SF0BP6305
http://www.newegg.com/Product/Product.aspx?Item=9SIA0SF0BP6306

Most of the ones we have in production are under 1 year old, but we had a
lot of SSDs fail before the 1-year mark.

I didn't really pay attention to the speed, but I write an image to the 2
GB drive in about 8 minutes.  (Not a scientific number!)

-A


On Sun, Jun 9, 2013 at 11:40 AM, Odhiambo Washington wrote:

> @Aaron,
>
> Which brand of USB sticks are these you use? I've tried working with
> Transcend and found the performance awful. I'll appreciate your
> recommendation on USB sticks.
>
>
> On 8 June 2013 21:17, Aaron C. de Bruyn  wrote:
>
>> Just a note of personal experience.  I've deployed ~20 pfSense firewalls
>> that had SSDs (both cheap and rated 'good' from Newegg) over the past 2
>> years.  I am not convinced SSDs are more reliable.  Nearly every one has
>> had an SSD die or become corrupt.  We switched them all to USB sticks and
>> haven't had any more issues.  Plus it's easier for us to ship a replacement
>> USB stick to the client and have them plug it in than to have them pop open
>> the case and replace the drive.
>>
>> Maybe we've just had bad luck with SSDs, but I'm not convinced they are
>> ready.
>>
>> -A
>>
>>
>> On Sat, Jun 8, 2013 at 12:20 AM, Eugen Leitl  wrote:
>>
>>> On Sat, Jun 08, 2013 at 12:40:34AM +0100, Chris Bagnall wrote:
>>>
>>> > Which brings me to the question: the last time I performed a pfSense
>>> > 'full' install (i.e. not embedded) was several years, and many
>>> > versions ago. What's the best practice when using an SSD? Use the
>>> > CD-based installer to do a 'full' install, or continue to use the
>>> > embedded NanoBSD image?
>>>
>>> Modern SSDs are at least as reliable as HDs. I've used SSDs
>>> with pfSense for years (including IDE DoMs) with full install
>>> and never had a failure yet.
>>>
>>> > As an aside, there are several options on the "Advanced" tab
>>> > relating to NIC performance options:
>>> > - Disable hardware checksum offload
>>> > - Disable hardware TCP segmentation offload
>>> > - Disable hardware large receive offload
>>> > Has anyone done any tests / is there a list maintained anywhere with
>>> > details of which NICs are "problematic" with these, and hence should
>>> > be disabled? The motherboard I'm using is a mix of Intel and Realtek
>>> > gigabit NICs (em and re respectively).
>>>
>>> I've used Supermicro Atoms with 2 Intel NICs onboard and
>>> with a dual-port Intel NIC added. I would be also interested in
>>> suggested list of settings for Intel NICs.
>>>
>>
>>
>>
>>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> "I can't hear you -- I'm using the scrambler."
>


Re: [pfSense] Best practice for SSD installs

2013-06-08 Thread Aaron C. de Bruyn
Just a note of personal experience.  I've deployed ~20 pfSense firewalls
that had SSDs (both cheap and rated 'good' from Newegg) over the past 2
years.  I am not convinced SSDs are more reliable.  Nearly every one has
had an SSD die or become corrupt.  We switched them all to USB sticks and
haven't had any more issues.  Plus it's easier for us to ship a replacement
USB stick to the client and have them plug it in than to have them pop open
the case and replace the drive.

Maybe we've just had bad luck with SSDs, but I'm not convinced they are
ready.

-A


On Sat, Jun 8, 2013 at 12:20 AM, Eugen Leitl  wrote:

> On Sat, Jun 08, 2013 at 12:40:34AM +0100, Chris Bagnall wrote:
>
> > Which brings me to the question: the last time I performed a pfSense
> > 'full' install (i.e. not embedded) was several years, and many
> > versions ago. What's the best practice when using an SSD? Use the
> > CD-based installer to do a 'full' install, or continue to use the
> > embedded NanoBSD image?
>
> Modern SSDs are at least as reliable as HDs. I've used SSDs
> with pfSense for years (including IDE DoMs) with full install
> and never had a failure yet.
>
> > As an aside, there are several options on the "Advanced" tab
> > relating to NIC performance options:
> > - Disable hardware checksum offload
> > - Disable hardware TCP segmentation offload
> > - Disable hardware large receive offload
> > Has anyone done any tests / is there a list maintained anywhere with
> > details of which NICs are "problematic" with these, and hence should
> > be disabled? The motherboard I'm using is a mix of Intel and Realtek
> > gigabit NICs (em and re respectively).
>
> I've used Supermicro Atoms with 2 Intel NICs onboard and
> with a dual-port Intel NIC added. I would be also interested in
> suggested list of settings for Intel NICs.