Re: [pfSense Support] 0.71.x WARP Version
On 7/25/05, Chris Buechler <[EMAIL PROTECTED]> wrote:
> upnp is junk anyway. Whoever decided it was a good idea to let some
> application on your network dynamically open ports on your firewall
> needs to share some of what they were smoking.
>
> Ok, if it's not abused, it's better than having necessary ports open
> all the time... but the possibilities for abuse are just endless.

Heh...well worse, the original requirement (not ours) for upnp was for applications that open dynamic ports. You can then tell the firewall what port you need open. Of course, upnp is a huge security risk in a corporate environment, but then you'd never have your firewall on the same network segment as the clients right? :)

--Bill

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] RE: [pfSense-discussion] Interface help
On 7/25/05, Kim C. Callis <[EMAIL PROTECTED]> wrote:
> There is nothing in the manual about setting up CARP so I have did a

Yeah, there's a lot that isn't in the manual...kinda pointless to document something that keeps changing :)

> VIP using proxy ARP. I don't care which way it has to be setup, I just
> need for it to forward to a host in my internal LAN. So can I achieve
> this with proxy ARP, and what else do I need to add?

Rules and NAT entries to get the traffic to the server.

--Bill
Re: [pfSense Support] 0.71.x WARP Version
On 7/25/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> This package is no longer available via freebsd's ftp servers and
> we've never had a confirmation that it works so I am deactivating this
> package.

upnp is junk anyway. Whoever decided it was a good idea to let some application on your network dynamically open ports on your firewall needs to share some of what they were smoking.

Ok, if it's not abused, it's better than having necessary ports open all the time... but the possibilities for abuse are just endless.

-cmb
Re: [pfSense Support] 0.71.x WARP Version
Yeah, I played around with this package for a few hours and couldn't convince myself that it actually did anything. Maybe someone else can make it sing and dance (well, at least make it sing so we can teach it how to dance). Until then, it's gone.

--Bill

On 7/25/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> This package is no longer available via freebsd's ftp servers and
> we've never had a confirmation that it works so I am deactivating this
> package.
>
> Scott
>
> On 7/25/05, Giorgio Ducci <[EMAIL PROTECTED]> wrote:
> > Thanks for the new WRAP version! I'm following your work very closely
> > and it is great. I'm testing all the features (step by step) and I
> > found that 'upnp' does not install==>Downloading package configuration
> > file... done.
> > Saving updated package information... done.
> > Downloading upnp and its dependencies... done.
> > Checking for successful package installation... failed!
> >
> > Installation aborted.
> > That's what I get. I'm trying with other packages as well. Keep you
> > informed. Has anyone the same problem with a WRAP board?
> > Cheers
> >
> > On 7/26/05, Rodolfo Vardelli <[EMAIL PROTECTED]> wrote:
> > > David Strout wrote:
> > >
> > > yes, It works :-)
> > > but...
> > > ssh doesn't work
> > > with 0.70.x I wasn't able to restore a saved configuration
> > > nat: outbound load balance, does it work?
> > >
> > > regards
> > >
> > > >Everyone,
> > > >
> > > >Has anyone tried the new 0.71.x WARP version on a
> > > >Soekris 4801 yet?
> > > >
> > > >If so could you provide any findings / gotchas?
> > > >
> > > >Regards,
> > > >--
> > > >David L. Strout
> > > >Engineering Systems Plus, LLC
Re: [pfSense Support] 0.71.x WARP Version
This package is no longer available via freebsd's ftp servers and we've never had a confirmation that it works so I am deactivating this package.

Scott

On 7/25/05, Giorgio Ducci <[EMAIL PROTECTED]> wrote:
> Thanks for the new WRAP version! I'm following your work very closely
> and it is great. I'm testing all the features (step by step) and I
> found that 'upnp' does not install==>Downloading package configuration
> file... done.
> Saving updated package information... done.
> Downloading upnp and its dependencies... done.
> Checking for successful package installation... failed!
>
> Installation aborted.
> That's what I get. I'm trying with other packages as well. Keep you
> informed. Has anyone the same problem with a WRAP board?
> Cheers
>
> On 7/26/05, Rodolfo Vardelli <[EMAIL PROTECTED]> wrote:
> > David Strout wrote:
> >
> > yes, It works :-)
> > but...
> > ssh doesn't work
> > with 0.70.x I wasn't able to restore a saved configuration
> > nat: outbound load balance, does it work?
> >
> > regards
> >
> > >Everyone,
> > >
> > >Has anyone tried the new 0.71.x WARP version on a
> > >Soekris 4801 yet?
> > >
> > >If so could you provide any findings / gotchas?
> > >
> > >Regards,
> > >--
> > >David L. Strout
> > >Engineering Systems Plus, LLC
Re: [pfSense Support] traffic shaper queues scheduler options
On 7/25/05, Xtian <[EMAIL PROTECTED]> wrote:
>
> Bill and Scott:
>
> Many thanks for the info and the field descriptions. Right, I was doing about
> 105KBps down (on my 1Mbps down, 384Kbps up DSL) which is everything, and then
> initiated an SSH session and latency was as high as ever. Then I looked in
> the rules and saw nothing for SSH. So I assumed it didn't know about SSH. That
> ACKs in general are prioritized makes sense. I tried to make a queue
> specifically for port 22 traffic, and wanted to elevate that above the
> default queue, and that's where I was at a loss as to what I should put in
> those schedule fields. I assumed that what Monowall handles with pipes is
> what got put into scheduler options, but I was just not grokking the logic
> behind it.

You might try creating an SSH rule and put it in a higher priority queue if you're facing ACK starvation. The only queue with higher priority than ACKs is the VOIP queues though so be warned. Also matching on port for ssh will mean that SSH bulk traffic (scp/sftp) will match and get put in the higher priority queue. You would need to do port 22 and tos lowdelay (although I'm not sure the SYN packet will set that).

--Bill
Re: [pfSense Support] 0.71.x WARP Version
Thanks for the new WRAP version! I'm following your work very closely and it is great. I'm testing all the features (step by step) and I found that 'upnp' does not install==>

Downloading package configuration file... done.
Saving updated package information... done.
Downloading upnp and its dependencies... done.
Checking for successful package installation... failed!

Installation aborted.

That's what I get. I'm trying with other packages as well. Keep you informed. Has anyone the same problem with a WRAP board?

Cheers

On 7/26/05, Rodolfo Vardelli <[EMAIL PROTECTED]> wrote:
> David Strout wrote:
>
> yes, It works :-)
> but...
> ssh doesn't work
> with 0.70.x I wasn't able to restore a saved configuration
> nat: outbound load balance, does it work?
>
> regards
>
> >Everyone,
> >
> >Has anyone tried the new 0.71.x WARP version on a
> >Soekris 4801 yet?
> >
> >If so could you provide any findings / gotchas?
> >
> >Regards,
> >--
> >David L. Strout
> >Engineering Systems Plus, LLC
[pfSense Support] snmp and mib support
Have been looking for a replacement to monitor our hosts' bandwidth behind our pfsense firewalls. I was wondering if the pf filter mib with snmp would be capable of doing this from within the state table.

Does anyone have some good ideas for this. All the information needs to come back to a central host to admin free monitoring would be great

Regards alan
Re: [pfSense Support] traffic shaper queues scheduler options
Try the ez shaper wizard and do not over commit your real bandwidth available. Over committing the bandwidth values will have huge consequences.

Scott

On 7/25/05, Xtian <[EMAIL PROTECTED]> wrote:
>
> Bill and Scott:
>
> Many thanks for the info and the field descriptions. Right, I was doing about
> 105KBps down (on my 1Mbps down, 384Kbps up DSL) which is everything, and then
> initiated an SSH session and latency was as high as ever. Then I looked in
> the rules and saw nothing for SSH. So I assumed it didn't know about SSH. That
> ACKs in general are prioritized makes sense. I tried to make a queue
> specifically for port 22 traffic, and wanted to elevate that above the
> default queue, and that's where I was at a loss as to what I should put in
> those schedule fields. I assumed that what Monowall handles with pipes is
> what got put into scheduler options, but I was just not grokking the logic
> behind it.
>
> I'm a sysadmin by trade, not a netadmin, but I try to learn, you know? ;)
>
> -Christian
>
> On Mon, 25 Jul 2005, Bill Marquette wrote:
>
> > On 7/25/05, Christian Rohrmeier <[EMAIL PROTECTED]> wrote:
> >> I haven't found that to be true. It doesn't create any rules for SSH.
> >> pfSense has a wide selection of games and P2P software that it will make
> >> rules and queues for, but not SSH, unless I overlooked something.
> >> Certainly trying to SSH whilst FTPing a large suffered from the same
> >> massive lag as always.
> >
> > SSH sets the TOS lowdelay bit on all its ACKs, so non-bulk SSH should
> > by default go into the ACK queue. Any chance you were saturating your
> > downstream with ACKs, which would force SSH and FTP to then compete
> > within the same queue?
> >
> >> I would still like to know what the 6 fields in the traffic shaper
> >> scheduler are for though!
> >
> > I'll update the code with comments, in the meantime, from the pf.conf man
> > page:
> >
> >      The hfsc scheduler supports some additional options:
> >
> >      realtime _sc_
> >            The minimum required bandwidth for the queue.
> >
> >      upperlimit _sc_
> >            The maximum allowed bandwidth for the queue.
> >
> >      linkshare _sc_
> >            The bandwidth share of a backlogged queue.
> >
> >      _sc_ is an acronym for service curve.
> >
> >      The format for service curve specifications is (m1, d, m2). m2 controls
> >      the bandwidth assigned to the queue. m1 and d are optional and can be
> >      used to control the initial bandwidth assignment. For the first d
> >      milliseconds the queue gets the bandwidth given as m1, afterwards the
> >      value given in m2.
> >
> > The boxes correspond to m1, d, m2 in that order (except m1 and d are
> > not optional with pfsense).
> >
> > --Bill
>
> --
> devo dot com - "Where the future is only a memory."
Re: [pfSense Support] traffic shaper queues scheduler options
Bill and Scott:

Many thanks for the info and the field descriptions. Right, I was doing about 105KBps down (on my 1Mbps down, 384Kbps up DSL) which is everything, and then initiated an SSH session and latency was as high as ever. Then I looked in the rules and saw nothing for SSH. So I assumed it didn't know about SSH. That ACKs in general are prioritized makes sense. I tried to make a queue specifically for port 22 traffic, and wanted to elevate that above the default queue, and that's where I was at a loss as to what I should put in those schedule fields. I assumed that what Monowall handles with pipes is what got put into scheduler options, but I was just not grokking the logic behind it.

I'm a sysadmin by trade, not a netadmin, but I try to learn, you know? ;)

-Christian

On Mon, 25 Jul 2005, Bill Marquette wrote:

> On 7/25/05, Christian Rohrmeier <[EMAIL PROTECTED]> wrote:
>> I haven't found that to be true. It doesn't create any rules for SSH.
>> pfSense has a wide selection of games and P2P software that it will make
>> rules and queues for, but not SSH, unless I overlooked something.
>> Certainly trying to SSH whilst FTPing a large suffered from the same
>> massive lag as always.
>
> SSH sets the TOS lowdelay bit on all its ACKs, so non-bulk SSH should
> by default go into the ACK queue. Any chance you were saturating your
> downstream with ACKs, which would force SSH and FTP to then compete
> within the same queue?
>
>> I would still like to know what the 6 fields in the traffic shaper
>> scheduler are for though!
>
> I'll update the code with comments, in the meantime, from the pf.conf man
> page:
>
>      The hfsc scheduler supports some additional options:
>
>      realtime _sc_
>            The minimum required bandwidth for the queue.
>
>      upperlimit _sc_
>            The maximum allowed bandwidth for the queue.
>
>      linkshare _sc_
>            The bandwidth share of a backlogged queue.
>
>      _sc_ is an acronym for service curve.
>
>      The format for service curve specifications is (m1, d, m2). m2 controls
>      the bandwidth assigned to the queue. m1 and d are optional and can be
>      used to control the initial bandwidth assignment. For the first d
>      milliseconds the queue gets the bandwidth given as m1, afterwards the
>      value given in m2.
>
> The boxes correspond to m1, d, m2 in that order (except m1 and d are
> not optional with pfsense).
>
> --Bill

--
devo dot com - "Where the future is only a memory."
Re: [pfSense Support] squid diskd 70.10
I will look into using the sysctl.conf infrastructure that we have. I have a feeling that some of these values need to be passed from the boot loader, however. We'll see.

Scott

On 7/25/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
> Uhhh, what's that gonna do to the rest of us that don't use squid? Is
> this going to make the kernel use more memory?
>
> --Bill
>
> On 7/24/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > Alright, I'll recompile the kernel with:
> >
> > options MSGMNB=8192 # max # of bytes in a queue
> > options MSGMNI=40 # number of message queue identifiers
> > options MSGSEG=512 # number of message segments per queue
> > options MSGSSZ=64 # size of a message segment
> > options MSGTQL=2048 # max messages in system
> >
> > Any objections? Speak now or forever have a modified kernel pfSense users!
> >
> > Scott
> >
> > On 7/24/05, Bachman Kharazmi <[EMAIL PROTECTED]> wrote:
> > > from what I can read in the squid faq your kernel needs to get rebuilt.
> > >
> > > http://www.squid-cache.org/Doc/FAQ/FAQ-22.html#ss22.6
> > > "The messages between Squid and diskd are 32 bytes for 32-bit CPUs and
> > > 40 bytes for 64-bit CPUs. Thus, MSGSSZ should be 32 or greater. You
> > > may want to set it to a larger value, just to be safe."
> > >
> > > your value is set to kern.ipc.msgssz: 8 which is way too low.
> > >
> > > please read http://ezine.daemonnews.org/200209/squid.html that also
> > > gives good suggestions
> > >
> > > gl
> > > /bk
> > >
> > > On 7/24/05, William David Armstrong <[EMAIL PROTECTED]> wrote:
> > > > I have upgrade 70.8 to 70.10 and I get this error try using a diskd in
> > > > squid
> > > > a squid try restart but continues not work.
> > > >
> > > > I version 70.8 diskd work ok. not get any this errors, I try in a
> > > > another machine.
> > > >
> > > > I believe is a diskd options is not include or not correct configured in
> > > > kernel.
> > > >
> > > > option MSGMNI=41
> > > > option MSGMNB=16384
> > > > option MSGSEG=2049
> > > > option MSGSSZ=64
> > > > option MSGTQL=512
> > > > option MHMSEG=16
> > > > option MHMMNI=32
> > > > option MHMMAX=2097152
> > > > option SHMALL=4096
> > > > option MAXFILES=8192
> > > > option NMBCLUSTERS=32768
> > > >
> > > > I found this in a 70.10
> > > >
> > > > $ sysctl -a
> > > >
> > > > kern.ipc.msgmni: 40
> > > > kern.ipc.msgmnb: 2048
> > > > kern.ipc.msgseg: 2048
> > > > kern.ipc.msgssz: 8
> > > > kern.ipc.msgtql: 40
> > > > MHMSEG not found
> > > > MHMMNI not found
> > > > MHMMAX not found
> > > > kern.ipc.shmall: 8192
> > > > kern.maxfiles: 16384
> > > > kern.maxfilesperproc: 16384
> > > > kern.ipc.nmbclusters: 4800
> > > >
> > > > it's confirm ???
> > > >
> > > > I send a log of errors
> > > >
> > > > $cat /usr/loca/suiqd/log/cache.log
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > > 2005/07/24 03:54:07| assertion failed: diskd/store_io_diskd.c:494: "++send_errors < 100"
> > > > 2005/07/24 03:54:10| Starting Squid Cache version 2.5.STABLE10 for i386-portbld-freebsd6.0...
> > > > 2005/07/24 03:54:10| Process ID 2670
> > > > 2005/07/24 03:54:10| With 1735 file descriptors available
> > > > 2005/07/24 03:54:10| DNS Socket created at 0.0.0.0, port 60294, FD 7
> > > > 2005/07/24 03:54:10| Adding nameserver
Re: [pfSense Support] 0.71.x WARP Version
David Strout wrote:

yes, It works :-)
but...
ssh doesn't work
with 0.70.x I wasn't able to restore a saved configuration
nat: outbound load balance, does it work?

regards

>Everyone,
>
>Has anyone tried the new 0.71.x WARP version on a
>Soekris 4801 yet?
>
>If so could you provide any findings / gotchas?
>
>Regards,
>--
>David L. Strout
>Engineering Systems Plus, LLC
[pfSense Support] 0.71.x WARP Version
Everyone,

Has anyone tried the new 0.71.x WARP version on a Soekris 4801 yet?

If so could you provide any findings / gotchas?

Regards,
--
David L. Strout
Engineering Systems Plus, LLC
Re: [pfSense Support] Bridge filtering
I believe 5.4 requires the if_bridge patch.

Scott

On 7/25/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> ...Thank you very much!
> And just for curiosity.. does FreeBSD 5.4 need it?
>
> On 7/25/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > On 7/25/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> > > Hi to all.
> > > I am working on a solution to change the bridge part of pfSense, to add the
> > > ability of bridge together LAN and WAN interface.
> > > To better understand the process, and also because I am very curious, I am
> > > trying to build "from scratch": not all the pfSense system, but at least the
> > > bridging part...
> > > Have I to apply a patch to the kernel source, in order to be able to do
> > > packet filtering with PF? I googled a bit, and I found old posts (2004) about
> > > a patch to be applied to FreeBSD 5.3, in order to do that..
> > > Someone out there could give me more infos? Links?
> >
> > No, it's built into FreeBSD 6. There are no patches to apply.
> >
> > Scott
Re: [pfSense Support] Bridge filtering
...Thank you very much!
And just for curiosity.. does FreeBSD 5.4 need it?

On 7/25/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 7/25/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> > Hi to all.
> > I am working on a solution to change the bridge part of pfSense, to add the
> > ability of bridge together LAN and WAN interface.
> > To better understand the process, and also because I am very curious, I am
> > trying to build "from scratch": not all the pfSense system, but at least the
> > bridging part...
> > Have I to apply a patch to the kernel source, in order to be able to do
> > packet filtering with PF? I googled a bit, and I found old posts (2004) about
> > a patch to be applied to FreeBSD 5.3, in order to do that..
> > Someone out there could give me more infos? Links?
>
> No, it's built into FreeBSD 6. There are no patches to apply.
>
> Scott
Re: [pfSense Support] Bridge filtering
On 7/25/05, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
> Hi to all.
> I am working on a solution to change the bridge part of pfSense, to add the
> ability of bridge together LAN and WAN interface.
> To better understand the process, and also because I am very curious, I am
> trying to build "from scratch": not all the pfSense system, but at least the
> bridging part...
> Have I to apply a patch to the kernel source, in order to be able to do
> packet filtering with PF? I googled a bit, and I found old posts (2004) about
> a patch to be applied to FreeBSD 5.3, in order to do that..
> Someone out there could give me more infos? Links?

No, it's built into FreeBSD 6. There are no patches to apply.

Scott
[pfSense Support] Bridge filtering
Hi to all.

I am working on a solution to change the bridge part of pfSense, to add the ability of bridge together LAN and WAN interface.

To better understand the process, and also because I am very curious, I am trying to build "from scratch": not all the pfSense system, but at least the bridging part...

Have I to apply a patch to the kernel source, in order to be able to do packet filtering with PF? I googled a bit, and I found old posts (2004) about a patch to be applied to FreeBSD 5.3, in order to do that..

Someone out there could give me more infos? Links?

TIA
Tom
Re: [pfSense Support] traffic shaper queues scheduler options
On 7/25/05, Christian Rohrmeier <[EMAIL PROTECTED]> wrote:
> I haven't found that to be true. It doesn't create any rules for SSH.
> pfSense has a wide selection of games and P2P software that it will make
> rules and queues for, but not SSH, unless I overlooked something.
> Certainly trying to SSH whilst FTPing a large suffered from the same
> massive lag as always.

SSH sets the TOS lowdelay bit on all its ACKs, so non-bulk SSH should by default go into the ACK queue. Any chance you were saturating your downstream with ACKs, which would force SSH and FTP to then compete within the same queue?

> I would still like to know what the 6 fields in the traffic shaper
> scheduler are for though!

I'll update the code with comments, in the meantime, from the pf.conf man page:

     The hfsc scheduler supports some additional options:

     realtime _sc_
           The minimum required bandwidth for the queue.

     upperlimit _sc_
           The maximum allowed bandwidth for the queue.

     linkshare _sc_
           The bandwidth share of a backlogged queue.

     _sc_ is an acronym for service curve.

     The format for service curve specifications is (m1, d, m2). m2 controls
     the bandwidth assigned to the queue. m1 and d are optional and can be
     used to control the initial bandwidth assignment. For the first d
     milliseconds the queue gets the bandwidth given as m1, afterwards the
     value given in m2.

The boxes correspond to m1, d, m2 in that order (except m1 and d are not optional with pfsense).

--Bill
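The pf.conf fragment below is an added example, not taken from the thread or from pfSense's generated ruleset. It shows the (m1, d, m2) service curve from the man page excerpt above together with the port 22 and TOS lowdelay matching raised elsewhere in this thread, in pf's ALTQ syntax; the interface name, queue names and all bandwidth figures are assumptions.

```pf
# Added example. Interface, queue names and percentages are assumptions,
# sized for the 384Kbps DSL uplink mentioned in the thread.
ext_if = "fxp0"

altq on $ext_if hfsc bandwidth 384Kb queue { qDefault, qAck, qInteractive }

# No service curve given: the queue's bandwidth value is its link share.
queue qDefault     bandwidth 60% hfsc(default)

# realtime with a single value sets m2 only: a constant guaranteed minimum.
queue qAck         bandwidth 20% hfsc(realtime 15%)

# realtime as (m1, d, m2): guaranteed 40% of the link for the first 200 ms
# that the queue is backlogged, 10% after that. A keystroke burst fits into
# the m1 window; a long transfer falls back to m2.
queue qInteractive bandwidth 20% hfsc(realtime (40%, 200, 10%))

# General TCP: payload in qDefault, empty ACKs and lowdelay packets in qAck.
pass out on $ext_if proto tcp from any to any keep state queue (qDefault, qAck)

# Port-only match, left commented out: every packet of every port 22
# connection, scp and sftp bulk data included, would get the priority queue.
# pass out on $ext_if proto tcp from any to any port 22 keep state queue qInteractive

# Two-queue form from pf.conf(5): the second queue takes packets with TOS
# lowdelay and TCP ACKs without payload, the first takes everything else.
# The queue is picked per packet, so a SYN without lowdelay does not pin
# the session to the bulk queue.
pass out on $ext_if proto tcp from any to any port 22 keep state queue (qDefault, qInteractive)
```

Running `pfctl -nf` on the file parses the ruleset without loading it.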
Re: [pfSense Support] round robin on inbound nat
On 7/25/05, alan walters <[EMAIL PROTECTED]> wrote:
> I know this discussion is going on a bit. But I was wondering
> If we really think it is practical using the method we are trying.
>
> With a basic round robin configured on the firewall. The web servers can
> be configured to use their own software to manage their own Virtual
> ipaddresses.

This complicates matters. I don't like.

> That will allow anyone to use simple or complicated setups and be os
> independent.
>
> The example would be where we use ucarp on our web servers to manage
> their Virtual IP's then if one goes down the other IP just gets migrated
> to another server.
>
> We manage this ucarp on an management network so there is no traffic on
> our dmz zone other than the required traffic.
>
> If pfsense can round robin to this vip pool then all is fine in a
> failure.
> Unless there is some flashy cunning thing that bsd can do that I am
> missing.

We will have a monitoring daemon that checks a server's heartbeat. If the server goes down for some reason it's taken out of the pf rules table that controls load balancing. It's quite simple, elegant and doesn't require more stuff running on the server that we are redirecting to.

Requiring an operator to manage another setup of virtual ip's is not necessary for this task.

Scott
Re: [pfSense Support] CARP and backup firewall
I have 2 boxes at home, both on carp. Works fine. You sure your outbound rules are setup correctly?

Scott

On 7/25/05, alan walters <[EMAIL PROTECTED]> wrote:
> On version 0.70.8 I had sync working and backup lan operational when the
> master was down.
>
> On version 0.71 the sync works great all the rules are being synchronised and
> the backup becomes master in the status of carp but??
>
> It does not seem to have a route to the internet any more.
>
> A traceroute shows it going to the backup and timing out. When the master
> comes back up the traceroute changes to the master and all is fine.
>
> Regards alan
Re: [pfSense Support] traffic shaper queues scheduler options
On 7/25/05, Christian Rohrmeier <[EMAIL PROTECTED]> wrote:
> I haven't found that to be true. It doesn't create any rules for SSH.
> pfSense has a wide selection of games and P2P software that it will make
> rules and queues for, but not SSH, unless I overlooked something.
> Certainly trying to SSH whilst FTPing a large suffered from the same
> massive lag as always.

SSH is handled by the ACK queue. Give it a try, fill up your outbound traffic by ftping a file up and try to ssh into a host. Your interactivity traffic should be snappy.

Scott
Re: [pfSense Support] traffic shaper queues scheduler options
Hi Bill,

I haven't found that to be true. It doesn't create any rules for SSH. pfSense has a wide selection of games and P2P software that it will make rules and queues for, but not SSH, unless I overlooked something. Certainly trying to SSH whilst FTPing a large suffered from the same massive lag as always.

I would still like to know what the 6 fields in the traffic shaper scheduler are for though!

Thanks,

-Christian

> Use the EZ-Shaper wizard. It will do exactly what you want.
>
> --Bill
>
> On 7/24/05, Xtian <[EMAIL PROTECTED]> wrote:
>>
>> Hi,
>>
>> I have done my best to read the FAQs, documentation, and mailing list
>> archives for both pfSense and Monowall, and have not found any
>> information on
>> this, hence I am asking here. If I overlooked something, please point me
>> to the information. Thanks!
>>
>> pfSense has no documentation for the traffic shaper. Since the traffic
>> shaper
>> is significantly different than that of Monowall's, the Monowall
>> documentation (which is also non-existent, but there is one example in
>> their
>> mailing list archives on how to prioritize ACKs) doesn't directly apply.
>>
>> Specifically, in Firewall: Shaper: Queues: Edit, what do the following
>> fields
>> or check boxes in the Scheduler options section mean:
>>
>> This is a parent queue of HFSC/CBQ
>> Upperlimit: [field] [field] [field]
>> Real time: [field] [field] [field]
>> Link share: [field] [field] [field]
>>
>> How are they to be set?
>>
>> If I were to be more specific: I wish to prioritize interactive SSH
>> traffic
>> above all else (such that FTP, bittorrent, etc., do not create such
>> massive
>> lag in my SSH sessions.)
>>
>> If you tell me about the Scheduler options I am sure I can figure it out
>> on
>> my own, but if you want I would also be glad for information specific to
>> the
>> SSH question.
>>
>> Perhaps this could be added to the pfSense documentation? Or tutorials?
>> I
>> think that besides firewalling and routing, traffic shaping must be the
>> most
>> used feature in pfSense. Documentation would be highly welcome.
>>
>> Thanks,
>>
>> -Christian
Re: [pfSense Support] RE: [pfSense-discussion] Interface help
On 7/25/05, alan walters <[EMAIL PROTECTED]> wrote:
> The virtual interface does not show up with standard ifconfig on bsd??
> Sure someone else can tell you why.

Cause it's not an IP alias on an existing interface. Virtual IPs are either just a proxy ARP or a CARP address. In the case of proxy ARP, there is a daemon running that answers the ARP requests - the OS knows nothing about the address, however all that matters is that it gets to the firewall for NAT to do its magic. In the case of CARP you could potentially get replies depending on rules (of course with a binat, those rules have to match the internal host's IP, not the external).

--Bill
Re: [pfSense Support] squid diskd 70.10
Uhhh, what's that gonna do to the rest of us that don't use squid? Is this going to make the kernel use more memory?

--Bill

On 7/24/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> Alright, I'll recompile the kernel with:
>
> options MSGMNB=8192 # max # of bytes in a queue
> options MSGMNI=40 # number of message queue identifiers
> options MSGSEG=512 # number of message segments per queue
> options MSGSSZ=64 # size of a message segment
> options MSGTQL=2048 # max messages in system
>
> Any objections? Speak now or forever have a modified kernel pfSense users!
>
> Scott
>
>
> On 7/24/05, Bachman Kharazmi <[EMAIL PROTECTED]> wrote:
> > from what I can read in the squid faq your kernel needs to get rebuilt.
> >
> > http://www.squid-cache.org/Doc/FAQ/FAQ-22.html#ss22.6
> > "The messages between Squid and diskd are 32 bytes for 32-bit CPUs and
> > 40 bytes for 64-bit CPUs. Thus, MSGSSZ should be 32 or greater. You
> > may want to set it to a larger value, just to be safe."
> >
> > your value is set to kern.ipc.msgssz: 8 which is way too low.
> >
> > please read http://ezine.daemonnews.org/200209/squid.html that also
> > gives good suggestions
> >
> > gl
> > /bk
> >
> > On 7/24/05, William David Armstrong <[EMAIL PROTECTED]> wrote:
> > > I have upgrade 70.8 to 70.10 and I get this error try using a diskd in
> > > squid
> > > a squid try restart but continues not work.
> > >
> > > In version 70.8 diskd work ok. not get any this errors, I try in a another
> > > machine.
> > >
> > > I believe is a diskd options is not include or not correct configured in
> > > kernel.
> > >
> > >
> > > option MSGMNI=41
> > > option MSGMNB=16384
> > > option MSGSEG=2049
> > > option MSGSSZ=64
> > > option MSGTQL=512
> > > option MHMSEG=16
> > > option MHMMNI=32
> > > option MHMMAX=2097152
> > > option SHMALL=4096
> > > option MAXFILES=8192
> > > option NMBCLUSTERS=32768
> > >
> > >
> > > I found this in a 70.10
> > >
> > > $ sysctl -a
> > >
> > > kern.ipc.msgmni: 40
> > > kern.ipc.msgmnb: 2048
> > > kern.ipc.msgseg: 2048
> > > kern.ipc.msgssz: 8
> > > kern.ipc.msgtql: 40
> > > MHMSEG not found
> > > MHMMNI not found
> > > MHMMAX not found
> > > kern.ipc.shmall: 8192
> > > kern.maxfiles: 16384
> > > kern.maxfilesperproc: 16384
> > > kern.ipc.nmbclusters: 4800
> > >
> > > it´s confirm ???
> > >
> > >
> > > I send a log of errors
> > >
> > > $cat /usr/loca/suiqd/log/cache.log
> > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:06| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:07| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:07| storeDiskdSend OPEN: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:07| storeDiskdSend: msgsnd: (35) Resource temporarily unavailable
> > > 2005/07/24 03:54:07| assertion failed: diskd/store_io_diskd.c:494: "++send_errors < 100"
> > > 2005/07/24 03:54:10| Starting Squid Cache version 2.5.STABLE10 for i386-portbld-freebsd6.0...
> > > 2005/07/24 03:54:10| Process ID 2670
> > > 2005/07/24 03:54:10| With 1735 file descriptors available
> > > 2005/07/24 03:54:10| DNS Socket created at 0.0.0.0, port 60294, FD 7
> > > 2005/07/24 03:54:10| Adding nameserver 201.10.120.2 from /etc/resolv.conf
> > > 2005/07/24 03:54:10| Adding nameserver 201.10.128.3 from /etc/resolv.conf
> > > 2005/07/24 03:54:10| Unlinkd pipe opened on FD 12
> > > 2005/07/24 03:54:10| Swap maxSize 307200 KB, estimated 23630 objects
> > > 2005/07/24 03:54:10| Target number of buckets: 1181
> > > 2005/07/24 03:54:10| Using 8192 Store buckets
> > > 2005/07/24 03:54:10| Max Mem size: 8192 KB
> > > 2005/07/24 03:54:10| Max Swap size: 307200 KB
> > > 2005/07/24 03:54:10| Reb
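Added example, not written by anyone in the thread: a shell check that compares `sysctl` output with the message-queue options proposed above and reports how much memory the message pool takes. The function names are made up for this example, and the pool size assumes the kernel allocates msgseg segments of msgssz bytes each for message data.

```shell
#!/bin/sh
# Added example. Reads `sysctl` output ("name: value" lines) on stdin.

# Targets: the kernel options proposed in the thread for squid's diskd.
TARGETS='kern.ipc.msgmnb=8192 kern.ipc.msgmni=40 kern.ipc.msgseg=512 kern.ipc.msgssz=64 kern.ipc.msgtql=2048'

# check_msg_limits: print "LOW name current target" for each limit below its
# target and "MISSING name" for each limit absent from the input.
check_msg_limits() {
    awk -v targets="$TARGETS" '
        BEGIN {
            n = split(targets, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                order[i] = kv[1]
                want[kv[1]] = kv[2] + 0
            }
        }
        /^kern\.ipc\.msg/ {
            name = $1
            sub(/:$/, "", name)      # sysctl prints "name: value"
            have[name] = $2 + 0
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) print "MISSING", k
                else if (have[k] < want[k]) print "LOW", k, have[k], want[k]
            }
        }'
}

# msg_pool_bytes: bytes reserved for message data, assuming the kernel
# allocates msgseg segments of msgssz bytes each.
msg_pool_bytes() {
    awk '
        /^kern\.ipc\.msgseg:/ { seg = $2 }
        /^kern\.ipc\.msgssz:/ { ssz = $2 }
        END { print seg * ssz }'
}

# Values reported for 0.70.10 in the quoted message above.
SAMPLE='kern.ipc.msgmni: 40
kern.ipc.msgmnb: 2048
kern.ipc.msgseg: 2048
kern.ipc.msgssz: 8
kern.ipc.msgtql: 40'

printf '%s\n' "$SAMPLE" | check_msg_limits
printf 'message pool: %s bytes\n' "$(printf '%s\n' "$SAMPLE" | msg_pool_bytes)"
```

On a live system, pipe `sysctl kern.ipc` into `check_msg_limits` instead of the sample.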
Re: [pfSense Support] traffic shaper queues scheduler options
Use the EZ-Shaper wizard. It will do exactly what you want.

--Bill

On 7/24/05, Xtian <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I have done my best to read the FAQs, documentation, and mailing list
> archives for both pfSense and Monowall, and have not found any information on
> this, hence I am asking here. If I overlooked something, please point me
> to the information. Thanks!
>
> pfSense has no documentation for the traffic shaper. Since the traffic shaper
> is significantly different than that of Monowall's, the Monowall
> documentation (which is also non-existent, but there is one example in their
> mailing list archives on how to prioritize ACKs) doesn't directly apply.
>
> Specifically, in Firewall: Shaper: Queues: Edit, what do the following fields
> or check boxes in the Scheduler options section mean:
>
> This is a parent queue of HFSC/CBQ
> Upperlimit: [field] [field] [field]
> Real time: [field] [field] [field]
> Link share: [field] [field] [field]
>
> How are they to be set?
>
> If I were to be more specific: I wish to prioritize interactive SSH traffic
> above all else (such that FTP, bittorrent, etc., do not create such massive
> lag in my SSH sessions.)
>
> If you tell me about the Scheduler options I am sure I can figure it out on
> my own, but if you want I would also be glad for information specific to the
> SSH question.
>
> Perhaps this could be added to the pfSense documentation? Or tutorials? I
> think that besides firewalling and routing, traffic shaping must be the most
> used feature in pfSense. Documentation would be highly welcome.
>
> Thanks,
>
> -Christian
[pfSense Support] CARP and backup firewall
On version 0.70.8 I had sync working and backup lan operational when the master was down.

On version 0.71 the sync works great all the rules are being synchronised and the backup becomes master in the status of carp but?? It does not seem to have a route to the internet any more.

A traceroute shows it going to the backup and timing out. When the master comes back up the traceroute changes to the master and all is fine.

Regards
alan
[pfSense Support] RE: [pfSense-discussion] Interface help
Yep it does normally.

After doing what you have done. Ie
VIP proxy ARP
1 to 1 NAT

Have you made a rule to allow access to the host inside the 1 to 1 nat

Ie
Allow all source to destination 'local IP address' 'the port of your choice'

This is different from linux in that you need to add the allow to the host that is inside the nat.

Ie
Allow all source to 192.168.1.2 port 80

Where your 1 to 1 nat is
External ip NAT to 192.168.1.2

alan

-----Original Message-----
From: Kim C. Callis [mailto:[EMAIL PROTECTED]
Sent: 25 July 2005 10:17
To: alan walters
Cc: discussion@pfsense.com
Subject: Re: [pfSense-discussion] Interface help

The only thing that I would like is that I can allocate one of our public IP address for use in a 1:1 NAT between the public IP and one of our hosts on the LAN... I thought by setting up a VIP and then doing a 1:1 this would work correctly..

On 7/25/05, alan walters <[EMAIL PROTECTED]> wrote:
> The virtual interface does not show up with standard ifconfig on bsd??
> Sure someone else can tell you why.
>
> If you have a rule to allow to the virtual interface on ICMP and you get
> a reply then where is the problem.???
>
> I was under the understanding that when you use 1 to 1 nat you don't
> need all the VIP stuff. But anyway??
>
> Where are you at now trying to get port forwarding working?
> For example to a http service or something??
>
> -----Original Message-----
> From: Kim C. Callis [mailto:[EMAIL PROTECTED]
> Sent: 25 July 2005 09:53
> To: alan walters; discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Interface help
>
> I have added the virtual interface, I used proxy arp on it. ICMP
> is working, or at the very least I can ping the router externally. But
> I don't see any virtual interface when I do an ifconfig, nor can I
> ping the virtual interface...
>
> On 7/25/05, alan walters <[EMAIL PROTECTED]> wrote:
> > When you set up the virtual IP use the proxy arp setting it is easier
> >
> > -----Original Message-----
> > From: Kim C. Callis [mailto:[EMAIL PROTECTED]
> > Sent: 25 July 2005 08:57
> > To: analyzerx
> > Cc: discussion@pfsense.com
> > Subject: Re: [pfSense-discussion] Interface help
> >
> > Also, wouldn't I be able to see the virtual interface when I do a
> > ifconfig?
> >
> > On 7/25/05, Kim C. Callis <[EMAIL PROTECTED]> wrote:
> > > That is what I did.. I added the virtual interface... Then I went to
> > > go ping it and was unable to get any response...
> > >
> > > On 7/25/05, analyzerx <[EMAIL PROTECTED]> wrote:
> > > > Create a virtual IP on your wan and then set a 1:1 NAT for your LAN?
> > > >
> > > > :/ seems pretty straight forward unless I'm still dreaming! :P (just woke
> > > > up) - hehe!
> > > >
> > > >
> > > > On 7/25/05, Kim C. Callis <[EMAIL PROTECTED]> wrote:
> > > > > To have a public IP address that is 200.xx.xx.xx/28 which provides me
> > > > > with 14 public address. Prior to the switch I was using IPCop and
> > > > > assigning public address on a virtual interface on the WAN interface.
> > > > >
> > > > > Is there some way that I can do the same on pfsense? For instance, my
> > > > > WAN interface is 200.xx.xx.66. I need to add a public address of
> > > > > 200.xx.xx.68 and also allow for a full NAT forwarding to a host on my
> > > > > LAN 192.168.xx.xx.
> > > > >
> > > > > So how would I go about doing that? I would rather be able to add a
> > > > > virtual interface on the router. I can also add a physical interface
> > > > > if that will work better. Any pointers would be greatly appreciated!
> > > > >
> > > > > --
> > > > > When It Absolutely, Positively has to be Destroyed Overnight!!!
> > > > >
> > > > > 1-(800) MARINES
> > > > > ___
> > > > > Kim C. Callis
> > > > > [EMAIL PROTECTED]
> > >
> > > --
> > > When It Absolutely, Positively has to be Destroyed Overnight!!!
> > >
> > > 1-(800) MARINES
> > > ___
> > > Kim C. Callis
> > > [EMAIL PROTECTED]
> >
> > --
> > When It Absolutely, Positively has to be Destroyed Overnight!!!
> >
> > 1-(800) MARINES
> > ___
> > Kim C. Callis
> > [EMAIL PROTECTED]
>
> --
> When It Absolutely, Positively has to be Destroyed Overnight!!!
>
> 1-(800) MARINES
> ___
> Kim C. Callis
> [EMAIL PROTECTED]

--
When It Absolutely, Positively has to be Destroyed Overnight!!!

1-(800) MARINES
___
Kim C. Callis
[EMAIL PROTECTED]
[pfSense Support] RE: [pfSense-discussion] Interface help
The virtual interface does not show up with standard ifconfig on bsd?? Sure someone else can tell you why.

If you have a rule to allow to the virtual interface on ICMP and you get a reply then where is the problem.???

I was under the understanding that when you use 1 to 1 nat you don't need all the VIP stuff. But anyway??

Where are you at now trying to get port forwarding working? For example to a http service or something??

-----Original Message-----
From: Kim C. Callis [mailto:[EMAIL PROTECTED]
Sent: 25 July 2005 09:53
To: alan walters; discussion@pfsense.com
Subject: Re: [pfSense-discussion] Interface help

I have added the virtual interface, I used proxy arp on it. ICMP is working, or at the very least I can ping the router externally. But I don't see any virtual interface when I do an ifconfig, nor can I ping the virtual interface...

On 7/25/05, alan walters <[EMAIL PROTECTED]> wrote:
> When you set up the virtual IP use the proxy arp setting it is easier
>
> -----Original Message-----
> From: Kim C. Callis [mailto:[EMAIL PROTECTED]
> Sent: 25 July 2005 08:57
> To: analyzerx
> Cc: discussion@pfsense.com
> Subject: Re: [pfSense-discussion] Interface help
>
> Also, wouldn't I be able to see the virtual interface when I do a
> ifconfig?
>
> On 7/25/05, Kim C. Callis <[EMAIL PROTECTED]> wrote:
> > That is what I did.. I added the virtual interface... Then I went to
> > go ping it and was unable to get any response...
> >
> > On 7/25/05, analyzerx <[EMAIL PROTECTED]> wrote:
> > > Create a virtual IP on your wan and then set a 1:1 NAT for your LAN?
> > >
> > > :/ seems pretty straight forward unless I'm still dreaming! :P (just woke
> > > up) - hehe!
> > >
> > >
> > > On 7/25/05, Kim C. Callis <[EMAIL PROTECTED]> wrote:
> > > > To have a public IP address that is 200.xx.xx.xx/28 which provides me
> > > > with 14 public address. Prior to the switch I was using IPCop and
> > > > assigning public address on a virtual interface on the WAN interface.
> > > >
> > > > Is there some way that I can do the same on pfsense? For instance, my
> > > > WAN interface is 200.xx.xx.66. I need to add a public address of
> > > > 200.xx.xx.68 and also allow for a full NAT forwarding to a host on my
> > > > LAN 192.168.xx.xx.
> > > >
> > > > So how would I go about doing that? I would rather be able to add a
> > > > virtual interface on the router. I can also add a physical interface
> > > > if that will work better. Any pointers would be greatly appreciated!
> > > >
> > > > --
> > > > When It Absolutely, Positively has to be Destroyed Overnight!!!
> > > >
> > > > 1-(800) MARINES
> > > > ___
> > > > Kim C. Callis
> > > > [EMAIL PROTECTED]
> >
> > --
> > When It Absolutely, Positively has to be Destroyed Overnight!!!
> >
> > 1-(800) MARINES
> > ___
> > Kim C. Callis
> > [EMAIL PROTECTED]
>
> --
> When It Absolutely, Positively has to be Destroyed Overnight!!!
>
> 1-(800) MARINES
> ___
> Kim C. Callis
> [EMAIL PROTECTED]

--
When It Absolutely, Positively has to be Destroyed Overnight!!!

1-(800) MARINES
___
Kim C. Callis
[EMAIL PROTECTED]
RE: [pfSense Support] round robin on inbound nat
I know this discussion is going on a bit. But I was wondering if we really think it is practical using the method we are trying.

With a basic round robin configured on the firewall, the web servers can be configured to use their own software to manage their own virtual IP addresses. That will allow anyone to use simple or complicated setups and be OS independent.

The example would be where we use ucarp on our web servers to manage their virtual IPs, then if one goes down the other IP just gets migrated to another server. We manage this ucarp on a management network so there is no traffic on our dmz zone other than the required traffic.

If pfsense can round robin to this vip pool then all is fine in a failure.

Unless there is some flashy cunning thing that bsd can do that I am missing. ???

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: 22 July 2005 17:03
To: alan walters
Cc: Bill Marquette; support@pfsense.com
Subject: Re: FW: [pfSense Support] round robin on inbound nat

That's fine and all but what if you lose a web server? We're currently working on what you have here in addition to a monitoring daemon which will remove servers from a pool if it stops answering requests.

Scott

On 7/22/05, alan walters <[EMAIL PROTECTED]> wrote:
> Sorry that was an accident. Did not mean to send it
>
> -----Original Message-----
> From: alan walters
> Sent: 22 July 2005 15:11
> To: 'Bill Marquette'; Scott Ullrich
> Cc: support@pfsense.com
> Subject: RE: [pfSense Support] round robin on inbound nat
>
> I have done some testing today with inbound NAT and carp
> And round robin load balancing to test web servers.
>
> I added the following and it seems to work fine on bsd.
>
>
> Following presumptions
> #
> rl1= wan
> 192.168.2.2 = carp virtual ip
>
> Below was the test.
> ##
>
> ## Added an alias of two ip addresses
>
> webservers = "{ 192.168.1.2/32 192.168.1.3/32 }"
>
> # added to following rdr rule
>
> rdr on rl1 proto tcp from any to 192.168.2.2 port 80 -> $webservers port 80 round-robin sticky-address
>
> # added also the following pass rule
>
> pass in quick on $wan proto tcp from any to { 192.168.1.2/32 192.168.1.3/32 } port = 80 flags S/SA keep state queue (qWANdef, qWANacks) label "USER_RULE: NAT http test"
>
>
> -----Original Message-----
> From: Bill Marquette [mailto:[EMAIL PROTECTED]
> Sent: 22 July 2005 06:16
> To: Scott Ullrich
> Cc: alan walters; support@pfsense.com
> Subject: Re: [pfSense Support] round robin on inbound nat
>
> On 7/21/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > Use carp with the arp load balancing feature. Technically it should
> > sync across there but there is an outstanding bug with XMLRPC that
> > we're looking at.
> >
> > Scott
>
> Wrong feature :) CARP's arp load balancing will only load balance
> inbound to the firewall (if setup correctly) from a directly connected
> network. What alan wants (if I understand correctly) is the ability
> to put two (or more) servers on a port forward rule. That's part of
> the load balancing code I'm working on - not ready yet :) Try again
> after Aug 7th.
>
> --Bill
>
> > On 7/21/05, alan walters <[EMAIL PROTECTED]> wrote:
> > >
> > > I would like to try and test an inbound round robin to our test web servers.
> > >
> > > Would it be possible to put a shell command in to do this.
> > >
> > > If so would this sync across a carp array.
> > >
> > > Look forward to your replies