Re: [pfSense Support] Suggested mini-itx solutions?
Hi All,

On 5/10/06, I wrote: Again my assumption is that increasing the number of connections is going to increase the CPU usage which will in turn decrease the max throughput. Is this incorrect?

Just as an update. I tried out a WRAP box (1C-2) with my connection (15/2 PPPoE). Running 2 fast torrents (CentOS 4.3 DVD and CD sets) I was able to max out at around 1.6MB/s, which I think is about as fast as I can hope for with my connection. Unfortunately this only lasted for under 5 minutes, at which point the router rebooted itself. The CPU utilization was pegged at 99% interrupt handling and the load was somewhere in the 1X range. Switching over to polling mode caused the throughput to drop to the 500KB/s range, which I thought was kind of odd. This is all with Beta 4.

So it looks like the WRAP box isn't quite fast enough to be able to handle high throughput with multiple connections (in this case it was 100 connections, so not a huge number). I think I'm going to bite the bullet and grab a mini-ITX setup. I've been doing some research and it looks like the just-released C7-based Phylon series from logicsupply.com seems to be a good deal. Looks like $340 for a case, motherboard and 3-port gigabit. The mini-box.com M200 is a bit cheaper but comes with an older, slower CPU and doesn't have gigabit ports (though I think that Phylon board would work on it).

-- Paul Haddad ([EMAIL PROTECTED] [EMAIL PROTECTED])

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Suggested mini-itx solutions?
On 5/14/06, Holger Bauer [EMAIL PROTECTED] wrote: Sounds like a heat issue to me. What happens if you remove the top case so the heat can go away?

I didn't have the top case on at all. Is there some way to tell exactly why it crashed?

-- Paul Haddad ([EMAIL PROTECTED] [EMAIL PROTECTED])
RE: [pfSense Support] Suggested mini-itx solutions?
The CPU of the WRAP has a thermal sensor integrated that can shut it down. I guess that this triggered the reboot. Maybe it needs active cooling or at least a passive cooler to get rid of the heat. Try to measure the temperature when doing the test again.

-----Original Message----- From: Paul Haddad Sent: Sunday, May 14, 2006 9:07 PM To: support@pfsense.com Subject: Re: [pfSense Support] Suggested mini-itx solutions?
Re: [pfSense Support] Beta 4 boot fails with quad ethernet
I have a theory. I was able to install this card on a different system and it worked. It could be related to BIOS settings. Unfortunately, I have to install a video card to check the BIOS.

Park

On May 13, 2006, at 12:55 AM, [EMAIL PROTECTED] wrote:

I installed Beta4 - Embedded and booted. System comes up with the 2 interfaces on the motherboard (fxp). When I add a PCI quad ethernet card, it fails. Tried 2 models:

Model 1: 64-bit PCI Intel chipset with DEC 21154-AB chip.
Model 2: 32-bit PCI (Adaptec) with DEC 21140-AF chip

Single 32-bit PCI Linksys card (LNE100TX ver 4.1 chipset) works fine.

Boot text of failure is as follows:
---
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved.
FreeBSD 6.1-RELEASE #0: Tue May 9 21:00:55 UTC 2006 [EMAIL PROTECTED]:/usr/obj.pfSense/usr/src/sys/pfSense_wrap.6
Timecounter i8254 frequency 1193182 Hz quality 0
CPU: Intel Pentium III (1000.40-MHz 686-class CPU)
Origin = GenuineIntel Id = 0x68a Stepping = 10
Features=0x387fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,PN,MMX,FXSR,SSE>
real memory = 671088640 (640 MB)
avail memory = 647553024 (617 MB)
wlan: mac acl policy registered
ath_hal: 0.9.16.16 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
cpu0 on motherboard
pcib0: Host to PCI bridge pcibus 0 on motherboard
pir0: PCI Interrupt Routing Table: 8 Entries on motherboard
pci0: PCI bus on pcib0
pcib1: PCI-PCI bridge at device 1.0 on pci0
pci1: PCI bus on pcib1
pci1: base peripheral, interrupt controller at device 0.0 (no driver attached)
pcib2: PCIBIOS PCI-PCI bridge at device 1.0 on pci1
pci2: PCI bus on pcib2
pcib3: PCI-PCI bridge at device 8.0 on pci2
pci3: PCI bus on pcib3
fxp0: Intel 82558 Pro/100 Ethernet port 0xcc00-0xcc1f mem 0xde0ff000-0xde0f,0xdf40-0xdf4f irq 14 at device 0.0 on pci3
miibus0: MII bus on fxp0
inphy0: i82555 10/100 media interface on miibus0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:e0:b6:00:33:18
fxp1: Intel 82558 Pro/100 Ethernet port 0xc800-0xc81f mem 0xde0fe000-0xde0fefff,0xdf20-0xdf2f irq 14 at device 1.0 on pci3
miibus1: MII bus on fxp1
inphy1: i82555 10/100 media interface on miibus1
inphy1: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: Ethernet address: 00:e0:b6:00:33:19
fxp2: Intel 82558 Pro/100 Ethernet port 0xc400-0xc41f mem 0xde0fd000-0xde0fdfff,0xdf00-0xdf0f irq 14 at device 2.0 on pci3
miibus2: MII bus on fxp2
inphy2: i82555 10/100 media interface on miibus2
inphy2: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp2: Ethernet address: 00:e0:b6:00:33:1a
fxp3: Intel 82558 Pro/100 Ethernet port 0xc000-0xc01f mem 0xde0fc000-0xde0fcfff,0xdee0-0xdeef irq 14 at device 3.0 on pci3
miibus3: MII bus on fxp3
inphy3: i82555 10/100 media interface on miibus3
inphy3: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp3: Ethernet address: 00:e0:b6:00:33:1b
fxp4: Intel 82559 Pro/100 Ethernet port 0xec00-0xec3f mem 0xd000-0xdfff,0xdfe0-0xdfef irq 10 at device 10.0 on pci0
miibus4: MII bus on fxp4
inphy4: i82555 10/100 media interface on miibus4
inphy4: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp4: Ethernet address: 00:a0:f8:54:01:ef
fxp5: Intel 82559 Pro/100 Ethernet port 0xe800-0xe83f mem 0xdfffe000-0xdfffefff,0xdfc0-0xdfcf irq 11 at device 11.0 on pci0
miibus5: MII bus on fxp5
inphy5: i82555 10/100 media interface on miibus5
inphy5: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp5: Ethernet address: 00:a0:f8:54:01:f0
isab0: PCI-ISA bridge at device 17.0 on pci0
isa0: ISA bus on isab0
atapci0: VIA 8233 UDMA100 controller port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 17.1 on pci0
ata0: ATA channel 0 on atapci0
ata1: ATA channel 1 on atapci0
uhci0: VIA 83C572 USB controller port 0xe400-0xe41f irq 11 at device 17.2 on pci0
uhci0: [GIANT-LOCKED]
usb0: VIA 83C572 USB controller on uhci0
usb0: USB revision 1.0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pmtimer0 on isa0
orm0: ISA Option ROMs at iomem 0xc8000-0xc97ff,0xc9800-0xcafff,0xcb000-0xcc7ff,0xcc800-0xcdfff,0xce000-0xcf7ff,0xcf800-0xd0fff on isa0
ppc0: parallel port not found.
sio0 at port 0x3f8-0x3ff irq 4 flags 0x30 on isa0
sio0: type 16550A, console
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
unknown: PNP0c01 can't assign resources (memory)
speaker0: PC speaker at port 0x61 on isa0
unknown: PNP0501 can't assign resources (port)
RTC BIOS diagnostic error 40<ROM_cksum>
Timecounter TSC frequency 1000395084 Hz quality 800
Timecounters tick every 10.000 msec
Fast IPsec: Initialized Security Association Processing.
Trying to mount root from ufs:/dev/ufs/pfSense
Manual root filesystem
Re: [pfSense Support] Justifications for going with pfsense over Cisco Router or PIX, Sonicwall etc?
Well for me... I have commit access to pfSense, I don't for Sonic or Cisco ;-P

For everyone else...

1. Good luck getting a quick patch for a small bug from Cisco - personal experience tells me that unless it's a sev 1 (network down) AND you have a good support contract with them, you won't get anyone that cares. And when you do, they'll insist on having you log in to equipment that won't power up, to run show tech, when the problem is that it's dead. *sigh*.
2. Runs on common hardware which I can get MUCH less expensive support contracts on (a gigabit-capable cluster for $10K, try that with Cisco).
3. Great mailing list support from the developers themselves - it'll take you weeks to talk to a Cisco developer and even then, they don't know what they're doing half the time (maintenance coder vs. developer).
4. I don't like the color blue, red is much more appealing (ever wonder why I work on pfSense, not m0n0? ;-P)

Now... why would I not choose pfSense? Where's the expensive support contract that will make my boss happy that I can theoretically get someone any time of day (that I may or may not be able to understand) and ask them a question that they may or may not be able to answer? Yeah, we don't have one of those, we suck. I can't hire anyone that's spent gobs of money on a certification (that means they know what color the firewall is) to give me warm fuzzies, I actually have to hire people with a brain that I'll have to pay more for and actually get something for my money.

--Bill

---
With Open Source, the developer, the help desk, and the salesman is you.

On 5/14/06, Wesley K. Joyce [EMAIL PROTECTED] wrote: What are the general business and technical cases to go with pfsense over turn key appliances like Cisco or Sonicwall etc? Thanks
Re: [pfSense Support] Justifications for going with pfsense over Cisco Router or PIX, Sonicwall etc?
Not to seem repetitive, but if you are making a real business case to your management (which I have been called upon to do several times as a network security consultant):

1. The initial capital cost of pfSense on off-the-shelf hardware is far lower than that of commercial products.
2. Operational costs are lower due to reduced complexity.
3. Minimal specialized training is required. If the support staff that manage the firewalls are the same as those who manage UNIX-based servers, there will be no cost of training.
4. I have found that it is most palatable to management and corporate culture when pfSense is recommended in support of a heterogeneous security platform environment, generally at the perimeter. More complex business rules are applied using other firewall products/technologies internally.

Myths:
- Support is better if you are paying for it. If you articulate your problem with an open-source product in the right forums, the community with experience with the product, including most developers, will make a serious effort to help you. They are significantly invested in the products, as I am.
- Threatening vendors like Cisco or Checkpoint to dump their product will make them come around to giving you the level of support you require. I watched one of my clients spend $80K to install competitor products in view of Nokia Checkpoint to get them to resolve a VRRP problem. Needless to say, the vendors were unimpressed.

Suggestions:
Make a business case using the above information and any other you can come up with. Then, propose a trial on a limited portion of the network with minimal risk to deploy pfSense on appropriate hardware. Be sure to be prepared for operations, monitoring, incident response and maintenance. Provide weekly reports on performance for the trial period. Your management may prefer that you conduct some testing in a lab environment for interoperability and performance before deploying. This is something that I have recently started doing for my clients.

Interesting:
I have been able to pass 400Mb (TCP @ 16KB packets) on a GigE interface on a 2.4GHz P4 with 1GB RAM. I believe that with a $6000 Dual Xeon, I will achieve 2 Gb/s but have not had time to get back in the lab. IPsec tunnels from pfSense box to Nokia/Checkpoint NG work fine. Required 3 minutes on pfSense side and nearly 10 min in CheckPoint.

Good Luck.

Park

On May 14, 2006, at 4:17 PM, Wesley K. Joyce wrote: What are the general business and technical cases to go with pfsense over turn key appliances like Cisco or Sonicwall etc? Thanks
RE: [pfSense Support] Justifications for going with pfsense over Cisco Router or PIX, Sonicwall etc?
There is something else to think about: in case you are missing a feature, you can offer a donation to get it in, where vendors just laugh at you or ignore your request, or even do it yourself as the source is all at your fingertips.

Holger

-----Original Message----- From: [EMAIL PROTECTED] Sent: Sunday, May 14, 2006 11:21 PM To: support@pfsense.com Subject: Re: [pfSense Support] Justifications for going with pfsense over Cisco Router or PIX, Sonicwall etc?
Re: [pfSense Support] Suggested mini-itx solutions?
On 5/14/06, Holger Bauer [EMAIL PROTECTED] wrote: The CPU of the WRAP has a thermal sensor integrated that can shut it down. I guess that this triggered the reboot. Maybe it needs active cooling or at least a passive cooler to get rid of the heat. Try to measure the temperature when doing the test again.

Is the LM77 accessible under FreeBSD? Looks like at least OpenBSD supports it but I don't see any way to get at it under pfSense/FreeBSD.

-- Paul Haddad ([EMAIL PROTECTED] [EMAIL PROTECTED])
[pfSense Support] pfsense on router with single nic and wan/lan on vlan interfaces
Hi,

I would like to set up a firewall + NAT box which contains a single physical NIC and the WAN and LAN interfaces configured as VLAN devices. Some ASCII art:

LAN -- vlan0 \
               + fxp0 == pfSense
WAN -- vlan1 /

Is pfSense capable of running in this config? Note that my hardware is VLAN-friendly -- fxp card with 802.1Q switch. I've successfully tested the VLAN functionality on the same hardware using OpenBSD 3.9.

- Raja
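As an added example for the layout asked about above (it is not from the thread, and it is not pfSense's own configuration, which is generated from the web interface rather than hand-edited), this is how the same single-NIC topology is expressed on the FreeBSD 6.1 that the Beta 4 boot log earlier in this thread shows: two 802.1Q sub-interfaces on fxp0 and a pf.conf that filters on them. The VLAN IDs (10 for WAN, 20 for LAN), the addresses and the netmasks are assumptions. The check a practitioner wants when WAN and LAN share one wire is that the separation is only as good as the tag the switch applies, so the rules filter on the vlan interfaces, never on fxp0, and drop anything that reaches fxp0 untagged.

```pf
# Added example (not from the thread or from pfSense): WAN and LAN as 802.1Q
# sub-interfaces of one fxp0 on FreeBSD 6.x. VLAN IDs and addresses are assumed.
#
# Interface setup, run as root (pfSense does the equivalent from its GUI):
#   ifconfig fxp0 up                                   # parent: tagged frames only, no address
#   ifconfig vlan0 create vlan 20 vlandev fxp0         # LAN side, tag 20
#   ifconfig vlan0 inet 192.168.1.1 netmask 255.255.255.0
#   ifconfig vlan1 create vlan 10 vlandev fxp0         # WAN side, tag 10
#   ifconfig vlan1 inet 203.0.113.2 netmask 255.255.255.252
#
# /etc/pf.conf
ext_if  = "vlan1"
int_if  = "vlan0"
lan_net = "192.168.1.0/24"

set skip on lo0
scrub in all

# NAT the LAN out of the WAN sub-interface (translation rules precede filter rules)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Untagged frames are delivered to the parent, not to vlan0/vlan1. Anything that
# arrives there has bypassed the WAN/LAN split the switch is supposed to enforce,
# so drop and log it instead of letting it match the rules below.
block drop log quick on $int_if:network  from ! $lan_net to any
block drop log quick on fxp0 all

# Default deny, then spoofing protection on both logical sides
block log all
antispoof quick for { $int_if, $ext_if }

# Allow LAN out to the world, keep state so replies return
pass out quick on $ext_if keep state
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the vlan-to-parent binding with `ifconfig vlan0` and `ifconfig vlan1`, which print the VLAN tag and parent interface; `pfctl -sr` shows the loaded rules. On the switch, the port facing fxp0 should carry VLANs 10 and 20 tagged only, with no untagged (native) VLAN, so that a host on either side cannot inject untagged frames that the fxp0 rule would otherwise be the last line of defence against.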