Re: [pfSense Support] DNS cache poisoning (solved)

2008-07-31 Thread Beat Siegenthaler

A bit Off-Topic...

You can find no information about DNS cache poisoning on ZyXEL's
website. As a manufacturer of NAT serializers this is poor behavior:
nothing for old and probably unpatchable routers, nor information on
whether newer products can solve this issue.


Does anybody know of a consumer-grade DSL router that does NAT with port
randomization out of the box?


regards, Beat

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
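A check for the question above, added here as an example and not part of the list thread or of pfSense: given the UDP source ports observed on the public side of a NAT, in query order (captured with tcpdump on a host outside the NAT, or reported by an external DNS port test), score whether the NAT preserved the resolver's port randomisation or serialised the ports. The thresholds, the function name and the three port lists are constructed for illustration.

```python
"""Added example (not from the pfSense list thread): score a sample of
source ports seen on the public side of a NAT for randomisation.

A resolver that randomises its UDP source port (the 2008 mitigation for
DNS cache poisoning) loses that protection when an upstream NAT rewrites
the ports sequentially or pins them to a single port. Capture the ports
on the WAN side in query order and feed them in as a list.
"""
import statistics

# Heuristic thresholds; constructed for this example, not from any standard.
SEQUENTIAL_FRACTION = 0.5   # share of +1 steps between consecutive queries
NARROW_RANGE = 1024         # spread (max - min) below this is suspicious
MIN_SAMPLE = 8              # fewer observations than this cannot be judged


def score_source_ports(ports):
    """Summarise a sample of source ports in the order they were observed.

    Returns a dict with the raw statistics and a 'verdict' string:
    'fixed port', 'sequential', 'narrow range' or 'randomised'.
    """
    if len(ports) < MIN_SAMPLE:
        raise ValueError(f"need at least {MIN_SAMPLE} observed ports")
    if any(not 0 < p < 65536 for p in ports):
        raise ValueError("port out of range")

    distinct = len(set(ports))
    lo, hi = min(ports), max(ports)
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Fraction of consecutive queries whose port went up by exactly one:
    # the signature of a NAT that hands out ports from a counter.
    sequential = sum(1 for d in deltas if d == 1) / len(deltas)

    if distinct == 1:
        verdict = "fixed port"
    elif sequential >= SEQUENTIAL_FRACTION:
        verdict = "sequential"
    elif hi - lo < NARROW_RANGE:
        verdict = "narrow range"
    else:
        verdict = "randomised"

    return {
        "samples": len(ports),
        "distinct": distinct,
        "range": (lo, hi),
        "stdev": round(statistics.pstdev(ports), 1),
        "sequential_fraction": round(sequential, 2),
        "verdict": verdict,
    }


# Constructed samples standing in for three captures of twelve queries each.
RANDOMISED = [34251, 52917, 1983, 60120, 17744, 45002,
              9350, 58871, 27619, 40188, 63002, 12457]
SERIALISED = list(range(32768, 32780))   # NAT counter, +1 per query
FIXED = [53] * 12                        # NAT pinning every query to port 53

if __name__ == "__main__":
    for name, sample in (("randomised", RANDOMISED),
                         ("serialised", SERIALISED),
                         ("fixed", FIXED)):
        print(name, score_source_ports(sample))
```

The verdict only says what the NAT did to the ports it was given, so the resolver behind it must already be randomising (a patched resolver) for the test to mean anything. On pfSense itself pf picks a random source port for outbound NAT unless a rule is set to static port, which is why letting the firewall hold the public address (IP passthrough on the DSL device, as suggested further down this thread) sidesteps the question of what the consumer router does.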



Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Paul Mansfield
It's not clear exactly what the Cisco 2801 is doing... does it have 
access control lists which can make a big difference in speed... AIUI 
access lists can have two different execution paths and if you write 
them wrongly they're much more CPU intensive. Sorry, I am not a Cisco 
expert in this instance.





RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Ted Crow
 
I don't see any errors on any of the Interfaces.  There actually *was* a
duplex mismatch on the provider's network upstream from my box, but that
was resolved before I traced things back to the pfSense box.  The duplex
error limited us far more severely, but this problem appears to be in
the pfSense box itself.

My previous box, last year, running 1.0.1, pushed the data at wire speed
with no trouble.  But you are right about the hardware being new, this
is all circa 2008 hardware - I'll give 1.2.1 a whirl and check back in.

Ted Crow
Information Technology Manager
Tuttle Services, Inc.
TEL: (419) 228-6262
DID: (419) 998-4874
FAX: (419) 228-1400

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 30, 2008 9:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

On Wed, Jul 30, 2008 at 7:30 PM, Ted Crow [EMAIL PROTECTED] wrote:

> As an additional note, I've already tried the following to no avail:
>
> - tcp/udp tweaking (no change)

Shouldn't be necessary anyway. Most of those settings are only
relevant when the firewall is the endpoint of the connection.

> - duplex mismatch testing (no problems)

No errors on Status - Interfaces? What speed and duplex is the WAN
port showing as?  In my experience with metro Ethernet, the endpoints
are set inconsistently by providers (at least by ATT). Some are
forced speed/duplex and some are set to auto. In the former case
you'll need to force your end, in the latter, leave it to auto.


> what I can see.
> - the DMZ speed is 40-60Mbps to the Internet and 50-60Mbps to the LAN.


How are you testing? I've pushed more than that through a 500 MHz box,
something of the spec you're running with Intel NICs is capable of
multi-Gbps. Since it's slow from DMZ to LAN it's likely not WAN port
related.

Since you're running relatively new hardware, the first thing I'd
recommend is trying 1.2.1. The NICs you have in a box that new
probably didn't exist at the time the em driver in FreeBSD 6.2 was
written, so you may be hitting some glitch there. Ditto for any number
of other components in that box.



RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Ted Crow

I don't consider myself a Cisco expert either, I've just been using
their hardware for the better part of 15 years.  I have access to a fair
number of good Cisco resources to aid me in selecting and configuring
the hardware.  I've never liked Cisco firewalls though, go figure.

I actually sized the router based on an estimated max traffic flow of
25Mbps.  It does have a very small ACL set running on it, mainly to keep
weird stuff from molesting my DMZ hosts (spoofing, etc.)  From the DMZ,
the speeds are pretty respectable considering the router was only
designed to handle a max of 46Mbps.  This one is the baby of the 2800
series and will probably be fine when the speed is dropped back down
below 25Mbps.

Ted Crow
Information Technology Manager
Tuttle Services, Inc.

-Original Message-
From: Paul Mansfield [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2008 5:56 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

It's not clear exactly what the Cisco 2801 is doing... does it have 
access control lists which can make a big difference in speed... AIUI 
access lists can have two different execution paths and if you write 
them wrongly they're much more CPU intensive. Sorry, I am not a Cisco 
expert in this instance.




[pfSense Support] cannot update firmware

2008-07-31 Thread Sean Cavanaugh

I have a 1.2-RELEASE setup that runs perfectly fine. I wanted to install 1.2.1
on it to try it out, but I cannot get the system to upgrade the firmware at
all. Through the web interface I get the usual hoops about the file not being
digitally signed, but it takes it and goes on its merry way of processing it.
I even get the pages all saying "An upgrade is currently in progress. The
firewall will reboot when the operation is complete."

It will just sit there and never do anything more. I have also tried using the
upgrade through the console, which gets me the following before dumping back
to the main menu screen:

Broadcast Message from [EMAIL PROTECTED]
(/dev/ttyp0) at 6:01 EDT...

Beginning pfSense upgrade.

/etc/rc.firmware: Cannot fork: Resource temporarily unavailable
/etc/rc.firmware: Cannot fork: Resource temporarily unavailable
/etc/rc.firmware: Cannot fork: Resource temporarily unavailable

Further testing shows that this happens no matter what firmware I give it; I
even tried 1.2-RELEASE again.

So far it looks like I will have to do a full reinstall to get it to 1.2.1.

Any insights?

-Sean


Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Bill Marquette
Here's a suggestion somewhat out of left field.  What about MTU?  Any
chance the provider changed it on you?  A machine right on the edge
would handle fragmentation somewhat more gracefully than a firewall
that might decide to drop certain inappropriately fragmented frames.
This would also cause potential slowdown in general.

One thing I didn't see (although I'm likely just missing it), is what
your transfer speeds between DMZ and LAN are.  Also, any chance for a
test, you can remove the router?  And again test LAN to DMZ and LAN to
Internet.  Based on your equipment specs I'm highly skeptical of this
being a hardware capacity issue (a number of us have outperformed your
numbers on _much_ lower end hardware - consider that a Soekris 4801
@266MHz can easily hit 16Mbit of normal traffic, and iperf tests can
get it upwards of 35Mbit).  It might however be a hardware issue.
Also, there are some sysctls available for troubleshooting the Intel
driver.

Substitute '0' for whichever interface you are trying to debug:
sysctl -w dev.em.0.debug=1
sysctl -w dev.em.0.stats=1
The Intel driver will reset these sysctls to their default value on
its own, it's a one time use type thing.  The results will be
available in dmesg and look like:
em0: Adapter hardware address = 0xc21e9a24
em0: CTRL = 0x40c00249 RCTL = 0x801a
em0: Packet buffer = Tx=16k Rx=48k
em0: Flow control watermarks high = 47104 low = 45604
em0: tx_int_delay = 66, tx_abs_int_delay = 66
em0: rx_int_delay = 0, rx_abs_int_delay = 66
em0: fifo workaround = 0, fifo_reset_count = 0
em0: hw tdh = 41, hw tdt = 41
em0: hw rdh = 102, hw rdt = 101
em0: Num Tx descriptors avail = 256
em0: Tx Descriptors not avail1 = 0
em0: Tx Descriptors not avail2 = 0
em0: Std mbuf failed = 0
em0: Std mbuf cluster failed = 0
em0: Driver dropped packets = 0
em0: Driver tx dma failure in encap = 0
em0: Excessive collisions = 0
em0: Sequence errors = 0
em0: Defer count = 0
em0: Missed Packets = 0
em0: Receive No Buffers = 0
em0: Receive Length Errors = 0
em0: Receive errors = 0
em0: Crc errors = 0
em0: Alignment errors = 0
em0: Collision/Carrier extension errors = 0
em0: RX overruns = 251
em0: watchdog timeouts = 0
em0: XON Rcvd = 0
em0: XON Xmtd = 0
em0: XOFF Rcvd = 0
em0: XOFF Xmtd = 0
em0: Good Packets Rcvd = 3269510
em0: Good Packets Xmtd = 647392
em0: TSO Contexts Xmtd = 0
em0: TSO Contexts Failed = 0

Lastly...if in interrupt mode still (I recommend it vs polling mode, I
don't think we've done the appropriate tuning for polling to give a
benefit), check net.inet.ip.intr_queue_drops --- that should be 0, if
it's not, something really weird is happening on your box.

--Bill

On Thu, Jul 31, 2008 at 8:06 AM, Ted Crow [EMAIL PROTECTED] wrote:

> I don't consider myself a Cisco expert either, I've just been using
> their hardware for the better part of 15 years.  I have access to a fair
> number of good Cisco resources to aid me in selecting and configuring
> the hardware.  I've never liked Cisco firewalls though, go figure.
>
> I actually sized the router based on an estimated max traffic flow of
> 25Mbps.  It does have a very small ACL set running on it, mainly to keep
> weird stuff from molesting my DMZ hosts (spoofing, etc.)  From the DMZ,
> the speeds are pretty respectable considering the router was only
> designed to handle a max of 46Mbps.  This one is the baby of the 2800
> series and will probably be fine when the speed is dropped back down
> below 25Mbps.
>
> Ted Crow
> Information Technology Manager
> Tuttle Services, Inc.
>
> -Original Message-
> From: Paul Mansfield [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2008 5:56 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?
>
> It's not clear exactly what the Cisco 2801 is doing... does it have
> access control lists which can make a big difference in speed... AIUI
> access lists can have two different execution paths and if you write
> them wrongly they're much more CPU intensive. Sorry, I am not a Cisco
> expert in this instance.



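As an added example, not code from the thread or from the pfSense project: a small parser for the em statistics dump Bill describes, so the counters can be checked mechanically instead of by eye. It takes the text the driver writes to dmesg after `sysctl -w dev.em.N.stats=1`, keeps the `name = integer` lines, and reports the error and drop counters that are non-zero. The set of counters treated as errors is taken from the names in the dump above; the sample input is an abridged copy of that dump with two lines for a second interface added for contrast, and the function names are this example's own.

```python
"""Added example, not from the thread or from pfSense: parse the Intel em
driver statistics that `sysctl -w dev.em.N.stats=1` writes to dmesg and
pick out the counters that indicate dropped or damaged frames.

Usage on the box (FreeBSD / pfSense 1.2 era, assumed to have Python):
    sysctl -w dev.em.0.stats=1; dmesg | grep '^em0:' | python em_stats.py
"""
import re
import sys

# Counters whose non-zero value means frames were lost or damaged. The
# names are the driver's own; both spellings of the carrier-extension
# counter seen in the thread are included.
ERROR_COUNTERS = frozenset({
    "Tx Descriptors not avail1", "Tx Descriptors not avail2",
    "Std mbuf failed", "Std mbuf cluster failed",
    "Driver dropped packets", "Driver tx dma failure in encap",
    "Excessive collisions", "Sequence errors", "Missed Packets",
    "Receive No Buffers", "Receive Length Errors", "Receive errors",
    "Crc errors", "Alignment errors",
    "Collision/Carrier extension errors", "Carrier extension errors",
    "RX overruns", "watchdog timeouts", "XOFF Rcvd", "XOFF Xmtd",
})

# Only 'emN: <name> = <integer>' lines. Addresses, register dumps and the
# multi-value lines (watermarks, delays, tdh/tdt) do not end in a single
# integer and are skipped.
STAT_LINE = re.compile(r"^(em\d+): ([^=]+?) = (\d+)$")


def parse_em_stats(text):
    """Return {iface: {counter_name: value}} from a dmesg excerpt."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if m:
            iface, name, value = m.groups()
            stats.setdefault(iface, {})[name] = int(value)
    return stats


def flag_problems(stats):
    """Return {iface: {counter_name: value}} for error counters that are non-zero."""
    problems = {}
    for iface, counters in stats.items():
        bad = {n: v for n, v in counters.items() if n in ERROR_COUNTERS and v}
        if bad:
            problems[iface] = bad
    return problems


def loss_ratio(counters):
    """Receive drops as a fraction of good frames received (0.0 if none seen)."""
    good = counters.get("Good Packets Rcvd", 0)
    if not good:
        return 0.0
    dropped = sum(counters.get(n, 0) for n in
                  ("RX overruns", "Missed Packets", "Receive No Buffers"))
    return dropped / good


# Constructed sample: an abridged copy of the em0 dump quoted in the thread,
# plus two em5 lines modelled on the WAN dump posted in reply.
SAMPLE = """\
em0: Adapter hardware address = 0xc21e9a24
em0: CTRL = 0x40c00249 RCTL = 0x801a
em0: Packet buffer = Tx=16k Rx=48k
em0: Flow control watermarks high = 47104 low = 45604
em0: tx_int_delay = 66, tx_abs_int_delay = 66
em0: hw tdh = 41, hw tdt = 41
em0: Num Tx descriptors avail = 256
em0: Tx Descriptors not avail1 = 0
em0: Std mbuf cluster failed = 0
em0: Missed Packets = 0
em0: Receive No Buffers = 0
em0: Crc errors = 0
em0: RX overruns = 251
em0: watchdog timeouts = 0
em0: Good Packets Rcvd = 3269510
em5: RX overruns = 0
em5: Good Packets Rcvd = 3240309
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_em_stats(text)
    problems = flag_problems(parsed)
    for iface, bad in problems.items():
        for name, value in sorted(bad.items()):
            print(f"{iface}: {name} = {value}")
        print(f"{iface}: receive loss ratio = {loss_ratio(parsed[iface]):.2e}")
    if not problems:
        print("no non-zero error counters")
```

On the sample above the only finding is em0's 251 RX overruns against 3.27 million good frames, a loss ratio in the 1e-5 range; run over the all-zero em4 and em5 dumps Ted posts in reply it reports nothing, which matches his reading that the NICs are not where the frames are going. Bill's `net.inet.ip.intr_queue_drops` check covers the next stage, the kernel input queue, which this driver-level dump does not see.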



RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Ted Crow
Good thought, but I did check my MTU - it appears to be solid at 1500
all the way to several test sites.

LAN to DMZ gets 55-60Mbps (Would expect ~100Mbps)
DMZ to DMZ is wire speed (100Mbps)
DMZ to Internet is 45-60Mbps

The DMZ is basically the switch connecting the router and firewall.
Everything off the WAN interface is running 100Mbps FDX, connected to the 1G
Intel card which appears to be happily running at 100Mbps.

WAN
-
em5: Adapter hardware address = 0xc4ffe948
em5: CTRL = 0x8140248 RCTL = 0x8002
em5: Packet buffer = Tx=20k Rx=12k
em5: Flow control watermarks high = 10240 low = 8740
em5: tx_int_delay = 66, tx_abs_int_delay = 66
em5: rx_int_delay = 0, rx_abs_int_delay = 66
em5: fifo workaround = 0, fifo_reset_count = 0
em5: hw tdh = 174, hw tdt = 174
em5: Num Tx descriptors avail = 256
em5: Tx Descriptors not avail1 = 0
em5: Tx Descriptors not avail2 = 0
em5: Std mbuf failed = 0
em5: Std mbuf cluster failed = 0
em5: Driver dropped packets = 0
em5: Driver tx dma failure in encap = 0
em5: Excessive collisions = 0
em5: Sequence errors = 0
em5: Defer count = 0
em5: Missed Packets = 0
em5: Receive No Buffers = 0
em5: Receive Length Errors = 0
em5: Receive errors = 0
em5: Crc errors = 0
em5: Alignment errors = 0
em5: Carrier extension errors = 0
em5: RX overruns = 0
em5: watchdog timeouts = 0
em5: XON Rcvd = 0
em5: XON Xmtd = 0
em5: XOFF Rcvd = 0
em5: XOFF Xmtd = 0
em5: Good Packets Rcvd = 3240309
em5: Good Packets Xmtd = 5577784

LAN
-
em4: Adapter hardware address = 0xc4ffa148
em4: CTRL = 0x8140248 RCTL = 0x801a
em4: Packet buffer = Tx=20k Rx=12k
em4: Flow control watermarks high = 10240 low = 8740
em4: tx_int_delay = 66, tx_abs_int_delay = 66
em4: rx_int_delay = 0, rx_abs_int_delay = 66
em4: fifo workaround = 0, fifo_reset_count = 0
em4: hw tdh = 158, hw tdt = 158
em4: Num Tx descriptors avail = 256
em4: Tx Descriptors not avail1 = 0
em4: Tx Descriptors not avail2 = 0
em4: Std mbuf failed = 0
em4: Std mbuf cluster failed = 0
em4: Driver dropped packets = 0
em4: Driver tx dma failure in encap = 0
em4: Excessive collisions = 0
em4: Sequence errors = 0
em4: Defer count = 0
em4: Missed Packets = 0
em4: Receive No Buffers = 0
em4: Receive Length Errors = 0
em4: Receive errors = 0
em4: Crc errors = 0
em4: Alignment errors = 0
em4: Carrier extension errors = 0
em4: RX overruns = 0
em4: watchdog timeouts = 0
em4: XON Rcvd = 0
em4: XON Xmtd = 0
em4: XOFF Rcvd = 0
em4: XOFF Xmtd = 0
em4: Good Packets Rcvd = 4071915
em4: Good Packets Xmtd = 3425928


Ted Crow
Information Technology Manager
Tuttle Services, Inc.

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2008 10:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

Here's a suggestion somewhat out of left field.  What about MTU?  Any
chance the provider changed it on you?  A machine right on the edge
would handle fragmentation somewhat more gracefully than a firewall
that might decide to drop certain inappropriately fragmented frames.
This would also cause potential slowdown in general.

One thing I didn't see (although I'm likely just missing it), is what
your transfer speeds between DMZ and LAN are.  Also, any chance for a
test, you can remove the router?  And again test LAN to DMZ and LAN to
Internet.  Based on your equipment specs I'm highly skeptical of this
being a hardware capacity issue (a number of us have outperformed your
numbers on _much_ lower end hardware - consider that a Soekris 4801
@266MHz can easily hit 16Mbit of normal traffic, and iperf tests can
get it upwards of 35Mbit).  It might however be a hardware issue.
Also, there are some sysctls available for troubleshooting the Intel
driver.

Substitute '0' for whichever interface you are trying to debug:
sysctl -w dev.em.0.debug=1
sysctl -w dev.em.0.stats=1
The Intel driver will reset these sysctls to their default value on
its own, it's a one time use type thing.  The results will be
available in dmesg and look like:

 SNIP 




Re: [pfSense Support] Snort Install Missing

2008-07-31 Thread Gary Buckmaster

DLStrout wrote:
> I was just wondering if there was something drastically broken in the
> past latest release?  Why the removal (just too far out of date?)
>
>
> I uninstalled on a test box and I can't even get it back in its old
> version/state ... is there a reason that the older version wasn't left
> available?  Seems that older is better than nothing (unless of course
> drastically broken/flawed).
>
>
> Just wondering.
> --
> David L. Strout
> Engineering Systems Plus, LLC

No, the snort package no longer had an active maintainer, was out of 
date, broken and a source of much angst in the support forum.  The 
policy of the pfSense developers has been to remove un-maintained, 
broken packages.  Since there are a lot of people who want to see this 
package fixed and maintained, it has been suggested that a bounty be put 
together to get the snort package fixed and updated.  Something similar 
happened with the squid package, very successfully. 





Re: [pfSense Support] cannot update firmware

2008-07-31 Thread Chris Buechler
On Thu, Jul 31, 2008 at 9:38 AM, Sean Cavanaugh
[EMAIL PROTECTED] wrote:
> I have a 1.2-RELEASE setup that runs perfectly fine. I wanted to install
> 1.2.1 on it to try it out, but I cannot get the system to upgrade the
> firmware at all. Through the web interface I get the usual hoops about the
> file not being digitally signed, but it takes it and goes on its merry way
> of processing it. I even get the pages all saying "An upgrade is currently
> in progress. The firewall will reboot when the operation is complete."
>
> It will just sit there and never do anything more. I have also tried using
> the upgrade through the console, which gets me the following before dumping
> back to the main menu screen:
>
> Broadcast Message from [EMAIL PROTECTED]
> (/dev/ttyp0) at 6:01 EDT...
>
> Beginning pfSense upgrade.
>
> /etc/rc.firmware: Cannot fork: Resource temporarily unavailable
> /etc/rc.firmware: Cannot fork: Resource temporarily unavailable
> /etc/rc.firmware: Cannot fork: Resource temporarily unavailable
>
> Further testing shows that this happens no matter what firmware I give it;
> I even tried 1.2-RELEASE again.


A Google of that site:pfsense.org brings back nothing so it's
apparently something no one has seen before.

That makes it sound like too many processes are running which is a bit
strange. Try rebooting it then upgrading.




Re: [pfSense Support] DNS cache poisoning (solved)

2008-07-31 Thread Chris Buechler
On Thu, Jul 31, 2008 at 3:01 AM, Beat Siegenthaler
[EMAIL PROTECTED] wrote:
> A bit Off-Topic...
>
> You can find no information about DNS cache poisoning on ZyXEL's website.
> As a manufacturer of NAT serializers this is poor behavior.

Wow, indeed it is. I would suggest contacting them, I'm sure you won't
be the first. Maybe they'll get the point eventually...


> Nothing for old and probably unpatchable routers, nor information on
> whether newer products can solve this issue.
>
> Does anybody know of a consumer-grade DSL router that does NAT with port
> randomization out of the box?

Not sure if my Westell does or not, I use the IP passthrough so my
firewall gets the public IP and would suggest you do the same if
possible. I do use its NAT for my dual WAN test network, but don't
really care what it does for that usage.




Re: [pfSense Support] cannot update firmware

2008-07-31 Thread Sean Cavanaugh



--
From: Chris Buechler [EMAIL PROTECTED]
Sent: Thursday, July 31, 2008 6:12 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] cannot update firmware

> On Thu, Jul 31, 2008 at 9:38 AM, Sean Cavanaugh
> [EMAIL PROTECTED] wrote:
>
>> I have a 1.2-RELEASE setup that runs perfectly fine. I wanted to install
>> 1.2.1 on it to try it out, but I cannot get the system to upgrade the
>> firmware at all. Through the web interface I get the usual hoops about the
>> file not being digitally signed, but it takes it and goes on its merry way
>> of processing it. I even get the pages all saying "An upgrade is currently
>> in progress. The firewall will reboot when the operation is complete."
>>
>> It will just sit there and never do anything more. I have also tried using
>> the upgrade through the console, which gets me the following before
>> dumping back to the main menu screen:
>>
>> Broadcast Message from [EMAIL PROTECTED]
>> (/dev/ttyp0) at 6:01 EDT...
>>
>> Beginning pfSense upgrade.
>>
>> /etc/rc.firmware: Cannot fork: Resource temporarily unavailable
>> /etc/rc.firmware: Cannot fork: Resource temporarily unavailable
>> /etc/rc.firmware: Cannot fork: Resource temporarily unavailable
>>
>> Further testing shows that this happens no matter what firmware I give it;
>> I even tried 1.2-RELEASE again.
>
> A Google of that site:pfsense.org brings back nothing so it's
> apparently something no one has seen before.
>
> That makes it sound like too many processes are running which is a bit
> strange. Try rebooting it then upgrading.



it looks like I just had a random group of addons that together caused that 
problem. I ended up having to reinstall 1.2-RELEASE and now the firmware 
upgrades work perfectly fine.
For future reference, just uninstalling all the addons and rebooting didn't 
clear out the glitch that was causing it.

now I'm off to try/abuse 1.2.1.

-Sean 


