[pfSense Support] pfsense bridging

2008-08-04 Thread Nuno Gonçalves

Hi all,

we are trying to use pfSense in bridging mode in a local network and 
have found that, with it in use, the bandwidth does not go beyond 
25Mb/s, even after disabling shaping rules.

Without pfSense we can go up to 40Mb/s.
Do you think it might be anything to do with the configuration in bridging mode? 
Or should it be a design feature or a limitation somehow?


Best Regards
Nuno



Re: [pfSense Support] pfsense bridging

2008-08-04 Thread Tim Nelson
We've got bridging setups that run well over 20mbit. What kind of NICs are you 
using? System specs/hardware? Firewall rules? 

Tim Nelson 
Systems/Network Support 
Rockbochs Inc. 
(218)727-4332 x105 

- Nuno Gonçalves wrote: 
 Hi all, 
 
 we are trying to use pfSense in bridging mode in a local network and 
 have found that, with it in use, the bandwidth does not go beyond 25Mb/s, 
 even after disabling shaping rules. 
 Without pfSense we can go up to 40Mb/s. 
 Do you think it might be anything to do with the configuration in bridging mode? Or 
 should it be a design feature or a limitation somehow? 
 
 Best Regards 
 Nuno 
 


Re: [pfSense Support] pfsense bridging

2008-08-04 Thread Nuno Gonçalves

Hi,
thanks for responding.
The hardware is a DELL PowerEdge R200 - Quad Core Intel® Xeon® X3220 - 2.4GHz

The NICs are Dual embedded Broadcom Gigabit NICs.
Running pfSense 1.2

thanks once again
Nuno




these are the pfsense rules (just in case):
TRANSLATION RULES:
nat-anchor pftpx/* all
nat-anchor natearly/* all
nat-anchor natrules/* all
rdr-anchor pftpx/* all
rdr-anchor slb all
rdr-anchor imspector all
rdr-anchor miniupnpd all

FILTER RULES:
scrub all random-id fragment reassemble
anchor ftpsesame/* all
anchor firewallrules all
block drop quick proto tcp from any port = 0 to any
block drop quick proto udp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any to any port = 0
block drop quick from snort2c to any label Block snort2c hosts
block drop quick from any to snort2c label Block snort2c hosts
anchor loopback all
pass in quick on lo0 all flags S/SA keep state label pass loopback
pass out quick on lo0 all flags S/SA keep state label pass loopback
anchor packageearly all
anchor carp all
pass quick inet proto icmp from 193.137.219.13 to any keep state
anchor dhcpserverlan all
pass in quick on bge1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label allow access to DHCP server on LAN
pass in quick on bridge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label allow access to DHCP server on LAN
pass in quick on bge1 inet proto udp from any port = bootpc to 193.137.219.14 port = bootps keep state label allow access to DHCP server on LAN
pass in quick on bridge0 inet proto udp from any port = bootpc to 193.137.219.14 port = bootps keep state label allow access to DHCP server on LAN
pass out quick on bge1 inet proto udp from 193.137.219.14 port = bootps to any port = bootpc keep state label allow access to DHCP server on LAN
pass out quick on bridge0 inet proto udp from 193.137.219.14 port = bootps to any port = bootpc keep state label allow access to DHCP server on LAN
pass in quick on bge0 proto udp from any port = bootps to any port = bootpc keep state label allow dhcp client out wan
pass in quick on bridge0 proto udp from any port = bootps to any port = bootpc keep state label allow dhcp client out wan

block drop in on ! bge1 inet from 193.137.219.0/28 to any
block drop in on bge1 inet6 from fe80::21e:c9ff:feba:a598 to any
block drop in inet from 193.137.219.14 to any
anchor spoofing all
anchor limitingesr all
block drop in quick from virusprot to any label virusprot overload table
pass out quick on bge1 proto icmp all keep state label let out anything from firewall host itself
pass out quick on bridge0 proto icmp all keep state label let out anything from firewall host itself
pass out quick on bge0 proto icmp all keep state label let out anything from firewall host itself
pass out quick on bridge0 proto icmp all keep state label let out anything from firewall host itself
pass out quick on bge0 all flags S/SA keep state (tcp.closed 5) label let out anything from firewall host itself

anchor firewallout all
pass out quick on bge0 all flags S/SA keep state label let out anything from firewall host itself
pass out quick on bge1 all flags S/SA keep state label let out anything from firewall host itself
pass out quick on bridge0 all flags S/SA keep state label let out anything from firewall host itself
pass out quick on enc0 all flags S/SA keep state label IPSEC internal host to host

anchor anti-lockout all
pass in quick on bge1 inet from any to 193.137.219.14 flags S/SA keep state label anti-lockout web rule
block drop in log proto tcp from sshlockout to any port = ssh label sshlockout

anchor ftpproxy all
anchor pftpx/* all
pass in log quick on bge0 reply-to (bge0 193.137.219.2) inet all flags S/SA keep state label USER_RULE: WLAN - LAN
pass in log quick on bridge0 reply-to (bge0 193.137.219.2) inet all flags S/SA keep state label USER_RULE: WLAN - LAN
pass in log quick on bge1 all flags S/SA keep state label USER_RULE: Default LAN - any
pass in log quick on bridge0 all flags S/SA keep state label USER_RULE: Default LAN - any
pass in quick on bge1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy flags S/SA keep state label FTP PROXY: Allow traffic to localhost
pass in quick on bge1 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label FTP PROXY: Allow traffic to localhost
pass in quick on bge0 inet proto tcp from any port = ftp-data to (bge0) port  49000 flags S/SA keep state label FTP PROXY: PASV mode data connection

anchor imspector all
anchor miniupnpd all
block drop in log quick all label Default block all just to be sure.
block drop out log quick all label Default block all just to be sure.
No queue in use



Tim Nelson wrote:
We've got bridging setups that run well over 20mbit. What kind of NICs 
are you using? System specs/hardware? Firewall rules?


Tim Nelson
Systems/Network Support
Rockbochs Inc.

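As an added illustration (not code from the thread or from pfSense), here is a small Python script that parses pfctl -sr style output like the ruleset pasted above and summarises it: rules per interface, which pass rules carry log, and which rules appear identically on a bridge member (bge1) and on bridge0. The sample lines are a constructed excerpt of Nuno's ruleset; the interface names and labels are the ones in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the shape of the pfctl -sr output pasted above
# (actions, interfaces and labels as they appear in the thread).
SAMPLE_RULES = """\
scrub all random-id fragment reassemble
anchor firewallrules all
block drop quick proto tcp from any port = 0 to any
pass in quick on lo0 all flags S/SA keep state label pass loopback
pass in quick on bge1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label allow access to DHCP server on LAN
pass in quick on bridge0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label allow access to DHCP server on LAN
block drop in on ! bge1 inet from 193.137.219.0/28 to any
pass out quick on bge0 all flags S/SA keep state label let out anything from firewall host itself
pass in log quick on bge0 reply-to (bge0 193.137.219.2) inet all flags S/SA keep state label USER_RULE: WLAN - LAN
pass in log quick on bridge0 reply-to (bge0 193.137.219.2) inet all flags S/SA keep state label USER_RULE: WLAN - LAN
pass in log quick on bge1 all flags S/SA keep state label USER_RULE: Default LAN - any
pass in log quick on bridge0 all flags S/SA keep state label USER_RULE: Default LAN - any
block drop in log quick all label Default block all just to be sure.
block drop out log quick all label Default block all just to be sure.
No queue in use
"""

# Leading keywords of a pf filter rule, in the order pfctl prints them.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?:\s+(?:drop|return))?"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?P<log>\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<neg>!\s*)?(?P<iface>\S+))?"
    r"(?P<rest>.*)$"
)


def parse_rules(text):
    """Turn pfctl -sr output into dicts; scrub, anchor and status lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        # The label is free text after the 'label' keyword; the rest is the match part.
        match, _, label = f" {m.group('rest').strip()}".partition(" label ")
        iface = m.group("iface")
        if iface and m.group("neg"):
            iface = "!" + iface          # 'on ! bge1' means every interface except bge1
        rules.append({
            "action": m.group("action"),
            "direction": m.group("dir") or "any",
            "log": bool(m.group("log")),
            "quick": bool(m.group("quick")),
            "iface": iface or "any",
            "match": match.strip(),
            "label": label.strip() or None,
        })
    return rules


def rules_per_interface(rules):
    """How many rules pf evaluates per interface ('any' = rules without 'on')."""
    return Counter(r["iface"] for r in rules)


def logging_pass_rules(rules):
    """Pass rules that write a pflog record for every new state."""
    return [r for r in rules if r["action"] == "pass" and r["log"]]


def rules_shared_between(rules, iface_a, iface_b):
    """Rules that are identical apart from appearing on both iface_a and iface_b."""
    seen = defaultdict(set)
    for r in rules:
        key = (r["action"], r["direction"], r["log"], r["quick"], r["match"])
        seen[key].add(r["iface"])
    return [key for key, ifaces in seen.items() if {iface_a, iface_b} <= ifaces]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("rules per interface:", dict(rules_per_interface(rules)))
    for r in logging_pass_rules(rules):
        print("logging pass rule on", r["iface"], "->", r["label"])
    for key in rules_shared_between(rules, "bge1", "bridge0"):
        print("present on both bge1 and bridge0:", key[4])
```

Counting rules this way is the first check when a ruleset is suspected of costing throughput: each logged pass rule writes a pflog record per new state, and a rule that appears on both a member interface and bridge0 is evaluated twice for the same frame when pf filters on both. On FreeBSD, whether pf sees bridged frames on the member interfaces, on the bridge interface, or on both is controlled by the sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge; whether that accounts for the 25Mb/s in this thread is not something the ruleset alone shows.
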
Re: [pfSense Support] pfsense bridging

2008-08-04 Thread Tim Nelson
Hmmm... your hardware looks to be sufficient :-) 

I don't recall any specific problems with Broadcom NICs... if you have an Intel 
NIC or two around... give those a shot (assuming you can fit them since the 
R200 is a 1U). 

I can't see anything that jumps out at me in your ruleset... maybe try 
disabling any packages? 

Tim Nelson 
Systems/Network Support 
Rockbochs Inc. 
(218)727-4332 x105 

- Nuno Gonçalves wrote: 
 Hi, 
 thanks for responding. 
 The hardware is a DELL PowerEdge R200 - Quad Core Intel® Xeon® X3220 - 2.4GHz 
 The NICs are Dual embedded Broadcom Gigabit NICs. 
 Running pfSense 1.2 
 
 thanks once again 
 Nuno 
 
 
 
 
 these are the pfsense rules (just in case): 
 TRANSLATION RULES: 
 nat-anchor pftpx/* all 
 nat-anchor natearly/* all 
 nat-anchor natrules/* all 
 rdr-anchor pftpx/* all 
 rdr-anchor slb all 
 rdr-anchor imspector all 
 rdr-anchor miniupnpd all 
 
 FILTER RULES: 
 scrub all random-id fragment reassemble 
 anchor ftpsesame/* all 
 anchor firewallrules all 
 block drop quick proto tcp from any port = 0 to any 
 block drop quick proto udp from any port = 0 to any 
 block drop quick proto tcp from any to any port = 0 
 block drop quick proto udp from any to any port = 0 
 block drop quick from snort2c to any label Block snort2c hosts 
 block drop quick from any to snort2c label Block snort2c hosts 
 anchor loopback all 
 pass in quick on lo0 all flags S/SA keep state label pass loopback 
 pass out quick on lo0 all flags S/SA keep state label pass loopback 
 anchor packageearly all 
 anchor carp all 
 pass quick inet proto icmp from 193.137.219.13 to any keep state 
 anchor dhcpserverlan all 
 pass in quick on bge1 inet proto udp from any port = bootpc to 
 255.255.255.255 port = bootps keep state label allow access to DHCP server 
 on LAN 
 pass in quick on bridge0 inet proto udp from any port = bootpc to 
 255.255.255.255 port = bootps keep state label allow access to DHCP server 
 on LAN 
 pass in quick on bge1 inet proto udp from any port = bootpc to 193.137.219.14 
 port = bootps keep state label allow access to DHCP server on LAN 
 pass in quick on bridge0 inet proto udp from any port = bootpc to 
 193.137.219.14 port = bootps keep state label allow access to DHCP server on 
 LAN 
 pass out quick on bge1 inet proto udp from 193.137.219.14 port = bootps to 
 any port = bootpc keep state label allow access to DHCP server on LAN 
 pass out quick on bridge0 inet proto udp from 193.137.219.14 port = bootps to 
 any port = bootpc keep state label allow access to DHCP server on LAN 
 pass in quick on bge0 proto udp from any port = bootps to any port = bootpc 
 keep state label allow dhcp client out wan 
 pass in quick on bridge0 proto udp from any port = bootps to any port = 
 bootpc keep state label allow dhcp client out wan 
 block drop in on ! bge1 inet from 193.137.219.0/28 to any 
 block drop in on bge1 inet6 from fe80::21e:c9ff:feba:a598 to any 
 block drop in inet from 193.137.219.14 to any 
 anchor spoofing all 
 anchor limitingesr all 
 block drop in quick from virusprot to any label virusprot overload table 
 pass out quick on bge1 proto icmp all keep state label let out anything from 
 firewall host itself 
 pass out quick on bridge0 proto icmp all keep state label let out anything 
 from firewall host itself 
 pass out quick on bge0 proto icmp all keep state label let out anything from 
 firewall host itself 
 pass out quick on bridge0 proto icmp all keep state label let out anything 
 from firewall host itself 
 pass out quick on bge0 all flags S/SA keep state (tcp.closed 5) label let 
 out anything from firewall host itself 
 anchor firewallout all 
 pass out quick on bge0 all flags S/SA keep state label let out anything from 
 firewall host itself 
 pass out quick on bge1 all flags S/SA keep state label let out anything from 
 firewall host itself 
 pass out quick on bridge0 all flags S/SA keep state label let out anything 
 from firewall host itself 
 pass out quick on enc0 all flags S/SA keep state label IPSEC internal host 
 to host 
 anchor anti-lockout all 
 pass in quick on bge1 inet from any to 193.137.219.14 flags S/SA keep state 
 label anti-lockout web rule 
 block drop in log proto tcp from sshlockout to any port = ssh label 
 sshlockout 
 anchor ftpproxy all 
 anchor pftpx/* all 
 pass in log quick on bge0 reply-to (bge0 193.137.219.2) inet all flags S/SA 
 keep state label USER_RULE: WLAN - LAN 
 pass in log quick on bridge0 reply-to (bge0 193.137.219.2) inet all flags 
 S/SA keep state label USER_RULE: WLAN - LAN 
 pass in log quick on bge1 all flags S/SA keep state label USER_RULE: Default 
 LAN - any 
 pass in log quick on bridge0 all flags S/SA keep state label USER_RULE: 
 Default LAN - any 
 pass in quick on bge1 inet proto tcp from any to 127.0.0.1 port = ftp-proxy 
 flags S/SA keep state label FTP PROXY: Allow traffic to localhost 
 pass in quick on bge1 inet proto tcp from any to 127.0.0.1 port = ftp flags 
 S/SA keep state label FTP 

[pfSense Support] LiveCD Serial Console Support?

2008-08-04 Thread [EMAIL PROTECTED]
I'm currently testing the pfSense LiveCD as a Recovery CD in case of a 
hard drive failure.


This is working about 99%, I just can't get the serial console to work 
on the LiveCD.


Searching around a little more, it appears the LiveCD /boot/loader.conf 
is not present and does not have the line console=comconsole to 
redirect console messages to the serial port. (I understand this is 
default behavior)


I've tried various ways of editing the ISO and adding a 
/boot/loader.conf file. The custom LiveCD will boot up, but never seems 
to read /boot/loader.conf, and seems to have trouble booting, hanging in 
random places (I think this is because of the ISO repackaging, using 
MagicISO).


Has anyone edited the LiveCD for custom config.xml files or other 
tweaks? And if so, could you point me in the right direction?


Thanks,
Adam

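One way to script the loader.conf edit the post describes, as an added example that is not from the thread or from the pfSense project: a Python helper that parses an existing /boot/loader.conf (or starts from none, as on the LiveCD), sets console to comconsole while keeping any other settings, and reports whether the serial console is enabled. The 9600 baud speed is an assumed placeholder; the <root>/boot/loader.conf layout is the standard FreeBSD one. It does not address why a repacked ISO might not read the file, which the post leaves open.

```python
import re
import tempfile
from collections import OrderedDict
from pathlib import Path

# loader.conf is a sequence of NAME="value" lines; '#' starts a comment.
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

# Assumption: 9600 is only a placeholder; use the speed the serial client expects.
DEFAULT_SPEED = "9600"


def parse_loader_conf(text):
    """Return the assignments in file order; a later duplicate overrides an earlier one."""
    settings = OrderedDict()
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def has_serial_console(text):
    """True when the console setting lists comconsole (the serial port)."""
    if text is None:
        return False
    return "comconsole" in parse_loader_conf(text).get("console", "").split()


def ensure_serial_console(text, speed=DEFAULT_SPEED):
    """Return loader.conf text with the serial console enabled.

    text is the current file content, or None when the file does not exist
    (the LiveCD case in the post). Other settings stay where they are; an
    existing console list keeps its entries, with comconsole put first.
    """
    lines = [] if text is None else text.splitlines()
    current = parse_loader_conf(text or "")
    consoles = current.get("console", "").split()
    if "comconsole" not in consoles:
        consoles.insert(0, "comconsole")
    wanted = OrderedDict([
        ("console", " ".join(consoles)),
        ("comconsole_speed", current.get("comconsole_speed", speed)),
    ])
    out, done = [], set()
    for line in lines:
        m = ASSIGN_RE.match(line)
        name = m.group(1) if m else None
        if name in wanted:
            if name in done:
                continue  # drop a duplicate assignment; the rewritten first one stands
            out.append(f'{name}="{wanted[name]}"')
            done.add(name)
        else:
            out.append(line)
    for name, value in wanted.items():
        if name not in done:
            out.append(f'{name}="{value}"')
    return "\n".join(out) + "\n"


def apply_to_tree(root):
    """Rewrite <root>/boot/loader.conf in an unpacked CD tree; returns the path."""
    path = Path(root) / "boot" / "loader.conf"
    existing = path.read_text() if path.exists() else None
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(ensure_serial_console(existing))
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        p = apply_to_tree(tmp)          # no loader.conf yet, as on the LiveCD
        print(p.read_text())
        p.write_text('kern.hz="100"\nconsole="vidconsole"\n')
        apply_to_tree(tmp)              # existing file: settings kept, console extended
        print(p.read_text())
```

Running ensure_serial_console twice yields the same text, so the helper can be applied to a tree repeatedly without accumulating lines, and has_serial_console gives a quick check of the result before the ISO is rebuilt.
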
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]