Re: [pfSense Support] Re: Can't get more than 15kpps.
On Sun, Aug 2, 2009 at 12:21 PM, Tim Dressel tjdres...@gmail.com wrote:
Install on both sides, not on pfsense. i.e. install on a machine on the WAN side, and on the LAN site. Or if you are testing between LAN and an OPT interface, put a machine on both subnets and test that way. iPerf on pfsense will not give you a throughput of the firewall (at least nothing that means anything)
Cheers,
Ok, so I made some tests with IPERF. I just hope I used the right syntax:
on the server side: iperf -s
on the client side: iperf -c server-ip -t 60 -M 500
I figured the M 500 is needed, because my average packet size in production is 500. Unless I'm totally wrong here? The results I got were 300Mbit/sec with em driver, while I saw the taskq em0 hit almost 90%. Of course, without the M 500 option I got 750Mbit/sec. I think it was less than 50kpps. When doing tests with bce driver, I got 284Mbit/sec and irq256: bce0 hit 85%. That was 73kpps.
Another thing I noticed is regarding the new em driver. I understand it's supposed to be the Yandex one. So I found someone that had a screenshot of his top -S and it looked like that:
  PID USERNAME THR PRI NICE  SIZE   RES STATE  C   TIME    WCPU COMMAND
   11 root       1 171 ki31    0K   16K CPU7   7  26.3H 100.00% idle: cpu7
   12 root       1 171 ki31    0K   16K CPU6   6  23.5H  98.29% idle: cpu6
   18 root       1 171 ki31    0K   16K RUN    0  21.0H  96.88% idle: cpu0
   17 root       1 171 ki31    0K   16K RUN    1  20.8H  88.67% idle: cpu1
   15 root       1 171 ki31    0K   16K CPU3   3  21.0H  86.96% idle: cpu3
   13 root       1 171 ki31    0K   16K CPU5   5  21.0H  86.57% idle: cpu5
   14 root       1 171 ki31    0K   16K CPU4   4  20.4H  86.47% idle: cpu4
   16 root       1 171 ki31    0K   16K CPU2   2  20.3H  82.57% idle: cpu2
   35 root       1  43    -    0K   16K WAIT   2 682:43  27.59% em1_rx_kthread_0
   36 root       1  43    -    0K   16K WAIT   3 681:24  25.49% em1_rx_kthread_1
   31 root       1  43    -    0K   16K WAIT   0 587:29  19.58% em0_rx_kthread_0
   32 root       1  43    -    0K   16K WAIT   5 586:51  18.07% em0_rx_kthread_1
   19 root       1 -32    -    0K   16K WAIT   6  21:44   3.17% swi4: clock sio
   34 root       1 -68    -    0K   16K WAIT   4  37:56   0.10% em1_txcleaner
   30 root       1 -68    -    0K   16K WAIT   1  29:04   0.00% em0_txcleaner
   53 root       1 -68    -    0K   16K -      1  17:25   0.00% dummynet
 1234 root       1  44    0  206M  198M select 1   9:45   0.00% bgpd
while in mine I don't see these, I only see 2 taskq emX and it doesn't matter how many threads I input in the sysctl.conf. So what am I doing wrong and is this a normal throughput for my server?
Lenny.
[pfSense Support] backup before installing any package
Hi,
I am planning (since my job move to another company) to install pfSense as well. But, one thing that took special consideration, are the packages... They are great to improve the product even more, but they might also break things (either on pfSense side, or in between the packages).
If I install an empty pfSense (ie. without any package) and make a full backup using pfSense... can I truly revert to this backup and have no package at all installed at the end ?? (okay, files will be there on the harddisk - but I assume they are then just garbage)
kind regards,
michel servaes
-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
RE: [pfSense Support] VPN Questions
You can filter OpenVPN. Short howto is here: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
if you're running multiple openVPN servers, how does pfSense know which tun device is allocated to which server/daemon?
Updated that page.
Chris, does the OpenVPN setup with the DHCP-Opt.: DNS-Domainname and DHCP-Opt.: DNS-Server config params mimic the Cisco Split-DNS concept where once the client connects, and queries for a host whose FQDN has a search domain equal to DHCP-Opt.: DNS-Domainname will be redirected to the DHCP-Opt.: DNS-Server server?
Thanks! jlc
Re: [pfSense Support] Re: Can't get more than 15kpps.
On Mon, Aug 3, 2009 at 3:52 AM, Lenny five2one.le...@gmail.com wrote:
On Sun, Aug 2, 2009 at 12:21 PM, Tim Dressel tjdres...@gmail.com wrote:
Install on both sides, not on pfsense. i.e. install on a machine on the WAN side, and on the LAN site. Or if you are testing between LAN and an OPT interface, put a machine on both subnets and test that way. iPerf on pfsense will not give you a throughput of the firewall (at least nothing that means anything)
Cheers,
Ok, so I made some tests with IPERF. I just hope I used the right syntax:
on the server side: iperf -s
on the client side: iperf -c server-ip -t 60 -M 500
I figured the M 500 is needed, because my average packet size in production is 500. Unless I'm totally wrong here? The results I got were 300Mbit/sec with em driver, while I saw the taskq em0 hit almost 90%. Of course, without the M 500 option I got 750Mbit/sec. I think it was less than 50kpps. When doing tests with bce driver, I got 284Mbit/sec and irq256: bce0 hit 85%. That was 73kpps.
Another thing I noticed is regarding the new em driver. I understand it's supposed to be the Yandex one. So I found someone that had a screenshot of his top -S and it looked like that:
  PID USERNAME THR PRI NICE  SIZE   RES STATE  C   TIME    WCPU COMMAND
   11 root       1 171 ki31    0K   16K CPU7   7  26.3H 100.00% idle: cpu7
   12 root       1 171 ki31    0K   16K CPU6   6  23.5H  98.29% idle: cpu6
   18 root       1 171 ki31    0K   16K RUN    0  21.0H  96.88% idle: cpu0
   17 root       1 171 ki31    0K   16K RUN    1  20.8H  88.67% idle: cpu1
   15 root       1 171 ki31    0K   16K CPU3   3  21.0H  86.96% idle: cpu3
   13 root       1 171 ki31    0K   16K CPU5   5  21.0H  86.57% idle: cpu5
   14 root       1 171 ki31    0K   16K CPU4   4  20.4H  86.47% idle: cpu4
   16 root       1 171 ki31    0K   16K CPU2   2  20.3H  82.57% idle: cpu2
   35 root       1  43    -    0K   16K WAIT   2 682:43  27.59% em1_rx_kthread_0
   36 root       1  43    -    0K   16K WAIT   3 681:24  25.49% em1_rx_kthread_1
   31 root       1  43    -    0K   16K WAIT   0 587:29  19.58% em0_rx_kthread_0
   32 root       1  43    -    0K   16K WAIT   5 586:51  18.07% em0_rx_kthread_1
   19 root       1 -32    -    0K   16K WAIT   6  21:44   3.17% swi4: clock sio
   34 root       1 -68    -    0K   16K WAIT   4  37:56   0.10% em1_txcleaner
   30 root       1 -68    -    0K   16K WAIT   1  29:04   0.00% em0_txcleaner
   53 root       1 -68    -    0K   16K -      1  17:25   0.00% dummynet
 1234 root       1  44    0  206M  198M select 1   9:45   0.00% bgpd
while in mine I don't see these, I only see 2 taskq emX and it doesn't matter how many threads I input in the sysctl.conf. So what am I doing wrong and is this a normal throughput for my server?
Lenny.
Hi Lenny,
I'm not sure if this would be useful or not, if you connected the iperf server and client with a cable and repeated the same test (i.e. not going through the router) you should be able to see what the theoretical max is for your setup. If you compare that to the results you just got and you don't see a huge drop (more than 20%) then that should be pretty accurate for that. You probably should also do the bidirectional test as well (-d option) to see if your one way performance drops (it should not).
RE: [pfSense Support] Anything like fail2ban for PFSense?
-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Sunday, August 02, 2009 6:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?
Mark Crane added a DenyHosts package recently that does just this.
-
COOL! Thanks!
Incidentally, there appears to be a bug in this package - if you are on Services - DenyHosts, and you click the PFSense logo, it takes you to the URL https://x.x.x.x/packages/denyhosts/index.php rather than https://x.x.x.x/index.php
Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
supp...@atlasnetworks.us
http://support.atlasnetworks.us/portal
Re: [pfSense Support] Anything like fail2ban for PFSense?
On Mon, Aug 3, 2009 at 1:41 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Sunday, August 02, 2009 6:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?
Mark Crane added a DenyHosts package recently that does just this.
-
COOL! Thanks!
Incidentally, there appears to be a bug in this package - if you are on Services - DenyHosts, and you click the PFSense logo, it takes you to the URL https://x.x.x.x/packages/denyhosts/index.php rather than https://x.x.x.x/index.php
That's common to a couple packages, there's a ticket open on it, there is no easy fix that won't break other things.
Re: [pfSense Support] Anything like fail2ban for PFSense?
-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris Buechler
Sent: Sunday, August 02, 2009 6:11 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?
Mark Crane added a DenyHosts package recently that does just this.
-
COOL! Thanks!
Incidentally, there appears to be a bug in this package - if you are on Services - DenyHosts, and you click the PFSense logo, it takes you to the URL https://x.x.x.x/packages/denyhosts/index.php rather than https://x.x.x.x/index.php
Is this working? I have it installed on 1.2.2 and it doesn't appear to be doing anything. I see a bunch of failed attempts for SSH, and the servers - denyhost doesn't display anything.
RE: [pfSense Support] Anything like fail2ban for PFSense?
-Original Message-
From: apiase...@midatlanticbb.com [mailto:apiase...@midatlanticbb.com]
Sent: Monday, August 03, 2009 11:24 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?
Is this working? I have it installed on 1.2.2 and it doesn't appear to be doing anything. I see a bunch of failed attempts for SSH, and the servers - denyhost doesn't display anything.
-
I too am running 1.2.2 and cannot get this package to work. I noticed that under status - services, the denyhosts service is not running. Attempting to start it fails. Is there a way to get this running on 1.2.2?
Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC
Re: [pfSense Support] trying to boot embedded image fails
On Mon, Aug 3, 2009 at 4:14 PM, Joseph L. Casale jcas...@activenetwerx.com wrote:
I have an HP DL120 G5 I am trying to use pfSense-1.2.3-RC1-Embedded on and it just hangs on the bootloader. I am using a 4gig USB key that I wrote the img to. Are there any particular bios requirements for this to work or other setup requirements?
Thanks! jlc
Have you tried connecting to it using a serial cable?
--
Linux User #452368 Ubuntu User #28025
Doing a thing well is often a waste of time.
//HP Mini 2GB 60GB - Windows XP/Ubuntu Jaunty
//Core 2 Duo 2.40Ghz 8GB 500GB - Windows 7/Ubuntu Jaunty
//Core 2 Duo 2.40Ghz 8GB 320GB - MacOS Leopard
//Athlon 64 2.7Ghz 8GB 400GB - CentOS 5.3
//Core 2 Duo 1.86Ghz 8GB 1TB - Proxmox 1.3
//Celeron 1.8Ghz 2GB 160GB - pfSense
//NSLU2 266Mhz 32MB 1TB - Debian Lenny
Re: [pfSense Support] trying to boot embedded image fails
Joseph L. Casale wrote:
I have an HP DL120 G5 I am trying to use pfSense-1.2.3-RC1-Embedded on and it just hangs on the bootloader. I am using a 4gig USB key that I wrote the img to. Are there any particular bios requirements for this to work or other setup requirements?
I have seen some BIOS that would only boot from a USB key in that case after a BIOS update and some option twiddling (though I don't recall what). We have also seen that some embedded devices require booting in packet mode or nopacket mode, depending on the BIOS it could be one or the other. This can be changed, but required plugging the device into another FreeBSD box or another pfSense box and running:
boot0cfg -o packet /dev/da0
Where packet can also be nopacket, and /dev/da0 is the full path to the USB device as seen by the OS (check dmesg).
I don't recall what the RC1 images are, but the current nanobsd snapshots should be using packet mode. Before doing much else, I'd also try a more recent snapshot than RC1.
Jim
RE: [pfSense Support] trying to boot embedded image fails
Have you tried connecting to it using a serial cable?
I could, but it does hang, I am sure of that and I can see it clearly on the monitor.
jlc
RE: [pfSense Support] trying to boot embedded image fails
I have seen some BIOS that would only boot from a USB key in that case after a BIOS update and some option twiddling (though I don't recall what). We have also seen that some embedded devices require booting in packet mode or nopacket mode, depending on the BIOS it could be one or the other. This can be changed, but required plugging the device into another FreeBSD box or another pfSense box and running:
boot0cfg -o packet /dev/da0
Where packet can also be nopacket, and /dev/da0 is the full path to the USB device as seen by the OS (check dmesg).
Wow, I don't have any bsd machines, lol. Can you reco what I should pull down to install on a recent desktop, with AHCI sata for example?
I don't recall what the RC1 images are, but the current nanobsd snapshots should be using packet mode. Before doing much else, I'd also try a more recent snapshot than RC1.
I didn't know there was anything newer except 2.0, which I read has all the embedded images not functional. Where do I get a more recent 1.2.3 image? Are you speaking of these: http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/
The pfSense-1.2.3-512mb-20090723-1908-nanobsd.img image didn’t hang the server but it just sat at a blinking cursor:)
Thanks for all the advice! jlc
RE: [pfSense Support] trying to boot embedded image fails
Are you speaking of these: http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/
The pfSense-1.2.3-512mb-20090723-1908-nanobsd.img image didn’t hang the server but it just sat at a blinking cursor:)
Sorry, spoke too soon! Same result. I wait for a suggestion on what freebsd iso to yank and get a desktop installed tomorrow to make that change you suggested.
Thanks! jlc
Re: [pfSense Support] VPN Questions
It is intended to do so...
Regards, martin
-Original Message-
From: Joseph L. Casale [mailto:jcas...@activenetwerx.com]
Sent: Monday, 3 August 2009 15:55
To: support@pfsense.com
Subject: RE: [pfSense Support] VPN Questions
You can filter OpenVPN. Short howto is here: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
if you're running multiple openVPN servers, how does pfSense know which tun device is allocated to which server/daemon?
Updated that page.
Chris, does the OpenVPN setup with the DHCP-Opt.: DNS-Domainname and DHCP-Opt.: DNS-Server config params mimic the Cisco Split-DNS concept where once the client connects, and queries for a host whose FQDN has a search domain equal to DHCP-Opt.: DNS-Domainname will be redirected to the DHCP-Opt.: DNS-Server server?
Thanks! jlc
Re: [pfSense Support] trying to boot embedded image fails
Joseph L. Casale wrote:
Are you speaking of these: http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_RELENG_1_2/nanobsd/
The pfSense-1.2.3-512mb-20090723-1908-nanobsd.img image didn’t hang the server but it just sat at a blinking cursor:)
Sorry, spoke too soon! Same result. I wait for a suggestion on what freebsd iso to yank and get a desktop installed tomorrow to make that change you suggested.
The nanobsd/embedded images switch to a serial console during the boot process, did you try using the serial console with that snapshot?
Any FreeBSD install will work for that packet/nopacket change, even a pfSense system.
Re: [pfSense Support] VPN Questions
On Mon, Aug 3, 2009 at 9:55 AM, Joseph L. Casale jcas...@activenetwerx.com wrote:
You can filter OpenVPN. Short howto is here: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
if you're running multiple openVPN servers, how does pfSense know which tun device is allocated to which server/daemon?
Updated that page.
Chris, does the OpenVPN setup with the DHCP-Opt.: DNS-Domainname and DHCP-Opt.: DNS-Server config params mimic the Cisco Split-DNS concept where once the client connects, and queries for a host whose FQDN has a search domain equal to DHCP-Opt.: DNS-Domainname will be redirected to the DHCP-Opt.: DNS-Server server?
DNS queries are done based on the binding order of the interfaces on the client. The domain name option acts no differently than that same option from a DHCP server, it doesn't send queries for only that domain to the defined DNS servers.
Re: [pfSense Support] Anything like fail2ban for PFSense?
On Mon, Aug 3, 2009 at 4:40 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
I too am running 1.2.2 and cannot get this package to work. I noticed that under status - services, the denyhosts service is not running. Attempting to start it fails.
It was probably built for FreeBSD 7.1 or 7.2. Not sure. Don't know if Mark is on this list. He frequents the forum, you might want to post to the packages board there.
RE: [pfSense Support] trying to boot embedded image fails
The nanobsd/embedded images switch to a serial console during the boot process, did you try using the serial console with that snapshot?
Darn, no. I have to wait until tomorrow. Would the KB become unresponsive during the switch such that numlock/capslock no longer functions? The lights on the intel quad port nic don’t light up so I was pretty sure it tanked before that driver initializes.
Any FreeBSD install will work for that packet/nopacket change, even a pfSense system.
Ok, does FreeSBIE have the needed tools? This way I don't have to open a case and shove a spare disc in:)
Thanks! jlc
Re: [pfSense Support] backup before installing any package
On Mon, Aug 3, 2009 at 8:50 AM, Michel Servaes mic...@mcmc.be wrote:
Hi,
I am planning (since my job move to another company) to install pfSense as well. But, one thing that took special consideration, are the packages... They are great to improve the product even more, but they might also break things (either on pfSense side, or in between the packages).
If I install an empty pfSense (ie. without any package) and make a full backup using pfSense... can I truly revert to this backup and have no package at all installed at the end ?? (okay, files will be there on the harddisk - but I assume they are then just garbage)
The files will still be there, you shouldn't do that. Uninstall the packages, or reinstall the system and restore the config with packages removed.
RE: [pfSense Support] backup before installing any package
From: cbuech...@gmail.com [cbuech...@gmail.com] On Behalf Of Chris Buechler [...@pfsense.org]
Sent: Monday, August 03, 2009 9:41 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] backup before installing any package
On Mon, Aug 3, 2009 at 8:50 AM, Michel Servaes mic...@mcmc.be wrote:
Hi,
I am planning (since my job move to another company) to install pfSense as well. But, one thing that took special consideration, are the packages... They are great to improve the product even more, but they might also break things (either on pfSense side, or in between the packages).
If I install an empty pfSense (ie. without any package) and make a full backup using pfSense... can I truly revert to this backup and have no package at all installed at the end ?? (okay, files will be there on the harddisk - but I assume they are then just garbage)
The files will still be there, you shouldn't do that. Uninstall the packages, or reinstall the system and restore the config with packages removed.
[pfSense Support] Help with Siproxd
Aloha,
I'm running 1.2.3 on an Alix 2d3 and recently discovered the problem with PFsense + more than one sip phone the hard way. I'm using 5 polycom phones with a VOIP service (server is offsite) and would like to get PFsense working.
Anyway, I've read about AON or editing /etc/inc/filter.inc on this thread: http://forum.pfsense.org/index.php?topic=12830.msg72156
I'm not comfortable with either solution since configuring AON or editing filter.inc is beyond me. Since I have 1.2.3 embedded, I figured I'd just install siproxd and be done with it (looking for the easiest, GUI driven solution here).
When I install siproxd, everything looks good, however when I go to my services page and press the play/start button, PFsense reports that siproxd has been started, but when the page refreshes, the status still shows up as stopped.
Any help is appreciated. My knowledge of this is limited to what the GUI allows and setting up basic VPN stuff. My BSD knowledge is pretty limited.
Mahalo, Jeremy
Re: [pfSense Support] Help with Siproxd
On Mon, Aug 3, 2009 at 9:55 PM, Jeremy Bennett jbenn...@obtusion.com wrote:
When I install siproxd, everything looks good, however when I go to my services page and press the play/start button, PFsense reports that siproxd has been started, but when the page refreshes, the status still shows up as stopped.
Have you tried refreshing the ServicesStatus page after waiting a few more seconds? I haven't used the siproxd package, but I know that some services take longer to start than it does for the page to refresh.
db