[pfSense Support] Re: NIC choice

2009-11-03 Thread Ugo Bellavance

Bill Marquette wrote:

On Mon, Nov 2, 2009 at 1:32 PM, Vick Khera vi...@khera.org wrote:

On Sun, Nov 1, 2009 at 9:12 PM, Ugo Bellavance u...@lubik.ca wrote:

3com 905 (xl)

I'd put this on your WAN and the intel on the LAN.  3Com have been
well supported in FreeBSD (and even in the original 4.2BSD before that)
forever.

For a long while, back in the early early days of PC's running BSD's,
I would only buy 3Com NICs, mostly the 509c (which even had barrel
connectors!) and then the 905's when we moved up to the high-speed
ethernets.


Given the use of vlans, I imagine you might have LAN - LAN
connectivity, the em(4) will provide better throughput than any of the
non-gig cards.


I'll definitely put the em on the lan side, but since this firewall is 
mostly to share the internet link, there is barely any vlan-to-vlan 
traffic (except for ntp and maybe some other management protocols).



If you have an opportunity to drop an fxp(4) in there
instead of the realtek or 3com cards, you'd be happier, but given only
30mbit throughput requirements, either will handle the traffic.  The
Intel card will also do vlan tagging in hardware (and checksumming)
allowing you to save a bit of CPU.


I'll use the em to handle the vlan'd side.  I'll check how it goes, as 
it will be the first time that I copy a config from one machine to the 
other.




I had a ton of those 509c ISA cards back in the day...they almost gave
me 1mbit :) (at least one had AUI, TP, and BNC connectors)  I
understand the 3c905 on a PCI bus ran a tad faster *grin*.  At any
rate, I second this config...although I've had more than my share of
issues with 3com cards, I'd still pick one over a realtek (and
certainly over a dlink branded realtek).


:)

Thanks,

Ugo


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



RE: [pfSense Support] Sending traffic out a 2nd WAN interface

2009-11-03 Thread Ron Lemon
Hi Chris and Keenan,

It is still not working so this is exactly what I have.  I don't usually
post all the live IPs but at this point I just need it to work.

Windows 2K3 Server (no firewall) 10.0.3.1

This guy needs to receive LDAP and SMTP traffic from OPT1 Interface

LAN Rules:

Proto  Source          Port  Dest            Port  GW            Sched
TCP    *               *     142.46.226.22   25    142.47.56.89
TCP    *               *     142.46.226.24   389   142.47.56.89
TCP    *               *     10.250.223.148  389   142.47.56.89
*      LAN net         *     *               *     *

OPT1 Rules:

TCP    142.46.226.24   *     10.0.3.1        389   142.47.56.89
TCP    10.250.223.148  *     10.0.3.1        389   142.47.56.89
TCP    142.46.226.22   *     10.0.3.1        25    142.47.56.89
ICMP   *               *     *               *     *
TCP    142.46.226.16   *     LAN net         *     142.47.56.89


OPT1 is on a private network with ip of 142.47.56.90/28 with GW of
142.47.56.89

From a workstation I can successfully telnet out to 142.46.226.22:25 but I
cannot telnet to either of the 389 addresses

When they try and telnet to me I do see traffic in my FW capture from them
on OPT1 for 389 but it never gets passed to the inside machine.

This is driving me nuts and I am sure I am missing something simple, please
any help is appreciated.

-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris
Buechler
Sent: Monday, November 02, 2009 9:44 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Sending traffic out a 2nd WAN interface

On Mon, Nov 2, 2009 at 8:10 PM, Ron Lemon rjle...@gmail.com wrote:
 Do I create this rule on the WAN or OPT tab under Firewall rules?


Wherever the traffic is initiated (LAN probably).

 Do I need to enable AON or should I leave automatic?


Automatic.




Re: [pfSense Support] Sending traffic out a 2nd WAN interface

2009-11-03 Thread Evgeny Yurchenko

Ron Lemon wrote:

Hi Chris and Keenan,

It is still not working so this is exactly what I have.  I don't usually
post all the live IPs but at this point I just need it to work.

Windows 2K3 Server (no firewall) 10.0.3.1

This guy needs to receive LDAP and SMTP traffic from OPT1 Interface

LAN Rules:

Proto  Source          Port  Dest            Port  GW            Sched
TCP    *               *     142.46.226.22   25    142.47.56.89
TCP    *               *     142.46.226.24   389   142.47.56.89
TCP    *               *     10.250.223.148  389   142.47.56.89
*      LAN net         *     *               *     *

OPT1 Rules:

TCP    142.46.226.24   *     10.0.3.1        389   142.47.56.89
TCP    10.250.223.148  *     10.0.3.1        389   142.47.56.89
TCP    142.46.226.22   *     10.0.3.1        25    142.47.56.89
ICMP   *               *     *               *     *
TCP    142.46.226.16   *     LAN net         *     142.47.56.89


OPT1 is on a private network with ip of 142.47.56.90/28 with GW of
142.47.56.89

From a workstation I can successfully telnet out to 142.46.226.22:25 but I
cannot telnet to either of the 389 addresses

When they try and telnet to me I do see traffic in my FW capture from them
on OPT1 for 389 but it never gets passed to the inside machine.

This is driving me nuts and I am sure I am missing something simple, please
any help is appreciated.

  

I do not think you need to specify gateway in OPT1 rules, make it default.
Then, you have to set up port forward nat on OPT1, so traffic destined 
to 142.47.56.90:389 should be forwarded to 10.0.3.1. When you create 
this forwarding proper rules will be created automatically.

If I understand your task correctly...





Re: [pfSense Support] Re: NIC choice

2009-11-03 Thread Morgan Reed
On Mon, Nov 2, 2009 at 21:44, Ugo Bellavance u...@lubik.ca wrote:
 I wasn't sure if rl was Realtek, but I agree on your statement.  The
 firewall will have 30 mbps throughput max, would I still benefit from the em
 card?  I could also use the fxp card in the old firewall.

Biggest issue I've found WRT rl cards is that they tend to flood the
system with extraneous interrupts which slows everything down
generally, so yes, you'll still get benefits from the em card but the
fxp would also be adequate.
Ideally given the cards you have to hand I'd do em for LAN and fxp for WAN.

 If I go with another em, do I need the server version?

For 30Mb/sec no, not really.




Re: [pfSense Support] throughput, haproxy

2009-11-03 Thread Evgeny Yurchenko

Lenny wrote:

Hi,


I'm the same guy that had that long thread about not being able to 
push more than 15kpps.

Well, this is sort of a report + some additional questions.
Anyway, eventually we purchased an IBM x3550 server with 2 Quad Core 
CPUs (5230 I think).


Now I can push 310Mb, which is about 70kpps (my average packet size 
grew a little bit since then and I believe it's now about 600).

Lenny.

Hi Lenny!
I cannot give you any advice but would like to share my results with HP 
DL360 G4 box which has two dual-core Intels 3.4GHz running *1.2.3-RC2* 
built on Mon Aug 31 06:09:28 UTC 2009. It was not built for performance 
and has only two Broadcom NICs on motherboard. One NIC is LAN, another 
one is tagged with 20 VLANs though usually only one-two (max three) 
vlans are pushing traffic really hard simultaneously. Traffic goes up to 
450Mb/s with 38kpps and CPU load is 25% during these peaks. I suspect 
that it is when 1 CPU (core) is loaded 100% and another 3 are idling. Is 
this the case for you as well with 100% one CPU load and 7 others idling?
Your system is much newer than mine and everybody says that Intel NICs 
are better than Broadcom so I would expect better performance.

Are your results for real traffic or were you performing tests?
What kind of traffic are you pushing? I've noticed that Intel NICs deal 
much better with TCP than with UDP in terms of CPU usage (it can be 
explained only by performing some TCP functions by NIC).

Please keep us posted!

Evgeny.





Re: [pfSense Support] throughput, haproxy

2009-11-03 Thread Lenny

Evgeny Yurchenko wrote:


Lenny wrote:

Hi,


I'm the same guy that had that long thread about not being able to 
push more than 15kpps.

Well, this is sort of a report + some additional questions.
Anyway, eventually we purchased an IBM x3550 server with 2 Quad Core 
CPUs (5230 I think).


Now I can push 310Mb, which is about 70kpps (my average packet size 
grew a little bit since then and I believe it's now about 600).

Lenny.

Hi Lenny!
I cannot give you any advice but would like to share my results with 
HP DL360 G4 box which has two dual-core Intels 3.4GHz running 
*1.2.3-RC2* built on Mon Aug 31 06:09:28 UTC 2009. It was not built 
for performance and has only two Broadcom NICs on motherboard. One NIC 
is LAN, another one is tagged with 20 VLANs though usually only 
one-two (max three) vlans are pushing traffic really hard 
simultaneously. Traffic goes up to 450Mb/s with 38kpps and CPU load is 
25% during these peaks. I suspect that it is when 1 CPU (core) is 
loaded 100% and another 3 are idling. Is this the case for you as well 
with 100% one CPU load and 7 others idling?
Your system is much newer than mine and everybody says that Intel NICs 
are better than Broadcom so I would expect better performance.

Are your results for real traffic or were you performing tests?
What kind of traffic are you pushing? I've noticed that Intel NICs 
deal much better with TCP than with UDP in terms of CPU usage (it can 
be explained only by performing some TCP functions by NIC).

Please keep us posted!

Evgeny.





Hi Evgeny,

You are right about the CPU load - it is exactly what's happening, only 
I have 2 Cores out of 8 reaching 100% (one for each interface).
My traffic is production TCP, it's a website, with mostly pictures and 
flash files (advertisement).


But I would really like to ask again, as this is very important: will 
replacing the PCI-X NIC with PCI-e one give some boost in performance?


Lenny.




Re: [pfSense Support] throughput, haproxy

2009-11-03 Thread Seth Mos

Lenny wrote:

But I would really like to ask again, as this is very important: will 
replacing the PCI-X NIC with PCI-e one give some boost in performance?


Unlikely, there is little reason to switch. The theoretical bandwidth 
cases are not too helpful.


The intel dual port pci-e cards are x4 ~ (4 * 250MB/s)
The intel dual port pci-x card is 64bit 133 mhz is ~ 1000MB/s

So, no you are not likely to see any improvement. If any, I suspect it's 
more of a chipset thing.


Regards,

Seth
