Re: [pfSense Support] lagg (lacp) support 1.2
I would be interested in bringing support to it on 1.2, since I wrote the support for bonding in 2.0. Be aware that it will not be committed on 1.2 repo; it will be a private addition to your install. What is your budget on this and we can come to an agreement.

On Fri, Nov 13, 2009 at 12:08 AM, Leon Strong leon.str...@smx.co.nz wrote:
> Hi Team,
>
> I'm at a point here that I'm going to be needing to do some port level aggregation due to bandwidth/sub-netting requirements. Currently it seems that the only way to do this reliably in a semi supportable way would be to do bonding/teaming/lacp on a linux/bsd box, and to virtualise pfSense, which I'm not terribly keen on.
>
> What's the possibility of getting bonding into 1.2 - how much work would it be, and would there be anyone interested in doing this for a bounty?
>
> Cheers,
> Leon.
> --
> Leon Strong | Technical Engineer
> SMX Ltd | smx.co.nz

--
Ermal
Re: [pfSense Support] lagg (lacp) support 1.2
Hello,

On Fri, Nov 13, 2009 at 00:08, Leon Strong leon.str...@smx.co.nz wrote:
> I'm at a point here that I'm going to be needing to do some port level aggregation due to bandwidth/sub-netting requirements. Currently it seems that the only way to do this reliably in a semi supportable way would be to do bonding/teaming/lacp on a linux/bsd box, and to virtualise pfSense, which I'm not terribly keen on.
>
> What's the possibility of getting bonding into 1.2 - how much work would it be, and would there be anyone interested in doing this for a bounty?

Since 1.2 is in a feature-freeze and this is hardly a bug, I don't know if even patches would be accepted for this in 1.2.

Currently it's not really that hard:

* install package shellcmd
* add following earlyshellcmds (substitute your ethernet interface names):
  * ifconfig lagg0 create
  * ifconfig lagg0 up laggproto lacp laggport em2 laggport em3
* add the following shellcmds:
  * ifconfig em2 up
  * ifconfig em3 up
* reboot
* you now have a lagg0 interface in Interfaces - assign
* if you want to assign vlans to it in the gui you have to patch /usr/local/www/interfaces_vlan_edit.php:
  * comment out if (is_jumbo_capable($ifn)) {, add { to parent foreach

We have done this a few times already, we can do it for you if you want.

Regards,
Aarno
--
Aarno Aukia
Atrila GmbH
Switzerland
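A check to run after the reboot step in the procedure above, as an added example that is not part of the original post: it reads `ifconfig lagg0` output and reports whether each member port has negotiated LACP. The helper name lagg_check and both sample outputs are constructed for illustration; the interface names are the ones used in the post.

```sh
#!/bin/sh
# Added example (not from the thread): confirm that every member of a lagg
# interface has negotiated LACP. Feed it the output of `ifconfig lagg0`.

# lagg_check (hypothetical helper): prints "<port> bundled|NOT-bundled" per
# member; returns 0 if all are bundled, 1 if any is not, 2 if the input
# is not an LACP lagg at all.
lagg_check() {
    awk '
        $1 == "laggproto" { proto = $2 }
        $1 == "laggport:" {
            # A port only carries traffic in the bundle with all three flags.
            ok = ($0 ~ /ACTIVE/ && $0 ~ /COLLECTING/ && $0 ~ /DISTRIBUTING/)
            print $2, (ok ? "bundled" : "NOT-bundled")
            if (!ok) bad++
            n++
        }
        END {
            if (proto != "lacp" || n == 0) { print "not an lacp lagg"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }
    '
}

# Constructed sample output (interface names taken from the post above).
SAMPLE_OK='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        laggproto lacp
        laggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: em3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>'

# Constructed: em3 has not negotiated, e.g. switch port not set up for LACP.
SAMPLE_BAD='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        laggproto lacp
        laggport: em2 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: em3 flags=0<>'

printf '%s\n' "$SAMPLE_OK"  | lagg_check
printf '%s\n' "$SAMPLE_BAD" | lagg_check || echo "lagg0 is degraded"
# On the firewall itself: ifconfig lagg0 | lagg_check
```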
[pfSense Support] blacklist exceptions?
We are using pfSense 1.2.2 with squidguard as firewall/content filter for a school. Squidguard is configured to use the shallalist.de blacklists and it works quite well. But there are times when I want to whitelist a site (i.e. sexuality info sites that Shalla has mistakenly categorized as porn) - if I add it to Proxy server:Access control it's still blocked. Anything I can do other than putting in a request to Shalla to re-categorize?

Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] CARP switchover to backup because of high traffic
Evgeny Yurchenko wrote:
> Jim Pingle wrote:
>> Evgeny Yurchenko wrote:
>>> Yesterday it happened twice on one of my production firewalls. CPU load was less than 10%. Did not pay attention at the moment but according to RRD number of states was not unusual - 4-5k. I reproduced it in my lab - only test connection, so number of states was less than 100.
>>
>> When this happens, check the output of ifconfig -a on the master when it won't take back over, see what advskew it is advertising. There are certain failure states that cause it to set an advskew of 240 regardless of what it is actually configured to be. Figuring out what caused that, however, can be a bit trickier.
>>
>> I push quite a lot of traffic through my pfSense boxes and have never seen them failover in this manner. Nightly backups push just about wire speed through my CARP pair (100MBit).
>
> Again hit the same situation on production firewall. All carp interfaces show carp: BACKUP vhid xxx advbase 1 advskew 0 like this:
>
> carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
>         inet 10.0.0.244 netmask 0xff00
>         carp: BACKUP vhid 100 advbase 1 advskew 0
>
> On all interfaces see only partner's packets like this
>
> # tcpdump -ni vlan1 vrrp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on vlan1, link-type EN10MB (Ethernet), capture size 96 bytes
> 19:11:39.871724 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:41.264295 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:42.656753 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:44.049203 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:45.441655 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> 19:11:46.834109 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
> ^C
> # sysctl net.inet.ip.intr_queue_drops
> net.inet.ip.intr_queue_drops: 0
>
> but now there is no load. If anybody can give any advice I can keep this situation for some time as it is after business hours Friday.
>
> Thanks,
> Evgeny.

One more time on different pfSense cluster. If I pay for support would somebody be able to login and see what is going on here?

Thanks.
Evgeny.
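The check Jim Pingle describes in the quoted advice above (reading the CARP state and advskew from ifconfig -a), as an added example that is not part of the thread. The helper name carp_report, the verdict labels and the sample output are constructed; it assumes it is run on the node that should be MASTER for every vhid.

```sh
#!/bin/sh
# Added example (not from the thread): summarise CARP state from `ifconfig -a`.
# Assumption: run on the node that is expected to be MASTER for every vhid.

# carp_report (hypothetical helper): prints
#   <iface> <vhid> <state> <advskew> <verdict>
# for each "carp:" line and returns 1 if any vhid is flagged.
carp_report() {
    awk '
        /^[A-Za-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "carp:" {
            state = $2; vhid = "?"; skew = "?"
            for (i = 3; i < NF; i++) {
                if ($i == "vhid")    vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            verdict = "ok"
            # 240 is the value the thread says appears in certain failure states.
            if (skew == "240")          verdict = "advskew-240"
            else if (state != "MASTER") verdict = "not-master"
            if (verdict != "ok") bad++
            print iface, vhid, state, skew, verdict
        }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# Constructed sample, modelled on the carp0 output quoted in the thread.
SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.242 netmask 0xffffff00 broadcast 10.0.0.255
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 10.0.0.244 netmask 0xffffff00
        carp: BACKUP vhid 100 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 192.0.2.1 netmask 0xffffff00
        carp: BACKUP vhid 101 advbase 1 advskew 240
carp2: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 198.51.100.1 netmask 0xffffff00
        carp: MASTER vhid 102 advbase 1 advskew 0'

printf '%s\n' "$SAMPLE" | carp_report || echo "CARP needs attention"
# On the firewall itself: ifconfig -a | carp_report
```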
Re: [pfSense Support] CARP switchover to backup because of high traffic
On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> If I pay for support would somebody be able to login and see what is going on here?

Sure, absolutely.
Re: [pfSense Support] CARP switchover to backup because of high traffic
Chris Buechler wrote:
> On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
>> If I pay for support would somebody be able to login and see what is going on here?
>
> Sure, absolutely.

BTW https://portal.pfsense.org/index.php/subscribe-for-access does not look nice in IE.
Re: [pfSense Support] CARP switchover to backup because of high traffic
Chris Buechler wrote:
> On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
>> If I pay for support would somebody be able to login and see what is going on here?
>
> Sure, absolutely.

Paid. Should we proceed off list?

Thanks.
[pfSense Support] CARP and BGP
Am I correct in assuming that CARP and BGP cannot work together - as CARP pushes private IP addresses?
Re: [pfSense Support] CARP and BGP
On Fri, Nov 13, 2009 at 9:13 PM, Glenn Kelley gl...@typo3usa.com wrote:
> Am I correct in assuming that CARP and BGP cannot work together - as CARP pushes private IP addresses?

CARP doesn't push private IPs, not sure what you mean by that, but it can work just the same as anything with public IPs. Though there are likely complications related to the BGP package in combination with CARP. Haven't tried it personally, not sure.