Re: [pfSense Support] lagg (lacp) support 1.2

2009-11-13 Thread Ermal Luçi
I would be interested in bringing support to it on 1.2, since I wrote the
support for bonding in 2.0.
Be aware that it will not be committed to the 1.2 repo; it will be a private
addition to your install.

What is your budget on this and we can come to an agreement.

On Fri, Nov 13, 2009 at 12:08 AM, Leon Strong leon.str...@smx.co.nz wrote:

  Hi Team,

 I'm at a point here that I'm going to be needing to do some port level
 aggregation due to bandwidth/sub-netting requirements, currently, it seems
 that the only way to do this reliably in a semi supportable way, would be to
 do bonding/teaming/lacp on a linux/bsd box, and to virtualise pfSense,
 which I'm not terribly keen on.

 What's the possibility of getting bonding into 1.2 - how much work would it
 be, and would there be anyone interested in doing this for a bounty?

 Cheers,

 Leon.
 --

 *Leon Strong *| Technical Engineer
 *DDI:* +64 9 950 2203 *Fax:* +64 9 302 0518
 *Mobile:* +64 21 0202 8870 *Freephone:* 0800 SMX SMX (769 769)
 Level 15, 19 Victoria Street, Auckland, New Zealand | SMX Ltd | smx.co.nz




-- 
Ermal


Re: [pfSense Support] lagg (lacp) support 1.2

2009-11-13 Thread Aarno Aukia
Hello,

On Fri, Nov 13, 2009 at 00:08, Leon Strong leon.str...@smx.co.nz wrote:

 I'm at a point here that I'm going to be needing to do some port level
 aggregation due to bandwidth/sub-netting requirements, currently, it seems
 that the only way to do this reliably in a semi supportable way, would be to
 do bonding/teaming/lacp on a linux/bsd box, and to virtualise pfSense,
 which I'm not terribly keen on.

 What's the possibility of getting bonding into 1.2 - how much work would it
 be, and would there be anyone interested in doing this for a bounty?


Since 1.2 is in a feature-freeze and this is hardly a bug I don't know if
even patches would be accepted for this in 1.2.

Currently it's not really that hard:
   * install package shellcmd
   * add following earlyshellcmds (substitute your ethernet interface names):
      * ifconfig lagg0 create
      * ifconfig lagg0 up laggproto lacp laggport em2 laggport em3
   * add the following shellcmds:
      * ifconfig em2 up
      * ifconfig em3 up
   * reboot
   * you now have a lagg0 interface in Interfaces - assign
   * if you want to assign vlans to it in the gui you have to patch /usr/local/www/interfaces_vlan_edit.php:
      * comment out if (is_jumbo_capable($ifn)) {, add { to parent foreach

We have done this a few times already, we can do it for you if you want.

Regards,
Aarno
-- 
Aarno Aukia
Atrila GmbH
Switzerland


[pfSense Support] blacklist exceptions?

2009-11-13 Thread Luke Jaeger
We are using pfSense 1.2.2 with squidguard as firewall/content filter  
for a school.


Squidguard is configured to use the shallalist.de blacklists and it  
works quite well. But there are times when I want to whitelist a site  
(ie sexuality info sites that Shalla has mistakenly categorized as  
porn) - if I add it to Proxy server:Access control it's still  
blocked. Anything I can do other than putting in a request to Shalla  
to re-categorize?


Luke Jaeger | Technology Coordinator
Pioneer Valley Performing Arts Charter Public School
www.pvpa.org


-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] CARP switchover to backup because of high traffic

2009-11-13 Thread Evgeny Yurchenko

Evgeny Yurchenko wrote:

Jim Pingle wrote:

Evgeny Yurchenko wrote:
 

Yesterday it happened twice on one of my production firewalls. CPU load
was less than 10%. Did not pay attention at the moment but according to
RRD number of states was not unusual - 4-5k. I reproduced it in my lab -
only test connection, so number of states was less than 100.



When this happens, check the output of ifconfig -a on the master when
it won't take back over, see what advskew it is advertising.

There are certain failure states that cause it to set an advskew of 240
regardless of what it is actually configured to be. Figuring out what
caused that, however, can be a bit trickier.

I push quite a lot of traffic through my pfSense boxes and have never
seen them failover in this manner. Nightly backups push just about wire
speed through my CARP pair (100MBit).

  

Again hit the same situation on production firewall.
All carp interfaces show carp: BACKUP vhid xxx advbase 1 advskew 0 like this:

carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
   inet 10.0.0.244 netmask 0xff00
   carp: BACKUP vhid 100 advbase 1 advskew 0

On all interfaces see only partner's packets like this
# tcpdump -ni vlan1 vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan1, link-type EN10MB (Ethernet), capture size 96 bytes
19:11:39.871724 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:41.264295 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:42.656753 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:44.049203 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:45.441655 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
19:11:46.834109 IP 10.0.0.243 > 224.0.0.18: VRRPv2, Advertisement, vrid 100, prio 100, authtype none, intvl 1s, length 36
^C

# sysctl net.inet.ip.intr_queue_drops
net.inet.ip.intr_queue_drops: 0
but now there is no load.
If anybody can give any advice I can keep this situation for some time
as it is after business hours Friday.

Thanks,
Evgeny.


One more time on different pfSense cluster.
If I pay for support would somebody be able to login and see what is 
going on here?

Thanks.
Evgeny.
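
The check suggested in the quoted reply above (read the state and advskew each CARP interface reports in ifconfig -a, and watch for the advskew of 240 that certain failure states set), as an added example that is not part of the original thread. The function name carp_status, the verdict labels and the sample text are assumptions made for illustration; the sample is constructed in the same layout as the carp0 output quoted above.

```shell
#!/bin/sh
# carp_status: read `ifconfig -a` text on stdin and print one line per CARP
# status line in the form:
#   <ifname> <state> vhid=<n> advskew=<n> <verdict>
# verdict (hypothetical labels):
#   DEMOTED     advskew is 240, the failure-state value named in the thread
#   NOT-MASTER  state is anything other than MASTER
#   OK          MASTER with an advskew other than 240
carp_status() {
    awk '
        # Interface header lines start in column 1: "carp0: flags=..."
        /^[^ \t]/ { ifname = $1; sub(/:$/, "", ifname) }
        # Status line: "carp: BACKUP vhid 100 advbase 1 advskew 0"
        $1 == "carp:" {
            state = $2; vhid = "?"; skew = "?"
            for (i = 3; i < NF; i++) {
                if ($i == "vhid")    vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            verdict = "OK"
            if (state != "MASTER") verdict = "NOT-MASTER"
            if (skew == "240")     verdict = "DEMOTED"
            printf "%s %s vhid=%s advskew=%s %s\n", ifname, state, vhid, skew, verdict
        }
    '
}

# Constructed sample input (not captured from a real firewall).
SAMPLE='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet 192.0.2.10 netmask 0xffffff00
    carp: BACKUP vhid 100 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet 192.0.2.74 netmask 0xffffff00
    carp: BACKUP vhid 101 advbase 1 advskew 240
carp2: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet 192.0.2.138 netmask 0xffffff00
    carp: MASTER vhid 102 advbase 1 advskew 0'

# On a live box this would be: ifconfig -a | carp_status
printf '%s\n' "$SAMPLE" | carp_status
```

A BACKUP line with advskew 0, as in the carp0 output quoted above, comes out as NOT-MASTER rather than DEMOTED.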





Re: [pfSense Support] CARP switchover to backup because of high traffic

2009-11-13 Thread Chris Buechler
On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:

 If I pay for support would somebody be able to login and see what is going
 on here?


Sure, absolutely.




Re: [pfSense Support] CARP switchover to backup because of high traffic

2009-11-13 Thread Evgeny Yurchenko

Chris Buechler wrote:

On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
  

If I pay for support would somebody be able to login and see what is going
on here?




Sure, absolutely.

  
BTW https://portal.pfsense.org/index.php/subscribe-for-access does not 
look nice in IE.





Re: [pfSense Support] CARP switchover to backup because of high traffic

2009-11-13 Thread Evgeny Yurchenko

Chris Buechler wrote:

On Fri, Nov 13, 2009 at 4:31 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
  

If I pay for support would somebody be able to login and see what is going
on here?




Sure, absolutely.

  

Paid. Should we proceed off list?
Thanks.




[pfSense Support] CARP and BGP

2009-11-13 Thread Glenn Kelley
Am I correct in assuming that CARP and BGP cannot work together - as  
CARP pushes private ip addresses ?






Re: [pfSense Support] CARP and BGP

2009-11-13 Thread Chris Buechler
On Fri, Nov 13, 2009 at 9:13 PM, Glenn Kelley gl...@typo3usa.com wrote:
 Am I correct in assuming that CARP and BGP cannot work together - as CARP
 pushes private ip addresses ?


CARP doesn't push private IPs, not sure what you mean by that, but it
can work just the same as anything with public IPs. Though there are
likely complications related to the BGP package in combination with
CARP. Haven't tried it personally, not sure.
