[pfSense Support] Bottleneck for some reason?

2010-02-05 Thread Tortise
I had a P 500 III CPU with 1G of RAM and now a P 400II with 756M RAM running embedded (512M CF) 1.2.3 and three Intel 1000GT's.  One 
WAN, Two LAN.  LAN 2 is LAN1 10.a.b+1.c.d.  (/24), both performed much the same.


The cable download speed has just been upgraded from 4MBps to 10Mbps however downloads on pfSense are still limited to 4Mbps, 
despite several modem power cycles.  A notebook direct connected to the cable modem does indeed get 10Mbps suggesting pfsense is the 
bottleneck.


The book and http://doc.pfsense.org/index.php/Hardware_requirements suggest to 
me I should be getting 20-40Mbps throughput.

Can anyone suggest how I can investigate from here? 



-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Bottleneck for some reason?

2010-02-05 Thread Chris Buechler
On Fri, Feb 5, 2010 at 3:52 AM, Tortise  wrote:
> I had a P 500 III CPU with 1G of RAM and now a P 400II with 756M RAM running
> embedded (512M CF) 1.2.3 and three Intel 1000GT's.  One WAN, Two LAN.    LAN
> 2 is LAN1 10.a.b+1.c.d.  (/24), both performed much the same.
>
> The cable download speed has just been upgraded from 4MBps to 10Mbps however
> downloads on pfSense are still limited to 4Mbps, despite several modem power
> cycles.  A notebook direct connected to the cable modem does indeed get
> 10Mbps suggesting pfsense is the bottleneck.
>
> The book and http://doc.pfsense.org/index.php/Hardware_requirements suggest
> to me I should be getting 20-40Mbps throughput.
>
> Can anyone suggest how I can investigate from here?
>

Traffic shaping enabled?




Re: [pfSense Support] Bottleneck for some reason?

2010-02-05 Thread Tortise
- Original Message - 
From: "Chris Buechler" 

To: 
Sent: Friday, February 05, 2010 10:02 PM
Subject: Re: [pfSense Support] Bottleneck for some reason?


On Fri, Feb 5, 2010 at 3:52 AM, Tortise  wrote:

I had a P 500 III CPU with 1G of RAM and now a P 400II with 756M RAM running
embedded (512M CF) 1.2.3 and three Intel 1000GT's. One WAN, Two LAN. LAN
2 is LAN1 10.a.b+1.c.d. (/24), both performed much the same.

The cable download speed has just been upgraded from 4MBps to 10Mbps however
downloads on pfSense are still limited to 4Mbps, despite several modem power
cycles. A notebook direct connected to the cable modem does indeed get
10Mbps suggesting pfsense is the bottleneck.

The book and http://doc.pfsense.org/index.php/Hardware_requirements suggest
to me I should be getting 20-40Mbps throughput.

Can anyone suggest how I can investigate from here?



=Traffic shaping enabled?

Yes!  OK now disabled, that's doubled it to 8Mbps.  As it's evening here it might be high traffic cutting it down from 10 to 8, I'll 
try again during a lower demand time.
Thanks Chris.   Out of interest wouldn't a larger CPU increase the shaper's limits?  (there was little difference in the 400 and 500, 
I would have expected some difference?)
Last test from http://www.nzdsl.co.nz/ was 9.5Mbps, so I guess that's the answer.  (Looks to read book's traffic shaper section)






Re: [pfSense Support] Bottleneck for some reason?

2010-02-05 Thread Robert Mortimer
> On Fri, Feb 5, 2010 at 3:52 AM, Tortise 
> wrote:
> > I had a P 500 III CPU with 1G of RAM and now a P 400II with 756M RAM
> running
> > embedded (512M CF) 1.2.3 and three Intel 1000GT's. One WAN, Two LAN.
> LAN
> > 2 is LAN1 10.a.b+1.c.d. (/24), both performed much the same.
> >
> > The cable download speed has just been upgraded from 4MBps to 10Mbps
> however
> > downloads on pfSense are still limited to 4Mbps, despite several
> modem power
> > cycles. A notebook direct connected to the cable modem does indeed
> get
> > 10Mbps suggesting pfsense is the bottleneck.
> >
> > The book and http://doc.pfsense.org/index.php/Hardware_requirements
> suggest
> > to me I should be getting 20-40Mbps throughput.
> >
> > Can anyone suggest how I can investigate from here?
> >
> 
> =Traffic shaping enabled?
> 
> Yes!  OK now disabled, that's doubled it to 8Mbps.  As its evening
> here it might be high traffic cutting it down from 10 to 8, I'll 
> try again during a lower demand time.
> Thanks Chris.   Out of interest wouldn't a larger CPU increase the
> shapers limits?  (there was little difference in the 400 and 500, 
> I would have expected some difference?)
> Last test from http://www.nzdsl.co.nz/ was 9.5Mbps, so I guess that's
> the answer.  (Looks to read book's traffic shaper section) 
> 

From my memory you tell the shaper the bandwidth of your connection in order
for it to work. As a result the value set here is your upper limit regardless
of CPU




Re: [pfSense Support] Bottleneck for some reason?

2010-02-05 Thread Tortise
- Original Message - 
From: "Robert Mortimer" 

To: 
Sent: Friday, February 05, 2010 10:20 PM
Subject: Re: [pfSense Support] Bottleneck for some reason?


=Traffic shaping enabled?

Yes!  OK now disabled, that's doubled it to 8Mbps.  As its evening
here it might be high traffic cutting it down from 10 to 8, I'll
try again during a lower demand time.
Thanks Chris.   Out of interest wouldn't a larger CPU increase the
shapers limits?  (there was little difference in the 400 and 500,
I would have expected some difference?)
Last test from http://www.nzdsl.co.nz/ was 9.5Mbps, so I guess that's
the answer.  (Looks to read book's traffic shaper section)



From my memory you tell the shaper the bandwidth of your connection it order for it to work. As a result the value set here is you 
upper limit regardless of CPU


qwanroot  0  No 2000 Kb   qwanRoot
qlanroot  0  No 4000 Kb   qlanRoot

Now that seems significant.  It is such a long time ago since I ran that wizard 
I'd forgotten that bit!

Thanks guys. 






RE: [pfSense Support] sip device disconnects every 2 days.

2010-02-05 Thread Chris Bagnall
> But my Voip device keeps disconnecting each and every 1,5 to 2 days...
> and there is nothing I can do about on the sip-device itself...
> rebooting won't help.

> I also am guessing that it might be my DSL
> line that the provider disconnects each 36 hours...

Whilst that's certainly possible, it's not necessarily the only cause of the 
problem.

I've noticed at a number of sites that Linksys SPA SIP phones (and I'm guessing 
probably ATAs such as the PAP2 as well, but have little experience with those) 
appear to disconnect about once every 24-72 hours, but Snom and Siemens devices 
appear to be fine.

This is in an environment where the WAN connection is *not* dropping at all, 
and there are no IP changes on the WAN interface.

Similar to the OP, restarting the SIP device does not resolve the problem, but 
restarting pfSense or simply resetting the state table immediately solves the 
problem.

Any thoughts?

Regards,

Chris
-- 
For full contact details visit http://www.minotaur.it
This email is made from 100% recycled electrons





Re: [pfSense Support] PPTP + FreeRADIUS

2010-02-05 Thread Fabio Rampazzo Mathias
ping?

On Thu, Feb 4, 2010 at 5:21 PM, Fabio Rampazzo Mathias
wrote:

> Hi again,
>
> I've configured FreeRADIUS to work with NTLM_AUTH. Now my freeradius logs
> are ok and is authenticating without clear password (I'm gonna generate some
> howto to post here). But I still can't connect over PPTP. There's no problem
> with FreeRadius but my OSX says: "Authentication failure".
>
> I guess the problem is in pfSense's PPTP package. How can I track errors ?
> I've read the /var/log/vpn.log but it only gives me the successfully
> connections i've made without using freeradius.
>
> Thanks in advance
>
> On Tue, Jan 19, 2010 at 11:20 AM, Fabio Rampazzo Mathias <
> fmath...@gmail.com> wrote:
>
>> Hans,
>>
>> Thanks for the help.
>> Gonna try this and find some help in this way.
>>
>> Cheers
>>
>> On Tue, Jan 19, 2010 at 11:13 AM, Hans Maes  wrote:
>>
>>> Fabio,
>>>
>>> I remember having the same problem when I configured my captive portal +
>>> pptp + freeradius + mysql backend.
>>> I'm no expert at this, but I may be able to give you a start in the right
>>> direction.
>>>
>>> The thing is captive portal radius check uses another authentication type
>>> than the pptp radius check.
>>>
>>> IMHO, the pptp authentication uses the MS-CHAP type which requires a
>>> plaintext password in the database.
>>> At least, switching from an encrypted entry to a plaintext Password entry
>>> fixed it for me.
>>> Without the password in plaintext in my db, I could not get PPTP radius
>>> auth working.
>>>
>>>
>>> Fabio Rampazzo Mathias wrote:
>>>
>>>> WARNING: No "known good" password was found in LDAP.  Are you sure that
>>>> the user is configured correctly?
>>>> [ldap] user fmathias authorized to use remote access
>>>
>>> This would support my theory.
>>> freeradius can find the fmathias user and says the user itself is allowed
>>> to connect, but only if further password checks succeed.
>>>
>>>
>>>> Found Auth-Type = MSCHAP
>>>> +- entering group MS-CHAP {...}
>>>> [mschap] No Cleartext-Password configured.  Cannot create LM-Password.
>>>> [mschap] No Cleartext-Password configured.  Cannot create NT-Password.
>>>> [mschap] Told to do MS-CHAPv2 for fmathias with NT-Password
>>>> [mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
>>>> [mschap] FAILED: MS-CHAP2-Response is incorrect
>>>> ++[mschap] returns reject
>>>> Failed to authenticate the user.
>>>> Using Post-Auth-Type Reject
>>>
>>> It then tries to check the MS-CHAP authentication, but can't find a
>>> usable password to generate the NT-Password field.
>>>
>>> I solved this by putting the cleartext-password in the db, so the
>>> NT-Password could be generated by freeradius.
>>> The better approach might be to find out what this NT-Password is and
>>> just add that field.
>>>
>>> H.
>>>
>>
>


Re: [pfSense Support] Bottleneck for some reason?

2010-02-05 Thread mehma sarja
Does the default 1 states under system|advanced limit speed at some
point?

Mehma
===

On Fri, Feb 5, 2010 at 1:30 AM, Tortise  wrote:

> - Original Message - From: "Robert Mortimer" <
> rmorti...@bluechiptechnology.co.uk>
> To: 
> Sent: Friday, February 05, 2010 10:20 PM
>
> Subject: Re: [pfSense Support] Bottleneck for some reason?
>
>  =Traffic shaping enabled?
>>>
>>> Yes!  OK now disabled, that's doubled it to 8Mbps.  As its evening
>>> here it might be high traffic cutting it down from 10 to 8, I'll
>>> try again during a lower demand time.
>>> Thanks Chris.   Out of interest wouldn't a larger CPU increase the
>>> shapers limits?  (there was little difference in the 400 and 500,
>>> I would have expected some difference?)
>>> Last test from http://www.nzdsl.co.nz/ was 9.5Mbps, so I guess that's
>>> the answer.  (Looks to read book's traffic shaper section)
>>>
>>>
>> From my memory you tell the shaper the bandwidth of your connection it
>> order for it to work. As a result the value set here is you upper limit
>> regardless of CPU
>>
>
> qwanroot  0  No 2000 Kb   qwanRoot
> qlanroot  0  No 4000 Kb   qlanRoot
>
> Now that seems significant.  It is such a long time ago since I ran that
> wizard I'd forgotten that bit!
>
> Thanks guys.
>


[pfSense Support] BGP MD5 weird behavior when connection closes

2010-02-05 Thread Evgeny Yurchenko
I think it is more FreeBSD's problem than pfSense's but decided anyway 
to post it here as somebody might run into the same issue.
When we use MD5 TCP signing with OpenBGP package TCP connection 
termination does not go properly which results in BGP password errors on 
remote cisco side and thus problems with reestablishing connection/routing.


So, normal tcp connection tearing down procedure:
---FIN--->
<---ACK---
<---FIN---
---ACK--->
All these TCP packets must be MD5 signed (correct me if I am wrong). The 
problem is: when pfSense initiates connection termination (you want to 
clear BGP session) the last ACK is not MD5 signed. It makes cisco keep 
this connection active for some time sending FINs as it attempts to 
close the connection.
If somebody has a clue how to fix this I would be very grateful for 
solution.

Thanks.

Evgeny.
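
Added example, not part of the post above and not pfSense or OpenBGPD code: a checker for the RFC 2385 TCP MD5 signature option (kind 19) run over a constructed four-segment teardown in which the final ACK carries no signature, the symptom described in the post. The addresses, ports, key and segments are made up for illustration.

```python
import hashlib, hmac, socket, struct

MD5_KIND, MD5_LEN = 19, 18          # RFC 2385 TCP MD5 Signature option

def md5_option(seg):
    """Return the 16-byte digest carried in option kind 19, or None."""
    opts, i = seg[20:(seg[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:        # 0 = end of option list
        if opts[i] == 1:                         # 1 = NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                          # malformed option list
        if opts[i] == MD5_KIND and opts[i + 1] == MD5_LEN:
            return seg[20 + i + 2:20 + i + MD5_LEN]
        i += opts[i + 1]
    return None

def rfc2385_digest(src, dst, seg, key):
    """MD5 over pseudo-header, fixed header (checksum zeroed), payload, key."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    header = seg[:16] + b"\x00\x00" + seg[18:20]  # TCP options are not hashed
    payload = seg[(seg[12] >> 4) * 4:]
    return hashlib.md5(pseudo + header + payload + key).digest()

def classify(src, dst, seg, key):
    """'unsigned' if option 19 is absent, else 'ok' or 'bad-digest'."""
    sig = md5_option(seg)
    if sig is None:
        return "unsigned"
    return "ok" if hmac.compare_digest(sig, rfc2385_digest(src, dst, seg, key)) else "bad-digest"

def build(src, dst, sport, dport, seq, ack, flags, key=None):
    """Constructed segment for the demo; key=None omits the MD5 option."""
    opts = b"\x01\x01" + bytes([MD5_KIND, MD5_LEN]) + bytes(16) if key else b""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (20 + len(opts)) // 4 << 4, flags, 65535, 0, 0) + opts
    if key:
        seg = seg[:24] + rfc2385_digest(src, dst, seg, key)
    return seg

def audit_teardown(key=b"constructed-key"):
    a, b = "192.0.2.1", "192.0.2.2"              # a = pfSense side, b = Cisco peer
    FIN_ACK, ACK = 0x11, 0x10
    trace = [(a, b, build(a, b, 40000, 179, 100, 500, FIN_ACK, key)),
             (b, a, build(b, a, 179, 40000, 500, 101, ACK, key)),
             (b, a, build(b, a, 179, 40000, 500, 101, FIN_ACK, key)),
             (a, b, build(a, b, 40000, 179, 101, 501, ACK))]  # last ACK unsigned
    return [classify(s, d, seg, key) for s, d, seg in trace]
```

Run against TCP segments extracted from a capture of the session, `classify` separates a segment that lacks the option entirely from one that carries a digest computed with the wrong key.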




Re: [pfSense Support] BGP MD5 weird behavior when connection closes

2010-02-05 Thread Ermal Luçi
On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko wrote:

> I think it is more FreeBSD's problem than pfSense's but decided anyway to
> post it here as somebody might run into the same issue.
> When we use MD5 TCP signing with OpenBGP package TCP connection termination
> does not go properly which results in BGP password errors on remote cisco
> side and thus problems with reestablishing connection/routing.
>
> So, normal tcp connection tearing down procedure:
> ---FIN--->
>
> <---ACK---
> <---FIN---
> ACK--->
> All these TCP packets must be MD5 signed (correct me if I am wrong). The
> problem is: when pfSense initiates connection termination (you want to clear
> BGP session) the last ACK is not MD5 signed. It makes cisco keep this
> connection active for some time sending FINs as it attempts to close the
> connection.
> If somebody has a clue how to fix this I would be very grateful for
> solution.
>

Try disabling selective acks.
should be net.inet.tcp.sack.enable=0


> Thanks.
>
> Evgeny.
>


-- 
Ermal


Re: [pfSense Support] BGP MD5 weird behavior when connection closes

2010-02-05 Thread Evgeny Yurchenko

Ermal Luçi wrote:



On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko wrote:


I think it is more FreeBSD's problem than pfSense's but decided
anyway to post it here as somebody might run into the same issue.
When we use MD5 TCP signing with OpenBGP package TCP connection
termination does not go properly which results in BGP password
errors on remote cisco side and thus problems with reestablishing
connection/routing.

So, normal tcp connection tearing down procedure:
---FIN--->

<---ACK---
<---FIN---
ACK--->
All these TCP packets must be MD5 signed (correct me if I am
wrong). The problem is: when pfSense initiates connection
termination (you want to clear BGP session) the last ACK is not
MD5 signed. It makes cisco keep this connection active for some
time sending FINs as it attempts to close the connection.
If somebody has a clue how to fix this I would be very grateful
for solution.


Try disabling selective acks.
should be net.inet.tcp.sack.enable=0
--
Ermal

I will but I do not think SACK algorithm is in use here.
Thanks.
Evgeny.
