[pfSense Support] interrupt v kernel usage
I'm using a pair of onboard (vr) NICs on a net5501-80 (500 MHz Geode) with vlans to firewall a 36/4 mlppp connection. During heavy download top reports interrupts around 40-50% CPU usage with most of the remainder being idle. I dropped in an Intel Pro 1000 GT (em, PCI) in place of one of the onboards to handle the internal vlans and during heavy downloading the interrupts dropped down to around 20%, but now the kernel process was reporting ~17% CPU usage. The idle process was not significantly different from the vr NIC to the em.

I was surprised by this result, not only because of Intel's sterling reputation among pfsense users, but also because of the fact alone that the Intel NIC is gigabit hardware (on a gigabit switch). Was I wrong to expect a drop in CPU usage with the Intel GBE?

Also, before somebody mentions it, TSO and LRO were enabled for this test. I tried disabling LRO, but this immediately caused pfsense to become unresponsive on the network and the serial console. After resetting it LRO was still enabled, so I didn't provoke it further. Within a couple hours pfsense had locked up again, so I moved the LAN cable back to the onboard NIC and it's been running stably for 17 hours since (with the Intel card still installed but not assigned).

Thoughts?

db
[pfSense Support] Re: interrupt v kernel usage
Sorry, forgot to mention 2.0 nanobsd August 2 snapshot.

On Wed, Aug 25, 2010 at 12:20 AM, David Burgess apt@gmail.com wrote:
> I'm using a pair of onboard (vr) NICs on a net5501-80 (500 MHz Geode) with vlans to firewall a 36/4 mlppp connection. During heavy download top reports interrupts around 40-50% CPU usage with most of the remainder being idle. I dropped in an Intel Pro 1000 GT (em, PCI) in place of one of the onboards to handle the internal vlans and during heavy downloading the interrupts dropped down to around 20%, but now the kernel process was reporting ~17% CPU usage. The idle process was not significantly different from the vr NIC to the em.
>
> I was surprised by this result, not only because of Intel's sterling reputation among pfsense users, but also because of the fact alone that the Intel NIC is gigabit hardware (on a gigabit switch). Was I wrong to expect a drop in CPU usage with the Intel GBE?
>
> Also, before somebody mentions it, TSO and LRO were enabled for this test. I tried disabling LRO, but this immediately caused pfsense to become unresponsive on the network and the serial console. After resetting it LRO was still enabled, so I didn't provoke it further. Within a couple hours pfsense had locked up again, so I moved the LAN cable back to the onboard NIC and it's been running stably for 17 hours since (with the Intel card still installed but not assigned).
>
> Thoughts?
>
> db
Re: [pfSense Support] interrupt v kernel usage
On Wed, Aug 25, 2010 at 2:20 AM, David Burgess apt@gmail.com wrote:
> I'm using a pair of onboard (vr) NICs on a net5501-80 (500 MHz Geode) with vlans to firewall a 36/4 mlppp connection. During heavy download top reports interrupts around 40-50% CPU usage with most of the remainder being idle. I dropped in an Intel Pro 1000 GT (em, PCI) in place of one of the onboards to handle the internal vlans and during heavy downloading the interrupts dropped down to around 20%, but now the kernel process was reporting ~17% CPU usage. The idle process was not significantly different from the vr NIC to the em.
>
> I was surprised by this result, not only because of Intel's sterling reputation among pfsense users, but also because of the fact alone that the Intel NIC is gigabit hardware (on a gigabit switch). Was I wrong to expect a drop in CPU usage with the Intel GBE?

No, but in the 5501's case it doesn't surprise me. If you had a PC or server with vr PCI NICs and replaced them with em PCI NICs, there is a considerable difference (though the vr NICs I have at least aren't too bad performance-wise, they beat out Realtek rl handily). Not sure what the bus on the 5501 is like but there could be a big difference between going from onboard to PCI on that kind of hardware.
Re: [pfSense Support] pfsense list still there?
Thank you, I'm glad not to be alone.

Regards

On Tue, Aug 24, 2010 at 11:08 PM, Chris Buechler cbuech...@gmail.com wrote:
> On Tue, Aug 24, 2010 at 4:47 PM, Danny metal...@gmail.com wrote:
>> Hi,
>>
>> Normally I don't send mails to this list, because most of the times, googling, reading the forum, and of course playing with make me solve problems...
>>
>> In the last month I asked this list for support with 3 different issues (still got them), and zero answers...
>>
>> Did you receive my emails?
>
> Looks like it. You can confirm they went to the list here.
> http://news.gmane.org/gmane.comp.security.firewalls.pfsense.support
>
>> Am I banned?
>
> No
>
>> Am I asking silly things? (I don't think so)
>
> I only see one post. Not silly, just something apparently no one (with the time to respond) knows the answer to. You're welcome to bump your posts if they don't get an answer after 24 hours.

--
dpc
Re: [pfSense Support] interrupt v kernel usage
I would turn on Device polling (Or off if it is on)

On 25.08.2010 at 08:20, David Burgess wrote:
> I'm using a pair of onboard (vr) NICs on a net5501-80 (500 MHz Geode) with vlans to firewall a 36/4 mlppp connection. During heavy download top reports interrupts around 40-50% CPU usage with most of the remainder being idle. I dropped in an Intel Pro 1000 GT (em, PCI) in place of one of the onboards to handle the internal vlans and during heavy downloading the interrupts dropped down to around 20%, but now the kernel process was reporting ~17% CPU usage. The idle process was not significantly different from the vr NIC to the em.
>
> I was surprised by this result, not only because of Intel's sterling reputation among pfsense users, but also because of the fact alone that the Intel NIC is gigabit hardware (on a gigabit switch). Was I wrong to expect a drop in CPU usage with the Intel GBE?
>
> Also, before somebody mentions it, TSO and LRO were enabled for this test. I tried disabling LRO, but this immediately caused pfsense to become unresponsive on the network and the serial console. After resetting it LRO was still enabled, so I didn't provoke it further. Within a couple hours pfsense had locked up again, so I moved the LAN cable back to the onboard NIC and it's been running stably for 17 hours since (with the Intel card still installed but not assigned).
>
> Thoughts?
>
> db

Best regards
Tom Müller-Kortkamp
[pfSense Support] captive portal
Hi,

I'm running a few (6 at the moment) pfsense 1.2.3-RELEASE boxes on a rather large scale wireless network, as border routers and firewalls between the internet uplinks and the rest of the network.

(network background info: +600 subnets, +150 router nodes, 6 internet uplinks, about 1000 unique mac-address clients per 24h, www.wirelessbelgie.be , non-profit organisation running on volunteers )

The traffic shaper is active on the pfsense boxes to allow different internet speeds to different subnets on the network. I'm currently using very large alias lists to manage the +600 private subnets in the traffic shaper.

We are currently looking at switching to a captive portal + traffic shaper + freeradius, so we can set speeds based on user/pass combination instead of IP subnet. Tests are successful up till now, and we are going to switch this into production pretty soon.

However, I have one problem: The network contains a lot of 'dumb' devices (ipcams, sound encoders, serial2ip, ...) which also need internet access, but have no clue on how to log in to the captive portal. I cannot use mac-authentication with the captive portal and the radius server because there are routers in between the pfsense boxes and the devices. From what I see now the only way to allow these devices access to the internet is to add them to the Allowed IP list in the captive portal. But managing this list separately on every box would be a lot of work. I would prefer to use an alias containing all my allowed ip's which I can then update through the fetch alias list from url package.

First Question: Is there any way to use aliases in the captive Allowed IP list, or to automate managing this list in any way ? (maybe some radius attribute I don't know about?)

Second question: Are the devices in the allowed list allowed to pass through the captive portal right away, or do they need to open an HTTP connection first to 'trigger' the captive portal logic ?

Third Question: I'm currently running 1.2.3 but switching to 2.0 would be possible, if this would help me in this situation. What would you guys recommend for this situation, 1.2.3 or 2.0 ?

Thanks!

Regards,
Hans
[pfSense Support] pfSense Captive Portal and Motorola BackFlip
I have a user who has a Motorola Backflip. It comes up with the Captive Portal pages, but after authenticating, he receives a 411 - Length required error page. Has anyone dealt with this before?

Thank you and while searching the DHCP login, I noticed I had some users whose END times on DHCP were 1969/12/31 at 17:59. I am still searching the forums for this as well.

Thank you
Dwane
Re: [pfSense Support] pfSense Captive Portal and Motorola BackFlip
On Wed, Aug 25, 2010 at 12:05 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
> I have a user who has a Motorola Backflip. It comes up with the Captive Portal pages, but after authenticating, he receives a 411 – Length required error page. Has anyone dealt with this before?

Never heard of that happening. 411 means "The server refuses to accept the request without a defined Content-Length. The client MAY repeat the request if it adds a valid Content-Length header field containing the length of the message-body in the request message." No properly functioning browser should send such a request, it isn't HTTP 1.1 compliant. Seems to be common to some other Android devices, and a wide range of sites, if you search on it. Its browser is broken. Hacking the source to disable HTTP 1.1 in lighttpd should work around that, but could cause any number of other issues. Something that broken on the phone has probably been fixed I presume, see if there is an update for the phone available.

> Thank you and while searching the DHCP login, I noticed I had some users whose END times on DHCP were 1969/12/31 at 17:59. I am still searching the forums for this as well.

I believe that's the date on leases that don't expire (that's shortly before the Unix epoch) but not completely sure.
RE: [pfSense Support] pfSense Captive Portal and Motorola BackFlip
I have the user seeing if they can download Dolphin.

Yeah, I recognized the dates and knew they were close to the Unix Epoch, but why would they be the release times for DHCP address. Do you think it is time for a reboot?

-----Original Message-----
From: Chris Buechler [mailto:cbuech...@gmail.com]
Sent: Wednesday, August 25, 2010 1:48 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense Captive Portal and Motorola BackFlip

On Wed, Aug 25, 2010 at 12:05 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
> I have a user who has a Motorola Backflip. It comes up with the Captive Portal pages, but after authenticating, he receives a 411 - Length required error page. Has anyone dealt with this before?

Never heard of that happening. 411 means "The server refuses to accept the request without a defined Content-Length. The client MAY repeat the request if it adds a valid Content-Length header field containing the length of the message-body in the request message." No properly functioning browser should send such a request, it isn't HTTP 1.1 compliant. Seems to be common to some other Android devices, and a wide range of sites, if you search on it. Its browser is broken. Hacking the source to disable HTTP 1.1 in lighttpd should work around that, but could cause any number of other issues. Something that broken on the phone has probably been fixed I presume, see if there is an update for the phone available.

> Thank you and while searching the DHCP login, I noticed I had some users whose END times on DHCP were 1969/12/31 at 17:59. I am still searching the forums for this as well.

I believe that's the date on leases that don't expire (that's shortly before the Unix epoch) but not completely sure.
Re: [pfSense Support] pfSense Captive Portal and Motorola BackFlip
On Wed, Aug 25, 2010 at 4:18 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
> I have the user seeing if they can download Dolphin.
>
> Yeah, I recognized the dates and knew they were close to the Unix Epoch, but why would they be the release times for DHCP address. Do you think it is time for a reboot?

Reboot won't change anything. Can you email me or post the contents of /var/dhcpd/var/db/dhcpd.leases? Go to Diagcommand and run:

cat /var/dhcpd/var/db/dhcpd.leases
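
Added example, not part of the thread and not pfSense code: it lists the entries of a dhcpd.leases file that have no usable end time, and shows that a Unix timestamp just below zero prints as 1969/12/31 17:59 in a UTC-6 zone. The lease data is constructed, and the UTC-6 offset is an assumption about the time zone of the system that displayed the leases.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in ISC dhcpd.leases syntax (not data from the thread).
SAMPLE_LEASES = """\
lease 192.168.1.10 {
  starts 3 2010/08/25 17:00:00;
  ends 3 2010/08/25 19:00:00;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.11 {
  starts 3 2010/08/25 17:05:00;
  ends never;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.12 {
  starts 4 1970/01/01 00:00:00;
  ends 3 1969/12/31 23:59:59;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# Handles flat lease blocks only; nested "on ... { }" blocks are not parsed.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"\bends\s+(never|\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d))\s*;")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def render_local(epoch_seconds, utc_offset_hours):
    """Format a Unix timestamp as a UI in a fixed-offset zone would show it."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = (EPOCH + timedelta(seconds=epoch_seconds)).astimezone(tz)
    return local.strftime("%Y/%m/%d %H:%M")

def suspicious_leases(text):
    """Return (ip, reason) for each lease without a usable end time."""
    flagged = []
    for ip, body in LEASE_RE.findall(text):
        m = ENDS_RE.search(body)
        if m is None:
            flagged.append((ip, "no ends statement"))
        elif m.group(1) == "never":
            flagged.append((ip, "ends never"))
        else:
            # Lease file dates are UTC in the default db-time-format.
            end = datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S")
            if end.replace(tzinfo=timezone.utc) <= EPOCH:
                flagged.append((ip, "ends at or before the Unix epoch"))
    return flagged
```

Any timestamp from -60 to -1 seconds gives the same 17:59 display at UTC-6, so the displayed value alone does not say which sentinel produced it; the lease file entry does.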