[pfSense Support] OpenNTP offset & sync

2010-09-02 Thread Karl Fife

We're running Embedded 1.2.3 on Soekris 5501.

We ran into a funny situation last week where ntpd was failing to sync even 
though the stratum 1 ntp server was reachable, and the OpenNTP service was 
running.  pfSense offset grew by about 2 seconds per day, and our ntp 
clients were in dutiful lockstep with this drift.  Restarting the OpenNTP 
service didn't seem to trigger a resync, but forcing a sync from the command 
line did seem to eliminate the (eventual) 38 second offset.  However, even 
after the explicit resync, Windows clients wouldn't sync, complaining that 
the time server (pfSense) had not resync'd recently enough.  This message 
persisted even after subsequent "forced resyncs" (resyncs that resulted in 
<.01 sec offset correction).


Later that evening (after the elves had gone home) I simply rebooted 
pfSense, and today it all seems to be syncing, and all of our network clocks 
(appliances) and Windows clients seem to be syncing nicely with no 
complaints.  Naturally I went to check the logs, but I was somewhat 
surprised to see that /var/log/ntpd.log was empty.  Is there a different log 
file I should be checking?


Has anyone else seen OpenNTPD fail similarly?  I've never seen my other 
pfSense instances drift by more than a few hundred milliseconds.  We have 
some market traders that rely on a very reliable real time clock for market 
close.  I'd appreciate any tips.


Thanks!
-Karl




-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
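
A check a monitoring host could run against the firewall's NTP service, as an added example that is not part of the original post: it decodes an NTP reply (RFC 5905 header layout) and flags the conditions described in the message above, a large offset and a stale last-sync time. The function names, thresholds and sample packets are assumptions constructed for illustration.

```python
import struct

NTP_DELTA = 2208988800          # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER = "!BBbbiI4s8I"          # 48-byte NTP header, RFC 5905 field order

def _unix(sec, frac):
    """32.32 fixed-point NTP timestamp -> Unix seconds."""
    return sec - NTP_DELTA + frac / 2**32

def parse_ntp_reply(data):
    """Decode the fields of a server reply that a client uses to judge it."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (flags, stratum, _poll, _prec, _rdelay, rdisp, _refid,
     ref_s, ref_f, _o_s, _o_f, rx_s, rx_f, tx_s, tx_f) = struct.unpack(HEADER, data[:48])
    return {
        "leap": flags >> 6, "mode": flags & 7, "stratum": stratum,
        "root_dispersion": rdisp / 2**16,
        "reference": _unix(ref_s, ref_f),   # when the server last set its clock
        "receive": _unix(rx_s, rx_f),       # T2
        "transmit": _unix(tx_s, tx_f),      # T3
    }

def assess(reply, t1, t4, max_offset=0.5, max_ref_age=3600):
    """Return (offset_seconds, findings). t1/t4 are the client's send/receive
    times taken from a trusted reference clock; thresholds are assumptions."""
    findings = []
    if reply["mode"] != 4:
        findings.append("not a server-mode reply")
    if reply["leap"] == 3:
        findings.append("leap indicator 3: server says it is unsynchronized")
    if not 1 <= reply["stratum"] <= 15:
        findings.append("stratum %d is not a usable time source" % reply["stratum"])
    ref_age = reply["transmit"] - reply["reference"]
    if ref_age > max_ref_age:
        findings.append("clock last set %.0f s before this reply" % ref_age)
    offset = ((reply["receive"] - t1) + (reply["transmit"] - t4)) / 2
    if abs(offset) > max_offset:
        findings.append("offset %.3f s exceeds %.3f s" % (offset, max_offset))
    return offset, findings

def sample_reply(leap, stratum, ref, rx, tx):
    """Build a constructed reply (version 4, mode 4) for offline testing."""
    flags = (leap << 6) | (4 << 3) | 4
    return struct.pack(HEADER, flags, stratum, 6, -20, 0, 0, b"\0\0\0\0",
                       ref + NTP_DELTA, 0, 0, 0, rx + NTP_DELTA, 0, tx + NTP_DELTA, 0)

# Constructed data: a server 38 s behind that last set its clock a day ago,
# and a healthy one. T1 and T4 would come from a clock you already trust.
T = 1283400000
DRIFTED = sample_reply(3, 2, T - 38 - 86400, T - 38, T - 38)
HEALTHY = sample_reply(0, 2, T - 64, T, T)

if __name__ == "__main__":
    for name, pkt in (("drifted", DRIFTED), ("healthy", HEALTHY)):
        offset, findings = assess(parse_ntp_reply(pkt), T, T)
        print(name, "offset=%+.3f" % offset, findings or "ok")
```

In live use the packet would be the 48-byte UDP reply from port 123 of the firewall, with T1 and T4 taken on a host whose clock is disciplined independently of it.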



RE: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Steven Sherwood
Hi all,

Apart from the Realtek onboard NICs (2x1000Mbps), this looks nice for a 
non-rackmounted option built around a dual core Atom 330 :

http://www.newegg.com/Product/Product.aspx?Item=N82E16856115033

-- Steve

-Original Message-
From: Jim Pingle [mailto:li...@pingle.org] 
Sent: Thursday, September 02, 2010 12:21 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 
3.0) Service

On 9/2/2010 12:03 PM, Curtis Maurand wrote:
> I found one Vyatta feature that trumped pfsense where I am.  The ability
> to route VPN via a secondary address/lan on one of the NIC's.  I could
> not make that happen w/pfsense.  Otherwise I would be using it, here. 
> In another location that I'm responsible for, I have it running quite
> nicely.  I really like the road-warrior IPSEC abilities that Vyatta
> doesn't have.

That should be possible by putting "local x.x.x.x;" in the config where
x.x.x.x is your LAN or internal IP, and by making sure you have a static
route to the other endpoint that leads out a local gateway.

In 2.0 you can pick any interface (even LAN) to run an OpenVPN instance on.

Jim




Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Jim Pingle
On 9/2/2010 12:03 PM, Curtis Maurand wrote:
> I found one Vyatta feature that trumped pfsense where I am.  The ability
> to route VPN via a secondary address/lan on one of the NIC's.  I could
> not make that happen w/pfsense.  Otherwise I would be using it, here. 
> In another location that I'm responsible for, I have it running quite
> nicely.  I really like the road-warrior IPSEC abilities that Vyatta
> doesn't have.

That should be possible by putting "local x.x.x.x;" in the config where
x.x.x.x is your LAN or internal IP, and by making sure you have a static
route to the other endpoint that leads out a local gateway.

In 2.0 you can pick any interface (even LAN) to run an OpenVPN instance on.

Jim




Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Curtis Maurand

 On 9/2/2010 11:42 AM, Tim Dickson wrote:

   Contacting you off the board, as I have questions about the "other" firewall 
software you carry.  What do you think of Vyatta and Untangled?  I came from using 
m0n0wall so naturally recommend pfSense to my clients, but wanted to know if you think 
either of the others are better.


I use both pfSense and Untangled on my sites.  I can't give up pfSense for the 
power it has as a multi-network router/firewall.  I really haven't come across 
anything that can come close.
However, Untangle is a great platform as a UTM - it's dang simple to install, 
and the reporting is great to keep on file, and easily readable for HR etc..
I tried Vyatta for a week (and gave Endian a try too) and there were no 
features that I used that trumped pfSense.


I found one Vyatta feature that trumped pfsense where I am.  The ability 
to route VPN via a secondary address/lan on one of the NIC's.  I could 
not make that happen w/pfsense.  Otherwise I would be using it, here.  
In another location that I'm responsible for, I have it running quite 
nicely.  I really like the road-warrior IPSEC abilities that Vyatta 
doesn't have.


--Curtis





Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread bsd
You can check this : 

http://www.osnet.eu/en/content/firewall-fwa-3035s

Actually there is a fwa-3035l (not yet sold), which might interest you… 


I'll send you the specs off list. It runs on low voltage and might suit your 
needs.

Thanks. 


Le 1 sept. 2010 à 17:00, Michael Riglin a écrit :

> Christmas came early this year, and I am moving to the new DOCSIS 3.0 service 
> that is available from my ISP. This new service will provide a 100/5 Mbps 
> service which is a nice upgrade from the 15/1 Mbps service that I currently 
> have in place. Unfortunately, the reliable ALIX appliances I have used to run 
> pfSense will not support the full downstream bandwidth of this new service. 
> The ALIX model I currently use is the ALIX2D3, which uses the AMD Geode 
> LX800 500 MHz chip and is not quite beefy enough for the full 100 Mbps 
> unfortunately.
>  
> So, I need to seek out a new ALIX-like appliance to purchase, or I have to 
> build a new mini-ITX box to get the full capabilities of the connection. 
> Before I research the best custom mini-ITX system build options, I wanted to 
> ask the list for any experience-based recommendations on low power 
> consumption appliances for purchase that have enough CPU power to support 100 
> Mbps and above. (Quality and future-proofing is more important than cost.)
>  
> Thanks in advance to anyone who replies.
>  
> Best regards,
> Michael
>  
>  
> Service link, in case there is an interest:
> http://www.shaw.ca/en-ca/ProductsServices/Internet/Nitro/
>  
>  


Gregober ---> PGP ID --> 0x1BA3C2FD
bsd @at@ todoo.biz








Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Curtis Maurand



On 9/1/2010 12:17 PM, Jeppe Øland wrote:

I did a similar speed upgrade to find my trusty old WRAP capped out at
like 15 mbit.

What I ended up getting was a mini-ITX enclosure/PSU:
http://www.mini-box.com/M350-enclosure-with-picoPSU-80-and-60W-adapter

Supermicro X7SPA-H motherboard (It's fanless, so quiet and reliable):
http://www.newegg.com/Product/Product.aspx?Item=N82E16813182233&nm_mc=OTC-Froogle&cm_mmc=OTC-Froogle-_-Motherboards+-+Server-_-SuperMicro-_-13182233

And of course some RAM.

That thing isn't even breaking a sweat saturating the connection, and
power usage was something like 18 watts if I remember correctly.

Regards,
-Jeppe

Try one of these.

http://www.newegg.com/Product/ComboBundleDetails.aspx?ItemList=Combo.489867

--Curtis





RE: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Tim Dickson
>  Contacting you off the board, as I have questions about the "other" firewall 
>software you carry.  What do you think of Vyatta and Untangled?  I came from 
>using m0n0wall so naturally recommend pfSense to my clients, but wanted to 
>know if you think either of the others are better.  


I use both pfSense and Untangled on my sites.  I can't give up pfSense for the 
power it has as a multi-network router/firewall.  I really haven't come across 
anything that can come close. 
However, Untangle is a great platform as a UTM - it's dang simple to install, 
and the reporting is great to keep on file, and easily readable for HR etc..
I tried Vyatta for a week (and gave Endian a try too) and there were no 
features that I used that trumped pfSense. 




Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread lee hall


LinuxAppliance.net also has pfSense firewall options, shipping from the U.S.



--Tim

Tim,

Thanks for the shameless plug, I have bookmarked your site. Contacting you off 
the board, as I have questions about the "other" firewall software you carry. 
What do you think of Vyatta and Untangled? I came from using m0n0wall so 
naturally recommend pfSense to my clients, but wanted to know if you think 
either of the others are better. 

Lee


Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Tim Nelson
- "lee hall"  wrote: 
> - Original Message -
> From: Gavin Spurgeon
> Sent: 09/02/10 10:28 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS
> 3.0) Service
>
> > Another good box might be something like:-
> > http://linitx.com/viewproduct.php?prodid=12711
> >
> > Http://linitx.com is a good source for these kind of units and also has
> > Dual Motherboard Chassis as well.
> > http://linitx.com/viewproduct.php?prodid=11041
> >
> > They also have a section on the store for Firewalls:-
> > http://linitx.com/viewcategory.php?catid=79&pp=79
> >
> > Gavin Spurgeon. AKA Da Geek
>
> The rackmount http://linitx.com/viewproduct.php?prodid=11041 does look very
> good, I like the front NICs.
>
> I am in the US and shipping is much more reasonable with a US based supplier.
> http://nw-ds.com/shop/firewalls.html They sell rackmount unit with pfSense
> preinstalled but the NICs are in the back.

LinuxAppliance.net also has pfSense firewall options, shipping from the U.S.

--Tim


Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread lee hall
- Original Message -
From: Gavin Spurgeon
Sent: 09/02/10 10:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 
3.0) Service

> Another good box might be something like:-
> http://linitx.com/viewproduct.php?prodid=12711
>
> Http://linitx.com is a good source for these kind of units and also has
> Dual Motherboard Chassis as well.
> http://linitx.com/viewproduct.php?prodid=11041
>
> They also have a section on the store for Firewalls:-
> http://linitx.com/viewcategory.php?catid=79&pp=79
>
> Gavin Spurgeon. AKA Da Geek

The rackmount http://linitx.com/viewproduct.php?prodid=11041 does look very 
good, I like the front NICs.

I am in the US and shipping is much more reasonable with a US based supplier. 
http://nw-ds.com/shop/firewalls.html They sell rackmount unit with pfSense 
preinstalled but the NICs are in the back.


Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Gavin Spurgeon


Another good box might be something like:-

http://linitx.com/viewproduct.php?prodid=12711

Http://linitx.com is a good source for these kind of units and also has
Dual Motherboard Chassis as well.
http://linitx.com/viewproduct.php?prodid=11041

They also have a section on the store for Firewalls:-
http://linitx.com/viewcategory.php?catid=79&pp=79

- -- 

Gavin Spurgeon.
AKA Da Geek

- --
"The happiest of people don't necessarily have the best of everything,
they just make the most of everything that comes along their way.."



Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Sean Cavanaugh
not pushing appliance shop either but browsing thru their products they did 
have a "GHz edition" of same dual setup


-Original Message- 
From: Duncan Hall

Sent: Thursday, September 02, 2010 6:28 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 
3.0) Service


Looking at the specs I'd say there are 2 Alix boards in that appliance.
According to the hardware sizing document
(http://doc.pfsense.org/index.php/Hardware_requirements) you are going
to need something in excess of 700Mhz to handle the full throughput,
more if you start using VPNs and plugins.

Perhaps something atom based?
http://www.logicsupply.com/products/ps_fw101b

(No I don't work for logic supply).

Regards,

Duncan







On 2/09/2010 7:12 PM, Jonathan Marriott wrote:

This place does a two-in-one unit:

http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-pfsense-dual-19-appliance.html

I'm not affiliated with applianceshop.

On 1 September 2010 18:51, Tim Nelson <tnel...@rockbochs.com> wrote:

- "Tonix (Antonio Nati)" <to...@interazioni.it> wrote:
 > Is there any case which can contain two motherboards and two power
 > supplies?
 > It would be nice to have one 1U case with clustered pfsense inside.
 >

Travla makes the T1200 which holds 2x Mini-itx boards with
independent PSUs:

http://www.travla.com/product_d.php?id=16

--Tim




Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Duncan Hall
Looking at the specs I'd say there are 2 Alix boards in that appliance. 
According to the hardware sizing document 
(http://doc.pfsense.org/index.php/Hardware_requirements) you are going 
to need something in excess of 700Mhz to handle the full throughput, 
more if you start using VPNs and plugins.


Perhaps something atom based?
http://www.logicsupply.com/products/ps_fw101b

(No I don't work for logic supply).

Regards,

Duncan







On 2/09/2010 7:12 PM, Jonathan Marriott wrote:

This place does a two-in-one unit:

http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-pfsense-dual-19-appliance.html

I'm not affiliated with applianceshop.

On 1 September 2010 18:51, Tim Nelson <tnel...@rockbochs.com> wrote:

- "Tonix (Antonio Nati)" <to...@interazioni.it> wrote:
 > Is there any case which can contain two motherboards and two power
 > supplies?
 > It would be nice to have one 1U case with clustered pfsense inside.
 >

Travla makes the T1200 which holds 2x Mini-itx boards with
independent PSUs:

http://www.travla.com/product_d.php?id=16

--Tim




[pfSense Support] IPSec and dual WAN

2010-09-02 Thread Jonathan Marriott
Hi all,

I've got a really weird problem and I'm completely stuck, hoping someone
here will have some insight.

I've got pfSense with three WAN (WAN, OPT1 and OPT2) interfaces, two DMZ
(OPT3 and OPT4) and a LAN (LAN) with private addressing. I have setup an
IPSec tunnel with the LAN as the local network and WAN as the terminating
interface and it works perfectly.

Unfortunately, the DMZ networks also pass traffic to the same destination
network as the IPSec tunnel and this does not work. I have firewall rules on
the DMZ interfaces that route all their outbound traffic through a load
balanced gateway that includes OPT1 and OPT2. Usually this works fine but
now I have enabled the IPSec tunnel all their outbound traffic ignores the
firewall rule and goes out unencrypted on the WAN interface. The traffic
never reaches the destination network because the ISP filters source
addresses. It's like there is a firewall rule before mine that is altering
the gateway.

Pings that are inbound from the remote network arrive on OPT2, reach the
machine in the DMZ and then replies are successfully passed back to the
remote network. Sticky connections are switched off.  I've tried clearing
any states relating to the DMZ machines but it doesn't help.

I'm at the point where I'm considering a restart but that'll have to wait
until the weekend!

Anybody got any ideas?

Many thanks,
Jon


Re: [pfSense Support] racoon and radius support

2010-09-02 Thread Dan Candea

On 09/02/2010 12:08 PM, Chris Buechler wrote:

On Thu, Sep 2, 2010 at 5:05 AM, Dan Candea  wrote:
   

hello

maybe this question was already put, but I could find it in the archives.
Is there any support for radius in racoon?
 

You'll have to use 2.0 or compile it yourself for that.


   

I'm using 2.0, but it said it is not supported

--
Dan Cândea
Does God Play Dice?





Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service

2010-09-02 Thread Jonathan Marriott
This place does a two-in-one unit:

http://www.applianceshop.eu/index.php/firewalls/opnsense/opnsense-pfsense-dual-19-appliance.html

I'm not affiliated with applianceshop.

On 1 September 2010 18:51, Tim Nelson  wrote:

> - "Tonix (Antonio Nati)"  wrote:
> > Is there any case which can contain two motherboards and two power
> > supplies?
> > It would be nice to have one 1U case with clustered pfsense inside.
> >
>
> Travla makes the T1200 which holds 2x Mini-itx boards with independent
> PSUs:
>
> http://www.travla.com/product_d.php?id=16
>
> --Tim
>


Re: [pfSense Support] racoon and radius support

2010-09-02 Thread Chris Buechler
On Thu, Sep 2, 2010 at 5:05 AM, Dan Candea  wrote:
> hello
>
> maybe this question was already put, but I could find it in the archives.
> Is there any support for radius in racoon?

You'll have to use 2.0 or compile it yourself for that.




[pfSense Support] racoon and radius support

2010-09-02 Thread Dan Candea

hello

maybe this question was already put, but I could find it in the archives.
Is there any support for radius in racoon?
I tried xauth with radius and I receive racoon not configured with
--with-libradius
I need this cause I want to assign static IPs per roadwarrior user


 thank you

--
Dan Cândea
Does God Play Dice?





Re: [pfSense Support] Re: Can't get more than 10k connections on an IP

2010-09-02 Thread Chris Buechler
On Tue, Aug 31, 2010 at 1:26 AM, Tom  wrote:
> worked great..
> one firewall is 1.2.3 and it was exactly as you mentioned.
> the other firewall is 1.2.2 and there is no "set skip on pfsync" line but I
> added it in the same section before the
> $rules .= "\n";
> touched a rule to force the firewall reload and the numbers show up as
> expected.
> # pfctl -sm
> states        hard limit   20
> src-nodes     hard limit    23456

That doesn't affect all scenarios but in some cases it can limit
per-IP connections, so I changed it to stay the same as the state
table size for future releases.
