Re: [pfSense Support] hardware to run pfsense with multiple ethernet ports

2011-01-04 Thread David Burgess
On Mon, Jan 3, 2011 at 10:47 PM, Chris Buechler  wrote:

> The cheapest new hardware option I'm aware of that can do 6 or more
> NICs is a Soekris 5501 with a dual or quad port card, for 6-8 ports.
> About $375-400. That's the only very low power option I'm aware of,
> should draw under 10 wt.


I can second that. I have a 5501-70 that measured 7W on a kill-a-watt
with an Intel Pro 1000 GT installed. The unit was not heavily loaded
when I took the reading, but I don't think it varied much under load.
A dual or quad-port 10/100 card shouldn't use more power than the GBE,
I think.

Another nice thing about the 5501 is that it takes 6-25VDC input,
which can be nice on a tower setup. No poe though.

db

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



[pfSense Support] Squid Log and MAC adress

2011-01-04 Thread Koray AGAYA
Hi,

Can I add computers' MAC addresses (squid logs)? Is it possible?


Thank you for everything


Re: [pfSense Support] Squid Log and MAC adress

2011-01-04 Thread Jostein Elvaker Haande
On 4 January 2011 13:53, Koray AGAYA  wrote:
> Hi,
>
> Can I add computers' MAC addresses (squid logs)? Is it possible?
>
>
> Thank you for everything

Hello Koray,

You've already asked this question once, without anyone replying.
There's no need for a second e-mail with the same content. If someone
knows, they will answer in due time.

Seeing as I'm a bit on the generous side today, I actually took the
time to Google your question, and after spending two minutes skimming
through the results, I can't see that you can log the MAC address in
Squid. And to be honest, I would be surprised if it did. If you are so
dead set to get the MAC addresses, I think your only option is to make
a perl script that parses your Squid log files, and uses tools like
i.e proxy-arp to get the MAC address.

As you can see from Squid's Log Format [1], the only thing logged is
the client address (read: IP address).

[1] http://wiki.squid-cache.org/Features/LogFormat

-- 
Yours sincerely Jostein Elvaker Haande
"A free society is a place where it is safe to be unpopular"
- Adlai Stevenson

http://tolecnal.net -- tolecnal at tolecnal dot net




Re: [pfSense Support] Squid Log and MAC adress

2011-01-04 Thread Yehuda Katz
On Tue, Jan 4, 2011 at 8:53 AM, Jostein Elvaker Haande wrote:

> On 4 January 2011 13:53, Koray AGAYA  wrote:
> > Hi,
> >
> > Can I add computers' MAC addresses (squid logs)? Is it possible?
> >
> >
> > Thank you for everything
>
> Seeing as I'm a bit on the generous side today, I actually took the
> time to Google your question, and after spending two minutes skimming
> through the results, I can't see that you can log the MAC address in
> Squid. And to be honest, I would be surprised if it did. If you are so
> dead set to get the MAC addresses, I think your only option is to make
> a perl script that parses your Squid log files, and uses tools like
> i.e proxy-arp to get the MAC address.
>
> As you can see from Squid's Log Format [1], the only thing logged is
> the client address (read: IP address).
>
> [1] http://wiki.squid-cache.org/Features/LogFormat


I have no idea where you would put this in pfSense, you might need to edit
the package, but:

*%http://www.squid-cache.org/Doc/config/logformat/


[pfSense Support] Advice?

2011-01-04 Thread Nicolas Roussi
Hi all,
after using pfsense 1.2.3 for a while as the DHCP server and secondary NAT for 
my wireless net, I decided to go ahead and replace my perimeter firewall and 
pfsense 1.2.3 with one device running pfsense 2.0 with 3 NICs. One for the WAN, 
one for the LAN and one for my WLAN. I have an HP proliant DL380 (2 dual core 
XEONS 2.8 with 2.5 gb RAM) sitting around and I am planning to have 5 SCSI 
drives in RAID5, the 2 embedded NICs (LAN and WLAN) plus another NIC in a PCI 
slot (WAN). The number of clients on the LAN is between 150-190 and on the WLAN 
600-800. Attached on the WLAN side I will have about 15 access points. The 
access points now are different brands.
Couple of questions: Would this setup be sufficient? 
And does anyone know a way to manage the access points, not necessarily through
the pfsense but maybe a software or hardware solution? Changing the access
points is also part of the plan, Aerohive, Motorola or Meru Networks...not
sure yet.

Any help/advice/suggestion is highly appreciated.
Thanks





Re: [pfSense Support] Advice?

2011-01-04 Thread David Burgess
On Tue, Jan 4, 2011 at 8:25 AM, Nicolas Roussi wrote:

> Would this setup be sufficient?

Depends on the bandwidth limits you will put on your clients. I have
2.0 with squid running on an Atom D510 with 4GB RAM and a 40/4 mbps
mlppp connection and it has no trouble. This is servicing 6 clients
with 10/1 each and a campus with 300 wifi customers, limited to 7/1
each.

> And does anyone know a way to manage the access points, not necessarily
> through the pfsense but maybe a software or hardware solution? Changing the
> access points is also part of the plan, Aerohive, Motorola or Meru
> Networks...not sure yet.

We use open-mesh indoors and ubiquiti outdoors. Open-mesh networks are
managed entirely centrally (on their web site). Ubiquiti (AirMax
only?) equipment is managed through their free AirControl software,
but it's not feature-complete. In other words, you still have to log
into individual units for some changes, or script something with pssh.
They have announced a beta version that is supposed to centralise this
a lot better.

Ubiquiti has also just released Unifi, which is their indoor
enterprise mesh, and they claim it is managed centrally. It looks
good, but frankly we're happy with our open-mesh, so I haven't had a
chance to try the Unifi.

db




[pfSense Support] New Alias Rules

2011-01-04 Thread James Bensley
Hi List,

If I make 3 aliases for some static port mappings, so let's say I make,
-"port1" with the port #100
-"port2" with the port #200
-"port3" with the port #300

and then make another alias called "myports" with three ports defined
where in the first I write "port1", "port2" in the second and "port3"
in the third, nesting the aliases, is this supported under pfSense? I
ask because I can't do this. As soon as I define "myports" and put the
actual port values for each port it works but nesting the aliases as it
were throws up this error when reloading the filter;

Should this work?

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?




Re: [pfSense Support] New Alias Rules

2011-01-04 Thread Jim Pingle
On 1/4/2011 11:21 AM, James Bensley wrote:
> Hi List,
> 
> If I make 3 aliases for some static port mappings, so let's say I make,
> -"port1" with the port #100
> -"port2" with the port #200
> -"port3" with the port #300
> 
> and then make another alias called "myports" with three ports defined
> where in the first I write "port1", "port2" in the second and "port3"
> in the third, nesting the aliases, is this supported under pfSense? I
> ask because I can't do this. As soon as I define "myports" and put the
> actual port values for each port it works but nesting the aliases as it
> were throws up this error when reloading the filter;
> 
> Should this work?

It should work on 2.0, but not on 1.2.3. Though I haven't tried it with
port aliases, it does work with IPs.

Jim




Re: [pfSense Support] New Alias Rules

2011-01-04 Thread James Bensley
Sorry I forgot to mention this is 2.0.


I haven't tried the IPs but for ports I am definitely going to need it. I
have many to define that are used in various rules again and again,
obviously I don't want to define every port every time but so far it simply
isn't working (when applying my changes during the filter reload an error
is thrown). I'm not at work at the minute, I will grab the error I am
receiving and post it here next time I'm in.

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand Vigesimal,
and J others...?


RE: [pfSense Support] Advice?

2011-01-04 Thread Adam Thompson
> Subject: [pfSense Support] Advice?
[...]
> and one for my WLAN. I have an HP proliant DL380 (2 dual core XEONS
> 2.8 with 2.5 gb RAM) sitting around and I am planning to have 5
> SCSI drives in RAID5, the 2 embedded NICs (LAN and WLAN) plus
> another NIC in a PCI slot (WAN). The number of clients on the LAN
> is between 150-190 and on the WLAN 600-800. Attached on the WLAN
> side I will have about 15 access points. The access points now are
> different brands.
> Couple of questions: Would this setup be sufficient?
> And does anyone know a way to manage the access points, not
> necessarily through the pfsense but maybe a software or hardware
> solution? Changing the access points is also part of the plan,
> Aerohive, Motorola or Meru Networks...not sure yet.

Whether that platform is sufficient or not depends on the packet rate, 
packet size, bandwidth used (which is just packet rate * packet size), # 
of firewall rules, simultaneous NAT sessions, etc., etc., etc.

That said, it'll be pretty hard to find a routing platform *better* than 
what you have without spending $70k+ for a high-end Cisco 7600 series. 
Some dedicated routers have ASICs that provide hardware acceleration of 
routing functions; I believe Cisco has this in the 3600 series (or 
whatever has replaced it by now).

I have a Dell PowerEdge 1650, dual PIII (Xeon-class) @ 1.2GHz that can 
almost do wire-speed gigabit between two subnets; the limiting factor 
appears to be overhead and latency, not raw cpu cycles.  Oh, and it's 
running a BGP feed at the same time.  I don't think I've ever seen the 
aggregate CPU usage climb above 20%.

RAM won't be much of an issue unless you're running every single service 
available for pfSense.

I haven't stress-tested NAT functionality, so I can't offer any concrete 
data on that.

I have some limited experience with the Symbol-cum-Motorola wireless 
controller architecture in small deployments (~6 APs), and while I won't 
say the manageability is great, the overall system is quite good: a 
*reasonable* mix of performance, management capability, support, and 
price.

Some people I know who have used Meru equipment have had co-existence 
issues - specifically, the Meru equipment tends to obliterate any other 
WLANs being used in the geographic and/or spectral vicinity.  I don't know 
if this is still a problem for them.  OTOH, Meru networks tend to be 
faster than usual; I remember reading somewhere that these two aspects 
were directly linked.

-Adam Thompson
 athom...@athompso.net







[pfSense Support] 1 big pfSense or 2 smaller ones?

2011-01-04 Thread Pandu Poluan
Hello,

I am planning to deploy pfSense, mostly for firewall and NAT, on my
production Cloud. It is based on VMware.

What do you recommend:
+ 1 big multi-CPU pfSense VM, or
+ 2 smaller single-CPU pfSense VMs

A question:
Will 2 smaller VMs provide higher throughput than a single big VM?

And some notes:
- RAM is at a premium here.
- I got only 2 Public IP Addresses.

Thank you for any input!

Rgds,
--
Pandu E Poluan
* ~ IT Optimizer ~ *
*Visit my Website: http://pandu.poluan.info*
 Google Talk:pepoluan
Y! messenger: pepoluan
MSN / Live:  pepol...@hotmail.com (do *not* send email here)
Skype:pepoluan
More on me:  LinkedIn 
Facebook


Re: [pfSense Support] 1 big pfSense or 2 smaller ones?

2011-01-04 Thread Jesse Vollmar
On Tue, Jan 4, 2011 at 9:32 PM, Pandu Poluan  wrote:

> Hello,
>
> I am planning to deploy pfSense, mostly for firewall and NAT, on my
> production Cloud. It is based on VMware.
>
> What do you recommend:
> + 1 big multi-CPU pfSense VM, or
> + 2 smaller single-CPU pfSense VMs
>
> A question:
> Will 2 smaller VMs provide higher throughput than a single big VM?
>
> And some notes:
> - RAM is at a premium here.
> - I got only 2 Public IP Addresses.
>
> Thank you for any input!
>
> Rgds,
> --
> Pandu E Poluan
> * ~ IT Optimizer ~ *
> *Visit my Website: http://pandu.poluan.info*
>  Google Talk:pepoluan
>  Y! messenger: pepoluan
> MSN / Live:  pepol...@hotmail.com (do *not* send email here)
>  Skype:pepoluan
> More on me:  LinkedIn    
> Facebook
>
>
Not sure how you plan on using 2 routers to do the same job, but keep in
mind that adding multiple CPUs to a vmware virtual machine is nothing like
having multiple physical CPUs. It will allow the VM to process more than a
single thread at a time, but the scheduling can be slowed down. There has to
be the same number of physical threads available on your host system as the
number of virtual CPUs on your VM. This means that even single threads can
end up waiting on processor ready time because you added more virtual CPUs
than the underlying system has idle.

Bottom line = Don't add more than 1 or 2 virtual CPUs to a pfsense VM.

What kind of host system(s) would it run on?

Jesse Vollmar
Aedis IT, LLC


Re: [pfSense Support] Squid Log and MAC adress

2011-01-04 Thread Jim Cheetham
Quoting Koray AGAYA (from 05/01/11 01:53):
> Can I add computers' MAC addresses (squid logs)? Is it possible?

If the computers in question are on the same subnet as the squid server,
then it is *possible* but I don't know how to configure it in pfSense.

If they are on a different subnet, then all you will see in the actual
requests is the MAC address of the last router in between.

Why do you need the MAC address? If it is because you are using DHCP and
the MAC/IP addresses are not guaranteed to match, and you are attempting
to identify the originating computer, then perhaps you need to consider
authentication instead.

-jim
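
The log-parsing approach suggested earlier in this thread, combined with the subnet caveat above, as an added example (not code from any poster or from pfSense/Squid). It assumes Squid's native access.log layout and FreeBSD-style `arp -an` output; the sample data, the 192.168.1.0/24 subnet and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: Squid native access.log lines.
ACCESS_LOG = """\
1294145580.123    150 192.168.1.23 TCP_MISS/200 4512 GET http://example.com/ - DIRECT/192.0.2.10 text/html
1294145581.456     12 192.168.1.50 TCP_HIT/200 1024 GET http://example.com/logo.png - NONE/- image/png
1294145582.789    230 10.20.0.7 TCP_MISS/200 2048 GET http://example.org/ - DIRECT/192.0.2.20 text/html
this line is not a log record
"""

# Constructed sample input: `arp -an` output taken on the proxy host.
ARP_OUTPUT = """\
? (192.168.1.23) at 00:1b:21:0a:0b:0c on em1 expires in 1187 seconds [ethernet]
? (192.168.1.50) at (incomplete) on em1 expired [ethernet]
? (192.168.1.1) at 00:0d:b9:01:02:03 on em1 permanent [ethernet]
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed proxy subnet

ARP_RE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})\b", re.I)

def parse_arp(text):
    """Map IP -> zero-padded lowercase MAC; '(incomplete)' entries are skipped."""
    table = {}
    for m in ARP_RE.finditer(text):
        octets = m.group("mac").lower().split(":")
        table[m.group("ip")] = ":".join(o.zfill(2) for o in octets)
    return table

def parse_access_line(line):
    """Return the fields of one native-format record, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        ts = float(f[0])
        ipaddress.ip_address(f[2])
    except ValueError:
        return None
    return {"time": ts, "client": f[2], "method": f[5], "url": f[6]}

def annotate(log_text, arp_text, local_net=LOCAL_NET):
    """Attach a MAC to each record where ARP on the proxy can know it."""
    arp = parse_arp(arp_text)
    out = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["client"]) not in local_net:
            # Different subnet: layer 2 only shows the last router's MAC.
            rec["mac"], rec["source"] = None, "routed"
        elif rec["client"] in arp:
            rec["mac"], rec["source"] = arp[rec["client"]], "arp"
        else:
            rec["mac"], rec["source"] = None, "no-arp-entry"
        out.append(rec)
    return out

if __name__ == "__main__":
    for r in annotate(ACCESS_LOG, ARP_OUTPUT):
        print(r["client"], r["mac"], r["source"], r["url"])
```

The ARP table reflects the moment it was read, not the moment of the request, so with DHCP the snapshot has to be taken close to the log timestamps for the pairing to mean anything.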




Re: [pfSense Support] Embedded hardware recommendation - Fan-less and many NIC ports

2011-01-04 Thread Angus Scott-Fleming
On 17 Dec 2010 at 3:26, Kevin Tollison wrote:

> I had a quote for the 7535 a few months ago. $459 IIRC barebones. This was
> from the manufacturer. If you want the guy's info I will forward it. I do
> plan to try one of these soon.

Would love to see the quote.  Forward off-list if you can't post the entire 
thing here.


--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/








Re: [pfSense Support] 1 big pfSense or 2 smaller ones?

2011-01-04 Thread Pandu Poluan
Well, I just divide the servers in the private network, half using the 1st
pfSense as the Def.Gateway, the other half using the 2nd pfSense.

I'm not really sure about the underlying system in terms of Make/Model; it's
in my Cloud Provider's datacenter.

I'm guaranteed, though, to have the following:
* 4 Physical Cores (at 2.0 GHz each, whatever that's supposed to mean)
* 4 GB RAM
* 100 GB Storage
* 2 Public IP addresses

Since I have 4 Physical Cores, I figure allocating 2 vCPUs should burden the
system too much, and helps threading in pfSense.

I could be wrong, though, so I'd value your input very much.

Rgds,
--
Pandu E Poluan


On Wed, Jan 5, 2011 at 09:42, Jesse Vollmar  wrote:

> On Tue, Jan 4, 2011 at 9:32 PM, Pandu Poluan  wrote:
>
>> Hello,
>>
>> I am planning to deploy pfSense, mostly for firewall and NAT, on my
>> production Cloud. It is based on VMware.
>>
>> What do you recommend:
>> + 1 big multi-CPU pfSense VM, or
>> + 2 smaller single-CPU pfSense VMs
>>
>> A question:
>> Will 2 smaller VMs provide higher throughput than a single big VM?
>>
>> And some notes:
>> - RAM is at a premium here.
>> - I got only 2 Public IP Addresses.
>>
>> Thank you for any input!
>>
>> Rgds,
>> --
>> Pandu E Poluan
>> * ~ IT Optimizer ~ *
>> *Visit my Website: http://pandu.poluan.info*
>>  Google Talk:pepoluan
>>  Y! messenger: pepoluan
>> MSN / Live:  pepol...@hotmail.com (do *not* send email here)
>>  Skype:pepoluan
>> More on me:  LinkedIn    
>> Facebook
>>
>>
> Not sure how you plan on using 2 routers to do the same job, but keep in
> mind that adding multiple CPUs to a vmware virtual machine is nothing like
> having multiple physical CPUs. It will allow the VM to process more than a
> single thread at a time, but the scheduling can be slowed down. There has to
> be the same number of physical threads available on your host system as the
> number of virtual CPUs on your VM. This means that even single threads can
> end up waiting on processor ready time because you added more virtual CPUs
> than the underlying system has idle.
>
> Bottom line = Don't add more than 1 or 2 virtual CPUs to a pfsense VM.
>
> What kind of host system(s) would it run on?
>
> Jesse Vollmar
> Aedis IT, LLC
>


Re: [pfSense Support] 1 big pfSense or 2 smaller ones?

2011-01-04 Thread Chris Buechler
On Wed, Jan 5, 2011 at 12:00 AM, Pandu Poluan  wrote:

> Well, I just divide the servers in the private network, half using the 1st
> pfSense as the Def.Gateway, the other half using the 2nd pfSense.
>
>
No reason to do that, just ugly, keep one ingress and egress point where you
can.


Re: [pfSense Support] 1 big pfSense or 2 smaller ones?

2011-01-04 Thread Pandu Poluan
Ahh, okay! Thanks for the help!

I <3 pfSense :-)

Rgds,
--
Pandu E Poluan


On Wed, Jan 5, 2011 at 12:24, Chris Buechler  wrote:

>
>
> On Wed, Jan 5, 2011 at 12:00 AM, Pandu Poluan  wrote:
>
>> Well, I just divide the servers in the private network, half using the 1st
>> pfSense as the Def.Gateway, the other half using the 2nd pfSense.
>>
>>
> No reason to do that, just ugly, keep one ingress and egress point where
> you can.
>
>


Re: [pfSense Support] Embedded hardware recommendation - Fan-less and many NIC ports

2011-01-04 Thread Seth Mos

On 5 Jan 2011, at 05:14, Angus Scott-Fleming wrote:

> On 17 Dec 2010 at 3:26, Kevin Tollison wrote:
> 
>> I had a quote for the 7535 a few months ago. $459 IIRC barebones. This was
>> from the manufacturer. If you want the guy's info I will forward it. I do
>> plan to try one of these soon.
> 
> Would love to see the quote.  Forward off-list if you can't post the entire 
> thing here.

Ours has been in production for a while now at work and it's performing to
expectations. The power consumption wasn't too bad, but easily 20 or 30 watts.

I benchmarked the performance of the thing in the forum. You should be able to 
find it.

Regards,

Seth