Re: [pfSense Support] Outbound port forward
On Tue, Sep 6, 2011 at 1:08 PM, Arquivos arqui...@otv.com.br wrote:

> I need to forward all the requests going out by the port 53 (DNS) to a single external DNS server, in spite of the DNS configured in the clients. Can someone help me in that?

What you want is a NAT Port Forward entry on your LAN interface to destination port 53 and a redirect target IP of the server you want to force. I haven't tried this but I believe it will do what you are asking.

db

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
[pfSense Support] dialup router
I'm trying to build a dialup router on an HP t5710. It has 512 MB of flash and a single serial port, which I intend to use for an external modem. I'm wondering if a generic install of 1.2.3 or 2.0 will fit on the 512 MB of flash, or can I do an embedded install and disable the console so that the serial port can be freed up for the modem. Any insight?

db
Re: [pfSense Support] Happy Birthday Chris
Happy Birthday, eh. (Canadian)

db
Re: [pfSense Support] PPTP Broken in latest AMD 2.0 Snapshots
On Wed, Aug 17, 2011 at 1:49 PM, Chris Buechler cbuech...@gmail.com wrote:

> http://redmine.pfsense.org/issues/1107
> Fixing that broke PPPoE entirely on AMD64, doubt if that gets fixed for 2.0.

Can you please clarify? Are you saying that folks who use PPPoE on the WAN should not update to the newer 2.0 snaps until this is resolved post-2.0?

db
Re: [pfSense Support] ppp - 3G on 2.0 rc3
On Sat, Jul 30, 2011 at 4:28 PM, Nenhum_de_Nos math...@eternamente.info wrote:

> PS: how often are nanobsd images updated? There is just this from July 4th and no more available.

http://forum.pfsense.org/index.php/topic,38687.0.html

db
[pfSense Support] Re: unknown cause of limited throughput
2.0-RC3 (amd64) built on Tue Jul 12 21:23:55 EDT 2011

On Tue, Jul 5, 2011 at 11:52 PM, David Burgess apt@gmail.com wrote:

> I hope that's not too confusing. To summarize, any two machines, real or virtual, get iperf results near wire speed when on the same L2 network. Any two machines on different (routed) networks see iperf speeds between 320 and 550, which is expected due to the limitations of the router. The exception is rip. Of my three virtual hosts, which all live on the same ESXi server, only rip is seeing very slow iperf speeds (and similar nfs speeds) when acting as server to routed hosts.

I did some more testing and was surprised by the results. I created a new virtual server chunk running Ubuntu Server 10.10 and expected that because it was now the same version OS as my other servers, it would now exhibit normal routed network speeds. But I was wrong. Chunk consistently serves iperf at 12.8 Mbps to a routed client. Intrigued, I moved chunk to a different local vlan/network and tested again. The result:

iperf client     vlan   server           vlan   result
ren    real      85     chunk  virtual   250    380 Mbps    routed
ren    real      85     chunk  virtual   240    12.8 Mbps   routed
mule   real      85     chunk  virtual   250    380 Mbps    routed
mule   real      85     chunk  virtual   240    12.8 Mbps   routed
ren    real      85     mule   real      240    16.8 Mbps   routed

So it's not the server, it's the vlan or something related to it. vlan85 is my LAN, and the only firewall rule on that interface is a PASS all rule. There is no floating rule that should touch any of this as far as I can tell. The only thing that distinguishes vlan 240 from the other vlans I'm testing (besides being slower) is that the hosts on this vlan have publicly routable IP addresses, while the hosts on every other vlan are 192.168.x.x addresses. There is no NAT occurring between local networks.

I've now ruled out virtualization and OS as being the cause of this, and that leaves pfsense and the switch. The switch is not slow where the router is not involved, so unless I've misjudged, this is a pfsense problem. Any ideas?

db
Re: [pfSense Support] Re: unknown cause of limited throughput
On Thu, Jul 14, 2011 at 11:56 AM, Adam Thompson athom...@athompso.net wrote:

> Are you passing the VLAN tags all the way into the pfSense VM on a single vNIC, or are you splitting the VLANs at the vSwitch level and passing them into multiple vNICs on the pfSense VM?

Adam,

Thanks for the info. In fact, pfsense is not virtualized here, so in my most recent posting I was able to eliminate virtual machines from the problem altogether by testing from ren to mule, and passes only through pfsense and one vlan switch (twice, on different ports).

Ermal,

Thanks for the hints. I will test and post back.

db
Re: [pfSense Support] Re: unknown cause of limited throughput
On Thu, Jul 14, 2011 at 4:39 AM, Ermal Luçi ermal.l...@gmail.com wrote:

> Try to tune these sysctl:
> net.isr.numthreads: 1
> net.isr.bindthreads: 0
> net.isr.direct: 1
> net.isr.direct_force: 1

I tried those in System: Advanced: System Tunables. Throughput is still 17.4 Mbps between vlan240 and any other. Does pfsense require a reboot to make those sysctl effective?

db
[pfSense Support] Re: unknown cause of limited throughput
On Tue, Jul 5, 2011 at 11:52 PM, David Burgess apt@gmail.com wrote:

> I'll probably kick myself when I figure this one out

And the answer is... traffic shaper. I'm so embarrassed.

::Off to kick self::

db
[pfSense Support] unknown cause of limited throughput
I'll probably kick myself when I figure this one out, but here's a riddle for you.

pfsense is 2.0RC3.
Atom D510 (2x1.6GHz, GBE)
Clear DF bit: enabled
Scrub: disabled

I have a number of real and virtual hosts (single ESXi server with vlans) connected to pfsense through a Netgear gigabit switch using vlans. All hosts are wired and local, so latency is 3 ms in all cases. I noticed some serious slowness using nfs, so I investigated with iperf. All iperf tests were half-duplex, 4 threads, 30 seconds in duration to the server, like so: iperf -c rip -P4 -t30. Here is the results matrix:

Client   Real/Virtual   Vlan   Server   Real/Virtual   Vlan   Result     Notes
ren      real           85     rip      virtual        240    17 Mbps    routed: slow
crag     virtual        250    rip      virtual        240    17 Mbps    routed: slow
slab     virtual        85     rip      virtual        240    17 Mbps    routed: slow
slab     virtual        85     crag     virtual        250    345 Mbps   routed
ren      real           85     crag     virtual        250    320 Mbps   routed
ren      real           85     mule     real           85     950 Mbps   L2 wire speed
ren      real           85     mule     real           250    380 Mbps   routed
ren      real           85     slab     virtual        85     950 Mbps   L2 wire speed
slab     virtual        85     mule     real           25     548 Mbps   routed
mule     real           240    rip      virtual        240    950 Mbps   L2 wire speed

I hope that's not too confusing. To summarize, any two machines, real or virtual, get iperf results near wire speed when on the same L2 network. Any two machines on different (routed) networks see iperf speeds between 320 and 550, which is expected due to the limitations of the router. The exception is rip. Of my three virtual hosts, which all live on the same ESXi server, only rip is seeing very slow iperf speeds (and similar nfs speeds) when acting as server to routed hosts.

I can't explain this, as rip has access to more cores and RAM on the ESXi host than the other VMs. There is no pfsense limiter in place to throttle this traffic. top shows no strain on rip during the tests. All real and VM hosts are running Ubuntu x86_64, although rip is 11.04 while the others are 10.10. All VMs have open-vm-tools installed.

I guess this could be an issue with pfsense, Ubuntu 11.04, or ESXi. I'm not sure which, but I find it odd that 1/3 VMs has poor network performance, but only when the traffic is routed. Any ideas where to look?

db
Re: [pfSense Support] Current Production Version
On Sat, Jun 18, 2011 at 7:22 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:

> Well, this is a little annoying. I have RC1 too, and I had checked only about a week ago, and there is no newer than RC1 on the servers

The images are labelled RC1, but if you install them they will show up in your dashboard and console as RC2, for several weeks now.

db
Re: [pfSense Support] Multible PPPoE on same NIC?
On Thu, Jun 16, 2011 at 10:21 AM, Steven Sherwood stev...@coc.ca wrote:

> Hi there - I assume that you are using multiple modems? Should be possible to create VLANs and have multiple PPPoE sessions, one on each VLAN. You will need a VLAN capable switch upstream of your pfSense box for connecting the modems, but I don't see why that wouldn't work. Are you planning to use mlppp, or something else, like load-balancing?

I use 8 modems on vlans for mlppp and it works great. If you're not using mlppp and the pppoe sessions will all be using the same gateway then you may have problems. This does not work in pfsense 1.x, and I know there's been a lot of discussion in the forums over whether it works in 2.0 right now. I think not.

db
Re: [pfSense Support] need reboot after changing firewall rules?
On Thu, Jun 9, 2011 at 10:59 AM, Roberto Nunnari roberto.nunn...@supsi.ch wrote:

> Hi. I just discovered that modifications to the firewall rules will not be active until the box is rebooted.. Is it a known bug or a misconfiguration on my side?

Did you try this? http://doc.pfsense.org/index.php/Reset_States

db
Re: [pfSense Support] Splitting a /24 into multiple subnets
On Mon, May 23, 2011 at 4:14 PM, Andreas Kaiser di...@binary-punks.com wrote:

>> That allows you to do any routing you want between interfaces / WAN and gives you granular control of everything.
>
> *That* is exactly what I want ;-)

Have you turned off automatic outbound NAT and disabled or deleted all the automatically created rules for every interface that has a part of the /24 public subnet?

db
Re: [pfSense Support] IPsec, Multi-WAN Session Setup Problems. (2.0 RC1)
On Fri, May 20, 2011 at 1:51 AM, A Mohan Rao mohanra...@gmail.com wrote:

> not able to do client side open vpn setup properly any body can help for which open vpn client i have to download and install run properly i have to do server side setup which is i have to attached video. Awaiting for positive response .!

You have attempted (at least twice now) to hijack this thread (your post has nothing to do with the going topic). Kindly start a new thread if you would like assistance.

db
Re: [pfSense Support] A REALLY Simple Question, Really
On Fri, Apr 29, 2011 at 3:05 PM, Yehuda Katz yeh...@ymkatz.net wrote:

> On Fri, Apr 29, 2011 at 4:49 PM, Mehma Sarja mehmasa...@gmail.com wrote:
>
>> Alix running pf 20 RC1 nano. Trying to change from default 192.168.1.x network to 192.168.100.x on the LAN interface - nothing fancy.
>>
>> WHAT I DID
>> With DHCP enabled and serving on 192.168.1.x, tried to change LAN ip using the web GUI. I can guess why it does not work - DHCP is trying to serve on the old network and the LAN is trying to change its network. Don't get any love on either network.
>>
>> Turning DHCP off - figured I'd assign my laptop a new address manually since there is no DHCP. Nothing on either network. I think it's time to go read the book.
>
> It might be easiest for you to fix this from the console. Log in (if you have it configured to require login), then choose option 2 from the menu (Set interface(s) IP address). Make sure you enter the DHCP addresses in full: i.e. 192.168.100.x.
>
> - Yehuda

The book is for 1.2.3, so much of it may not apply to 2.0. Reset your interfaces on the console as Yehuda said, then reboot from the console if it's still not working. Pfsense sometimes requires a reboot after editing the interfaces, even though it does not prompt you.

db
Re: [pfSense Support] pfSense to use more memory
On Thu, Mar 31, 2011 at 11:17 AM, Shibashish shi...@gmail.com wrote:

>>> My pfSense box says
>>> real memory = 12884901888 (12288 MB)
>>> avail memory = 2567946240 (2448 MB)
>>> How can i ask pfSense to use more memory?
>>
>> Use the 64-bit version.
>
> I tried the 64-bit version but it kept crashing, hence reverted back to 32-bit.

2.0 is in RC. Please provide feedback so we can determine the cause of the problem, and either you or the devs can fix it, depending where it lies.

db
Re: [pfSense Support] pfsense site down?
Was down briefly here, but up now.
Re: [pfSense Support] Upgrading options
On Fri, Mar 25, 2011 at 2:25 PM, - Dickie Bradford - dbradf...@never-enuff.net wrote:

> Is it possible to do backup on a 1.2.3 machine and reload it with a fresh 2.0 and reload the backup?

Yes. The only issues I've seen come up in the forum are from users who have international characters in the config file. Delete those and you should be fine.

db
Re: [pfSense Support] can't block https://facebook.com via firefox
On Tue, Mar 22, 2011 at 10:53 AM, Luke Jaeger ad...@pvpa.org wrote:

> Hello, I have squid configured as transparent proxy on my network.

The point of transparent proxy is that it doesn't require any system or browser proxy setting; it intercepts all http requests from the user on the active interfaces. I suspect from your description rather that you have squid not in transparent mode and are using group policy or something similar to set the system proxy. Maybe you need to move to true transparent mode, which works with firefox and any other browser.

db
Re: [pfSense Support] Cisco AnyConnect
On Sun, Dec 5, 2010 at 12:10 AM, Chris Buechler cbuech...@gmail.com wrote:

> On Sun, Dec 5, 2010 at 2:02 AM, David Burgess apt@gmail.com wrote:
>
>> But openconnect works, at least for me on Linux, and from what I gather it's available for FreeBSD too. What are the chances of installing openconnect on pfsense as a package to this end?
>
> There is a port for it, that should do it. security/openconnect/

I finally attempted this and it was surprisingly easy to do. The problem now is when I try to use the tunnel from the LAN. Of course the AnyConnect server doesn't know how to route to my LAN, and since I have no control over it the obvious answer is outbound NAT. But since pfsense's web UI doesn't know about the tun0 interface, the Outbound NAT page doesn't offer it as an option when creating a rule (a similar problem will exist when trying to make firewall or traffic shaper rules, but I'm not worried about that now).

Can somebody point out a pattern for making an outbound NAT rule for openconnect's tun0?

db
Re: [pfSense Support] RRD quits collecting
On Wed, Mar 9, 2011 at 3:49 PM, k_o_l k_...@hotmail.com wrote:

> Since I installed 2.0-RC1 last Friday I’ve noticed RRD at least on two different occasions stopped collecting data see attached.

http://forum.pfsense.org/index.php/topic,33154.0.html

db
Re: [pfSense Support] List Posting Etiquette [WAS: Re: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout]
On Tue, Mar 8, 2011 at 8:02 AM, Yehuda Katz yeh...@ymkatz.net wrote:

> Does anyone else see why this is annoying?

I lost all understanding of this thread many posts back.

db
Re: [pfSense Support] Re: throughput tuning in 2.0
On Fri, Mar 4, 2011 at 1:24 AM, Seth Mos seth@dds.nl wrote:

> The current 2.0 snapshots have a different driver for the Intel gigabit cards. We switched to the Yandex drivers to debug driver issues with the Intel supplied ones.

I wondered. The difference on this system is positive and obvious.

> This has fixed performance issues for a number of people but introduced other issues for a number of others. You can't win them all. We'll leave this for at least a week or so until we have a larger sample set.

I have another system with different em NICs that was experiencing mbuf leaks. I just updated it to the latest snap and noticed the initial mbufs are much higher. We'll see if they grow over time as with the last driver.

db
Re: [pfSense Support] Intel Gigabit - em0: Watchdog Timeout
On Fri, Mar 4, 2011 at 8:22 AM, Jim Pingle li...@pingle.org wrote:

> Since the switch to the Yandex Intel drivers a couple days ago my VMs all constantly print watchdog timeouts on the console... It seems to operate OK, but it makes the console useless.

I, for one, welcome our new console-crapping overlords ;)

Oops, I mean, too bad about the side effects, but I'm certainly relieved for the worlds-better performance of the new intel driver in 2.0. And FWIW, I have seen no such message on my vga console or in the log.

db
Re: [pfSense Support] Thoughts on hardware for a possible pfSense installation for firewalling 5000+ workstations on a 30-40Mbps Internet uplink
On Fri, Mar 4, 2011 at 10:03 AM, Eric Feldhusen efeldhusen.li...@gmail.com wrote:

> As part of a regional education service agency to multiple K-12 school districts, we're talking about using pfSense for our nat/firewalling for approximately 5000+ workstations on a 30-40 Mbps internet uplink. Any one on the list have a pfSense similar to that for any suggestions?

http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

I have used a net5501-70 (Geode 500MHz, 512MB) on a 40/4 connection with ~300 users, and it is fine if you don't expect a quick UI. I have also used an Atom D510 with 4GB of RAM on the same connection and the UI is much more responsive, but power usage jumped from 7W to 19W. If you want to spend a little more for that 'instant' feel, I can tell you that a Core i3 550 on the same connection feels pretty much instant and won't eat more than 40W at the loads you'll be subjecting it to (depending on the hardware you marry it with).

db
Re: [pfSense Support] Thoughts on hardware for a possible pfSense installation for firewalling 5000+ workstations on a 30-40Mbps Internet uplink
On Fri, Mar 4, 2011 at 10:12 AM, David Burgess apt@gmail.com wrote:

> If you want to spend a little more for that 'instant' feel, I can tell you that a Core i3 550 on the same connection feels pretty much instant

To clarify, I was referring to navigating the UI. All of the hardware I mentioned has provided a satisfactory routing experience in my environment.

db
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
On Fri, Mar 4, 2011 at 3:34 PM, Kevin Tollison ktolli...@gmail.com wrote:

> Sorry for the top post. (BlackBerry) I worked with Scott and Ermal a while today on an em issue. Ermal was able to improve the situation some, but it is still not resolved. I had to bail on him. Is anyone experiencing traffic to stop passing when these errors happen? My boxes are Supermicro with Intel gig NICs. They randomly start and stop passing traffic. Console is still functional when it happens.

As I recall, you're using the X7SPE-HF. My home system is an X7SPA-H, which has the same NICs, and is almost entirely identical save for the IPMI, I think. And yet, I have had no issue with traffic stopping, just the mbuf leaks I had mentioned in the forum.

Are you seeing the same thing in one of the newer snaps with the Yandex em driver?

db
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
On 2011 3 4 20:09, Kevin Tollison ktolli...@gmail.com wrote:

> 2 B5 was good until a month or so ago. Are you using any vlans? I am beginning to think it may be in vlans.

Yes. One of my onboards has 8 vlans and the other 5.
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
Client.

Sent from my phone.

On 2011 3 4 20:14, Kevin Tollison ktolli...@gmail.com wrote:

> What about openVPN?
> --
> Kevin Tollison
> Sent from my Blackberry
>
> -Original Message-
> From: David Burgess apt@gmail.com
> Date: Fri, 4 Mar 2011 20:12:21
> To: support@pfsense.com
> Reply-To: support@pfsense.com
> Subject: Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
>
> On 2011 3 4 20:09, Kevin Tollison ktolli...@gmail.com wrote:
>
>> 2 B5 was good until a month or so ago. Are you using any vlans? I am beginning to think it may be in vlans.
>
> Yes. One of my onboards has 8 vlans and the other 5.
Re: AW: [pfSense Support] Re: Intel Gigabit - em0: Watchdog Timeout
On Fri, Mar 4, 2011 at 8:22 PM, Kevin Tollison ktolli...@gmail.com wrote:

> That kills my theories. Must still be driver or kernel. Wonder if one of the panic fixes caused the issue I am seeing. Ermal did some voodoo that I didn't understand today. Worked better, but not completely fixed. Glad to see we have at least one other person seeing this as well. At least I'm not crazy.

My openvpn is very light use, just a heartbeat from a couple remote WAPs for the most part. What kind of traffic are you putting over your vpn? I can try to mimic.

db
[pfSense Support] Re: throughput tuning in 2.0
On Wed, Mar 2, 2011 at 11:21 PM, David Burgess apt@gmail.com wrote:

> On Wed, Mar 2, 2011 at 2:44 AM, David Burgess apt@gmail.com wrote:
>
>> the NIC is sending and receiving a total of about 530 mbit x2 during the test.
>
> This gets worse I'm afraid.

Well, some good news. I have reinstalled this system fresh (after trying 1.2.3--no NIC driver :( ), and I'm now seeing the expected LANWAN throughput of 900+ mbps sustained. Either something has changed in the latest snaps, or I had a bad setting. I had done not much besides tighten up non-LAN firewall rules a bit and turn on powerd. Now I'm wondering if I had enabled NIC checksumming. I'll play a bit and find out what difference that makes.

db
[pfSense Support] Re: throughput tuning in 2.0
On Wed, Mar 2, 2011 at 2:44 AM, David Burgess apt@gmail.com wrote:

> the NIC is sending and receiving a total of about 530 mbit x2 during the test.

This gets worse I'm afraid. I recreated my setup, substituting a GS724T switch in for the GS108E, hoping the switch might be the bottleneck. Again, testing LANWAN iperf throughput was a flat 500 mbps, with about 10 mbps on the return during the push test.

I then moved one test machine from the WAN to OPT1 and repeated the test. This time throughput dropped to around 200 mbps, and pfsense became totally unresponsive in the UI. As soon as the test ended, the UI quickly responded to whatever I might have clicked on during the iperf test. Similarly in an ssh session on pfsense, I could type in the shell and see the characters I typed with no observable latency, but pressing enter returned the carriage and produced no further output until iperf was halted. Even if I started top running before starting the iperf test, top did not update itself until after iperf was killed.

Next I changed the mtu on pfsense and my test machines to 4078, the largest supported by pfsense. This time iperf throughput dropped to 96 mbps and pfsense was similarly unresponsive during the test.

These results are troubling. I will probably have to test 1.2.3 on this hardware and hope for better results. Perhaps the Yandex drivers will turn this around? http://forum.pfsense.org/index.php/topic,33345.msg175595.html#msg175595

This is an Intel DG57JG board, FYI, with on-board 82578DC GBE using the em driver.

db
[pfSense Support] throughput tuning in 2.0
2.0-RC1 (amd64) built on Tue Mar 1 15:52:28 EST 2011
Core i3 550 3.2 GHz
4GB RAM
Intel GBE

I've just set this system up doing some crude throughput testing with iperf. The most I can push through this box from LAN to WAN is a steady 503-520 mbps, using the default mtu (higher mtu values produce no throughput on iperf for reasons I haven't looked into. I'm suspecting no support in the switch).

top -SH is showing ~25% interrupt usage and 30%+ idle on both cores. Hyperthreading is disabled. I'm using a single NIC with vlans, but testing in only one direction, so the NIC is sending and receiving a total of about 530 mbit x2 during the test.

iperf test machines show minimal CPU usage during the test, and have no other significant network activity happening concurrently. The switch is a Netgear ProSafe GS108E, which is ostensibly non-blocking.

I expected better throughput than that. Any ideas what is holding this thing back, or where I could look to find out?

Thanks,

db
Re: [pfSense Support] throughput tuning in 2.0
On Wed, Mar 2, 2011 at 12:38 AM, Seth Mos seth@dds.nl wrote:

> I'm routing it from one interface to another although its destination is also a VLAN on that other interface.

Maybe that's where the issue lies. It would be unfortunate if vlan-vlan traffic on a given interface has its maximum throughput reduced by almost half. I would be interested to see how your throughput would differ using two distinct physical interfaces, all else being equal.

db
Re: [pfSense Support] Microsoft updates through pfSense
On Thu, Feb 17, 2011 at 8:42 PM, Shali K.R. sh...@vidyaacademy.ac.in wrote:

> Dear all, I am having 500 windows client machines connected through pfSense and squid, please suggest me a suitable method for handling updates.

You'll find the appropriate info here: http://doc.pfsense.org/index.php/Squid_Package_Tuning

db
Re: [pfSense Support] Microsoft updates through pfSense
On Thu, Feb 17, 2011 at 8:52 PM, Shali K.R. sh...@vidyaacademy.ac.in wrote:

> Dear db, i have tried this, but it showing a high bandwidth usage, is this a proper way??

I uninstalled the squid package about three months ago, unable to get it to function properly. I will try it again when pfsense 2.0 is stable, and probably pick up the book as well. I wish I could be more helpful than that.

db
Re: [pfSense Support] install pfsense from usb stick
The 2.0 snapshots include a usb image. Installing 1.2.3 from usb will be a bit of a trick, as you have learned. db
[pfSense Support] pfsense and DDOS
An article popped up on /. today, and although it's a poorly written article, some of the ensuing discussion did provoke some thought.

http://it.slashdot.org/story/11/02/01/181200/Firewalls-Make-DDoS-Attacks-Worse

I think the article is mostly just scare marketing, but it raises the question of how a firewall would best react to a DDOS scenario. I recently read a page in the pfsense docs (can't find it in the wiki or FAQ now), which I believe quoted the pfsense book (don't have it), where cmb states that pfsense is the best open source firewall, and one of the best firewalls at handling DDOS attacks.

So the thing I'm wondering now, is best practice in terms of hardening pfsense against DDOS. Acknowledging that DDOS is best handled in cooperation with your provider, what can we do at our end? Or are the default firewall settings pretty tight in that regard? Is there anything one might do that would inadvertently expose one's pfsense to DDOS-related troubles?

db
[pfSense Support] Re: pfsense and DDOS
On Tue, Feb 1, 2011 at 12:25 PM, David Burgess apt@gmail.com wrote:

> I recently read a page in the pfsense docs (can't find it in the wiki or FAQ now), which I believe quoted the pfsense book (don't have it), where cmb states that pfsense is the best open source firewall, and one of the best firewalls at handling DDOS attacks.

ok, found it. http://forum.pfsense.org/index.php?topic=10471.msg%msg_id%

db
Re: [pfSense Support] Traffic Graph accurate--but not the host list
On Mon, Jan 24, 2011 at 11:38 AM, Dimitri Rodis dimit...@integritasystems.com wrote:
> pfSense 2.0, most recent builds When I go to status/traffic graph, the graph is correct but the list of hosts is not. I don’t know if there’s something I’m not doing, but here’s what I did to test it: Put a windows machine (my laptop) on the LAN interface, and plug the WAN into my internal network. I connected to my file server from the laptop, and copied 10 GB of data from the file server to the laptop. When I did, the graph showed 98Mb of traffic fairly consistently, but the host list never showed more than a few kb of traffic for my laptop, and on the WAN side it never showed the file server’s ip address at all. It almost looks like the host list is only looking at traffic directed to pfSense itself as opposed to through that particular interface.
It's not clear to me from your email if you looked at the graph for both WAN and LAN interface. In fact, when I look at the WAN graph I only ever see public IP addresses that are local to pfsense. In other words, I have NATed hosts and routed hosts internally, and while I see the routed hosts show up on the WAN graph, I do not see NATed hosts, but I do see their corresponding WAN address. When I look at the LAN graph I see addresses of individual hosts on the LAN. What I do find strange is that I also sometimes see the network and broadcast address of my internal routed network show up on the WAN graph even though that network is routed through a private gateway, and not directly connected to pfsense. So I have this:
pfsense WAN: x.x.224.55
pfsense LAN: 192.168.172.254/24
static route: x.x.225.176/30 gw 172.21.172.101
So the only host beyond the 192.168.172.0 network is x.x.225.178, and yet on the LAN graph I occasionally see x.x.225.y, where y = 176-179, although normally it just shows y = 178, which is expected. I also occasionally see addresses show up there and then freeze, where they don't disappear and the rate doesn't change, although that host may be long silent.
db
Re: [pfSense Support] pfSense 2.0, upgrade to this morning's snap problem
On Mon, Jan 24, 2011 at 11:42 AM, Dimitri Rodis dimit...@integritasystems.com wrote:
> After an upgrade to this morning’s snap, I received the following after the upgrade/reboot (it’s what’s on my PuTTY atm):
This looks a lot like what's being discussed here, although I don't see the em driver implicated in your output: http://forum.pfsense.org/index.php/topic,31721.0.html
db
Re: [pfSense Support] Re: Network Traffic difference
On Wed, Jan 19, 2011 at 9:44 PM, Shali K.R. sh...@vidyaacademy.ac.in wrote:
> Sir, in my pfsense the traffic graph shows WAN in 4 Mbps, LAN out 1 Mbps. Why this difference? Anything wrong with my pfsense?
http://forum.pfsense.org/index.php/topic,31855.0.html For pcap use tcpdump on the pfsense console.
bd
[pfSense Support] MHz myth?
I'm familiar with the hardware sizing guide, and I've done a few benchmarks myself, but I'm wondering if a MHz is a MHz when it comes to pf performance, or do things like IPC and cache sizes matter? What about RAM frequencies and latency? Putting encryption and the various pfsense packages aside, can anybody tell me (based on theory and/or experience) what kind of comparative routing throughput I could expect to see from say an Athlon X2, Athlon II X2, Phenom 2, Atom D510, Pentium D, Celeron D, Core Duo, Core 2 Duo, Pentium G6950 and a Core i7, all dual-core and controlling for NIC and core clock differences? db
Re: [pfSense Support] Is it possible to Port Forward same PORT to TWO servers? pfsense + TWO Asterisk servers and NAT
On Fri, Jan 14, 2011 at 11:55 AM, Bruce B bruceb...@gmail.com wrote:
> Hi Everyone, I am facing a dilemma here. If I port forward 1-2 to my first Asterisk server which sits behind pfSense v1.2.3 then I have two way audio. If I remove it I don't have any audio but call establishes. Now, I have a second server, so I am stuck with what to do on the NAT. I tried to set NAT destination to network subnet like 192.168.0.0/24 but it doesn't accept that. Can you please tell me what I need to do? ***I have only 1 IP address so adding more IPs is not an option. Would I have to take advantage of 1:1 NAT? I am not sure what it is and how to set it up if at all. Please guide.
http://doc.pfsense.org/index.php/VoIP_Configuration My money is on #3.
db
Re: [pfSense Support] autorollback?
On Thu, Jan 13, 2011 at 2:00 PM, Charles N Wyble char...@knownelement.com wrote:
> Phase one applies the configuration. Phase two rolls it back if you don't confirm it. So if you did something that blocked you out of the device for example, it would auto roll back.
Ubiquiti's AirOS 5 has a change button which updates the config file but doesn't apply it. Pressing it also causes three buttons to appear on the page, Test, Apply and Cancel. If you hit the test button it applies your changes then posts a countdown from 180 seconds and the 3 previous buttons are replaced by 2 new, Apply and Revert. This feature has saved me many walks in the snow, and I can see how it could be useful in pfsense. AirOS is open, so I imagine the code could be borrowed if it proves useful/portable to a dev.
db
Re: [pfSense Support] Multi WAN
On Thu, Jan 13, 2011 at 10:29 PM, Shali K.R. sh...@vidyaacademy.ac.in wrote:
> Dear all, I have 2 WAN (static and another PPPOE) connections and a LAN connection. I added PPPOE as WAN and static as OPT1. Two connections are active and I added a firewall rule for OPT1, allow all to all. Then I check the connectivity of OPT1: I can ping to OPT1 from outside but can't ping from OPT1 to anywhere. Any idea?
You said OPT1 is a WAN with static IP, so I assume you configured it with a gateway. If you didn't turn off automatic outbound NAT then OPT1 will not accept any LAN-destined traffic unless you define port forward rules. Alternately, you could turn off AON if your LAN is in public IP address space (or if one of your WANs is).
db
Re: [pfSense Support] Multi WAN
On Thu, Jan 13, 2011 at 11:30 PM, Shali K.R. sh...@vidyaacademy.ac.in wrote:
> Dear sir, how can I create a rule for outgoing? I already created an allow all rule for OPT1 in Firewall - Rules
When you create a firewall rule on an interface, that rule will govern only packets arriving on that interface, not leaving it. So by creating a rule on OPT1 to allow all, you are allowing all internet traffic to enter your network--generally not a good idea from a security standpoint, however without any port forward rules defined you have not yet exposed any LAN hosts, only pfsense itself (ie, any services listening there, such as web UI, ssh, DNS). If you want LAN traffic to be able to connect to external hosts via OPT1 then you need to create LAN rules, wherein you may define the WAN interface/gateway that matching traffic will use. I suggest you read up on this document and then come back with specific questions you may have. http://doc.pfsense.org/index.php/Multi_WAN_/_Load_Balancing Enjoy.
db
Re: [pfSense Support] Testing 2.0 - What is the upgrade and downgrade process for Daily snapshots?
On Wed, Jan 12, 2011 at 1:37 PM, Dimitri Rodis dimit...@integritasystems.com wrote:
> if that doesn’t work, you can use the gui to boot off of the old slice. Very nice and easy.
Or if it /really/ doesn't work you can use the initial boot menu to choose the other slice at boot time. You will see something like this:
1 pfsense
2 pfsense
1
Whichever number automatically appears at the prompt is the one you were running (if you're just rebooting), or the one you just upgraded to, if you're rebooting after an upgrade. You'll want to change that value before the automatic boot if that slice is giving you problems.
db
Re: [pfSense Support] Testing 2.0 - What is the upgrade and downgrade process for Daily snapshots?
On Wed, Jan 12, 2011 at 1:46 PM, Bruce B bruceb...@gmail.com wrote:
> So, if I am on: 1 pfsense and do an upgrade, does the upgrade apply to 1 pfsense or 2 pfsense ?
If you booted from 1 then upgraded, it will overwrite the 2 slice.
> Also, rather than using the Console Cable each time, can I change settings somewhere to boot from a specific partition? something like Grub equivalent of Redhat in FreeBSD?
Normally only two things will cause the default boot slice to change, a firmware upgrade or user intervention. Besides changing it on the console at boot time, you may also go to Diagnostics: nanoBSD in the webUI to change it. There is a CLI utility to change it as well, but I don't know why a person would want to mess with it.
db
[pfSense Support] Re: squid continues downloading but LAN client stalls
On Fri, Jan 7, 2011 at 10:58 AM, David Burgess apt@gmail.com wrote:
> I am trying to download a large iso from microsoft.com. At some point (different every time), the download stalls on the client.
Sorry, forgot to mention what I'm using.
2.0-BETA5 (amd64) built on Tue Jan 4 02:47:18 EST 2011
squid 2.7.9_4
Further, after some time wget on the client did transfer a few more bytes and then stalled again, twice.
db
Re: [pfSense Support] Advice?
On Tue, Jan 4, 2011 at 8:25 AM, Nicolas Roussi nicolas.rou...@archimedean.org wrote:
> Would this setup be sufficient?
Depends on the bandwidth limits you will put on your clients. I have 2.0 with squid running on an Atom D510 with 4GB RAM and a 40/4 mbps mlppp connection and it has no trouble. This is servicing 6 clients with 10/1 each and a campus with 300 wifi customers, limited to 7/1 each.
> And does anyone know a way to manage the access points, not necessarily through the pfsense but maybe a software or hardware solution? Changing the access points is also part of the plan, Aerohive, Motorola or Meru Networks...not sure yet.
We use open-mesh indoors and ubiquiti outdoors. Open-mesh networks are managed entirely centrally (on their web site). Ubiquiti (AirMax only?) equipment is managed through their free AirControl software, but it's not feature-complete. In other words, you still have to log into individual units for some changes, or script something with pssh. They have announced a beta version that is supposed to centralise this a lot better. Ubiquiti has also just released Unifi, which is their indoor enterprise mesh, and they claim it is managed centrally. It looks good, but frankly we're happy with our open-mesh, so I haven't had a chance to try the Unifi.
db
[pfSense Support] FAQ item request: Do I need to know how to use a shell to use PFSense?
I'm annoyed by the recurrence of posts like this: http://www.dslreports.com/forum/r25224935- I see the Linux myth is debunked in the FAQ, but is there something substantial that I can link to that states or demonstrates that pfsense is adequately administered from the UI for most non-dev users? db
Re: [pfSense Support] pfSense and adsl
On Fri, Dec 17, 2010 at 12:39 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> Or if you can answer more generally what is general pfSense set up if you get DSL line from ISP?
I'm not familiar with that Netgear or PPPoA. My DSL uses PPPoE, and I have two options for handling that login:
1. modem in bridge mode, pfsense uses PPPoE on WAN to login and get IP address.
2. modem in router mode, uses PPPoE on WAN and static IP with or without DHCP server on LAN. PfSense uses static IP or DHCP on WAN.
I always keep my modems in bridge mode and let the router do the routing, and normally recommend to others that they do the same.
db
Re: [pfSense Support] custom files in /var/etc/ gone after reboot
On Wed, Dec 15, 2010 at 11:14 AM, Scott Benson sben...@a-1networks.com wrote:
> [r...@host]/conf(17): mkdir blah
> mkdir: blah: Read-only file system
> [1.2.3-RELEASE] [r...@host]/conf(18):
/etc/rc.conf_mount_rw
db
[pfSense Support] 2.0 book?
Is there any public plan for a 2.0 book? I sure would like to pick one up. db
[pfSense Support] Re: OT: coexisting with cisco
On Wed, Dec 8, 2010 at 1:38 PM, David Burgess apt@gmail.com wrote:
> Can somebody please tell me the cisco equivalent of a firewall rule that will keep state?
After some closer inspection I don't think there is a Cisco firewall on site at all, just a router and layer 3 switching. I talked to the Cisco admin and he was surprised to hear that anything was being routed that way without NAT, and has since closed the tap. Too bad, as I would have liked so much access without routing over the internet. Thanks for the suggestions.
db
Re: [pfSense Support] RDD failed in BETA
On Wed, Dec 8, 2010 at 9:33 AM, k_o_l k_...@hotmail.com wrote:
> “There has been an error creating the graphs, please check your system logs” I would like to keep my RRD data. Is there a workaround?
This has been discussed in the forum, and IIRC, the only solution that was offered was to delete the graphing info.
db
[pfSense Support] OT: coexisting with cisco
Can somebody please tell me the cisco equivalent of a firewall rule that will keep state? I have hosts (Windows and pfSense) on opposite sides of a cisco firewall and router which I don't control. When I try to reach pfSense from Windows, tcpdump shows that pfSense is receiving the packet and responding, but Windows never gets the response. I want to tell Mr Cisco-Admin that his firewall is passing packets but not allowing the return, but I don't know the Cisco lingo, and I'm not confident that he'll know what I'm talking about unless I'm very specific. Thanks for your help. db
[pfSense Support] RFC1918 on WAN
My WAN is mlppp with a static public IP address. pfSense is 2.0 beta4. Out of curiosity I disabled the check box on the WAN config page to block private networks. I then created an alias for RFC1918 and loopback addresses and manually created a logging reject rule at the top of the WAN rules for this alias. To my surprise the rule started logging packets at a rate of around 4/minute, suggesting that my ISP is not dropping these as prescribed in the RFC. Before I bring this to their attention, I wanted to ask the list a couple related questions:
1. Is there any reason for an ISP to forward these packets? AFAIK, my ISP does no NATing ever, and every customer gets only publicly routable IP addresses from them.
2. Is there a chance that my logs are misrepresenting, like maybe these packets came from an internal interface, even though the log shows they are from the WAN?
Here's a snippet from the Firewall Log page to illustrate what I'm seeing.
Dec 4 14:18:44 WAN 192.168.0.2:57198 69.165.225.177:57815 UDP block
Dec 4 14:17:30 WAN 172.16.36.144:58728 69.165.225.177:40730 TCP:R block
Dec 4 14:17:10 WAN 172.16.36.144:58661 69.165.225.177:40730 TCP:R block
Dec 4 14:17:09 WAN 192.168.0.2:22836 69.165.225.177:57815 UDP block
Dec 4 14:17:06 WAN 192.168.0.2:22836 69.165.225.177:57815 UDP block
Dec 4 14:15:17 WAN 192.168.9.10:50505 69.165.225.177:49615 UDP block
Dec 4 14:14:41 WAN 192.168.230.178:56200 69.165.225.177:13945 TCP:R
Re: [pfSense Support] RFC1918 on WAN
On Sat, Dec 4, 2010 at 2:35 PM, Evgeny Yurchenko evg.yu...@rogers.com wrote:
> I would suggest to tcpdump. This way you for sure will know where these packets are coming from.
Thanks for the hint. tcpdump confirms that these are coming from pppoe0, so I'll be talking to my ISP.
db
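The check made by hand in this thread (private or loopback sources logged on the WAN interface) can be run over an exported firewall log. This is an added example, not code from the thread or from pfSense; the column layout is assumed from the log snippet quoted in the post, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Ranges in the alias described in the post: RFC 1918 plus loopback.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Sample input. The first three lines follow the log quoted in the post; the
# last three are constructed: a line whose columns have run together, a public
# source on WAN, and a private source on an inside interface.
SAMPLE_LOG = """\
Dec 4 14:18:44 WAN 192.168.0.2:57198 69.165.225.177:57815 UDP block
Dec 4 14:17:30 WAN 172.16.36.144:58728 69.165.225.177:40730 TCP:R block
Dec 4 14:17:09 WAN 192.168.0.2:22836 69.165.225.177:57815 UDP block
Dec 4 14:15:17 WAN 10.1.2.3:4000069.165.225.177:49615 UDP block
Dec 4 14:14:02 WAN 198.51.100.7:40000 69.165.225.177:22 TCP:S block
Dec 4 14:13:55 LAN 192.168.172.10:51000 69.165.225.177:53 UDP pass
"""

# date, interface, source:port, destination:port, protocol, optional action
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})\s+"
    r"(?P<proto>\S+)(?:\s+(?P<action>\S+))?\s*$"
)


def matching_bogon(addr):
    """Return the private/loopback network containing addr, or None."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on e.g. 999.1.1.1
    for net in BOGON_NETS:
        if ip in net:
            return net
    return None


def scan_firewall_log(text, outside_iface="WAN"):
    """Return (hits, unparsed): bogon-sourced entries on the outside
    interface, and lines that could not be parsed. Unparsed lines are
    returned rather than dropped so a damaged export is noticed."""
    hits, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            unparsed.append(line)
            continue
        try:
            net = matching_bogon(m["src"])
        except ValueError:
            unparsed.append(line)
            continue
        if m["iface"] == outside_iface and net is not None:
            hits.append({"ts": m["ts"], "src": m["src"], "net": str(net),
                         "dst": m["dst"], "dport": int(m["dport"]),
                         "proto": m["proto"]})
    return hits, unparsed


def per_source(hits):
    """Count hits per (source address, matched network)."""
    return Counter((h["src"], h["net"]) for h in hits)


if __name__ == "__main__":
    found, bad = scan_firewall_log(SAMPLE_LOG)
    for (src, net), count in per_source(found).most_common():
        print(f"{src} (in {net}): {count} packet(s) on WAN")
    for line in bad:
        print("unparsed:", line)
```

A log entry only records the interface the filter saw the packet on; confirming the ingress path with a capture on that interface, as done in the reply above, is still the deciding check.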
[pfSense Support] Cisco AnyConnect
Is there a way to connect pfsense with an Anyconnect server? Google isn't turning up much for me.
[pfSense Support] (non)local address resolution
pfsense is setup like this:
pfsense--WAN (public IP x)
       --OPT1 (public IP y/30)
Connected to OPT1 is client's cisco firewall which is NATing for a 172.21.50/23 subnet. Their dhcp is handing out pfsense's OPT1 address as DNS server, and pfsense is running DNS forwarder. This works well, but I see a lot of this in tcpdump:
12:16:56.091858 IP 172.21.253.1.52683 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:57.104593 IP 172.21.253.1.52683 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:58.118720 IP 172.21.253.1.52683 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:00.130979 IP 172.21.253.1.52683 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:04.140636 IP 172.21.253.1.52683 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:08.150841 IP 172.21.253.1.64392 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:09.162988 IP 172.21.253.1.64392 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:10.177054 IP 172.21.253.1.64392 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:12.189584 IP 172.21.253.1.64392 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:16.198448 IP 172.21.253.1.64392 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:20.210048 IP 172.21.253.1.62240 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:21.221601 IP 172.21.253.1.62240 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:22.235856 IP 172.21.253.1.62240 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:24.247893 IP 172.21.253.1.62240 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:28.256892 IP 172.21.253.1.62240 69.165.225.178.53: 5700+ SOA? 175.50.21.172.in-addr.arpa. (44)
12:17:32.267370 IP 172.21.253.1.53081 69.165.225.178.53: 32343+ SOA? 177.50.21.172.in-addr.arpa. (44)
12:17:33.280650 IP 172.21.253.1.53081 69.165.225.178.53: 32343+ SOA? 177.50.21.172.in-addr.arpa. (44)
172.21.253.1 is the Windows DNS server on the client's network which they were using, but won't be using for this subnet in the future. The DNS server option was changed in DNS just a few hours short of 7 days ago, and dhcp leases are 1 week, so I suppose it's possible but not likely that there are dhcp clients active on that network that are still using (or trying to use) the old DNS server. So I'm just wondering exactly what these packets are about and whether I should be concerned at all for proper DNS function. I did a bit of searching on SOA DNS but no lights are going on for me yet.
db
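A capture like the one in this post is easier to read once each reverse name is turned back into the address it refers to and repeated query IDs are grouped. This is an added example, not part of the original post; the sample lines follow the capture above in tcpdump's usual `src > dst` form, the last sample line is constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from datetime import datetime

# The NATed client subnet named in the post (written there as 172.21.50/23).
LOCAL_NET = ipaddress.ip_network("172.21.50.0/23")

CAPTURE = """\
12:16:56.091858 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:57.104593 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:16:58.118720 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:00.130979 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:04.140636 IP 172.21.253.1.52683 > 69.165.225.178.53: 55447+ SOA? 166.50.21.172.in-addr.arpa. (44)
12:17:08.150841 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:09.162988 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:10.177054 IP 172.21.253.1.64392 > 69.165.225.178.53: 20581+ SOA? 172.50.21.172.in-addr.arpa. (44)
12:17:11.000000 IP 172.21.253.1.40000 > 69.165.225.178.53: 1234+ A? example.com. (29)
"""

# tcpdump writes address.port; the '>' is optional here so that lines pasted
# from a page that lost it still parse.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) (?:> )?"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+)\S* (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def reverse_name_to_ip(qname):
    """Map 'd.c.b.a.in-addr.arpa.' to address a.b.c.d; None for other names."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels)))
    except ValueError:
        return None


def summarise_queries(capture, local_net=LOCAL_NET):
    """Group DNS queries by (source, port, ID, type, name) and report, per
    group, the address a reverse name points at, whether it lies in
    local_net, the number of attempts and the gaps between them in whole
    seconds. Assumes the capture does not cross midnight."""
    groups = {}
    for line in capture.splitlines():
        m = QUERY_RE.match(line.strip())
        if m is None or m["dport"] != "53":
            continue
        key = (m["src"], m["sport"], m["qid"], m["qtype"], m["qname"])
        when = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        groups.setdefault(key, []).append(when)
    report = []
    for (src, _sport, qid, qtype, qname), times in groups.items():
        target = reverse_name_to_ip(qname)
        gaps = [round((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report.append({
            "resolver": src, "qid": int(qid), "qtype": qtype,
            "target": str(target) if target else None,
            "in_local_net": target is not None and target in local_net,
            "attempts": len(times), "gaps_s": gaps,
        })
    return report


if __name__ == "__main__":
    for row in summarise_queries(CAPTURE):
        print(row)
```

A query sent again with the same ID from the same source port is a retransmission, so the attempt count and gaps show how often each lookup was retried within the capture.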
Re: [pfSense Support] ath0: ath_rx_proc: no mbuf!
On Sun, Nov 28, 2010 at 3:07 PM, Cyril Jaquier cyril.jaqu...@jaqpot.net wrote:
> I searched the pfsense forum and found someone with a similar issue. ermal suggested to disable the shaper on the wireless interface. This seems to fix the problem for me. Is this a known bug? Any better workaround than disabling the shaper?
I don't use wireless with pfsense, so I'm not sure if my situation is related, but my mbuf numbers also climb steadily. After a reboot it starts around 700. Presently at almost 10 days uptime, my mbuf usage is 10142 /10890, although I don't see any negative symptoms that I could attribute to it. This is on 2.0 embedded, Nov 18 snap.
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On 2010-11-19 9:56 AM, Richard Amerman fi...@7technw.com wrote:
> I do this all the time and using a separate nic is simpler and easier to manage than an alias. Unless I am missing something, a vlan for this case is overkill.
I discussed this with the m0n0wall list back in '07 where cmb and others essentially said that it's a bad idea to run 2 subnets on a physical network, mostly for security reasons, I think. Given the option I would do the vlan thing, just for the added layer separating the hostile users from my stuff.
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 12:39 PM, Fred Boiteux fblis...@free.fr wrote:
> The different LAN subnets' traffic isn't VLAN tagged, and all traffic comes from one Ethernet port (from the nearest antenna), so I don't understand how VLAN could be used there?
Most carrier-grade radios support tagging packets from the management interface, so client traffic comes through untagged and management happens on the management vlan.
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 3:11 PM, Adam Thompson athom...@athompso.net wrote:
> I think the OP was referring to running two subnets concurrently on the same wire, something I often have to do for various reasons, sometimes to solve co-existence issues while renumbering a network. I have no idea how to accomplish this in pfSense; apparently I haven't had to do this since I started using pfSense!
In that case you can add an alias to the LAN interface. IIRC, you just run ifconfig appending 'alias' to the end. Don't quote me on it though. Get that working, then use shellcmd to make it stick across reboots. You will also want to check the box in the UI to suppress arp errors in the logs. vlans are still the preferred method if your radios support it. What brand are you using?
db
Re: [pfSense Support] how to manage 2 subnets for LAN ?
On Thu, Nov 18, 2010 at 3:51 PM, fi...@7technw.com fi...@7technw.com wrote:
> Another easy solution is to just add another nic.
Not an option in this case. The OP described a wireless network where the client subnet and management subnet exist on the same physical network. You can't change that in this case, so your two options are to separate them virtually (vlans) or just run them on the same physical network. Yes, he could use another NIC and plug it into a switch along with the first NIC and the wireless network, but this still doesn't separate the two networks, and is no better than creating an alias on the existing NIC.
db
Re: [pfSense Support] New to pfSense, need some advice
On Sun, Nov 7, 2010 at 10:19 PM, Neonicacid neonica...@gmail.com wrote:
> My main issue with how it is set up right now is that File and Printer Sharing does not jump across the subnets, so none of the computers can communicate. Does anyone have any advice or solutions for this problem?
If you want all your computers to have access to each other then why don't you throw them all on a common LAN switch? Do you have a reason for having OPT1 and OPT2 interfaces and 3 routers?
db
Re: [pfSense Support] New to pfSense, need some advice
On Sun, Nov 7, 2010 at 10:43 PM, Neonicacid neonica...@gmail.com wrote:
> David, I don't have a single switch big enough to support all of the devices that I currently have on the network. The routers help with that by providing extra ports to connect devices with.
So the simplest way to accomplish this is to
a) get a switch with enough ports and attach it to the LAN, or
b) disable dhcp on both the wrt54g and befsr41 and just use the LAN ports, effectively using them both as switches, or
c) bridge all the OPT and LAN interfaces on pfsense, or
d) some combination of the above.
db
Re: [pfSense Support] carp with bridge
On Thu, Oct 28, 2010 at 11:35 AM, Gerald Waugh gwa...@frontstreetnetworks.com wrote:
> We use bridging as the pfsense machine firewalls servers with public IP addresses. Clues on how to accomplish with routing appreciated.
You have a public subnet from your ISP, 1.1.1.0/24, for example. You get a static IP from your ISP that is outside your subnet, 2.2.2.1, for example. Your ISP has to route your subnet to your static IP. On pfsense:
WAN is 2.2.2.1
LAN is 1.1.1.1/24
dhcp server on LAN (if desired) gives out 1.1.1.2 - 1.1.1.254
Did I understand your question correctly? Or is this somehow more complicated when carp is involved?
db
[pfSense Support] networked file systems
After some contemplation I think I would like to run squid on my pfsense box, but mount the squid cache directory (/var/squid) on an external host. After some research, I believe the following options would provide the best performance with the least overhead, in descending order:
1. AoE http://en.wikipedia.org/wiki/ATA_over_Ethernet
2. iSCSI http://en.wikipedia.org/wiki/ISCSI
3. nfs http://en.wikipedia.org/wiki/Network_File_System_(protocol)
I believe pfsense has nfs client ability natively, so no problem there. According to wikipedia, FreeBSD can be an iSCSI initiator, while AoE support on FreeBSD is 3rd party and out of date. pfsense and the FS host will be on the same ethernet, so connectivity is not an issue here. Any thoughts from the list?
db
Re: [pfSense Support] networked file systems
On Wed, Oct 27, 2010 at 4:00 PM, Nathan Eisenberg nat...@atlasnetworks.us wrote:
> iSCSI is relatively excellent - and as a block device, has great performance. I've had less than pleasing results with AOE in several different use-cases. If you want to share the cache across multiple firewalls, NFS is your only real choice of the 3.
I don't plan to access it other than from pfsense. I'm moving it external simply because I'm a lot more comfortable handling my SSD from Linux than I would be from pfsense. I'm referring specifically to TRIM support, IO schedulers and partition alignment. TRIM, I'm pretty sure, is not present in pfsense (not sure about FreeBSD). I know nothing at all about IO schedulers in FreeBSD. I've done some research on partition alignment using fdisk and disklabel, and although it appears doable, I'm left not knowing if I've actually done it right in pfsense. All these are non-issues for me in Linux. nfs is no problem for me to set up, but from what I've read I expected iSCSI and AOE to perform better under load. I'm surprised to read that you had poor results with AOE. I've never used it, but the theory appears to be sound. Can anybody tell me how hard it would be to turn pfsense into an iSCSI initiator?
db
Re: Re: [pfSense Support] networked file systems
On Wed, Oct 27, 2010 at 5:59 PM, Adam Thompson athom...@c3a.ca wrote:
> If you want to take advantage of Linux' TRIM support, you should be using NFS. TRIM support (AFAIK) requires underlying knowledge of the filesystem or at least the block allocation... iSCSI hides all of those details, as it merely exposes one large chunk of disk blocks to the client.
Thanks for pointing that out. That may have crossed my mind once, but I had forgotten about that.
db
Re: [pfSense Support] LAGG Question
On Tue, Oct 26, 2010 at 9:09 AM, James Bensley jwbens...@gmail.com wrote:
> can the pfSense box handle incoming balancing this way as well as out going?
Incoming load balancing in pfsense is different from outgoing load balancing. It allows you to have more than one server on your internal networks responding to incoming connections on a single interface. For example, if your WAN is taking http requests on port 80 from the internet, inbound load balancing allows you to forward those requests to multiple web servers on your LAN, OPT1, etc. Outbound load balancing of course can be configured to route packets from your internal networks out via multiple WANs. The natural result of this is that return packets will come back via the same WAN interface they went out on. Some protocols, including http and bittorrent are very efficient at making use of all your available bandwidth due to generating multiple parallel sessions, which pfsense will balance across the available gateways.
db
Re: [pfSense Support] LAGG Question
On Mon, Oct 25, 2010 at 6:53 AM, James Bensley jwbens...@gmail.com wrote: Hello Everybody :) I would like to use the LAGG to bond multiple ADSL lines for a faster, more reliable internet access (using LACP). LAGG acts by bonding multiple interfaces at layer 2. You're trying to bond a pair of interfaces at layer 3. There's a fundamental gap there that you're not going to overcome. You may as well ask how you can bond two DSL lines using just em1; you can't. As Steve said, your best bet is mlppp, but if your ISP doesn't support that, then load balancing will have to do. db
Re: [pfSense Support] LAGG Question
On Mon, Oct 25, 2010 at 9:33 AM, James Bensley jwbens...@gmail.com wrote: Thanks guys for your responses, I will look into MLPPP but in the mean time, with regards to load balancing; Again, how does this work in pfSense? For 1.2: http://doc.pfsense.org/index.php/MultiWanVersion1.2 For 2.0: http://forum.pfsense.org/index.php/topic,10407.0.html Note that there seems to be some confusion as to whether you can do multiwan in 2.0 if more than one interface uses the same gateway (it definitely won't work in 1.2). Drop a NAT router between pfsense and the redundant gateway to overcome this limitation. pfSense doesn't allow you to configure an IP address, mask and gateway for every interface on the box, only the interfaces assigned as LAN and WAN. Not so. See the guides linked above. So if I group some interfaces together as a load balancing LAG group the bonded interfaces aren't going to do anything? Not as a LAG group, as a gateway group. The guide is good. Let us know how you make out. db
Re: [pfSense Support] Cannot achieve 100 mbps Full Duplex (C2D, Intel NICs)
On Thu, Oct 21, 2010 at 12:06 PM, Christian Borchert ccb...@gmail.com wrote: I have tried this network card in another machine (HP Core 2 Quad) and it works perfectly under the same test conditions. I have limited experience with Dell servers, but I have found some of their newer laptops (Vostro and Latitude) are absolutely atrocious for IO, constantly stuttering mouse pointer, keyboard and sound, for no obvious reason. This is with good hard drives, lots of RAM, page file disabled, speedboot enabled, Windows and Linux, etc... I have reached the conclusion that there is something terribly flawed with the way their hardware is configured. Sorry to be a wet blanket. I hope you find a solution to your problem. :P db
[pfSense Support] archives incomplete?
Why is it that when I browse the list archives for this month (gmane and marc), I only see 2 threads? Specifically I'm looking for a link to the ongoing discussion started by Luke Jaeger on script-heavy sites, and I don't see it there. Likewise, when I search the archive for his name I get no hits. Is there an update delay in the archives? Am I doing it wrong? Thanks. db
Re: [pfSense Support] 2.0-BETA4 - Admin logout link?
On Sat, Oct 9, 2010 at 9:53 PM, Yehuda Katz yeh...@ymkatz.net wrote: I just installed 2.0-BETA4, logged in as admin, and created a new user. I have not been able to find a logout link so I can try using that user. Is it there and I just don't see it or is it really not there? - Yehuda Under the first menu on the left. db
Re: [pfSense Support] Siproxd
On Wed, Oct 6, 2010 at 4:46 AM, belkhiria aymen belkhiria.ay...@gmail.com wrote: Hi, I need to configure siproxd as Sip proxy for external users. I don't think siproxd is designed for this, nor is it necessary. db
Re: [pfSense Support] How do I break down a /22 into smaller subnets to use behind(LAN) side of my pfsense box
On Mon, Oct 4, 2010 at 5:19 PM, Chris Flugstad ch...@cascadelink.com wrote: -how do I break up the large block into smaller blocks Like this? http://www.vlsm-calc.net/ db
Re: [pfSense Support] BLOCK IP or ALIAS firewall rule not blocking traffic
On Wed, Sep 22, 2010 at 5:14 PM, Chris Flugstad ch...@cascadelink.com wrote: wan rules proto source port dest port gw block * 216.127.61.72 * * * * lan rules block * * * 216.127.61.72 Although you weren't explicit, I got the impression that the host you are trying to block is local to you. If so, then you need to reverse your interfaces OR reverse the source/dest IP addresses. If on the other hand 216.127.61.72 is an internet host that you're trying to detach from your network, then your rules look good. db
Re: [pfSense Support] BLOCK IP or ALIAS firewall rule not blocking traffic
On Wed, Sep 22, 2010 at 5:30 PM, Chris Flugstad ch...@cascadelink.com wrote: I did what i needed to do for the time being though. much appreciated. And that, ladies and gentlemen, is what we call poaching the solution ;) If this list ran on a points system I would get a flogging now. db
Re: [pfSense Support] Allow Traffic Between Interfaces
On Sat, Sep 18, 2010 at 8:54 PM, Ron Lemon r...@maplewood.com wrote: Action: Pass Interface: LAN Protocol: any (I assume this also includes ICMP???) Source: Single Host (10.0.1.100) Destination: Network (10.0.0.0 / 24) Gateway: default To me this means that 10.0.1.100 can talk to any machine in the 10.0.0.0 / 24 network about anything (ping, ftp, www, ldap, etc) Almost. In your original post you said that 10.0.1.100 is on OPT1. pfsense's firewall rules operate on packets entering the chosen interface. The rule above doesn't do anything until you change LAN to OPT1. On OPT1 tab I have Action: Pass Interface: OPT1 Protocol: any (I assume this also includes ICMP???) Source: Network (10.0.0.0 / 24) Destination: Single Host (10.0.1.100) Gateway: default To me this means that any machine in the 10.0.0.0 / 24 network can talk to 10.0.1.100 about anything (ping, ftp, www, ldap, etc) As you may have guessed by now, if you change OPT1 in the above rule to LAN I think you will be in business. Note also that in your original post you didn't say whether you wanted 10.0.1.100 to talk to LAN hosts. If not, then your first rule is not wanted. (if a LAN host connects to 10.0.1.100, it will be allowed to respond, as pfsense is stateful.) Hope that helps. db
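A simplified model of the ingress-interface matching and stateful return traffic described in the reply above, added here as an illustration; it is not code from the thread or from pfSense. The class and function names, the OPT1 prefix 10.0.1.0/24 and the LAN hosts 10.0.0.5 and 10.0.0.9 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Interface -> attached network. LAN (10.0.0.0/24) is from the thread;
# the OPT1 prefix 10.0.1.0/24 is an assumption (only 10.0.1.100 is given).
NETS = {"LAN": "10.0.0.0/24", "OPT1": "10.0.1.0/24"}


@dataclass(frozen=True)
class Rule:
    iface: str   # interface tab the rule is defined on
    action: str  # "pass" or "block"
    src: str     # host or network
    dst: str


def _within(addr, spec):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


class Firewall:
    """Toy model: rules are checked only on the interface a packet enters."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (initiator, responder) pairs for passed flows

    def ingress(self, src):
        for name, net in NETS.items():
            if _within(src, net):
                return name
        return "WAN"

    def handle(self, src, dst):
        # Packets belonging to an existing state skip rule evaluation.
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass"
        iface = self.ingress(src)
        for rule in self.rules:  # first match wins
            if rule.iface == iface and _within(src, rule.src) and _within(dst, rule.dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        return "block"  # nothing matched on the ingress interface


# Rules as posted: each one sits on the interface its traffic never enters.
AS_POSTED = [
    Rule("LAN", "pass", "10.0.1.100", "10.0.0.0/24"),
    Rule("OPT1", "pass", "10.0.0.0/24", "10.0.1.100"),
]
# Interfaces swapped, as the reply suggests.
CORRECTED = [
    Rule("OPT1", "pass", "10.0.1.100", "10.0.0.0/24"),
    Rule("LAN", "pass", "10.0.0.0/24", "10.0.1.100"),
]
# Only the LAN-side rule: LAN may initiate, 10.0.1.100 may only reply.
LAN_ONLY = [CORRECTED[1]]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED), ("LAN only", LAN_ONLY)):
        fw = Firewall(rules)
        print(label,
              fw.handle("10.0.0.5", "10.0.1.100"),   # LAN host opens a connection
              fw.handle("10.0.1.100", "10.0.0.5"),   # reply on that connection
              fw.handle("10.0.1.100", "10.0.0.9"))   # OPT1 host opens a new one
```

The model leaves out protocols, ports and any default rules an interface may already carry; it only shows which interface's rule list a packet is evaluated against.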
Re: [pfSense Support] Write 512MB image onto 4GB CF-card ?
On Fri, Sep 17, 2010 at 2:45 AM, Michel Servaes mic...@mcmc.be wrote: Thanks for the explaining - don't know if this dane-elec has wear-levelling though (I'd suspect they would mention this, if it was) My understanding with SSDs (no idea if CFs are the same way) is that wear-levelling works with available formatted area as well as unpartitioned space. Or having read all the SSD articles on anandtech in the last couple years I have the belief that the fuller your drive is the quicker you will defeat its wear-levelling benefits. db
Re: [pfSense Support] power-out and Alix-boards
On Thu, Sep 9, 2010 at 2:26 PM, Michel Servaes mic...@mcmc.be wrote: I am a bit worried about the fact that the CF card should be set read-only. If I may paraphrase Bob, I thought he was meaning that because/if you are using the embedded version, the problem you describe must be due to some other contributing factor. db
Re: [pfSense Support] power-out and Alix-boards
On Thu, Sep 9, 2010 at 3:12 PM, Bob Gustafson bob...@rcn.com wrote: I don't know the significance of 'embedded' in the context of CF cards. Sorry, I meant to say I was paraphrasing Beat, not Bob. The pfsense embedded version, which is recommended for CF installs, mounts the filesystem read-only, and remounts it read-write when making config changes or committing RRD graphs to the CF. My point was that Michel need not worry about his mount options if he is running the embedded version, as it takes care of this. db
[pfSense Support] Broadcom opens Linux wireless drivers
So will this benefit the FreeBSD crowd any time soon? http://www.osnews.com/story/23786/BREAKING_BROADCOM_OPEN_SOURCES_WIRELESS_DRIVERS db
Re: [pfSense Support] PFsense 2.0 roadmap
On Wed, Sep 8, 2010 at 11:42 AM, Tonix (Antonio Nati) to...@interazioni.it wrote: Thanks... I see no dates at all. About 2.0, I see no documentation around. Is there a list where to ask for 2.0 features explained? Generally speaking, the forum is where most discussion around 2.0 happens, from what I have seen. db
Re: [pfSense Support] Over 2GB File can not copy LAN to WAN Pfsense
On Tue, Sep 7, 2010 at 8:32 AM, Michel Servaes mic...@mcmc.be wrote: What happens, if you transfer the file in direct (eg. without the pfsense in between ?) Definitely try that. pfsense has a workaround specifically for NFS on System: Advanced: Firewall and NAT (system_advanced_firewall.php). Did you try checking the Clear invalid DF bits instead of dropping the packets option? You may also need to set the Firewall Optimization Options to Conservative on the same page. db
Re: [pfSense Support] Over 2GB File can not copy LAN to WAN Pfsense
On Tue, Sep 7, 2010 at 10:34 AM, Bradley D. Thornton brad...@northtech.us wrote: I thought there was about a 2GByte file size limit on Ext2 File systems too. Not according to wikipedia, however There are also many userspace programs that can't handle files larger than 2 GB. http://en.wikipedia.org/wiki/Ext2#File_system_limits db
Re: [pfSense Support] Benchmark tool
On Sat, Sep 4, 2010 at 3:58 AM, bsd b...@todoo.biz wrote: Hi, I am looking for a tool (or a configuration setup) that will allow me to benchmark (performance test) couple of firewall based on pfSense, and eventually to compare them with other software / hard solution. Any idea, clue, link will be highly appreciated. iperf is not sophisticated, but will give you an indicator of raw throughput. db
Re: [pfSense Support] Appliance Recommendation for 100 Mbps (DOCSIS 3.0) Service
On Wed, Sep 1, 2010 at 11:17 AM, stephen at stephenjc step...@stephenjc.com wrote: Supermicro twin is like that but they share a ps. I was going to suggest that it wouldn't be hard to modify a SM twin to use dual independent PicoPSU or M4-ATX or the like, but it appears the twins are all Xeon models, and perhaps a little power-hungry for DC power supplies. Anybody know otherwise? db
Re: [pfSense Support] QoS for Dummies?
On Mon, Aug 30, 2010 at 9:09 PM, Dane Reugger d...@downtownpc.com wrote: I'm a long time fan of PfSense but several concepts elude me ... so I was hoping somebody had a VoIP QoS for PfSense how-to they could point me at. The single most important aspect of a working QoS solution is to make sure your outbound root queue is smaller than the upstream queue. I've had perfect voip performance when this is done properly, but set it one kbps too high and when the congestion happens it will be as if you had no QoS. I wrote a quick and dirty howto for QoS with voip on Tomato. It's a different platform but the concepts are the same, in particular the points on properly sizing your root queue. http://www.dslreports.com/forum/r24028032-
[pfSense Support] interrupt v kernel usage
I'm using a pair of onboard (vr) NICs on a net5501-80 (500 MHz Geode) with vlans to firewall a 36/4 mlppp connection. During heavy download top reports interrupts around 40-50% CPU usage with most of the remainder being idle. I dropped in an Intel Pro 1000 GT (em, PCI) in place of one of the onboards to handle the internal vlans and during heavy downloading the interrupts dropped down to around 20%, but now the kernel process was reporting ~17% CPU usage. The idle process was not significantly different from the vr NIC to the em. I was surprised by this result, not only because of Intel's sterling reputation among pfsense users, but also because of the fact alone that the Intel NIC is gigabit hardware (on a gigabit switch). Was I wrong to expect a drop in CPU usage with the Intel GBE? Also, before somebody mentions it, TSO and LRO were enabled for this test. I tried disabling LRO, but this immediately caused pfsense to become unresponsive on the network and the serial console. After resetting it LRO was still enabled, so I didn't provoke it further. Within a couple hours pfsense had locked up again, so I moved the LAN cable back to the onboard NIC and it's been running stably for 17 hours since (with the Intel card still installed but not assigned). Thoughts? db
[pfSense Support] Re: interrupt v kernel usage
Sorry, forgot to mention 2.0 nanobsd August 2 snapshot. On Wed, Aug 25, 2010 at 12:20 AM, David Burgess apt@gmail.com wrote: I'm using a pair of onboard (vr) NICs on a net5501-80 (500 MHz Geode) with vlans to firewall a 36/4 mlppp connection. During heavy download top reports interrupts around 40-50% CPU usage with most of the remainder being idle. I dropped in an Intel Pro 1000 GT (em, PCI) in place of one of the onboards to handle the internal vlans and during heavy downloading the interrupts dropped down to around 20%, but now the kernel process was reporting ~17% CPU usage. The idle process was not significantly different from the vr NIC to the em. I was surprised by this result, not only because of Intel's sterling reputation among pfsense users, but also because of the fact alone that the Intel NIC is gigabit hardware (on a gigabit switch). Was I wrong to expect a drop in CPU usage with the Intel GBE? Also, before somebody mentions it, TSO and LRO were enabled for this test. I tried disabling LRO, but this immediately caused pfsense to become unresponsive on the network and the serial console. After resetting it LRO was still enabled, so I didn't provoke it further. Within a couple hours pfsense had locked up again, so I moved the LAN cable back to the onboard NIC and it's been running stably for 17 hours since (with the Intel card still installed but not assigned). Thoughts? db
Re: [pfSense Support] Simultaneous client connection limit / Maximum state entries per host
On Mon, Aug 16, 2010 at 8:21 AM, Dominic dominic@gmail.com wrote: My query though is, how can I test that this is working correctly? Is there a tool that I can use to make connections from a single machine? Ideally something that provides the Would this do it? http://www.smallnetbuilder.com/lanwan/lanwan-howto/31103-how-we-test-hardware-routers-revision-3 I've never used it, but it seems to do what you want to do. db
Re: [pfSense Support] Simultaneous client connection limit / Maximum state entries per host
On Mon, Aug 16, 2010 at 8:28 AM, David Burgess apt@gmail.com wrote: On Mon, Aug 16, 2010 at 8:21 AM, Dominic dominic@gmail.com wrote: My query though is, how can I test that this is working correctly? Is there a tool that I can use to make connections from a single machine? Ideally something that provides the Would this do it? http://www.smallnetbuilder.com/lanwan/lanwan-howto/31103-how-we-test-hardware-routers-revision-3 Oops, I guess this would be the link to the actual software: http://www.ixchariot.com/downloads.html db
Re: [pfSense Support] SSD partition alignment in 2.0
On Mon, Aug 16, 2010 at 12:03 PM, Scott Ullrich sullr...@gmail.com wrote: That is a good question. The 2.0 installer uses pc-sysinstaller which I am not entirely sure if it takes into account this or not. I did an install yesterday and worked on this. I manually changed geometry to 32 heads and 32 sectors and adjusted the cylinders count accordingly, but when I tried to create my partitions the installer insisted on changing the sector count to a number that was divisible by 1008 (in fact the number I gave it was divisible by both 1008 and 1024, but it still complained for some reason). I partitioned with Linux fdisk and then skipped formatting and partitioning with the pfsense installer, as recommended by the installer. I found the whole thing quite confusing, and I'm not 100% positive that I ended up with the desired result, but this is due in part to my lack of understanding of BSD slices. It would be nice to have an installer that automatically handles this, as some SSDs perform hugely better with their partition boundaries aligned to the flash's erase block boundaries, as can be seen on anandtech.com's SSD Bench. Not a big issue for standard installs, perhaps, but potentially significant on a loaded squid box, which is exactly my intention. Thanks for the response. Looking forward to this in 2.1. db