Re: [pfSense Support] Blocking a MAC id through squid
On 2/17/11 9:43 PM, Shali K.R. wrote:

> Dear all, is there any way to block a MAC id using squid in pfSense.

I don't know the answer but I doubt this would be useful, since every router rewrites the source MAC. So, unless you're trying to block some host on your local subnet, the host's MAC gets rewritten by every router between it and your pfSense box.

dn

> -- Thanks Regards Shali K R Server Administrator Vidya Academy of Science Technology Thrissur,Kerala. Mob:9846303531

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] CARP IP Not Registering MAC Address or Switch Disregarding CARP MAC Address -- Maybe???
On 2/9/11 1:12 PM, Vaughn L. Reid III wrote:

> According to page 15 of the reference manual address learning is:
> Enable or disable MAC address learning for the selected ports. When Enabled, destination and source MAC addresses are automatically listed in the forwarding table. When address learning is Disabled, MAC addresses must be manually entered into the forwarding table. This is sometimes done for reasons of security or efficiency. See the section on Forwarding/Filtering for information on entering MAC addresses into the forwarding table. The default setting is Enabled.

This just means the switch dynamically learns the source MAC of each attached device. 99.999 percent of all switches on the market have dynamic MAC learning enabled. This isn't the problem.

> One other thing. I need to note that I have dedicated a CARP interface on each Pfsense box connected to each other via a cross-over cable.

Sorry, I don't completely understand your CARP setup. I too use a crossover cable between pairs of boxes but that's for pfsync, not CARP. pfsync migrates table state between pf boxes; CARP is for redundant sharing of a virtual IP address among multiple pf boxes, and would be of little use on a network consisting of a crossover cable.

IIRC CARP uses multicast addressing for its keepalive messages. You might also want to verify that the switch is configured to forward multicast.

dn

> On 2/9/2011 2:35 PM, e...@tm-k.com wrote:
>> [snip] Address Learning enabled on the Switch (default setting): [snip]
>> Can you briefly explain what 'address learning' is according to D-Link?
Re: [pfSense Support] Desperately Need Help With Wan
Either both sides should bond at layer 2 (and thus there's only one IP address on either end, and thus one gateway for your pfSense box) or both should bond at layer 3 and use something like a routing protocol with ECMP to load-share across multiple IP addresses on each side.

I don't know the particulars for the latter on pfSense, but at first glance getting the L2/L3 mismatch sorted out seems a higher priority.

dn

On 11/22/10 1:39 PM, James Bensley wrote:

> Hello List,
> I have gotten myself in a pickle trying to get my WAN links working and I'm desperate now to get things up and running :)
> Scenario: My ISP offer line bonding on their ADSL lines. So I have two lines with them to get things going, then I will add more over time. I have two ADSL lines with them and they split the packets down the lines 50/50 (if I had 3 lines it would be 33/33/33 and so on..) this is done at layer 3, evenly dividing the packets over the active lines for true up and down balancing (so if a line goes down the packet distribution is recalculated over the remaining lines). How can I use pfSense to merge the packets my end, and of course, balance them out on the outbound journey?
> This is my set up: http://i51.tinypic.com/2qaqyqs.png
> The 2 ZyXel P-660r ADSL modems are in bridged mode passing all ADSL traffic out their Ethernet interface (my ISP has given me a /29 so the first usable address is assigned to the first modem, the second address to the second modem, the last usable address to the lagg0 interface [say 1.0.0.6], obviously fake IPs used here!).
> Testing this, it didn't work. Thinking about it now I'm home, that makes sense. The lagg0 interface can only be assigned 1 gateway, not both, so it can't balance across both lines. I guess it thought it would balance across both lines thinking they both terminated at say 1.0.0.1 for example. What options exist in pfSense for this (if any?).
> Many thanks for your time, sorry for such a long post everyone :)
Re: [pfSense Support] multi-wan, multi-lan security
On 8/5/10 8:13 AM, David Burgess wrote:

> Paul, I understand your post up to this point:
>> if the switch's ports are set so that connected devices can't cause them to flip from untagged to tagged mode (in cisco speak from access to trunk - switchport nonegotiate
> I'm looking at the help file for my switch, and thinking this section is saying what you're saying:
> Ingress Filtering - When enabled, the frame is discarded if this port is not a member of the VLAN with which this frame is associated. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN is the Port VLAN ID specified for the port that received this frame. When disabled, all frames are forwarded in accordance with the 802.1Q VLAN bridge specification. The factory default is disabled.

The switchport nonegotiate command has a different meaning in the context of Cisco Catalyst switches: It disables the use of Dynamic Trunking Protocol, a proprietary means of determining whether two switches will use trunking (tagged frames) to carry traffic between them.

There may be exceptions, but DTP generally won't work between a Cisco and a non-Cisco device, or between two non-Cisco devices.

Here's a sample reference from the Catalyst 3560 docs: http://is.gd/e4mFq

dn
Re: [pfSense Support] Maximum New Connections Per Second
On 6/18/10 1:08 PM, Code Ghar wrote:

> In the pfSense book, there's a section (6.6.9.3) titled Maximum New Connections / Per Second. It says that Any IP address exceeding that number of connections within the given time frame will be blocked for one hour. When using VoIP, which uses UDP, if one IP sends calls to your VoIP switch with pfSense in the middle, there's one state established. Within that state if that same IP sends, say 5 messages in a second, are these messages considered 5 connections in one state or 1 connection in one state? My aim is to restrict UDP connections per second from all IPs in a rule.

The most common case with VoIP traffic is that you have at least two streams, one apiece for signaling and media traffic.* The signaling stream typically uses a well-known port (i.e., 5060 for SIP) and the media traffic (often RTP/RTSP) uses some random port.

There are some sample VoIP captures here: http://techtraces.com/sample_captures/

dn

*Caveat: VoIP is a very broad term, covering lots of different signaling and media transport methods. The example I gave above is a simple and very commonly used case, but there are lots of others.
Re: [pfSense Support] Maximum New Connections Per Second
On 6/18/10 1:58 PM, Code Ghar wrote:

> You both are right that VoIP is a very broad term. So let me clarify. I am running Asterisk behind pfSense with multiple endpoints, such as ATAs and softphones, registering to this Asterisk server. Then I have some trunks with carriers and such. On the carrier side I am not too worried because I know their IPs and can create rules to allow traffic from them unhindered. However, on the other side are registered endpoints, for which there is no definitive IP. Users could plug it in their home, office, hotel, etc. Then there are some malicious users who try to brute force their way into the Asterisk server sending a flood of registration attempts. To allow legitimate use and to mitigate fraudulent registrations, one way would be to have a reasonable upper limit to connections per second. This way unusually large attempts can be blocked at the firewall level instead of letting Asterisk deal with it.
> In this scenario if I set, say 5 max connections per second, then from one IP there can be 5 different states. In this case if a malicious user sends 6 registration attempts in one second then the first five would be allowed and the sixth would be dropped. On the flip side, if a legitimate user has two SIP endpoints coming from the same IP, then they can still establish two calls, one from each endpoint, as there would be four states: in and out for both endpoints. This still leaves a third connection or state for some breathing space. Did I understand this correctly?

Yes.

My experience with the rate-limiting stuff is that pf can take a little while (seconds) to recognize and respond to brute-force attacks. This may be due to high attack rates or less-than-studly hardware or both. Either way, blocking might not be instantaneous, but ultimately pfSense will drop further connection attempts.

dn

> On Fri, Jun 18, 2010 at 3:33 PM, Chris Buechler cbuech...@gmail.com wrote:
>> On Fri, Jun 18, 2010 at 4:08 PM, Code Ghar codeg...@gmail.com wrote:
>>> In the pfSense book, there's a section (6.6.9.3) titled Maximum New Connections / Per Second. It says that Any IP address exceeding that number of connections within the given time frame will be blocked for one hour. When using VoIP, which uses UDP, if one IP sends calls to your VoIP switch with pfSense in the middle, there's one state established. Within that state if that same IP sends, say 5 messages in a second, are these messages considered 5 connections in one state or 1 connection in one state?
>> With the typical SIP, one connection is one state, regardless of how many packets come over that state, it's one connection. If there are 50 SIP phones NATed to one public IP connecting to you, that's going to be 50 simultaneous SIP connections, plus RTP for calls. In cases like an Internet outage at that location, you'll see a bunch of connections opened quickly.
>> That could more accurately read Maximum new states / per second. As David noted, with a wide variety of things that VoIP can cover, it's hard to say. Generally you have up to two connections/states per SIP endpoint.
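The counting rule discussed in this thread, as an added example that is not part of the original messages and not pf's own code: a simplified Python model in which only a datagram that creates a new state counts against the per-source limit, and a source that exceeds the limit is blocked for one hour. The class name, the 60-second UDP state timeout and all addresses (documentation ranges) are assumptions made for the illustration.

```python
from collections import defaultdict, deque

BLOCK_SECONDS = 3600  # "blocked for one hour", per the book passage quoted in the thread


class NewStateLimiter:
    """Simplified model of 'Maximum new connections / per second' for UDP flows.

    A state is one (src, sport, dst, dport) tuple. Packets on an existing state
    never count; only state creations are rate-limited per source address.
    """

    def __init__(self, max_new, per_seconds, udp_timeout=60.0):
        self.max_new = max_new
        self.per_seconds = per_seconds
        self.udp_timeout = udp_timeout          # assumed idle timeout for a UDP state
        self.states = {}                        # 4-tuple -> time of last packet
        self.recent = defaultdict(deque)        # src -> creation times inside the window
        self.created = defaultdict(int)         # src -> total states created
        self.blocked_until = {}                 # src -> time the block expires

    def packet(self, now, src, sport, dst, dport):
        """Return "pass" or "block" for one datagram seen at time `now` (seconds)."""
        if self.blocked_until.get(src, 0.0) > now:
            return "block"
        key = (src, sport, dst, dport)
        last = self.states.get(key)
        if last is not None and now - last <= self.udp_timeout:
            self.states[key] = now              # same state: not a new connection
            return "pass"
        window = self.recent[src]
        while window and now - window[0] >= self.per_seconds:
            window.popleft()                    # forget creations outside the window
        if len(window) >= self.max_new:         # this creation would exceed the limit
            self.blocked_until[src] = now + BLOCK_SECONDS
            return "block"
        window.append(now)
        self.states[key] = now
        self.created[src] += 1
        return "pass"


PBX = ("192.0.2.10", 5060)                      # constructed address of the Asterisk box


def one_phone_five_messages():
    """One endpoint sends 5 SIP messages in a second from the same source port."""
    fw = NewStateLimiter(max_new=5, per_seconds=1)
    verdicts = [fw.packet(i * 0.2, "198.51.100.7", 5060, *PBX) for i in range(5)]
    return verdicts, fw.created["198.51.100.7"]


def nat_site_reconnects(phones=50):
    """50 phones behind one public IP re-register at once, e.g. after an outage."""
    fw = NewStateLimiter(max_new=5, per_seconds=1)
    src = "198.51.100.20"
    verdicts = [fw.packet(i * 0.01, src, 20000 + i, *PBX) for i in range(phones)]
    still_blocked = fw.packet(3599.0, src, 20000, *PBX)
    after_expiry = fw.packet(3601.0, src, 20000, *PBX)
    return verdicts.count("pass"), verdicts.count("block"), still_blocked, after_expiry


if __name__ == "__main__":
    print(one_phone_five_messages())
    print(nat_site_reconnects())
```

The second scenario is the one to size the limit against: a NATed office coming back from an outage looks, to a per-source counter, the same as a burst from a single host.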
Re: [pfSense Support] Slow TCP connection
On 3/2/10 7:59 AM, David Burgess wrote:

> On Tue, Mar 2, 2010 at 8:54 AM, Hiren Joshi j...@moonfruit.com wrote:
>> I'm using the packet capture bit in pfsense. Is there a way of doing this via the shell (I'm new to BSD, more of a Linux person) and leaving it running (filtered by hostname) for a few hours/days? This way I can dump it all and analyse it in wireshark.
> tcpdump. For example,
> tcpdump -i vr0 -n -w capture.pcap
> -i for the interface, -n to disable name resolution, capture.pcap is the capture file. I'm not sure if you have to do anything special to make it readable in wireshark.

No special treatment needed -- wireshark will take pcap files as input. However, you might want to bear a couple of things in mind:

1. By default, tcpdump grabs only the first 68 bytes of each packet. You can override this with the '-s' flag, for example with a switch such as '-s 1500'. This is essential if you need to see deeper into the packet but the tradeoff is increased processing time. If you just need TCP headers you shouldn't need this switch.

2. Depending on link utilization tcpdump can capture a *lot* of traffic. If you know you only want to see traffic from/to a specific host, or for a given protocol, there are filters you can add at the end of a tcpdump command to limit what it will capture -- and wireshark uses identical capture filter syntax. The tcpdump manpage or wireshark docs have more info.

dn
[pfSense Support] migrating pf to pfSense
For possible migration of a couple of OpenBSD/pf boxes to pfSense, is there an import facility for pf.conf configs?

thanks

dn
Re: [pfSense Support] Multiple IPs via MAC/DHCP
On 2/3/10 7:38 PM, Dave Donovan wrote:

> As for getting the new MAC, you can pretty much make it up.

Pretty much is the operative term here. Some MAC address space is reserved for multicast (always beginning with 01:00:5E) and locally administered addresses (where the second bit of the first byte is set).

But as long as high-order bits 0 and 1 of the MAC address' first byte are 0, and the addresses you choose aren't already in use on the same network, you should be fine.

> I should say that this is an unconventional approach.

Yes.

dn
Re: SV: [pfSense Support] virtual ip
On 1/15/10 2:36 PM, a_subscribti...@fiberby.dk wrote:

> 1. Question. Imagine a setup where I have /30 as wan ip and routed a /29 public ip net to that address.

This part is unclear. If your WAN interface uses a /30 prefix (255.255.255.252), then you are on a /30 subnet, not a /29 subnet.

> I have several lan-interfaces that I want to separate, so that every lan net will be natted through its own public ip.

This can be true for only very small instances of several:

- with a /29 there are six valid hosts possible, one of which is your ISP's router
- with a /30 there are two valid hosts possible, one of which is your ISP's router

In the former case, yes, you can map each of five IP addresses on your WAN interface to some other address(es) on your protected interfaces.

In the latter case, you have only one routable address. You still can map multiple services onto this address but you'd need different port numbers for each (to make up an example, you could map ports , 1 and 2 to three different sshd servers on your protected network).

dn

> If I have understood correctly, then I don't need to set up an interface with the public ip net, as long as I'm using other VIPs. Is that right?
> 2. Question. Imagine a setup where I have /30 as wan ip and routed a /29 public ip net to that address. I want to hand some of the public ips directly to servers, and I want to use some as virtual ips. If I have understood correctly, then I would set up an interface with the public ip net. But what vips will I use?
> Kind regards Anders
> Please don't double post... you asked this question on Wed 1/13/2010 3:59 AM. Best Regards, Nathan Eisenberg
> Ok, But if you are able, I'll really appreciate your or someone else help.
> Kind regards, Anders Dahl
Re: [pfSense Support] Re: Less bandwidth available behind the firewall
On 1/13/10 8:14 AM, Ugo Bellavance wrote:

> On 2010-01-13 09:49, Chris Buechler wrote:
>> On Wed, Jan 13, 2010 at 12:59 AM, David Newman dnew...@networktest.com wrote:
>>> On 1/12/10 9:51 PM, Ugo Bellavance wrote:
>>>> On 2010-01-12 23:56, Chris Buechler wrote:
>>>>> On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance u...@lubik.ca wrote:
>>>>>> Hi, I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM. HDD install. When I start a download from a nearby centos mirror, directly from the firewall (using fetch), I get the full bandwidth available from my ISP (60 mbps). However, if I try to download the same file from the same server, but from a linux server behind the firewall, using wget, I only get about 20 mbps. If I start multiple downloads, I can reach 60mbps. Is there an explanation?
>>>>> Probably a TCP window difference of some sort between FreeBSD and your Linux box.
>>>> How would I check that?
>>> Run tcpdump to capture traffic from both types of transfers (from the firewall and behind the firewall). Then examine the captures to compare the TCP receive window sizes during the transfers.
>> That's the best way, though maybe not the easiest to decipher if you aren't intricately familiar with how TCP functions.
> ## Linux box
> net.ipv4.tcp_tso_win_divisor = 3
> net.ipv4.tcp_adv_win_scale = 2
> net.ipv4.tcp_app_win = 31
> net.ipv4.tcp_window_scaling = 1
> net.core.rmem_default = 107520
> net.core.wmem_default = 107520
> net.core.rmem_max = 131071
> net.core.wmem_max = 131071
> ## pfsense box
> # sysctl -a | grep -i tcp | grep space
> net.inet.tcp.sendspace: 65228
> net.inet.tcp.recvspace: 65228
> I hope I got all the numbers, these are the default values, we didn't change them.

I would strongly recommend against messing with TCP sysctls unless (a) you know what the actual problem is and (b) you fully understand TCP sliding windows and window scaling mechanics.

TCP is a complex beast, and easily upset. Better to first isolate and understand the problem before attempting fixes.

dn
Re: [pfSense Support] Re: Less bandwidth available behind the firewall
On 1/12/10 9:51 PM, Ugo Bellavance wrote:

> On 2010-01-12 23:56, Chris Buechler wrote:
>> On Tue, Jan 12, 2010 at 11:50 PM, Ugo Bellavance u...@lubik.ca wrote:
>>> Hi, I'm running pfsense 1.2.2 on a pentium 4, 3.0 ghz, 1 GB RAM. HDD install. When I start a download from a nearby centos mirror, directly from the firewall (using fetch), I get the full bandwidth available from my ISP (60 mbps). However, if I try to download the same file from the same server, but from a linux server behind the firewall, using wget, I only get about 20 mbps. If I start multiple downloads, I can reach 60mbps. Is there an explanation?
>> Probably a TCP window difference of some sort between FreeBSD and your Linux box.
> How would I check that?

Run tcpdump to capture traffic from both types of transfers (from the firewall and behind the firewall). Then examine the captures to compare the TCP receive window sizes during the transfers.

dn

> Thanks, ugo
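One way to do the comparison suggested above, as an added example that is not part of the original thread: a Python reader for classic pcap files that lists the receive window each side advertises, applying the window-scale shift from the handshake. It also covers the snapshot-length caveat from the "Slow TCP connection" thread: with 68-byte snapshots the SYN options can be cut off, and the scaled window is then reported as unknown (None). Function names, addresses and the sample capture are constructed for the illustration; only Ethernet/IPv4 is handled.

```python
import struct

CUT = "cut"   # marker: TCP options were truncated by the capture's snapshot length


def parse_wscale(opts, declared_len):
    """Return the window-scale shift, None if the option is absent, or CUT if
    the captured bytes end before the declared option area does."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of option list
            return None
        if kind == 1:                                   # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                       # option runs past captured data
        if kind == 3 and opts[i + 1] == 3:
            return min(opts[i + 2], 14)                 # RFC 7323 caps the shift at 14
        i += opts[i + 1]
    return CUT if len(opts) < declared_len else None


def advertised_windows(pcap):
    """Map each TCP direction (src, sport, dst, dport) to the receive windows it
    advertised, in bytes; None where the scale factor cannot be known."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    shifts, out, off = {}, {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if (len(frame) < 34 or frame[12:14] != b"\x08\x00"
                or frame[14] >> 4 != 4 or frame[23] != 6):
            continue                                    # not IPv4/TCP
        t = 14 + (frame[14] & 0x0F) * 4                 # start of the TCP header
        if len(frame) < t + 20:
            continue                                    # fixed TCP header cut off
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        hdr_len, flags = (frame[t + 12] >> 4) * 4, frame[t + 13]
        window = struct.unpack("!H", frame[t + 14:t + 16])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        flow, back = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & 0x02:                                # SYN or SYN-ACK
            shifts[flow] = parse_wscale(frame[t + 20:t + hdr_len], hdr_len - 20)
            value = window                              # SYN windows are never scaled
        else:
            mine, theirs = shifts.get(flow, CUT), shifts.get(back, CUT)
            if CUT in (mine, theirs):
                value = None                            # handshake options not captured
            elif mine is None or theirs is None:
                value = window                          # scaling was not negotiated
            else:
                value = window << mine
        out.setdefault(flow, []).append(value)
    return out


def build_frame(src, dst, sport, dport, flags, window, opts=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums and sequence numbers are zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (20 + len(opts)) // 4 << 4,
                      flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp


def syn_options(shift):
    """MSS, SACK-permitted, timestamps, NOP, window scale: 20 bytes of options."""
    return (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8)
            + b"\x01\x03\x03" + bytes([shift]))


def sample_pcap(snaplen):
    """Constructed four-packet capture, truncated to `snaplen` bytes per packet."""
    c, s = (192, 168, 1, 10), (203, 0, 113, 5)
    frames = [build_frame(c, s, 40000, 80, 0x02, 5840, syn_options(7)),
              build_frame(s, c, 80, 40000, 0x12, 65228, syn_options(3)),
              build_frame(c, s, 40000, 80, 0x10, 46),
              build_frame(c, s, 40000, 80, 0x10, 501)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return out
```

Run it over a capture taken on the firewall and one taken on the host behind it, and compare the per-direction lists; a capture that starts after the handshake reports None for the same reason a truncated one does.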
Re: [pfSense Support] VLAN Setup
On 1/10/10 8:39 PM, Tim Dickson wrote:

>> The 1.2.2 and 1.2.3 GUI interface section does indeed allow for definition of multiple VLAN IDs -- but exactly one IPv4 address per physical interface.
> Define the VLAN and it becomes an interface in the GUI where you can define an IP/subnet. I currently have 5 VLANs (with separate IP and subnets) leaving a single physical NIC. I think the key is to either use VLANS on a physical nic OR the physical interface. IE if interface 1 is to be used for VLANS, don't assign it as a physical interface. It can work that way - but I believe is a best practice to avoid.
> So step 1. Assign VLANS, Step 2 go to interfaces tab, enable the interface, and set the IP/Subnet Step 3 Configure VLANS on the switch port that is connected to the NIC.

Yup, this works fine, thanks. I'd missed the part about defining the VLANs first and then assigning them to physical interfaces and then configuring IP addresses.

So, getting back to Fabian Abplanalp's original post, yes it is possible to use one pfSense box to connect multiple IP subnets/VLANs per interface.

dn
Re: [pfSense Support] VLAN Setup
On 1/10/10 1:08 AM, Fabian Abplanalp wrote:

> Correct. The two VLANs have their own IP Subnets.
> ..
> Yep. The setup is working already with 2 VLANs, but with two pfSense boxes.

To your original question, I do not see a way to do this on one pfSense box.

At least on 1.2.2, each physical interface can be configured with multiple VLANs but only one IP address. I believe this is a limitation of the GUI, and not the underlying firewall or OS.

I have pf-on-OpenBSD boxes with multiple IP subnet/VLAN logical interfaces configured on each physical interface. I also have configured multiple subnets/VLANs on FreeBSD using interface aliases.

You may be able to do the same thing on a pfSense box from the shell, but it would not be manageable from the GUI and it might screw up routing and firewall tables if the pfSense code expects exactly one subnet per physical interface.

dn
Re: [pfSense Support] VLAN Setup
On 1/10/10 5:44 PM, Nathan Eisenberg wrote:

>> At least on 1.2.2, each physical interface can be configured with multiple VLANs but only one IP address.
> To be clear - each VLAN CAN be configured with its own IP address.

Where? I'm new to pfSense and maybe shouldn't have jumped to that conclusion. But I don't see anything about VLANs on the LAN or WAN interface screen, or anything about addressing or subnets on the VLAN screen.

Again, though, I may be missing something.

dn
Re: [pfSense Support] VLAN Setup
On 1/10/10 6:14 PM, Glenn Kelley wrote:

> I strongly suggest you buy the book. It is a great resource. Also - vlans are under the interfaces section - you need to add each.

Thanks, but that wasn't the question. The previous post suggested pfSense supports configuration of multiple VLANs *and* multiple IP subnets on a single physical interface.

The 1.2.2 and 1.2.3 GUI interface section does indeed allow for definition of multiple VLAN IDs -- but exactly one IPv4 address per physical interface.

There might be some other way to bind multiple logical interfaces to each physical interface, each with one IP subnet and one VLAN ID, but AFAICT it isn't covered in the interfaces section.

dn

> Glenn Kelley | Operations Director | Typo3USA | www.Typo3USA.com
> Ohio NOC | 317 South North Street | Washington CH OH 43160
> Skype Messenger: vinehosting Email: gl...@typo3usa.com Phone: 740-490-8668
> On Jan 10, 2010, at 8:47 PM, David Newman wrote:
>> here? I'm new to pfSense and maybe shouldn't have jumped to that conclusion. But I don't see anything about VLANs on the LAN or WAN interface screen, or anything about addressing or subnets on the VLAN screen. Again, though, I may be missing something.
Re: [pfSense Support] VLAN Setup
On 1/9/10 5:40 PM, Tortise wrote:

> I thought a managed switch was a pre-requisite for VLAN's, as is one pfSense box (or equivalent).

Not necessarily. At least one box that can forward traffic among VLANs is the only requirement. In many network designs there's a 1:1 correspondence between VLANs and IP subnets, so that box is ... a router.

pfSense is a router in the sense that it moves traffic between different IP subnets on different interfaces. (Routers also can run dynamic routing protocols such as OSPF but that's neither here nor there with regard to VLAN and subnet configuration.)

VLANs are Ethernet constructs and subnets are IP constructs:

- at layer 2, each VLAN is its own broadcast domain (and collision domain, if using 802.11 or old half-duplex Ethernet stuff)
- at layer 3, each IP subnet is its own broadcast domain

As for managed, that usually refers to whether a switch supports a network management protocol such as SNMP. Net management stuff is nice to have but isn't necessary for configuring VLANs and/or subnets.

So, bottom line: One pfSense box *could* be enough if there are different VLANs/IP subnets defined on each interface and only one physical device per VLAN/subnet. OTOH if you want to have multiple devices in each VLAN, a switch hanging off each VLAN interface would be necessary.

dn
[pfSense Support] which image?
Greetings. I'd welcome recommendations for which pfSense image to install on this system, which currently runs OpenBSD:

Nexcom 1563
VIA 667-MHz CPU
512 Mbytes RAM
512-Mbyte disk-on-chip (not CF) storage
3 x 100Base-T Ethernet

OpenBSD sees the DOC storage as a regular IDE drive.

For pfSense, I *think* I want the 512-Mbyte embedded image, but am unsure about what changes, if any, the installation requires. (The docs for installing/upgrading the embedded images seem oriented toward CF cards and I don't know if installing to them differs from disks.)

Thanks in advance.

dn
Re: [pfSense Support] which image?
On 1/5/10 8:59 AM, Scott Ullrich wrote:

> On Tue, Jan 5, 2010 at 11:02 AM, David Newman dnew...@networktest.com wrote:
>> Greetings. I'd welcome recommendations for which pfSense image to install on this system, which currently runs OpenBSD:
>> Nexcom 1563
>> VIA 667-MHz CPU
>> 512 Mbytes RAM
>> 512-Mbyte disk-on-chip (not CF) storage
>> 3 x 100Base-T Ethernet
>> OpenBSD sees the DOC storage as a regular IDE drive.
>> For pfSense, I *think* I want the 512-Mbyte embedded image, but am unsure about what changes, if any, the installation requires. (The docs for installing/upgrading the embedded images seem oriented toward CF cards and I don't know if installing to them differs from disks.)
> It depends on if you have VGA or not. If you have VGA you will want the Full Installation ISO. If not then you will want the NanoBSD image.

This system has VGA out, yes.

The hardware requirements doc says pfSense needs a minimum 1 Gbyte of disk for the full version:

http://www.pfsense.org/index.php?option=com_content&task=view&id=45&Itemid=48

Is this right, or am I OK with 512 Mbytes storage?

thanks again

dn

> Scott
Re: [pfSense Support] which image?
On 1/5/10 9:11 AM, Bao Ha wrote:

> On Tue, Jan 5, 2010 at 8:59 AM, Scott Ullrich sullr...@gmail.com wrote:
>> On Tue, Jan 5, 2010 at 11:02 AM, David Newman dnew...@networktest.com wrote:
>>> Greetings. I'd welcome recommendations for which pfSense image to install on this system, which currently runs OpenBSD:
>>> Nexcom 1563
>>> VIA 667-MHz CPU
>>> 512 Mbytes RAM
>>> 512-Mbyte disk-on-chip (not CF) storage
>>> 3 x 100Base-T Ethernet
>>> OpenBSD sees the DOC storage as a regular IDE drive.
>>> For pfSense, I *think* I want the 512-Mbyte embedded image, but am unsure about what changes, if any, the installation requires. (The docs for installing/upgrading the embedded images seem oriented toward CF cards and I don't know if installing to them differs from disks.)
>> It depends on if you have VGA or not. If you have VGA you will want the Full Installation ISO. If not then you will want the NanoBSD image.
> We have the NanoBSD images that support both VGA and serial console on our website. http://www.hacom.net/catalog/pub/pfsense/
> His problem is the 512MB size of DOC. I don't think there is any embedded images built for that small size in current version 1.2.3.
> It may not be a bad idea to install the full version of pfSense on DOC. Unlike CF, I believe DOC has built-in wear leveling. It would not be a problem to use it as a regular hard disk.

Thanks, Bao. There is a 512-Mbyte build of embedded 1.2.3. However, I'm unsure what alterations (if any) are needed to install this on a disk-on-chip system.

Thanks again for any clues on this.

dn

> -- Best Regards. Bao C. Ha Hacom OpenBrick Distributor USA http://www.hacom.net voice: (714) 564-9932 8D66 6672 7A9B 6879 85CD 42E0 9F6C 7908 ED95 6B38