Re: [pfSense Support] pfsense using 4 nics?
I've run with as many as 7 interfaces - one SIS, one dual fxp, and one quad fxp; no issues there. However, I've not done that on 1.0.

On 10/24/06, Rudi Potgieter [EMAIL PROTECTED] wrote:
> Hi All
>
> Does pfsense have a problem using 4 nics? Whenever I install a fourth in the machine, one of the nics (usually opt1 or opt2) conflicts with the LAN interface. When starting up pfsense, there is an asterisk next to LAN* and OPT1(OPT1)*? And if the LAN interface is up, then the OPT1 interface is up as well even though no cable is plugged in. When the pc starts up each network controller is using its own irq.
>
> Any help. Thanx
>
> Rudi

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] SSH direct shell access
Coming from having participated in design authoring automated systems that telnet/ssh to tens of thousands of devices and manage them automatically, any such script worth its salt is going to use Expect and be able to handle multiple levels of indirection before a shell prompt. Contact me off-list if you need more explanation of Expect.

RB

On 7/18/06, Alastair Stevens [EMAIL PROTECTED] wrote:
> Hi - I've seen that you can disable the *console* menu, but is it possible to disable the menu for remote SSH connections, so that we get straight to a shell? We'd like to be able to run a remote command from a script, for testing and failure simulation purposes.
>
> Or does anyone know another trick for getting through the menu and reaching a shell automagically?
>
> Cheers
> Alastair
> SysAdmins Ltd
> Cambridge, UK
Re: [pfSense Support] Re: [m0n0wall] Re: per-interface rulebases: why?
> No. I think you are thinking in the wrong direction if you want rules from one rulebase to magically expand into four rulebases. That's not something I've ever wanted, I'm unsure how you ended down that train of thought.

I think I started that [explicit] train of thought, simply because no matter how your GUI presents it, rules will always end up interface-based at some level - networks are just that way. A GUI is just going to provide pretty indirection. I'm not going to deny that interface-based rulesets are complex - they are intentionally so, because it's the only way to account for 100% of all edge cases. If you want a GUI to hide that complexity for you and be right 90% of the time, that's up to you. For 99% of the population, 90% is more than enough; for the typical audience of power tools like pfSense, it's a failure.

*But* - if someone wants to offer and maintain a patch to provide that, more power to them. I will absolutely disable it myself (after toying with it and seeing what I'm missing).

Yes, I pulled those numbers from the same place the flying monkeys came from.

Even though I've ooohed and aaahed over the niceness of pfSense, I've honestly been considering going back to a raw iptables firewall/router again, simply because there are some very specific tweaks and idiosyncrasies I want that pfSense can't or isn't designed to do. To each their own.

Boogity boogity!

RB
Re: [pfSense Support] Re: [m0n0wall] Re: per-interface rulebases: why?
> You provide no concrete reasoning for your speculations, and I think that you're wrong.

What speculation? That the basis of networking is how specific machines' interfaces are linked, be it at layer 2 or layer 7? This kind of hand-waving really makes me itch for ad-hominem attacks, but I'm going to thus far resist.

> You're saying that the world's largest firewall vendor only accounts for 90% of their customers' security? I think you're wrong here, too :-).

No, I'm saying that any level of indirection is going to cover up edge cases and make them impossible to deal with - this is the reality of programming. Under the covers, regardless of what you think is happening, some poor sod at CheckPoint has programmed some arguably intelligent code that does its best to translate your intent from the GUI into an interface-based ruleset. If you don't think that's true... well, I can't help you there. I'd impolitely suggest a hike, but we need all types, be they assembly warriors or PHBs. Ick. Maybe not the latter.

> I officially consider you slightly insane now, hehe. Or at the least, you have way too much free time on your hands :-).

Clinically insane - I have the papers and take the medicine.

It's [iptables] what I know and what I like, and has all the edge cases I can possibly think of covered. If for some reason it doesn't, I go download the latest patch-o-matic tarball and insert what I need.

RB
Re: [pfSense Support] Re: [m0n0wall] Re: per-interface rulebases: why?
Eric better covers things below than what I had written.

> What are those edge cases, exactly?

To enumerate all edges I have ever discovered would be more taxing than my time allows. To name a few: repeated subnets, interface balancing, source-based routing, traffic mirroring, TTL mangling, physdev matching on transparent (L2) bridging...
Re: [pfSense Support] Re: per-interface rulebases: why?
> Any kernel experts out there?

Whoa, waitaminit - you're telling us you expect this to be implemented at the kernel level? As in trying to change the way the most trusted, respected, and audited group of networking-centric OSes views and handles networks? The same OS family that's regarded as having _the_ reference network implementation? Are you on the management track? This reminds me of the manager I had try to make me re-write 'rm' to make it more like windows - ask you if you *really really* want to delete it, then move it off to some recovery location.

> I, too, have tired.

You're obviously not going to change the overwhelming majority's opinion (even [EMAIL PROTECTED] seems to just espouse a GUI change), but neither are we going to change yours - maybe you see something radically wonderful that the rest of us don't, but until I see a reference implementation (that doesn't *glow* over the majick of anti-spoofing rules) that works I won't.

RB

Scott/et. al. - I'm done feeding the trolls; sorry for drawing it out so long.
Re: [pfSense Support] Re: [m0n0wall] Re: per-interface rulebases: why?
> I find it irrelevant to the discussion what others are doing, though :-).

Simply that this concept is alien to me, and I'm trying to grasp context - the more outside examples the better. It seems that what you're looking for is somewhat similar to some of the higher-level shiny bits on Cisco's PDM - just assign the rules and it'll figure out where they go.

> It's all added complexity to me - the interface information is implicit in the network or host that's already defined for each rule anyway. Having to stuff specific rules into specific interfaces is just completely superfluous, it seems to me.

So it's the presentation that gets you - you could know that under the covers it's interface-based (and will always be, since networks are interface-focused), and would probably want a hook that you could set an explicit interface if need be, but otherwise don't want to be bothered with it. DWIM-ery (Do What I Mean) - a constant companion to our friend from mac.com.

I'd be willing to bet that this discussion mirrors the GUI/CLI zealots' lines. I fall in the latter group, but find UI discussions fascinating.

Not that it's what you're asking for, but at one point when I put a rule into the wrong interface on pfSense (been a long time ago), it actually set it on the right one.

RB
Re: [pfSense Support] openssh vpn support
I've done this myself (full tun/tap setup), replete with DHCP - I just port-forwarded it through pfSense to an internal host. It's pretty neat, but lacks repeatability; I had to script some sudo commands both server and client-side to set up the interfaces' routing.

RB

On 5/29/06, Scott Ullrich [EMAIL PROTECTED] wrote:
> This may not be what you're looking for but works pretty well now:
>
> http://forum.pfsense.org/index.php?topic=1298.0
>
> On 5/29/06, Darren Spruell [EMAIL PROTECTED] wrote:
>> Has there been discussion around the feasibility of bringing OpenSSH 4.3 VPN tunneling support in somehow? It would be another welcome addition to simple tunneling capabilities in pfSense.
>>
>> --
>> Darren Spruell
>> [EMAIL PROTECTED]
Re: [pfSense Support] We need some testing help if you are reading this on Sunday!
Picky bit (a bit late, and package-related). SpamD hides the Outlook tab when the SpamD Database tab is clicked.

I've run through most of the UI on my [not fresh install] system, and not found any problems so far other than that.

RB

On 4/16/06, Scott Ullrich [EMAIL PROTECTED] wrote:
> Please help us test!
>
> http://forum.pfsense.org/index.php?topic=1043.0
>
> I plan on releasing Beta 3 sometime around 7-9PM EST.
Re: [pfSense Support] Raid disks
Day late, dollar short, and only an opinion:

I'll spare you the boring details, but I now understand enterprise redundancy. Software RAID has its place, but at the enterprise level it's ridiculous to waste valuable CPU cycles on something a $300 add-on card can do much more efficiently and with much more of a guarantee. That even extends to firewalls/routers, an attitude I'm working on changing, but we have yet to find a system based on general-purpose hardware that can handle our throughput.

RB

On 4/13/06, Scott Ullrich [EMAIL PROTECTED] wrote:
> Good deal. Let me know if anything is missing and I'll fix it up. This will be our standard solution for people wanting above and beyond normal items in pfSense :)
>
> Scott
>
> On 4/13/06, Guilherme Oliveira [EMAIL PROTECTED] wrote:
>> That's it !!! Thanks :-)
>>
>> On 4/13/06, Scott Ullrich [EMAIL PROTECTED] wrote:
>>> One thing that I just noticed is that software raid tools are included in the developer edition. You could use this to get up and running but of course this is not supported from our end.
>>>
>>> Hope this helps,
>>> Scott
>>>
>>> On 4/13/06, Bill Marquette [EMAIL PROTECTED] wrote:
>>>> On 4/13/06, Guilherme Oliveira [EMAIL PROTECTED] wrote:
>>>>> Well, I'll do it but I don't know how pfSense can be used in corporate environments if it can't do RAID. And I don't know a better place for a firewall other than a corporation.
>>>>
>>>> I would expect the decision to utilize RAID to be followed with a quote for RAID capable hardware.
>>>>
>>>>> This raid support was simply erased from the FreeBSD code base.
>>>>
>>>> Correct, it's not needed for pfSense, we recommend hardware RAID, it's more reliable.
>>>>
>>>>> It's only a suggestion.
>>>>
>>>> Understood.
>>>>
>>>> --Bill
Re: [pfSense Support] Re: ntp startup question
On 4/5/06, Vivek Khera [EMAIL PROTECTED] wrote:
> ISC's ntp is well known and understood and considered very accurate. I see no other choice.

After running OpenNTP for a while now, I feel less uncomfortable with it - after the first 12 hours or so, the clock swings (+/-12ms) evened out, and it's staying quite comfortably within +/- 2-3ms with very little jitter. In the following output of 'ntpq -c peers', the system in question is 'balrog-priv'; note the odd reference clock - I think that's an artifact of the minimal implementation that doesn't allow that level of querying. In fact, for the most part it seems to stay well within 1ms (it refers to no-such-system, dies-irae, and the local system I'm querying from).

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 localhost       .INIT.          16 l    -   1024    0    0.000    0.000 4000.00
+balrog-priv     17.4.247.255     5 u  125   1024  377    0.182   -0.056   0.040
-no-such-system  192.168.225.101  3 u  129   1024  377    0.527    2.654   0.171
-dies-irae       192.168.225.102  4 u  129   1024  377    1.359   -1.548   0.216
-helmsdeep       192.168.225.101  3 u   69   1024  377    0.312   -1.994   0.200
-barad-dur       192.168.132.249  4 u  115   1024  377    0.243   -1.300   0.401
-orthanc         192.168.225.101  3 u  114   1024  377    4.282    0.208   0.017
*bo-peep         192.168.225.101  3 u   49   1024  377    0.887   -0.048   0.046
-sheep           192.168.192.60   3 u   75   1024  377    0.657   -0.695   0.073
-sparky          192.168.225.102  4 u  113   1024  377    0.992   -1.055   1.515
-trogdor         192.168.252.191  4 u   14   1024  377    0.960   -4.816   0.671
+pudge           192.168.225.101  3 u  128   1024  377    0.489   -0.214   0.132
Re: [pfSense Support] Re: ntp startup question
> Joshua, privately I've had interest on this from one other person, hopefully they'll contact you to coordinate efforts

That would be me - I'm no BSD developer, but am certainly willing to muck about with setting up configs for it and such.

OpenNTP's only redeeming factors ATM seem to be its size and simplicity; I'm not an NTP hero either, but in my short experiments today, I find it only good enough as far as time quality. You can't run ntptrace against it, and it has a lot of jitter when compared to my other peers. It becomes a peer candidate early on, but then gets discarded as an outlier pretty quickly and stays there. May be my system, since I intentionally chose one with a poor clock, but...

RB
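An added worked example, not code from either of RB's posts: a small Python parser for the 'ntpq -c peers' layout he quotes elsewhere in this thread (tally character in column 0, then remote, refid, stratum, type, when, poll, reach, delay, offset, jitter). It decodes the octal `reach` shift register and flags the peers he talks about, the unreachable or unsynchronised ones and the ones with a large offset or high jitter. The sample lines are constructed from the posted output; the 2 ms offset and 1 ms jitter thresholds are assumptions, not values from the thread.

```python
"""Parse `ntpq -c peers` output and flag peers worth a second look.
Added illustration; the sample below is constructed from a posted listing."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in ntpq's layout. Column 0 is the tally code
# ('*' system peer, '+' candidate, '-' outlier, ' ' rejected ...).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 localhost       .INIT.          16 l    -   1024    0    0.000    0.000 4000.00
+balrog-priv     17.4.247.255     5 u  125   1024  377    0.182   -0.056   0.040
-trogdor         192.168.252.191  4 u   14   1024  377    0.960   -4.816   0.671
*bo-peep         192.168.225.101  3 u   49   1024  377    0.887   -0.048   0.046
-sparky          192.168.225.102  4 u  113   1024  377    0.992   -1.055   1.515
"""

TALLY = {"*": "syspeer", "+": "candidate", "-": "outlier", "#": "backup",
         "x": "falseticker", ".": "excess", " ": "rejected", "o": "pps"}


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    when: str          # seconds since last packet, or '-' if never
    poll: int
    reach: int         # 8-bit shift register, printed in octal by ntpq
    delay: float       # milliseconds
    offset: float
    jitter: float

    @property
    def status(self) -> str:
        return TALLY.get(self.tally, "unknown")

    @property
    def reach_ok(self) -> bool:
        # 0o377 means all of the last eight polls were answered
        return self.reach == 0o377


def parse_peers(text: str) -> List[Peer]:
    peers: List[Peer] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("remote") or line.startswith("="):
            continue                      # header, separator or blank line
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            raise ValueError(f"unexpected column count: {line!r}")
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append(Peer(tally, remote, refid, int(st), when, int(poll),
                          int(reach, 8), float(delay), float(offset), float(jitter)))
    return peers


def suspicious(peers: List[Peer], max_abs_offset_ms: float = 2.0,
               max_jitter_ms: float = 1.0) -> List[Tuple[str, str]]:
    """Peers that are unsynchronised (stratum 16), not fully reachable,
    far off the local clock, or noisy. Thresholds are assumptions."""
    flagged: List[Tuple[str, str]] = []
    for p in peers:
        if p.stratum >= 16 or not p.reach_ok:
            flagged.append((p.remote, "unreachable/unsynchronised"))
        elif abs(p.offset) > max_abs_offset_ms:
            flagged.append((p.remote, f"offset {p.offset:+.3f} ms"))
        elif p.jitter > max_jitter_ms:
            flagged.append((p.remote, f"jitter {p.jitter:.3f} ms"))
    return flagged


if __name__ == "__main__":
    for remote, why in suspicious(parse_peers(SAMPLE)):
        print(f"{remote}: {why}")
```

Run against a live listing, the same two functions work unchanged on the output of `ntpq -c peers`; only the thresholds need tuning to what the local clock and network normally show.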
Re: [pfSense Support] ntp startup question
> And yes, we are open to replacing it with something else if someone wants to do the plumbing.

If given the choice between ntp.org (http://ntp.isc.org/bin/view/Main/NTPcopyrightStatement) and OpenNTP (OpenBSD), which would you prefer?
Re: [pfSense Support] seperation of network
That's the way I do it - IIRC, you may have to set up the 'allow' for that subnet to go out, but you will definitely need to set one up to deny from them to LAN (or some subset thereof). The nice thing is that I have my own ISC DHCP/BIND setup on my LAN, but I can just let pfSense take care of that other subnet so they're completely isolated.

On 3/13/06, Jason [EMAIL PROTECTED] wrote:
> Hi Holger,
>
> Thank you for the quick reply. So do I have to actually add a physical NIC, and assign another internal ip and subnet for it, and then put rules to allow in firewall?
>
> Jason
>
> ----- Original Message -----
> From: Holger Bauer [EMAIL PROTECTED]
> To: support@pfsense.com
> Sent: Monday, March 13, 2006 2:24 PM
> Subject: RE: [pfSense Support] seperation of network
>
>> Yes, add an OPT1 interface and create one pass rule to allow all traffic to destination not lansubnet.
>>
>> Holger
>>
>> -----Original Message-----
>> From: Jason [mailto:[EMAIL PROTECTED]
>> Sent: Monday, March 13, 2006 7:05 AM
>> To: support@pfsense.com
>> Subject: [pfSense Support] seperation of network
>>
>>> Hi,
>>>
>>> I need to let some of our guests use our broadband, but I'm concerned about security. Can I force them to use a different subnet other than my Lan? It seems that vlan is doing such a function, but buying an expensive switch is not an option for me. What else can I try? Can I add another cheap NIC and another cheap hub for the job?
>>>
>>> Thanks for help.
>>> Jason
>>
>> Virus checked by G DATA AntiVirusKit
Re: [pfSense Support] Bitten by the cleanup bug...
1.0-BETA1-TESTING-SNAPSHOT-1-28-06-pfSense

It wasn't the end of the world, I'd just put it together anyway so everything was fresh. I saw something like /tmp/mypf/boot/rc.boot: permission denied and /tmp/mypf/boot: directory not empty, saw my HD running away and just groaned. ;-) I let it finish itself off before I started recovering, since there really was no telling how far the deletion had already gotten.

Scott Ullrich wrote:
> Great, what version were you running?
>
> On 2/2/06, Randy B [EMAIL PROTECTED] wrote:
>> Not a submitted bug, but just wanted to let you guys know (for historical purposes):
>>
>> If you boot your system to the pfSense LiveCD to fsck disks or the like, _DO NOT_ assume that mounted partitions will be automagically and safely unmounted upon reboot - especially if they're mounted somewhere unfortunate like a subdirectory of /tmp.
>>
>> That's right. I had some trouble and used the LiveCD to boot fsck the partitions; not a bad deal, but I mounted the root partition under /tmp/mypf (just to verify) and *luckily* copied off config.xml and dyndns.cache to another server. Upon reboot, some cleanup script happily and recursively deleted everything under /tmp. I just spent 1.5 hours recovering...
>>
>> RB
Re: [pfSense Support] Bitten by the cleanup bug...
Scott Ullrich wrote:
> On 2/3/06, Rainer Duffner [EMAIL PROTECTED] wrote:
>> If so, don't do this! I always use /mnt...
>
> Yes, use /mnt instead of /tmp/ so that you do not wipe your data.
>
> Scott

Indeed; I always use /mnt as well, but it was readonly (0555), and I didn't even think to chmod it and then make my mount - I just happily bounced down over to /tmp and went my way... *sigh* Even when it happened, I had to chuckle at myself.

RB
[pfSense Support] Bitten by the cleanup bug...
Not a submitted bug, but just wanted to let you guys know (for historical purposes):

If you boot your system to the pfSense LiveCD to fsck disks or the like, _DO NOT_ assume that mounted partitions will be automagically and safely unmounted upon reboot - especially if they're mounted somewhere unfortunate like a subdirectory of /tmp.

That's right. I had some trouble and used the LiveCD to boot fsck the partitions; not a bad deal, but I mounted the root partition under /tmp/mypf (just to verify) and *luckily* copied off config.xml and dyndns.cache to another server. Upon reboot, some cleanup script happily and recursively deleted everything under /tmp. I just spent 1.5 hours recovering...

RB
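As an added illustration of the check that cleanup script was missing (written here in Python; it is not the rc script from the pfSense boot sequence, whose exact logic this thread does not show): a scratch-directory purge that compares each directory's device number with the root's and refuses to descend into anything mounted underneath, and that unlinks symlinks rather than following them. The `demo` function builds a temporary tree with a stray file, a dangling symlink and a directory named `mypf` standing in for the mounted root partition; because a real mount needs privileges, the device numbers are faked through the `dev_of` hook. All of that is constructed for the example.

```python
"""A scratch-directory cleaner that will not cross into a mounted filesystem.
Added illustration, not the cleanup script from the pfSense boot sequence."""
import os
import shutil
import tempfile
from typing import Callable, List, Tuple


def _real_dev(path: str) -> int:
    # lstat, not stat: a symlink pointing onto another filesystem must report
    # the link itself, so it is unlinked rather than followed.
    return os.lstat(path).st_dev


def purge_tree(root: str, dev_of: Callable[[str], int] = _real_dev,
               dry_run: bool = True) -> Tuple[List[str], List[str]]:
    """Remove everything below root (not root itself) that lives on root's own
    filesystem. Returns (removed, skipped_mount_points). A directory whose
    device number differs from root's is something mounted underneath and is
    left untouched; symlinks are unlinked, never descended into."""
    root_dev = dev_of(root)
    removed: List[str] = []
    skipped: List[str] = []

    def visit(d: str) -> None:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.islink(path) or not os.path.isdir(path):
                removed.append(path)
                if not dry_run:
                    os.unlink(path)
                continue
            if dev_of(path) != root_dev:
                skipped.append(path)          # mount point: do not descend
                continue
            visit(path)                       # children first, then the dir
            removed.append(path)
            if not dry_run:
                os.rmdir(path)

    visit(root)
    return removed, skipped


def demo() -> Tuple[List[str], List[str], bool]:
    """Constructed scenario mirroring the post: a scratch root holding a stray
    file, a dangling symlink, and a directory `mypf` that stands in for a
    mounted root partition (device numbers faked via dev_of). Returns the
    relative paths removed, the mount points skipped, and whether the file
    inside the 'mounted' tree survived."""
    root = tempfile.mkdtemp()
    try:
        mount = os.path.join(root, "mypf")
        os.makedirs(os.path.join(mount, "boot"))
        with open(os.path.join(mount, "boot", "rc.boot"), "w") as fh:
            fh.write("# stands in for the firewall's real boot script\n")
        with open(os.path.join(root, "junk.tmp"), "w") as fh:
            fh.write("scratch\n")
        os.symlink("dangling-target", os.path.join(root, "link"))

        def fake_dev(p: str) -> int:
            # everything at or below `mount` pretends to be another filesystem
            return 2 if p == mount or p.startswith(mount + os.sep) else 1

        removed, skipped = purge_tree(root, dev_of=fake_dev, dry_run=False)

        def rel(paths: List[str]) -> List[str]:
            return sorted(os.path.relpath(p, root) for p in paths)

        survived = os.path.exists(os.path.join(mount, "boot", "rc.boot"))
        return rel(removed), rel(skipped), survived
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

With the real `_real_dev` the same st_dev comparison is what `find -xdev` does; the point is that a boot-time cleaner should make that comparison itself rather than trust that nothing is mounted under its target.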
Re: [pfSense Support] IPSec enhancements ??s
Long time listener, first time caller. Bearded, black-wearing, anti-social, White Zombie Otep-listening security professional.

I'm not going to quote the precise statement because it's not worth repeating, but it's rather obvious that you're not making much headway with your suggestion because of your rather abrasive response to being at least temporarily shot down. Good example of how not to approach getting other people to do something you want done.

RB
Re: AW: [pfSense Support] beeps gone?
I've loosed a monster... ;-)

FWIW, I think there's a wrong note in the version I sent out to the list.

Jonathan Woodard wrote:
> Thanks for fixing this from me as well, I enjoy the beeps as well. On a side note, I would again like to throw my vote for Star Wars Imperial March. :-)
>
> Holger Bauer wrote:
>> They'll work again with 1.0beta2 which isn't released yet.
>>
>> Holger
>>
>> -----Original Message-----
>> From: Vinc Duran [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, 4 January 2006 08:14
>> To: support@pfsense.com
>> Subject: [pfSense Support] beeps gone?
>>
>>> Hi,
>>>
>>> I'm trying out the beta and I don't hear the very helpful startup beeps anymore. I don't see an option in the gui. Did the beeps get taken out or is it some problem on my machine only?
>>>
>>> Thanks,
>>> Vinc
Re: [pfSense Support] Does anybody have more than 2GB RAM?
Rainer Duffner wrote:
> Hi,
>
> I tried installing the 0.90 that was on the mirrors this morning on a Dual 1.2 GHz Tualatin (a Supermicro P3TDE6) with 4 GB RAM. Both FreeBSD6 and that 0.90 snapshot panicked relatively early in the boot-sequence.

I've run 0.7x-series pfSense successfully on a Dell 2550 with 4GB RAM.
Re: [pfSense Support] Dump states featue
> I got to this point just running about 500 requests/sec in apache benchmark. No keepalive.

Strike me as inexperienced here, but wouldn't you want to tweak PF a bit for your environment? Did you try the Firewall Optimization Options and set it to aggressive? Methinks one would have a firewall set up differently when putting it in front of a large webserver as opposed to fronting a SOHO network, which is what most of us have.

RB
Re: [pfSense Support] pfsense 0.88
> Hm. Strange. As I understand DHCP relay should be run in addition to Pass-through mode if DHCP is used. But I'm not sure how to set one up. 1:1 NAT is an option but I'd like to keep private IPs internally. I of course could set pfsense to router mode but I guess kind of bridging is what I'd like the most. Basically I'm concerned about what if it fails? - keeping same as external IPs would allow me to simply take of pfSense and temporary use local firewalls. It is not great but better than having it down.

After thinking further, I think I'd recommend the NAT, myself - that way, should one of your internal hosts fail, it would be a rather simple operation to map its external IP to another internal host's internal IP. You'd either set up a mapping between, say, 192.168.0.1/29 and your external block. pfSense would then map 192.168.0.1 to your first external up through 192.168.0.8 to your last; you could also do that mapping manually, it's really up to you. You'd still maintain the internal private IPs, and would probably want to set up your internal DNS to point to them instead of your external ones, but (depending on what firewall rules you set up) will have access to each one of them via their independent external IPs.

That, and I too recommend putting up two firewalls and CARPing between them - even with reasonably cheap hardware, you're going to get far greater reliability and easier maintenance than with one really expensive, really good piece of hardware. If your concern is availability, that, by far, is the way to go.

RB
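An added example, not from the post and not pfSense code: the address arithmetic behind the block-to-block 1:1 mapping RB describes, done with Python's ipaddress module. It pairs each internal host with the external address at the same offset, emits one pf `binat` line per pair in the classic pf.conf syntax, and carries out the remap he mentions when an internal host fails (its external address is pointed at a spare host by editing one pair). The `192.168.0.8/29` block, the `203.0.113.8/29` documentation range and the `$wan` macro are constructed placeholders.

```python
"""1:1 (binat) mapping arithmetic for an internal block and an equally sized
external block. Added illustration; not pfSense code."""
import ipaddress
from typing import List, Tuple

Pair = Tuple[str, str]


def one_to_one_map(internal: str, external: str) -> List[Pair]:
    """Pair the n-th internal address with the n-th external address.
    Both blocks must be the same size and family; anything else leaves hosts
    without an external address or external addresses unused."""
    inside = ipaddress.ip_network(internal, strict=True)
    outside = ipaddress.ip_network(external, strict=True)
    if inside.version != outside.version or inside.prefixlen != outside.prefixlen:
        raise ValueError("internal and external blocks must be the same size")
    return [(str(i), str(o)) for i, o in zip(inside, outside)]


def binat_rules(mapping: List[Pair], ifname: str = "$wan") -> List[str]:
    """Classic pf binat syntax: one bidirectional line per host, so inbound
    traffic to the external address reaches the internal host and that host's
    outbound traffic leaves from the same external address."""
    return [f"binat on {ifname} from {i} to any -> {o}" for i, o in mapping]


def remap_failed_host(mapping: List[Pair], failed: str, spare: str) -> List[Pair]:
    """When an internal host dies, hand its external address to a spare host
    by editing one pair; nothing has to be readdressed. The spare must not
    already own an external address, or two hosts would share one."""
    if any(i == spare for i, _ in mapping):
        raise ValueError(f"{spare} already has an external address")
    return [(spare if i == failed else i, o) for i, o in mapping]


if __name__ == "__main__":
    # Constructed blocks: RFC 1918 inside, the 203.0.113.0/24 documentation range outside.
    m = one_to_one_map("192.168.0.8/29", "203.0.113.8/29")
    print("\n".join(binat_rules(m)))
    print(binat_rules(remap_failed_host(m, "192.168.0.9", "192.168.0.20"))[1])
```

Iterating an `ip_network` yields every address in the block, the first and last included, which is what a whole-block 1:1 mapping wants; if the network and broadcast addresses of the external block must stay unmapped, slice them off before building the pairs.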
Re: [pfSense Support] pfsense on mac mini?
Kinda OT, but good info for someone possibly :)

Well, since we're sharing hardware platforms, here are two of my favorites:

http://www.advantech.com/products/Model_Detail.asp?model_id=1-U89QYBU=NCGPD=
http://www.mbx.com/oem/reference_platforms/RP-1013.cfm

Both have space for a Soekris 1411 or 1401, both have CF on the motherboard...

If any of you can get old Symbol WS-5000 chassis (I HATE the OS) from someone, you should be able to get them pretty cheap, and they're just perfect - already have one P-III 1GHz in them and have space for another, plus typically 256MB of RAM and a 256MB DOM - lots of fun you can have with that. Dual standard IDE controllers, 2x USB, 2x fxp, a serial port. Contact me if you need help getting past the headless BIOS. :-D Heck, I'd buy one myself if they were cheap. Don't care about the AXPs or software, though.

RB
Re: [pfSense Support] iperf question
Fleming, John (ZeroChaos) wrote:
> I'd also like to know which rl cards these are. Can you send the output of pciconf -lv?

Glad to oblige

[EMAIL PROTECTED]:9:0:  class=0x02 card=0x13011186 chip=0x13001186 rev=0x10 hdr=0x00
    vendor   = 'D-Link System Inc'
    device   = 'DL 10038C or 10038D (Remark of Realtek RTL-8139) Fast Ethernet Adapter'
    class    = network
    subclass = ethernet
[EMAIL PROTECTED]:10:0: class=0x02 card=0xf3111385 chip=0x0020100b rev=0x00 hdr=0x00
    vendor   = 'National Semiconductor'
    device   = 'DP83815/16 Fast Ethernet Adapter (MacPhyter/MacPhyter-II)'
    class    = network
    subclass = ethernet
[EMAIL PROTECTED]:11:0: class=0x02 card=0x13011186 chip=0x13001186 rev=0x10 hdr=0x00
    vendor   = 'D-Link System Inc'
    device   = 'DL 10038C or 10038D (Remark of Realtek RTL-8139) Fast Ethernet Adapter'
    class    = network
    subclass = ethernet

Chris Buechler wrote:
> Yes it is. iperf doesn't test full duplex, it's one direction only (with one connection, run a server and a client on each side and you can test full duplex). You'll never get more than 100 Mb on a 100Mb link or 10 Mb on a 10 Mb link, even if it's full duplex, with a single iperf server and client.

The specific command I ran was iperf -i 1 -N -d -P3 -c 192.168.0.1 - from the options on my Gentoo box, -d says it does a bidirectional test simultaneously, testing (I presumed) duplex.

> rl's are known for poor performance, but should be better than that unless you're only running a 100-200 MHz machine or so.

I just barely miss that category... ;-)

CPU: AMD-K6(tm) 3D processor (300.68-MHz 586-class CPU)

> You should be seeing:
> media: Ethernet autoselect (100baseTX full-duplex)
> in your ifconfig output. Exactly what are you seeing on that line?

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
        inet6 fe80::211:95ff:fe28:ab2f%rl0 prefixlen 64 scopeid 0x1
        ether 00:11:95:28:ab:2f
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
Re: [pfSense Support] iperf question
Chris Buechler wrote:
> hah Well...that's probably the best you can get on that. :) With rl NIC's at least, since they're interrupt happy.

Wow. That was certainly it. Ran top and it showed 0% idle CPU with over 70% dedicated to interrupts and ~25% system. I knew the RL NICs were poor, just never knew how poor they really were until I started playing around with BSD - I guess my Linux machines have always been powerful enough to overcome the danged things.

Funny this - the 93Mb was between a desktop Athlon XP-1800 and a laptop AMD-64 3000+, both with RTL-8139 NICs. I guess I'll stop buying the crappy RTL cards now, eh?

Hey, anyone interested in a couple of top-quality NICs? I'll sell 'em to you cheap!

RB
Re: [pfSense Support] Alert about pf rules syntax errors... again...
Scott Ullrich wrote:
> I just tested the latest vpn.inc with my home firewall that has 4+ ipsec links and it works fine. I'll be releasing a new version soon. Please be on the lookout for it and give it a try.
>
> Scott

I'm still showing this issue in 0.77. My last fix was to comment out a large swath of /etc/inc/filter.inc, but I tried to be a bit more pragmatic about it this time, and realized that I came to the precise same conclusions that M. Kohn came to. There needs to be some catch, some hook in vpn_ipsec.php (line 36 where the empty definition is created), filter.inc (see previously submitted patch), or vpn.inc. Something somewhere either has to stop making the empty tunnel or everything else has to be changed to be able to deal with it.

Scott - you said a change to filter.inc is not the correct fix, and to make it in /etc/inc/vpn.inc. Why would that be? AFAICT, vpn.inc just sets up defined tunnels - very little error control in it. The specified code chunk in filter.inc (starting ~2093) seems to be the flawed one - it just happily chews right over definitions, uncaring whether they're empty or not. Shouldn't a process that's generating system commands be a bit more concerned about whether or not it's putting out proper syntax?

RB
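An added illustration in Python of the two behaviours RB contrasts (pfSense's filter.inc is PHP, and none of the field names, rule shapes or addresses below come from it): `naive_rules` does what he describes, turning every tunnel definition into a pass line whether or not it is empty, so the empty definition left behind by the IPsec page yields a rule with blank fields that pf will reject; `safe_rules` validates each definition first and reports the rejected ones instead of emitting broken syntax. The tunnel records and the `203.0.113.7` gateway are constructed.

```python
"""Validate IPsec tunnel definitions before turning them into pf rules.
Added illustration; not pfSense's PHP, and the field names are made up."""
import ipaddress
from typing import Dict, List, Tuple

Tunnel = Dict[str, str]

# Constructed input: one complete tunnel and one empty definition of the kind
# the thread says the IPsec page leaves behind.
SAMPLE_TUNNELS: List[Tunnel] = [
    {"interface": "wan", "remote_gateway": "203.0.113.7", "remote_subnet": "10.9.0.0/24"},
    {"interface": "", "remote_gateway": "", "remote_subnet": ""},
]

REQUIRED = ("interface", "remote_gateway", "remote_subnet")


def tunnel_errors(t: Tunnel) -> List[str]:
    """Return the problems with a definition; an empty list means it is usable."""
    errs = [f"missing {k}" for k in REQUIRED if not t.get(k, "").strip()]
    if errs:
        return errs                     # no point parsing blank fields
    try:
        ipaddress.ip_address(t["remote_gateway"])
    except ValueError:
        errs.append(f"bad remote_gateway {t['remote_gateway']!r}")
    try:
        ipaddress.ip_network(t["remote_subnet"], strict=False)
    except ValueError:
        errs.append(f"bad remote_subnet {t['remote_subnet']!r}")
    return errs


def naive_rules(tunnels: List[Tunnel]) -> List[str]:
    """The failure mode from the thread: every definition becomes a rule, so an
    empty one yields 'pass in on  proto esp from  to any', which pf rejects
    and which takes the whole ruleset load down with it."""
    return [
        f"pass in on {t.get('interface', '')} proto esp from {t.get('remote_gateway', '')} to any"
        for t in tunnels
    ]


def safe_rules(tunnels: List[Tunnel]) -> Tuple[List[str], List[Tuple[int, List[str]]]]:
    """Emit rules only for definitions that pass validation; return the rest
    with their reasons so the caller can log them instead of breaking pf."""
    rules: List[str] = []
    rejected: List[Tuple[int, List[str]]] = []
    for idx, t in enumerate(tunnels):
        errs = tunnel_errors(t)
        if errs:
            rejected.append((idx, errs))
            continue
        ifc, gw, net = t["interface"], t["remote_gateway"], t["remote_subnet"]
        # Illustrative rule shapes: let IKE and ESP in from the peer, then the
        # decapsulated traffic from its subnet.
        rules.append(f"pass in quick on {ifc} proto udp from {gw} to any port 500")
        rules.append(f"pass in quick on {ifc} proto esp from {gw} to any")
        rules.append(f"pass in quick on {ifc} from {net} to any keep state")
    return rules, rejected


if __name__ == "__main__":
    good, bad = safe_rules(SAMPLE_TUNNELS)
    print("\n".join(good))
    for idx, errs in bad:
        print(f"# tunnel {idx} skipped: {', '.join(errs)}")
```

The design point is the one RB makes: the generator is the last place where a malformed definition can be caught before it becomes a system command, so validating there is cheaper than trying to make every producer of tunnel records well behaved.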