RE: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Ted Crow
I currently have my WAN and an OPT interface bridged, rules then govern
traffic originating from both the LAN and WAN interfaces.  Servers
connected to the OPT interface use addresses from our public IP block.

I have had no trouble whatsoever with this config running pfSense
65.3->70.4 in a production environment.  In my setup, servers on this
DMZ can be accessed from both the LAN and WAN.

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247
-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 15, 2005 10:10 AM
Cc: support@pfsense.com
Subject: Re: [pfSense Support] DMZ bridges with WAN

On 8/15/05, Heiko Weber <[EMAIL PROTECTED]> wrote:
> Hi All,
> 
> for now I use a m0n0wall as Firewall, but I have the problem that I
> want to use official IP Addresses in the DMZ. For that I had to bridge
> the DMZ with WAN. If I do this there is no traffic possible between LAN
> and DMZ.
> My question: Does this work with pfsense or would I have the same problem?
> 

we don't yet know, as we haven't had a chance to test that yet.  Try it
and let us know.

-cmb

-
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional
commands, e-mail: [EMAIL PROTECTED]





RE: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Ted Crow
Yes, they are.  I couldn't do this with my old firewall either.  It's
basically a classic DMZ, at least the way I always thought they should
work.  Took me a bit to figure out what I was doing with this, but my
bridge method works great.

Private   | Public
IP Space  | IP Space
  |
LAN <-|-X---> WAN
  | |
  | V
  |DMZ
  |

I started out just using 1:1 NAT for my public access hosts, but chose
this route after realizing I would end up with a kludged Citrix
installation.  My poster boy, the Citrix server, currently sits in both
the DMZ and LAN, but only accepts inbound ICA connections via the
DMZ-connected interface, which saves me from having to fiddle with
"alt_addr" and having different firewall settings on my clients
depending on their location.  (I have Citrix users both inside and
outside the protected network, many who can't use VPNs.)

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247
-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 15, 2005 11:11 AM
To: Ted Crow
Cc: support@pfsense.com
Subject: Re: [pfSense Support] DMZ bridges with WAN

Cool!  And your LAN hosts are behind NAT?  





RE: Re: [pfSense Support] pfSense on complex Network

2005-08-15 Thread Ted Crow



For my production unit, I have a SuperMicro 5013 server with 2 LOB Intel
Gigabit LAN/WAN interfaces and a PCI/64 Intel Quad Fast Ethernet for my
OPT interfaces.  Works great with top notch throughput.  (IIRC, I've been
using this hw since 0.49)

I pretty much gave up on Realtek a couple years ago, and now avoid systems
with built in Realtek NICs.  A while back I did a test with 11 Intel NICs
in one pfSense box and it worked flawlessly.  So, probably needless to say,
I highly recommend Intel NICs.  In general practice, I put 3Com NICs third
on my list right behind Broadcom.

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247

From: David Strout [mailto:[EMAIL PROTECTED]
Sent: Monday, August 15, 2005 1:54 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; support@pfsense.com
Subject: Re: Re: [pfSense Support] pfSense on complex Network

I have an old Dell Precision w/ PCI-X slots and use the Intel (PCI/PCI-X)
quad 10/100/1000 card (I have two working flawlessly w/ 0.74.8) that's my
recommendation - stick w/ intel on many/multi homed (more than 2-3 NICs)
boxes.
--
David L. Strout
Engineering Systems Plus, LLC

- Original Message -
Subject: Re: [pfSense Support] pfSense on complex Network
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: 08-15-2005 1:43 pm

On 8/15/05, Scott Ullrich <[EMAIL PROTECTED]> wrote:
> On 8/15/05, Paulus Edwin Prasetya <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I'm new to this list, can anyone help me?
> >
> > I am setting up a quite complex gateway using pfSense;
> > the box contains 6 NICs all using RealTek (rl0-rl5)
>
> Are you sure that all 6 Realtek NICS function correctly in the
> machine? That's a lot of NICS and RealTeks at that (read: I would
> use better nics such as intel/3com).

I wouldn't even recommend 3Com - I've had more tons of problems with
them. Absolutely agreed though that Realtek suck *ss. Expect poor
performance.

--Bill


[pfSense Support] Running multiple routed subnets on LAN interface

2005-08-25 Thread Ted Crow
I am (still) running pfSense 70.4 and I am in the process of adding a
routed subnet to my LAN. 

I don't have any trouble seeing the remote LAN from my core LAN, nor any
trouble seeing the core LAN from the remote LAN.  But, my remote LAN
gets no responses from devices on any other interface on the firewall.

The routing appears to be correct as far as I can tell using
traceroute/ping.  I can ping machines on the remote LAN from the
firewall, and the firewall from the remote network.  The firewall
appears to be black-holing the remote LAN traffic.

-- From REMOTE LAN --
Tracing the route to xx.xx.xx.xx (public)

  1     1 ms    1 ms    1 ms  172.16.11.1  <--- New Remote (172.16.11/24)
  2     4 ms    4 ms    4 ms  172.16.0.2   <--- Internal Router (172.16.0/23)
  3     5 ms    5 ms    5 ms  172.16.0.1   <--- pfSense Firewall (172.16.0/23)
  4     *       *       *                  <--- should be Gateway Router (public)
  5     *       *       *                  <--- should be ISP Router (public)
  ...                                      <--- on to oblivion

I do have a LAN rule explicitly allowing the remote subnet to have full
access to "any^3".

Any ideas?  Or do I just need to get the latest version of pfSense on
the box?

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247 





RE: [pfSense Support] Running multiple routed subnets on LAN interface

2005-08-25 Thread Ted Crow
I'll try to bump up to the latest version tonight and see what happens.
Hopefully no crash this time...

Anyway, here is a rough diagram, if you *really* want a Visio drawing I
can do that too:



+-+
| Internet Router |
|  Public Block   |
+-+
 ^
 |
 v <-WAN
+--+   
| pfSense Firewall |<---> OPT1 (172.16.2.1/24)
|172.16.0.1|<---> OPT2 (Public, Bridged with WAN)
|  |<---> OPT3 (172.16.3.1/24)
|  |<---> OPT4 (172.16.4.1/24)
+--+
 ^ <-LAN
 |
 v
  +---+ +---+++  
  |  Core Switch  |-|   core-side   |->[T1]<-|  remote-side   |
  | 172.16.0.x/23 | | 172.16.0.2/23 || 172.16.11.1/24 |
  +---+ +---+++
   | | | | |  |
++   ++
|Core Network|   |   Remote Network   |
|   172.16.0.x /23   |   |   172.16.11.x/24   |
++   ++



The firewall has the static route: Interface: LAN, NW:172.16.11.0/24,
GW:172.16.0.2
There is a pass rule on LAN: 172.16.11.0/24 -> any 

Core gateway of last resort is 172.16.0.1
Remote gateway of last resort is 172.16.0.1 (Also tried 172.16.0.2)
The Serial (T1) interface of each router is unnumbered to Ethernet.
All routers are running IOS 12.3+

Core network default gateway: 172.16.0.1
Remote network default gateway: 172.16.11.1 

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247
-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 25, 2005 4:06 PM
To: Ted Crow
Cc: support@pfsense.com
Subject: Re: [pfSense Support] Running multiple routed subnets on LAN
interface

iy yi yi...I can't ever begin to remember what bugs lurked back that
far.  Any chance you can upgrade to current?  We're fixing stuff left
and right, I'm not going to go back through the last three months
changelogs to see if we've already fixed whatever might be affecting you
(if anything).  If it's still affecting you on something recent
(preferably .80 at a minimum) we can take a look.

--Bill

PS. I agree with John, we need a network diagram.  If you don't have
Visio, please use Dia (http://www.gnome.org/projects/dia/)

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
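The route table and traceroute from this thread, worked through as an added example (not from the mailing-list thread): a longest-prefix lookup over the routes Ted lists, a check for flows the firewall has to hairpin back out the LAN toward 172.16.0.2, and a parser that finds where a traceroute stopped answering. The WAN gateway address is a placeholder the post does not give, and the traceroute text is a constructed copy in the post's layout.

```python
"""Added example: model the pfSense route table described in the post,
find where a packet for a given destination leaves the firewall, and
read a traceroute to see at which hop the path died."""
import ipaddress
import re

# (destination, gateway, interface); gateway None = directly connected.
PFSENSE_ROUTES = [
    ("172.16.0.0/23", None, "LAN"),            # core LAN, firewall is 172.16.0.1
    ("172.16.2.0/24", None, "OPT1"),
    ("172.16.3.0/24", None, "OPT3"),
    ("172.16.4.0/24", None, "OPT4"),
    ("172.16.11.0/24", "172.16.0.2", "LAN"),   # static route to the remote LAN
    ("0.0.0.0/0", "203.0.113.1", "WAN"),       # placeholder default gateway
]


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, interface) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifc in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, ifc)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def classify_flow(routes, src, dst):
    """Describe how the firewall handles a packet src -> dst.

    in_iface is where the packet arrives (the interface that reaches src);
    out_iface/next_hop is where it is forwarded. When both are the same
    interface the firewall is hairpinning: the reply from dst can reach src
    across the shared LAN segment without crossing the firewall, so pf only
    sees one direction of that connection (asymmetric routing).
    """
    _, in_iface = lookup(routes, src)
    next_hop, out_iface = lookup(routes, dst)
    return {
        "in_iface": in_iface,
        "out_iface": out_iface,
        "next_hop": next_hop,
        "hairpin": in_iface == out_iface,
    }


_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def last_responding_hop(traceroute_text):
    """Return (hop_number, ip) of the last hop that answered, or None."""
    last = None
    for line in traceroute_text.splitlines():
        m = _HOP.match(line)
        if not m:
            continue
        ip = _IP.search(m.group(2))
        if ip:
            last = (int(m.group(1)), ip.group(1))
    return last


def diagnose(routes, traceroute_text, dst):
    """Name the device that should have forwarded the probe next."""
    hop = last_responding_hop(traceroute_text)
    if hop is None:
        return "no hop answered"
    next_hop, out_iface = lookup(routes, dst)
    return (f"last answer from hop {hop[0]} ({hop[1]}); the firewall should "
            f"have sent the probe out {out_iface} to {next_hop or dst}")


# Constructed traceroute in the same shape as the one in the post
# (public target redacted as in the post).
SAMPLE_TRACE = """\
Tracing the route to xx.xx.xx.xx (public)

  1     1 ms    1 ms    1 ms  172.16.11.1
  2     4 ms    4 ms    4 ms  172.16.0.2
  3     5 ms    5 ms    5 ms  172.16.0.1
  4     *       *       *
  5     *       *       *
"""

if __name__ == "__main__":
    print(diagnose(PFSENSE_ROUTES, SAMPLE_TRACE, "198.51.100.10"))
    # Core host -> remote LAN: the firewall sends it back out LAN to
    # 172.16.0.2, and the reply never passes the firewall.
    print(classify_flow(PFSENSE_ROUTES, "172.16.0.50", "172.16.11.5"))
    # Without the static route, replies to the remote LAN would leave via WAN.
    no_static = [r for r in PFSENSE_ROUTES if r[0] != "172.16.11.0/24"]
    print(lookup(no_static, "172.16.11.5"))
```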



[pfSense Support] Slow Boot - Hanging on OPT interfaces.

2005-08-25 Thread Ted Crow

Ok, versions 0.80->0.80.2 installed without *too* much trouble, and my
remote network can now see the WAN and OPT interfaces.

One thing I did notice with 0.80 and 0.80.2 is that my firewall hangs
for about 5 minutes during boot on the following:

Configuring LAN interface... done.
Configuring WAN interface... done.
Configuring OPT interfaces... 

The server just sits there winking LAN and WAN lights at me for about 5
minutes and then zips through everything else and comes online.  It's
probably a good thing that I won't need to reboot the server until I do
my next firmware upgrade. (which might not be for another 30 days...)

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247 





[pfSense Support] FYI: VPNs dropping off after a month

2005-09-26 Thread Ted Crow
I'm still running 80.2 and thought I would mention my issue - in the
unlikely event that the VPN code has not been updated since that
release.  So, if this hasn't already been spotted and resolved, keep
this in mind when you are working on VPN components.
 
I have 2 IPSEC VPN tunnels which run continuously and several others
purely on demand. I had no problems at all until about the 24 day uptime
mark, when I noticed all the tunnels had dropped for no apparent reason.
Basically, the SA lifetime would expire and there would be no attempt to
reconnect.

I could bring them back up by simply reconfiguring them (which I'm
guessing forces a restart of the IPsec daemon), but would only stay up
for one "lifetime" and would only reconnect if the daemon was restarted.
I screwed with it for a couple days, but after actually restarting the
firewall, they have been running fine now for a few days.
 
I'm not sure if this is a problem with the IPsec server, related to
system uptime counters or something else entirely.  Previously, I have
had pfSense running on the same box for longer than 45 days with no
issues.  I'm due for an upgrade anyway...
 
Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.




RE: [pfSense Support] PPTP Server Questions

2005-11-29 Thread Ted Crow
They're in /etc/inc/globals.inc, not the config.xml.  They're about
halfway down the big "$g = array(" block.

Make sure your hardware can handle the load...

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247


-Original Message-
From: Ben Ruset [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 29, 2005 6:15 AM
To: support@pfsense.com
Subject: [pfSense Support] PPTP Server Questions

I've just setup my pfSense box more or less as a PPTP server only and it
seems to be working pretty well.

I want to increase my max connections from 16. I took a look in the FAQ,
and attempted to find the values

n_pptp_units 16
pptp_subnet 28

in my config.xml -- where they don't exist. Any ideas?

Also - I'd like to get PPTP authenticating against Active Directory with
IAS. I've seen the tutorial to do this, but does anybody know how to
enable Active Directory to specify the IP address that the client gets? 
I am creating some PPTP users that have limited access to our network,
and hence they need special rules setup based on what IP they're
given...




RE: [pfSense Support] PPTP Server Questions

2005-11-29 Thread Ted Crow
Dang it, you people keep making things more convenient - when did that
get added?

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 29, 2005 11:50 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] PPTP Server Questions

Actually these values can be overridden like Ben stated.

Put something like this in

<n_pptp_units>16</n_pptp_units>
<pptp_subnet>28</pptp_subnet>




[pfSense Support] Problem with a rule under 0.96.4

2005-12-16 Thread Ted Crow
This rule used to work just fine under v0.80, but when I (finally)
upgraded to 0.96.4 today, it now causes a syntax error.  Any Ideas?

block in quick on $lan proto tcp from ! $IntMAIL to any port = 25 label
"USER_RULE: SMTP NOT from Authorized Mail Hosts"

When I disabled the rule, everything else took right off, but I would
rather have it (or a suitable replacement) in place.

If you can't guess, $IntMAIL is an alias for all of our internal mail
servers.  I have several other working rules referencing it, but this is
the only rule that uses it inverted.

 From the Log 
php: : There were error(s) loading the rules: /tmp/rules.debug:217:
syntax error pfctl: Syntax error in config file: pf rules not loaded -
The line in question reads [217]: block in quick on $lan proto tcp from
! $IntMAIL to any port = 25 label "USER_RULE: SMTP NOT from Authorized
Mail Hosts"
======

Thanks,

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247
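
An added example (not pfSense code): pull the failing line numbers out of the "There were error(s) loading the rules" message, map them back to rules.debug, and flag the construct pf's grammar rejects, namely `!` applied to a brace list, which is what an alias macro expands to. pf negates a single host or a table, not a list, so the same alias defined as a table can be inverted. The rules.debug excerpt, the addresses and the log line below are constructed.

```python
"""Added example: diagnose a 'pf rules not loaded' log entry against the
generated rules.debug, and rewrite a negated alias as a negated table."""
import re

_ERR_LINE = re.compile(r"/tmp/rules\.debug:(\d+):\s*syntax error")
_MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
_NEG_MACRO = re.compile(r"!\s*\$(\w+)")
# '! {' is the shape pf's parser refuses: negation of a brace list.
_NEGATED_LIST = re.compile(r"!\s*\{")


def failing_line_numbers(log_message):
    """Every line number pfctl reported as a syntax error, in order."""
    return [int(n) for n in _ERR_LINE.findall(log_message)]


def offending_rules(log_message, rules_debug):
    """Map each reported line number to the text of that rules.debug line."""
    lines = rules_debug.splitlines()
    out = []
    for n in failing_line_numbers(log_message):
        text = lines[n - 1] if 0 < n <= len(lines) else "<line missing>"
        out.append((n, text))
    return out


def parse_macros(rules_debug):
    """pf macros of the form  name = "value"  (how the alias is emitted)."""
    macros = {}
    for line in rules_debug.splitlines():
        m = _MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros):
    """Textual $macro expansion, as pf does before parsing the rule."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)


def negated_list_rules(rules_debug):
    """Line numbers whose expanded form negates a brace list."""
    macros = parse_macros(rules_debug)
    return [i for i, line in enumerate(rules_debug.splitlines(), 1)
            if _NEGATED_LIST.search(expand(line, macros))]


def rewrite_with_tables(rules_debug):
    """Turn '! $ALIAS' (ALIAS being a brace list) into '! <ALIAS>' and
    define the matching table once at the top of the rule set."""
    macros = parse_macros(rules_debug)
    tables = {}

    def repl(m):
        name = m.group(1)
        val = macros.get(name, "").strip()
        if val.startswith("{"):
            tables[name] = val.strip("{}").split()
            return f"! <{name}>"
        return m.group(0)

    body = [_NEG_MACRO.sub(repl, line) for line in rules_debug.splitlines()]
    header = [f"table <{n}> {{ {' '.join(ms)} }}" for n, ms in tables.items()]
    return "\n".join(header + body) + "\n"


# Constructed excerpt of a generated rules.debug (addresses made up).
SAMPLE_RULES = """\
# constructed excerpt of /tmp/rules.debug
lan = "fxp0"
IntMAIL = "{ 172.16.0.25 172.16.0.26 }"
pass in quick on $lan proto tcp from $IntMAIL to any port = 25 label "USER_RULE: SMTP from Mail Hosts"
block in quick on $lan proto tcp from ! $IntMAIL to any port = 25 label "USER_RULE: SMTP NOT from Authorized Mail Hosts"
"""

# Constructed log line in the shape pfSense writes to the system log.
SAMPLE_LOG = ("php: : There were error(s) loading the rules: "
              "/tmp/rules.debug:5: syntax error pfctl: Syntax error in "
              "config file: pf rules not loaded")

if __name__ == "__main__":
    for n, text in offending_rules(SAMPLE_LOG, SAMPLE_RULES):
        print(f"line {n}: {text}")
    print("negated lists at lines:", negated_list_rules(SAMPLE_RULES))
    print(rewrite_with_tables(SAMPLE_RULES))
```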





RE: [pfSense Support] Problem with a rule under 0.96.4

2005-12-19 Thread Ted Crow
Rather than wait for a release, I thought I would try patching the file
to 1.575.2.47.  The blocking rule appeared to work, but now a pass
rule is freaking out.  I dropped filter.inc back to v1.575.2.43.

===
php: : There were error(s) loading the rules: /tmp/rules.debug:181:
syntax error /tmp/rules.debug:182: syntax error /tmp/rules.debug:183:
syntax error /tmp/rules.debug:184: syntax error /tmp/rules.debug:216:
syntax error /tmp/rules.debug:217: syntax error pfctl: Syntax error in
config file: pf rules not loaded - The line in question reads [181]:
pass in quick on $wan proto tcp from any to xx.xx.xx.40 xx.xx.xx.42 port
= 25 flags S/SA keep state label "USER_RULE: SMTP to Mail Hosts"
===

Did fixing the original bug break something else?

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 16, 2005 7:52 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with a rule under 0.96.4

Thanks, this is now fixed.

http://cvstrac.pfsense.com/chngview?cn=8487

Scott




RE: [pfSense Support] Problem with a rule under 0.96.4

2005-12-19 Thread Ted Crow
Looks like we're cooking now!  All rules configured correctly using
filter.inc v1.575.2.48.

Thanks Scott!

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247


-Original Message-
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 19, 2005 5:04 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Problem with a rule under 0.96.4

On 12/19/05, Ted Crow <[EMAIL PROTECTED]> wrote:
> Rather than wait for a release, I thought I would try patching the 
> file to 1.575.2.47.  The blocking rule appeared to work, now there a 
> pass rule is freaking out.  I dropped filter.inc back to v1.575.2.43.
>
> ===
> php: : There were error(s) loading the rules: /tmp/rules.debug:181:
> syntax error /tmp/rules.debug:182: syntax error /tmp/rules.debug:183:
> syntax error /tmp/rules.debug:184: syntax error /tmp/rules.debug:216:
> syntax error /tmp/rules.debug:217: syntax error pfctl: Syntax error in

> config file: pf rules not loaded - The line in question reads [181]:
> pass in quick on $wan proto tcp from any to xx.xx.xx.40 xx.xx.xx.42 
> port = 25 flags S/SA keep state label "USER_RULE: SMTP to Mail Hosts"
> ===
>
> Did fixing the original bug break something else?

Yup.

Please try http://cvstrac.pfsense.com/chngview?cn=8550




RE: [pfSense Support] IPSec VPN with FortiGate 60 v3.00MR2 ?

2006-07-24 Thread Ted Crow
 
I had an IPSec tunnel working with a Fortigate 100 (v2.8 I think) a few
months back (I was running pfSense 0.96.4).  A little weird to configure
on the Fortigate side, but it worked just fine.

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247

-Original Message-
From: Xavier Beaudouin [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 24, 2006 10:13 AM
To: support@pfsense.com
Subject: [pfSense Support] IPSec VPN with FortiGate 60 v3.00MR2 ?

Hello,

I am trying to setup a VPN tunnel between a pfSense 1.0RC1 and a
Fortigate 60...

Does anybody have any idea if this is working?
/Xavier




RE: [pfSense Support] pfsense using 4 nics?

2006-10-24 Thread Ted Crow
I have been running 6 nics for quite some time in a production
environment.  I performed a successful experiment running 11 nics a while
back in the early alpha days to see if pfSense could handle it, and it
passed with flying colors.

I'd also recommend sticking with a single brand of nic.  For the moment, I
prefer Intel nics (vlan & polling support, yay!).  I seem to remember
having an issue with a test box running an oddball LOM in combination with
an Intel quad card.

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247

From: Rudi Potgieter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 7:09 AM
To: support@pfsense.com
Subject: [pfSense Support] pfsense using 4 nics?

Hi All

Does pfsense have a problem using 4 nics?  Whenever I install a fourth in
the machine, one of the nics (usually opt1 or opt2) conflicts with the LAN
interface.  When starting up pfsense, there is an asterisk next to LAN* and
OPT1(OPT1)* ?  And if the LAN interface is up, then the OPT1 interface is
up as well even though no cable is plugged in.  When the pc starts up each
network controller is using its own irq.

Any help?

Thanx

Rudi


[pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-30 Thread Ted Crow

I'm running 1.2-RELEASE and we recently upgraded from 10mbps DSL to a
metro fiber link and we were seeing a pretty significant performance hit
across the firewall, especially outbound.  In troubleshooting this, my
provider has disabled all limiting on their end and the connection is
basically a wide open FDX 100Mbps link.  This *really* made the
performance drop noticeable.

Simple Diagram:

   --   
| Fiber Switch |---| Cisco 2801 |---| Firewall |--> Multiple LANs
   --   
  |
   --
   | DMZ Switch |--> DMZ Hosts
   --

A laptop directly connected to the fiber switch can pump >80Mbps to many
points on the Internet.  Behind my router it only hits 45-60Mbps
probably because the router was never intended to be used at this speed
(before the speed was bumped to 100mbps there was no significant
performance drop).  Behind the pfSense box, however, averages around
20-25Mbps to the Internet.  LAN to DMZ Hosts are around 55-60Mbps.

The box is pretty beefy - a SuperServer 5015M-MF+B, Xeon 3040 with 1GB
DDR2 and six Intel 1Gbps ports.  I'd be a little surprised if the
hardware has anything to do with it.  CPU and RAM usage have never
exceeded 10%.

I tried enabling polling but that made no difference.  I've disabled the
traffic shaper and removed most of my packages to get where I am now and
I've run out of ideas.

Anyone?

Ted Crow
Information Technology Manager
Tuttle Services, Inc.




RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-30 Thread Ted Crow
 
As an additional note, I've already tried the following to no avail:

- tcp/udp tweaking (no change)
- duplex mismatch testing (no problems)
- disabling pf to see if it's an issue with my rules
  (good idea Matthew, but no change)

Other items of note:
- FTP bandwidth from the shell on the firewall itself shows the same
  speed as on the LAN.
- a packet sniffer has been running full time on the WAN side with no
  significant finds.  I may add one to the LAN side as well to see 
  what I can see.
- the DMZ speed is 40-60Mbps to the Internet and 50-60Mbps to the LAN.

Ted Crow
Information Technology Manager
Tuttle Services, Inc.

-Original Message-----
From: Ted Crow [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 30, 2008 4:03 PM
To: support@pfsense.com
Subject: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?


I'm running 1.2-RELEASE and we recently upgraded from 10mbps DSL to a
metro fiber link and we were seeing a pretty significant performance hit
across the firewall, especially outbound.  In troubleshooting this, my
provider has disabled all limiting on their end and the connection is
basically a wide open FDX 100Mbps link.  This *really* made the
performance drop noticeable.

Simple Diagram:

   --   
| Fiber Switch |---| Cisco 2801 |---| Firewall |--> Multiple LANs
   --   
  |
   --
   | DMZ Switch |--> DMZ Hosts
   --

A laptop directly connected to the fiber switch can pump >80Mbps to many
points on the Internet.  Behind my router it only hits 45-60Mbps
probably because the router was never intended to be used at this speed
(before the speed was bumped to 100mbps there was no significant
performance drop).  Behind the pfSense box, however, averages around
20-25Mbps to the Internet.  LAN to DMZ Hosts are around 55-60Mbps.

The box is pretty beefy - a SuperServer 5015M-MF+B, Xeon 3040 with 1GB
DDR2 and six Intel 1Gbps ports.  I'd be a little surprised if the
hardware has anything to do with it.  CPU and RAM usage have never
exceeded 10%.

I tried enabling polling but that made no difference.  I've disabled the
traffic shaper and removed most of my packages to get where I am now and
I've run out of ideas.

Anyone?

Ted Crow
Information Technology Manager
Tuttle Services, Inc.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Ted Crow
 
I don't see any errors on any of the Interfaces.  There actually *was* a
duplex mismatch on the provider's network upstream from my box, but that
was resolved before I traced things back to the pfSense box.  The duplex
error limited us far more severely, but this problem appears to be in
the pfSense box itself.

My previous box, last year, running 1.0.1, pushed the data at wire speed
with no trouble.  But you are right about the hardware being new, this
is all circa 2008 hardware - I'll give 1.2.1 a whirl and check back in.

Ted Crow
Information Technology Manager
Tuttle Services, Inc.
TEL: (419) 228-6262
DID: (419) 998-4874
FAX: (419) 228-1400

-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 30, 2008 9:30 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

On Wed, Jul 30, 2008 at 7:30 PM, Ted Crow <[EMAIL PROTECTED]> wrote:
>
> As an additional note, I've already tried the following to no avail:
>
> - tcp/udp tweaking (no change)

Shouldn't be necessary anyway. Most of those settings are only
relevant when the firewall is the endpoint of the connection.

> - duplex mismatch testing (no problems)

No errors on Status -> Interfaces? What speed and duplex is the WAN
port showing as?  In my experience with metro Ethernet, the endpoints
are set inconsistently by providers (at least by AT&T). Some are
forced speed/duplex and some are set to auto. In the former case
you'll need to force your end, in the latter, leave it to auto.


>  what I can see.
> - the DMZ speed is 40-60Mbps to the Internet and 50-60Mbps to the LAN.
>

How are you testing? I've pushed more than that through a 500 MHz box;
something of the spec you're running with Intel NICs is capable of
multi-Gbps. Since it's slow from DMZ to LAN it's likely not WAN port
related.

Since you're running relatively new hardware, the first thing I'd
recommend is trying 1.2.1. The NICs you have in a box that new
probably didn't exist at the time the em driver in FreeBSD 6.2 was
written, so you may be hitting some glitch there. Ditto for any number
of other components in that box.




RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Ted Crow

I don't consider myself a Cisco expert either, I've just been using
their hardware for the better part of 15 years.  I have access to a fair
number of good Cisco resources to aid me in selecting and configuring
the hardware.  I've never liked Cisco firewalls though, go figure.

I actually sized the router based on an estimated max traffic flow of
25Mbps.  It does have a very small ACL set running on it, mainly to keep
weird stuff from molesting my DMZ hosts (spoofing, etc.)  From the DMZ,
the speeds are pretty respectable considering the router was only
designed to handle a max of 46Mbps.  This one is the baby of the 2800
series and will probably be fine when the speed is dropped back down
below 25Mbps.

Ted Crow
Information Technology Manager
Tuttle Services, Inc.

-Original Message-
From: Paul Mansfield [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2008 5:56 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

It's not clear exactly what the Cisco 2801 is doing... does it have 
access control lists, which can make a big difference in speed... AIUI 
access lists can have two different execution paths and if you write 
them wrongly they're much more CPU intensive. Sorry, I am not a Cisco 
expert in this instance.




RE: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

2008-07-31 Thread Ted Crow
Good thought, but I did check my MTU - it appears to be solid at 1500
all the way to several test sites.

LAN to DMZ gets 55-60Mbps (Would expect ~100Mbps) 
DMZ to DMZ is wire speed (100Mbps)
DMZ to Internet is 45-60Mbps

The DMZ is basically the switch connecting the router and firewall.
Everything off the WAN interface is running 100Mbps FDX, connected to the 1G
Intel card, which appears to be happily running at 100Mbps.

WAN
-
em5: Adapter hardware address = 0xc4ffe948
em5: CTRL = 0x8140248 RCTL = 0x8002
em5: Packet buffer = Tx=20k Rx=12k
em5: Flow control watermarks high = 10240 low = 8740
em5: tx_int_delay = 66, tx_abs_int_delay = 66
em5: rx_int_delay = 0, rx_abs_int_delay = 66
em5: fifo workaround = 0, fifo_reset_count = 0
em5: hw tdh = 174, hw tdt = 174
em5: Num Tx descriptors avail = 256
em5: Tx Descriptors not avail1 = 0
em5: Tx Descriptors not avail2 = 0
em5: Std mbuf failed = 0
em5: Std mbuf cluster failed = 0
em5: Driver dropped packets = 0
em5: Driver tx dma failure in encap = 0
em5: Excessive collisions = 0
em5: Sequence errors = 0
em5: Defer count = 0
em5: Missed Packets = 0
em5: Receive No Buffers = 0
em5: Receive Length Errors = 0
em5: Receive errors = 0
em5: Crc errors = 0
em5: Alignment errors = 0
em5: Carrier extension errors = 0
em5: RX overruns = 0
em5: watchdog timeouts = 0
em5: XON Rcvd = 0
em5: XON Xmtd = 0
em5: XOFF Rcvd = 0
em5: XOFF Xmtd = 0
em5: Good Packets Rcvd = 3240309
em5: Good Packets Xmtd = 5577784

LAN
-
em4: Adapter hardware address = 0xc4ffa148
em4: CTRL = 0x8140248 RCTL = 0x801a
em4: Packet buffer = Tx=20k Rx=12k
em4: Flow control watermarks high = 10240 low = 8740
em4: tx_int_delay = 66, tx_abs_int_delay = 66
em4: rx_int_delay = 0, rx_abs_int_delay = 66
em4: fifo workaround = 0, fifo_reset_count = 0
em4: hw tdh = 158, hw tdt = 158
em4: Num Tx descriptors avail = 256
em4: Tx Descriptors not avail1 = 0
em4: Tx Descriptors not avail2 = 0
em4: Std mbuf failed = 0
em4: Std mbuf cluster failed = 0
em4: Driver dropped packets = 0
em4: Driver tx dma failure in encap = 0
em4: Excessive collisions = 0
em4: Sequence errors = 0
em4: Defer count = 0
em4: Missed Packets = 0
em4: Receive No Buffers = 0
em4: Receive Length Errors = 0
em4: Receive errors = 0
em4: Crc errors = 0
em4: Alignment errors = 0
em4: Carrier extension errors = 0
em4: RX overruns = 0
em4: watchdog timeouts = 0
em4: XON Rcvd = 0
em4: XON Xmtd = 0
em4: XOFF Rcvd = 0
em4: XOFF Xmtd = 0
em4: Good Packets Rcvd = 4071915
em4: Good Packets Xmtd = 3425928


Ted Crow
Information Technology Manager
Tuttle Services, Inc.

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 31, 2008 10:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] pfSense 1.2-RELEASE: Performance Issue?

Here's a suggestion somewhat out of left field.  What about MTU?  Any
chance the provider changed it on you?  A machine right on the edge
would handle fragmentation somewhat more gracefully than a firewall
that might decide to drop certain inappropriately fragmented frames.
This would also cause potential slowdown in general.

One thing I didn't see (although I'm likely just missing it), is what
your transfer speeds between DMZ and LAN are.  Also, any chance for a
test, you can remove the router?  And again test LAN to DMZ and LAN to
Internet.  Based on your equipment specs I'm highly skeptical of this
being a hardware capacity issue (a number of us have outperformed your
numbers on _much_ lower end hardware - consider that a Soekris 4801
@266MHz can easily hit 16Mbit of "normal" traffic, and iperf tests can
get it upwards of 35Mbit).  It might however be a hardware issue.
Also, there are some sysctls available for troubleshooting the Intel
driver.

Substitute '0' for whichever interface you are trying to debug
sysctl -w dev.em.0.debug=1
sysctl -w dev.em.0.stats=1
The Intel driver will reset these sysctls to their default value on
its own; it's a one-time-use type thing.  The results will be
available in dmesg and look like:

<< SNIP >>

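Bill's sysctl hint and the em5/em4 counter dumps above invite a quick way to read that output. The following is an added example, not code from the thread or from pfSense/FreeBSD: it parses the `em(4)` stats lines as they appear in dmesg and flags the counter groups that point at a specific fault, including the collision counters behind Chris's duplex-mismatch question earlier in the thread. The counter meanings follow Intel's 8254x statistics register descriptions; `CLEAN_WAN` is an excerpt of the em5 output Ted posted, while `MISMATCH_WAN` is a constructed variant.

```python
"""Read em(4) debug statistics as printed to dmesg.

Added example (not pfSense or FreeBSD code).  After `sysctl dev.em.N.stats=1`
the driver prints one "emN: <counter> = <value>" line per statistic; this
parses them and flags the groups that point at a specific fault.  Counter
meanings follow Intel's 8254x statistics register descriptions.
"""
import re
from typing import Dict, List

# Only plain integer counters match; register dumps ("CTRL = 0x...") and
# multi-value lines ("Tx=20k Rx=12k", "... high = 10240 low = 8740") do not.
_COUNTER_RE = re.compile(r"^(?P<ifname>em\d+): (?P<name>[^=]+?) = (?P<value>\d+)\s*$")

# (category, counters, what non-zero values usually mean, what to check)
RULES = [
    ("collisions", ("Excessive collisions", "Defer count", "Sequence errors"),
     "collisions/late collisions: this side is half duplex while the peer is "
     "not (the half-duplex side of a duplex mismatch)",
     "compare the forced speed/duplex on the switch or provider port with "
     "this interface's media setting; force both or auto-negotiate both"),
    ("rx_errors", ("Crc errors", "Alignment errors", "Receive Length Errors",
                   "Carrier extension errors"),
     "corrupted frames: bad cable/port, or the full-duplex side of a mismatch",
     "check cabling and the peer port's collision counters"),
    ("rx_drops", ("Missed Packets", "RX overruns", "Receive No Buffers"),
     "receive FIFO/descriptor exhaustion: the host is not draining the NIC",
     "check CPU and interrupt load, interrupt moderation and descriptor counts"),
    ("flow_control", ("XOFF Rcvd", "XOFF Xmtd"),
     "PAUSE frames in use (XOFF Xmtd: this NIC asked the peer to stop; "
     "XOFF Rcvd: the peer asked us to stop)",
     "a link that pauses often is saturated or backed up on one side"),
    ("driver", ("watchdog timeouts", "Driver dropped packets", "Std mbuf failed",
                "Std mbuf cluster failed", "Driver tx dma failure in encap"),
     "driver-side failures: hangs, mbuf starvation or DMA mapping failures",
     "check kern.ipc.nmbclusters and try a newer driver/OS release"),
]


def parse_em_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {ifname: {counter: value}} for every integer counter line."""
    stats: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line.strip())
        if m:
            stats.setdefault(m["ifname"], {})[m["name"]] = int(m["value"])
    return stats


def diagnose(stats: Dict[str, Dict[str, int]]) -> List[dict]:
    """One finding per (interface, category) with any non-zero counter."""
    findings = []
    for ifname, counters in stats.items():
        good_rx = max(counters.get("Good Packets Rcvd", 0), 1)
        for category, names, meaning, check in RULES:
            hit = {n: counters[n] for n in names if counters.get(n, 0) > 0}
            if hit:
                findings.append({"ifname": ifname, "category": category,
                                 "counters": hit, "meaning": meaning, "check": check,
                                 # errors per good received packet, for severity
                                 "per_good_rx": sum(hit.values()) / good_rx})
    return findings


# Excerpt of the em5 (WAN) dump posted above: every error counter is zero.
CLEAN_WAN = """\
em5: CTRL = 0x8140248 RCTL = 0x8002
em5: Packet buffer = Tx=20k Rx=12k
em5: Excessive collisions = 0
em5: Sequence errors = 0
em5: Defer count = 0
em5: Missed Packets = 0
em5: Receive No Buffers = 0
em5: Crc errors = 0
em5: Alignment errors = 0
em5: RX overruns = 0
em5: watchdog timeouts = 0
em5: XOFF Rcvd = 0
em5: XOFF Xmtd = 0
em5: Good Packets Rcvd = 3240309
em5: Good Packets Xmtd = 5577784
"""

# Constructed variant (not from the thread): the collision counters the
# half-duplex side of a duplex mismatch accumulates.
MISMATCH_WAN = (CLEAN_WAN
                .replace("Excessive collisions = 0", "Excessive collisions = 312")
                .replace("Defer count = 0", "Defer count = 9871"))

if __name__ == "__main__":
    for f in diagnose(parse_em_stats(MISMATCH_WAN)):
        print(f"{f['ifname']} {f['category']}: {f['counters']} -> {f['meaning']}")
```

Run `sysctl dev.em.N.stats=1`, then feed the matching dmesg lines to `parse_em_stats` and `diagnose`. In Ted's dump every error counter is zero, so these stats do not point at the wire or the switch port, which is in line with Chris's suggestion to look at the driver version rather than the WAN link.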



RE: [pfSense Support] Is this proposed configuration feasible?

2008-08-20 Thread Ted Crow
 
This is similar to how I had our box configured before our recent ISP
change.  It was tricky to set up, but pfSense worked where a PIX/ASA box
basically melted down.

We had Dual WANs, multiple 1:1 NAT entries (w/Proxy ARP across both WAN
subnets), DMZ port and 6 VLANs across 3 physical LAN ports, and
everything seemed to work fine, so long as traffic shaping wasn't
involved.  PPTP and IPSEC both worked well.

The setup is greatly simplified now... One WAN, two LAN ports, 4 VLANs,
DMZ outside the internal firewall.

Ted Crow
Information Technology Manager
Tuttle Services, Inc.

-Original Message-
From: Joshua Galvez [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 20, 2008 2:28 PM
To: support@pfsense.com
Subject: [pfSense Support] Is this proposed configuration feasible? 

I'd like to configure my pfSense box with 5 NICS

1- WAN1 - x.x.x.169
2- LAN - 192.168.15.1/24 - internal secure network
3- PUBLIC - 192.168.1.1/24 - public wireless network
4- WAN2 - transparent
5- DMZ - transparent - webserver

I have been assigned two blocks of IPs on two separate incoming
connections:
x.x.x.168/29
x.x.x.168 is my network address
x.x.x.174 is my DSL router/gateway
x.x.x.175 is my broadcast address

x.x.x.176/29
x.x.x.176 is my network address
x.x.x.182 is my DSL router/gateway
x.x.x.183 is my broadcast address

I want to do the following.

I want the LAN and PUBLIC networks to be completely severed by
firewall from each other.  I want both to have access to the
internet through NAT on WAN1.

I want connections on PPTP-VPN (gre, tcp 1723) to be forwarded from WAN1
to LAN:192.168.15.216.  I want also to be able to connect to that VPN
using the WAN1 IP address from PUBLIC.

I want WAN2 and DMZ to be bridged and transparently firewalled.  I'm  
going to host a webserver on x.x.x.177.  I want LAN and PUBLIC to be  
able to access that webserver.

At some point, though not necessary to begin with I would like to  
enable traffic shaping on LAN and PUBLIC to give priority to LAN  
traffic going out WAN, and then other general shaping rules.

Is this a feasible and doable configuration with pfSense?  Am I making
it too complicated by trying to use one box to handle the NAT for one
connection, and the firewall for the other?

Any insight, guide, suggestions, would be appreciated.

Thanks
Josh Galvez


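Josh's plan above is really a policy statement (which segments may talk to which), and the ordering of per-interface rules is where such setups usually go wrong. The block below is an added example, not pfSense code or anything from the thread: a toy first-match, default-deny evaluator with pfSense's interface semantics (rules apply to traffic entering an interface, and the PPTP port forward is applied before that interface's rules), plus a checklist of the flows Josh wants allowed or blocked. It assumes the port forward also applies to connections from PUBLIC aimed at the WAN1 address, which is what NAT reflection would have to provide. The public /29s use the documentation range 203.0.113.0/24 as a stand-in for the x.x.x prefix, and the hosts 192.168.15.10, 192.168.1.10 and 198.51.100.7 are constructed.

```python
"""First-match policy check for the five-interface plan.

Added example (not pfSense code).  Rules are evaluated on the interface a
packet enters, first match wins and the default is deny, as in pfSense.
Public /29s use the 203.0.113.0/24 documentation prefix as a stand-in
for the x.x.x prefix in the post (constructed placeholders).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

A = IPv4Address
LAN = IPv4Network("192.168.15.0/24")
PUBLIC = IPv4Network("192.168.1.0/24")
ANY = IPv4Network("0.0.0.0/0")
WAN1_ADDR = A("203.0.113.169")        # x.x.x.169 in the post
WEBSERVER = A("203.0.113.177")        # x.x.x.177, on the WAN2/DMZ bridge
PPTP_SERVER = A("192.168.15.216")
INTERNET = A("198.51.100.7")          # constructed outside host


def host(addr: IPv4Address) -> IPv4Network:
    return IPv4Network(f"{addr}/32")


@dataclass
class Rule:
    iface: str                  # interface the packet enters on
    action: str                 # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"          # "tcp", "gre" or "any"
    dport: Optional[int] = None


RULES = [
    # LAN: block the other internal segment first, then allow the rest
    # (outbound NAT on WAN1 is a translation, not a filter rule).
    Rule("LAN", "block", LAN, PUBLIC),
    Rule("LAN", "pass", LAN, ANY),
    # PUBLIC: the PPTP passes must sit above the LAN block, because the port
    # forward has already rewritten the destination to 192.168.15.216.
    Rule("PUBLIC", "pass", PUBLIC, host(PPTP_SERVER), "tcp", 1723),
    Rule("PUBLIC", "pass", PUBLIC, host(PPTP_SERVER), "gre"),
    Rule("PUBLIC", "block", PUBLIC, LAN),
    Rule("PUBLIC", "pass", PUBLIC, ANY),
    # WAN1: nothing inbound except the forwarded PPTP server.
    Rule("WAN1", "pass", ANY, host(PPTP_SERVER), "tcp", 1723),
    Rule("WAN1", "pass", ANY, host(PPTP_SERVER), "gre"),
    # WAN2 side of the transparent bridge: only HTTP to the webserver.
    Rule("WAN2", "pass", ANY, host(WEBSERVER), "tcp", 80),
    # DMZ side of the bridge: the webserver may reply and reach out.
    Rule("DMZ", "pass", host(WEBSERVER), ANY),
]


def evaluate(rules: List[Rule], iface: str, src: IPv4Address,
             dst: IPv4Address, proto: str = "any",
             dport: Optional[int] = None) -> str:
    """Return "pass" or "block" for a packet entering `iface`."""
    # Port forward WAN1:1723/tcp and GRE to the PPTP server before the
    # interface rules; applying it to PUBLIC too is the reflection assumption.
    if dst == WAN1_ADDR and (proto == "gre" or (proto == "tcp" and dport == 1723)):
        dst = PPTP_SERVER
    for r in rules:
        if r.iface != iface or src not in r.src or dst not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"          # implicit default deny


# (description, iface, src, dst, proto, dport, expected action)
REQUIREMENTS = [
    ("LAN cannot reach PUBLIC", "LAN", A("192.168.15.10"), A("192.168.1.10"), "tcp", 22, "block"),
    ("PUBLIC cannot reach LAN", "PUBLIC", A("192.168.1.10"), A("192.168.15.10"), "tcp", 445, "block"),
    ("LAN reaches the Internet", "LAN", A("192.168.15.10"), INTERNET, "tcp", 443, "pass"),
    ("PUBLIC reaches the Internet", "PUBLIC", A("192.168.1.10"), INTERNET, "tcp", 443, "pass"),
    ("Internet reaches PPTP via WAN1", "WAN1", INTERNET, WAN1_ADDR, "tcp", 1723, "pass"),
    ("Internet GRE reaches PPTP via WAN1", "WAN1", INTERNET, WAN1_ADDR, "gre", None, "pass"),
    ("PUBLIC reaches PPTP via WAN1 address", "PUBLIC", A("192.168.1.10"), WAN1_ADDR, "tcp", 1723, "pass"),
    ("LAN reaches the DMZ webserver", "LAN", A("192.168.15.10"), WEBSERVER, "tcp", 80, "pass"),
    ("PUBLIC reaches the DMZ webserver", "PUBLIC", A("192.168.1.10"), WEBSERVER, "tcp", 80, "pass"),
    ("Internet reaches the webserver over the bridge", "WAN2", INTERNET, WEBSERVER, "tcp", 80, "pass"),
    ("Internet cannot reach other webserver ports", "WAN2", INTERNET, WEBSERVER, "tcp", 22, "block"),
    ("Internet cannot reach LAN via WAN1", "WAN1", INTERNET, A("192.168.15.10"), "tcp", 445, "block"),
]


def check_policy(rules: List[Rule] = RULES) -> List[str]:
    """Return the descriptions of requirements the rule table violates."""
    return [desc for desc, iface, src, dst, proto, dport, want in REQUIREMENTS
            if evaluate(rules, iface, src, dst, proto, dport) != want]


if __name__ == "__main__":
    print("violations:", check_policy() or "none")
```

`check_policy(RULES)` returns the requirements the table fails, which is empty for the order shown. Move the PUBLIC block-to-LAN rule above the two PPTP pass rules and "PUBLIC reaches PPTP via WAN1 address" fails, because by the time the PUBLIC rules run the port forward has already turned the WAN1 address into a LAN destination; that ordering detail is the part of Josh's plan most easily gotten wrong in the GUI.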



[pfSense Support] Inbound RTSP Problems

2008-12-17 Thread Ted Crow

I've already searched through the forums and email-archives and cannot
see anything that really applies directly to my situation.

Ever since I reinstalled my firewall (1.2-Release), I've had issues with
RTSP inbound (Internet radio stations, etc.) through the firewall.
Prior to the reinstall, I had no problems with RTSP at all.  

I'm running behind NAT, I've even got a 1:1 setup with a rule to
explicitly pass RTSP and it's still choked by the firewall.  Oddly
enough, it allows a small burst (6-10 packets) of RTSP packets every 3-5
seconds.  Traffic shaping is NOT enabled because it has problems with
multiple LANs.

Outside the firewall, there are no issues.  Other streaming protocols
don't seem to have any trouble.  What am I missing here?  Has anyone
seen this before?

Thanks,
 
Ted Crow
DISCLAIMER: This email and any attached files are confidential and intended 
solely for the intended recipient(s). If you are not a named recipient you 
should not read, distribute, copy or alter this email.  Any views or 
opinions expressed in this email are those of the author and do not necessarily represent those of Tuttle 
Services, Inc..

WARNING: Although numerous precautions have been taken to ensure the contents 
of this email are free of viruses and other malware, Tuttle 
Services, Inc. cannot accept responsibility for any loss or damage that arises 
from the use of this email or any attachments.


Commercial support available - https://portal.pfsense.org