[pfSense Support] Sizing for Throughput up to 6Gbit/s
Hi all,

we're searching for a reliable hardware basis to use as a pfSense firewall with a maximum concurrent throughput of 6 Gigabits / second. We were thinking of something like this hardware configuration:

- 2x Intel Xeon QuadCore Processors
- 4 or 8 GB of RAM
- QuadPort Intel Pro 1000 Ethernet NICs (PCIe x4)
- RAID 1 of SAS or SATA HDDs via 3Ware RAID Controller

What would you advise?

Regards, Tim

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Facing Problems with IPSec
Hi Wade,

I'm not using static routes, just allowing the HQ's pfSense to forward all traffic on the IPSec interfaces... Meshing would be too complex due to dynamic IPs at each branch.

Tim

Wade Blackwell wrote:
> Good morning Tim,
> So to be clear (I read some of the other replies) you desire a hub and
> spoke, not a full mesh, because a full mesh with very specific prefixes
> in the IPsec config resolves the routing issues. So hub-n-spoke deploy
> with HQ as hub? Are you doing any static routing with regard to the
> tunnels or just allowing the kernel to route over the ENC0 interface as
> directly connected? Thanks Tim.
>
> -W
> -
> Wade Blackwell
>
> "Integrity is often more painful and always more profitable than
> perception management"
>
>
> On Tue, 2007-12-18 at 08:19 +0100, Tim Korves wrote:
> Hey Wade, hey all,
>
> Subnets are:
>
> HQ: 212.14.xx.64/26
> Branch 1: 10.3.3.0/28
> Branch 2: 10.3.3.16/28
> Branch 3: 10.3.3.32/28
>
> E.g. at Branch 1 I've added a static route for 10.3.3.0/28 via
> 212.14.xx.65 . At the HQ's pfSense, all traffic from and to IPSec is
> permitted by only one rule.
>
> As others said, I should mesh all branches together, wouldn't be
> possible so easy. Only the HQ has a static IP on its WAN interface, all
> the Branches don't have a static IP on WAN.
>
> Regards, Tim
>
> Wade Blackwell wrote:
>>>> Hey Tim Good evening,
>>>> Can you add in some hypothetical subnetting with prefixes that
>>>> match the real thing? I know there is weirdness with how IPsec was
>>>> shoved into the PF stack but if the source/dest IPsec proxies are
>>>> correct the hub IPsec box should re-encrypt and send seeing the
>>>> destination networks as directly connected through the ENC0 interface
>>>> (PF team jump in if I am mis-speaking).
>>>>
>>>> Wade B
>>>>
>>>> On Dec 16, 2007 6:14 AM, Tim Korves <[EMAIL PROTECTED]> wrote:
>>>> Hi there,
>>>>
>>>> I'm facing problems while routing traffic through an IPSec tunnel.
>>>>
>>>> This is my configuration:
>>>>
>>>> Branch 1    pfSense IPSec server (HQ)    Branch 2
>>>>                        |
>>>>                        |
>>>>                     Branch 3
>>>>
>>>> All branches are running pfsense. All branches are able to "talk" to the
>>>> HQ. But the communication between the branches is not possible. I
>>>> created static routes on each branch pfsense which point to the other
>>>> branches' subnet via the HQ. But instead of using the tunnel to route
>>>> the packets, the branch routers are trying to use their PPPoE connection
>>>> which fails on their ISPs first router (what a wonder ;-))... Anyone has
>>>> an idea how to realize this? Firewall rules permit every traffic via the
>>>> IPSec tunnels. Nothing's blocked.
>>>>
>>>> Regards, Tim

Re: [pfSense Support] Facing Problems with IPSec
Hey Wade, hey all,

Subnets are:

HQ: 212.14.xx.64/26
Branch 1: 10.3.3.0/28
Branch 2: 10.3.3.16/28
Branch 3: 10.3.3.32/28

E.g. at Branch 1 I've added a static route for 10.3.3.0/28 via 212.14.xx.65 . At the HQ's pfSense, all traffic from and to IPSec is permitted by only one rule.

As others said, I should mesh all branches together, wouldn't be possible so easy. Only the HQ has a static IP on its WAN interface, all the Branches don't have a static IP on WAN.

Regards, Tim

Wade Blackwell wrote:
> Hey Tim Good evening,
> Can you add in some hypothetical subnetting with prefixes that
> match the real thing? I know there is weirdness with how IPsec was
> shoved into the PF stack but if the source/dest IPsec proxies are
> correct the hub IPsec box should re-encrypt and send seeing the
> destination networks as directly connected through the ENC0 interface
> (PF team jump in if I am mis-speaking).
>
> Wade B
>
> On Dec 16, 2007 6:14 AM, Tim Korves <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> I'm facing problems while routing traffic through an IPSec tunnel.
>
> This is my configuration:
>
> Branch 1    pfSense IPSec server (HQ)    Branch 2
>                        |
>                        |
>                     Branch 3
>
> All branches are running pfsense. All branches are able to "talk" to the
> HQ. But the communication between the branches is not possible. I
> created static routes on each branch pfsense which point to the other
> branches' subnet via the HQ. But instead of using the tunnel to route
> the packets, the branch routers are trying to use their PPPoE connection
> which fails on their ISPs first router (what a wonder ;-))... Anyone has
> an idea how to realize this? Firewall rules permit every traffic via the
> IPSec tunnels. Nothing's blocked.
>
> Regards, Tim

[pfSense Support] Facing Problems with IPSec
Hi there,

I'm facing problems while routing traffic through an IPSec tunnel.

This is my configuration:

Branch 1    pfSense IPSec server (HQ)    Branch 2
                       |
                       |
                    Branch 3

All branches are running pfsense. All branches are able to "talk" to the HQ. But the communication between the branches is not possible. I created static routes on each branch pfsense which point to the other branches' subnet via the HQ. But instead of using the tunnel to route the packets, the branch routers are trying to use their PPPoE connection which fails on their ISPs first router (what a wonder ;-))... Anyone has an idea how to realize this? Firewall rules permit every traffic via the IPSec tunnels. Nothing's blocked.

Regards, Tim

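An added illustration (not code from the thread or from pfSense) of the behaviour discussed above, generalised to a small selector-matching model: with policy-based IPsec a packet enters a tunnel only when its source and destination match that tunnel's selectors (the "source/dest proxies" Wade mentions), and a packet that matches none follows the routing table out the WAN regardless of static routes. The branch prefixes are the ones Tim lists; 192.0.2.64/26 is a constructed stand-in for the redacted HQ subnet, and the function names, host addresses and the extra branch-to-branch selectors are assumptions.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

# Branch prefixes from the thread; HQ is a constructed stand-in for 212.14.xx.64/26.
HQ = net("192.0.2.64/26")
BRANCH = {1: net("10.3.3.0/28"), 2: net("10.3.3.16/28"), 3: net("10.3.3.32/28")}

def match(src, dst, policies):
    """Return the tunnel label of the first policy whose selectors contain
    (src, dst), or 'wan' when none match and the routing table decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, tunnel in policies:
        if s in local and d in remote:
            return tunnel
    return "wan"

def branch_policies(n, via_hub):
    """Policies on branch n: its own subnet to HQ, plus (hypothetical fix)
    its own subnet to every other branch, all over the single tunnel to HQ."""
    pols = [(BRANCH[n], HQ, "to-hq")]
    if via_hub:
        pols += [(BRANCH[n], BRANCH[m], "to-hq") for m in BRANCH if m != n]
    return pols

def hub_policies(via_hub):
    """Policies on the HQ hub: HQ to each branch, plus (hypothetical fix)
    each branch to each other branch so decrypted traffic is re-encrypted."""
    pols = [(HQ, BRANCH[m], f"to-branch{m}") for m in BRANCH]
    if via_hub:
        pols += [(BRANCH[n], BRANCH[m], f"to-branch{m}")
                 for n in BRANCH for m in BRANCH if m != n]
    return pols

if __name__ == "__main__":
    pkt = ("10.3.3.2", "10.3.3.18")  # constructed hosts in Branch 1 and Branch 2
    for via_hub in (False, True):
        print(via_hub, match(*pkt, branch_policies(1, via_hub)),
              match(*pkt, hub_policies(via_hub)))
```
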
[pfSense Support] Strange Static Routes Issue
Hi all,

I'm facing a strange issue concerning the "Static Route" function and the PPTPd-Server.

A client's router connects using PPTP. The router is aware of the subnet on my side. The router connects and I can ping its PPTP-IP from any client on my side. After that, I created a static route entry for the client's subnet to be routed via the client's router's PPTP-IP. This works fine, but if the connection breaks down and comes up again, the static route seems to be "out of order" and then tries to route the packets via my WAN-IF, which doesn't make sense as we're using internal IPs on the client's side.

Any ideas?

Regards, Tim

Re: [pfSense Support] Snort whitelist
Hi there, I want to whitelist my WAN address in snort, is it correct if I put my IP xxx.xxx.xxx.xxx/32 my WAN subnet is 255.255.255.0 and my WAN IP is assigned by DHCP only 1 IP address.

if you try to list an IP address with its subnet, you might fail also, as we did. We whitelisted our subnet in snort, but snort wasn't interested in the whitelist entry if a subnet was mentioned too... So it blocked some of our hosts, which had been on the whitelist... The host IPs without any subnet declaration worked all just fine...

Tim

Re: AW: [pfSense Support] Installing Packages on WRAP - Error
Hi Holger,

why was it kicked from the image? It would be very nice to get it back to the image.

Tim

[pfSense Support] Installing Packages on WRAP - Error
Hi,

I tried to install packages on my WRAP (1E-2), but it failed. I searched for help and found that the system is mounted read-only... Ok, so far, I got it. If I remount it read-write, it should do. But I can't remount it rw, or I'm too silly... I don't know... Anyone can help me? Version of pfsense is 0.82.4.

Thanks, Tim