


Topics - databeestje

1
Because I recently added the IPv4/IPv6 drop-down on the gateway settings, the backend code was changed to reflect this.

If your gateway says "Gathering Data" you need to Edit and save your IPv6 gateway. That should resolve it.

For people coming from 2.0 we will be adding upgrade code that adds the tag to the existing IPv4 gateways.
If you add a new gateway it will set the tag and it will work.

2
Hi,

I've just merged a bunch of changes that make the 3G internet stick experience a bit better. I've managed to tackle various gateway related issues over the weekend as well, related to this.

We now log statistics for the Huawei sticks. I've tested with a Huawei E173u device, and as-is, the data port is on cuaU0.0 and the statistics port is cuaU0.3. I'm pretty sure there are plenty of other devices out there with different ports, maybe others could chime in.

For those that had graphs previously, I'm pretty sure I broke this. Let me know.

The RRD graphs for cellular are changed as well, these are now listed per interface, instead of 1 global.

3
IPv6 / IPv6 access to github.com
« on: April 15, 2012, 12:12:34 pm »
Hi,

Because github.com has no IPv6 access and I've just gotten an IPv6-only install online, I could not gitsync.

So I've set up a (HAProxy) proxy at github.iserv.nl which has both an A and AAAA record to gitsync against.

Because of the SSL certificate and header rewrites, http and https are difficult, but ssh and git should work fine. I could successfully clone with git://github.iserv.nl/bsdperimeter/pfsense.git over IPv6.

If any others are having issues reaching github.com over IPv6, this may be your fix.

I've corresponded with the Tech Support at GitHub.com over IPv6 access, and although they are working on it, they cannot promise anything, or when.

4
IPv6 / 6rd support added
« on: April 08, 2012, 09:11:38 am »
6rd support has been added over the past week and I'm searching for pfSense users that have access to such a connection.

The current limitation of our 6rd support is that it will only work with ISPs that embed the entire IPv4 address in the 6rd address. So if the ISP uses a 6rd prefix longer than 32 bits I would like to know.

I'm also looking for a list of various ISPs that employ 6rd and their respective settings.

France: Free.fr 2a01:0e3::/28 ->64.98.1.1 ? = delegated /60
Switzerland: Swisscom. 2a02:1200::/28 -> 6rd.swisscom.com (193.5.122.254) = delegated /60
America: Charter 2602:100::/32 -> 68.114.165.1 = delegated /64
Japan: Sakura 2001:e41::/32 -> 61.211.224.125 = delegated /64
America: ATT Uverse 2602:300::/28 -> 12.83.49.81 = delegated /60
Japan: Softbank ---
Netherlands: Telfort Pilot ---- 2a00:cd8::/32 ? = delegated /64
Netherlands: Lijbrandt Unsupported 2A02:80C0:FF00::/41 -> 188.142.72.5 IPv4 masklength 17 = delegated /56
Canada: Videotron Unsupported 2607:fa48:6dc0::/42 -> 74.59.126.1 IPv4 masklength 18 = delegated /60
Italy: FastWeb ---- 2001:b07::/32 = delegated /64

If others can add to this list, please.
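The following is an added example, not pfSense code: it derives a customer's 6rd delegated prefix the way RFC 5969 describes it (ISP 6rd prefix, followed by the low-order IPv4 bits that are not covered by the ISP's IPv4 mask length), and it also handles the "IPv4 masklength" case the post lists as unsupported. ISP prefixes and mask lengths are taken from the list above; the customer IPv4 addresses are constructed samples, and the helper names are my own.

```python
import ipaddress

# Added example (not pfSense code): 6rd delegated-prefix derivation per
# RFC 5969 section 7.1.1, generalised to ISPs that embed only part of the
# customer's IPv4 address (IPv4MaskLen > 0), the case the post calls unsupported.

def sixrd_delegated_prefix(rd_prefix: str, ipv4_addr: str,
                           ipv4_masklen: int = 0) -> ipaddress.IPv6Network:
    """Return the customer's 6rd delegated prefix.

    rd_prefix    - the ISP's 6rd IPv6 prefix, e.g. "2602:100::/32"
    ipv4_addr    - the customer's IPv4 WAN address
    ipv4_masklen - high-order IPv4 bits shared by the ISP's whole pool and
                   therefore NOT embedded (0 = the entire address is embedded)
    """
    if not 0 <= ipv4_masklen <= 32:
        raise ValueError("IPv4MaskLen must be between 0 and 32")
    # strict=False tolerates prefixes written with stray host bits
    net = ipaddress.IPv6Network(rd_prefix, strict=False)
    embedded_bits = 32 - ipv4_masklen
    delegated_len = net.prefixlen + embedded_bits
    if delegated_len > 64:
        # the delegated prefix must leave room for a 64-bit interface ID
        raise ValueError(f"/{net.prefixlen} plus {embedded_bits} IPv4 bits exceeds /64")
    # keep only the low-order (32 - IPv4MaskLen) bits of the IPv4 address
    v4_bits = int(ipaddress.IPv4Address(ipv4_addr)) & ((1 << embedded_bits) - 1)
    # place them immediately after the ISP's 6rd prefix
    addr = int(net.network_address) | (v4_bits << (128 - delegated_len))
    return ipaddress.IPv6Network((addr, delegated_len))

def supported_by_full_embedding(ipv4_masklen: int) -> bool:
    """True when the whole IPv4 address is embedded (the only case the post supports)."""
    return ipv4_masklen == 0

# ISP parameters from the list above; customer IPv4 addresses are constructed samples.
SAMPLE_ISPS = [
    # (ISP, 6rd prefix, IPv4MaskLen, constructed customer IPv4)
    ("Charter", "2602:100::/32", 0, "68.114.200.17"),
    ("Swisscom", "2a02:1200::/28", 0, "193.5.130.9"),
    ("Lijbrandt", "2a02:80c0:ff00::/41", 17, "188.142.100.23"),
]

if __name__ == "__main__":
    for isp, prefix, masklen, v4 in SAMPLE_ISPS:
        status = "full embed" if supported_by_full_embedding(masklen) else f"masklen {masklen}"
        print(f"{isp:10} {prefix:22} {v4:16} -> "
              f"{sixrd_delegated_prefix(prefix, v4, masklen)} ({status})")
```

Running it shows why the mask length matters: the same /41 prefix with the whole address embedded would need a /73, which cannot be delegated, while a /17 mask leaves exactly 15 bits and yields a /56.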

5
IPv6 / 6to4 support added
« on: April 01, 2012, 02:09:31 am »
6to4 support for the WAN has been added.

When selecting that you need to set the LAN interface to "track" the WAN interface.

That will automatically set up RA on the LAN for your IPv6 prefix based on your IPv4 WAN address.

This will work the same for DHCP6 and 6rd.

6
IPv6 / Binary changes on rtadvd router announcements daemon
« on: September 04, 2011, 02:41:55 pm »
Hi,

There has been a patch included since our weekend builds that makes it possible to include RFC 5006 DNS fields in router advertisements. This means that if you just gitsync, rtadvd will fail to start.

You will want to upgrade to a new 2.0 RC3 snapshot and then gitsync.

Alternatively pull the newer image from http://files.pfsense.org/jimp/ipv6/

7
IPv6 / DHCP-PD available
« on: August 22, 2011, 02:37:06 pm »
Hi,

I've just added DHCP-PD "Prefix Delegation" support to the pfsense 2.1 tree. I've tested basic functionality for both PPPoE and ethernet setups and it appears to work as it should.

I would like some feedback with regards to the dhcp6 support. Ideally people that have PPPoE with IPv6 support or cable ISPs that also do IPv6 by DHCP6.

8
IPv6 / git repository change
« on: May 13, 2011, 06:49:19 am »
Hi,

We've moved our git to github.com.

v6 repo here:
git://github.com/smos/pfsense-ipv6.git

9
IPv6 / IPv6 RRD graphs broken
« on: May 11, 2011, 04:38:40 am »
I've noticed that the RRD graphs for the IPv6 branch broke somewhere around week 13.

10
IPv6 / dhcp v6 server out of memory
« on: April 30, 2011, 03:13:02 am »
Is anybody else seeing issues with out of memory warnings with regards to the DHCP v6 server?

12
IPv6 / Welcome to the IPv6 board
« on: January 23, 2011, 11:42:46 am »
Welcome to the IPv6 board. You can find instructions here for both old (1.2.3) and the development of the IPv6 support in the 2.1 version of pfSense which is not released yet.

You can find some information to get ipv6 working on 1.2.3 installs here: http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/ . Another link is this one: http://tuts4tech.net/2010/07/18/ipv6-tunnel-on-pfsense/

We already have a feature request in redmine for IPv6 support that is scheduled for 2.1
http://redmine.pfsense.org/issues/show/177

There is a quick, almost complete, howto to get the current IPv6 development branch onto an existing 2.0 full install on the doc wiki here: http://doc.pfsense.org/index.php/Using_IPv6_on_2.0 - this was adapted from the previous howto here: http://iserv.nl/files/pfsense/ipv6/

2.1-DEVELOPMENT Releases are also available: http://files.pfsense.org/jimp/ipv6/

13
2.0-RC Snapshot Feedback and Problems - RETIRED / MOVED: Request: ipv6
« on: January 23, 2011, 11:34:06 am »
Because of future increased interest the topic has been moved.

This topic has been moved to IPv6.

http://forum.pfsense.org/index.php?topic=26469.0

14
IPv6 / IPv6 testing
« on: October 26, 2010, 03:47:10 am »
YOU SHOULD NOT EXPECT A WORKING IPv6 INSTALL AT THIS POINT.

I started working on IPv6 support last week and I've got so far as to get a Static IPv6 address and gateway assigned.

There is no doubt a lot of work left. None of the autoconfiguration options at this point work. So stateless autoconfig and dhcpv6 are not working.
This means that you can currently only use it with a native statically assigned ipv6 at this point.

If you install a pfSense 2.0 BETA4 from today (oct 26th) or later you can gitsync against my repo to get some ipv6 bits. This is very much a work in progress and so far I've managed to break a whole lot of pfSense in the process.

The git repo is located here.
http://rcs.pfsense.org/projects/pfsense/repos/pfSense-smos

The existing ipv6 ticket will be updated every once in a bit where I fix something. It's partly a todo list.
http://redmine.pfsense.org/issues/177

YOU SHOULD NOT EXPECT A WORKING IPv6 INSTALL AT THIS POINT.

All others are free to leave comments in this thread.

Regards,

Seth

15
Hardware / Lanner Inc. FW7535D
« on: August 24, 2010, 07:50:37 am »
Hi,

We just purchased the Lanner Inc. FW7535 to replace an Alix 2C3. The VPN throughput was lacking severely and the internet connection will also be upgraded to 120mbit which requires gigabit ports. The box is a bit empty, although they do supply a power cord and the sata drive connector and the drive screws. There is no manual, quick start guide or cd provided with the system.

Front:
http://iserv.nl/files/pics/lanner-fw7535/fw7535-above-front.jpg

The FW7535 has 6 Intel Gigabit ports, the 1st is an older type Intel which works in 1.2.3. The others are a bit newer which are only supported in 2.0.
It has an Intel Atom D510 processor coupled with a single 1GB DDR2 SO-DIMM from Kingston. There is 1 free memory slot available and 1 free miniPCI-e slot for a wireless card or hardware crypto card. We are finally ditching the mini-pci cards, Yay. There are 2 sata ports available on the motherboard and a breakout cable for VGA and PS2 is provided for legacy software that doesn't speak USB keyboard.

Inside:
http://iserv.nl/files/pics/lanner-fw7535/fw7535-underside-open.jpg

I wrote the nanoBSD version of pfSense 2.0 BETA4 to a Sandisk Extreme 3 CF card. For some reason the system refused to boot with the Sandisk Extreme 4 card I have here.

A note on the BIOS of this system: by default the console redirection is enabled. This causes the pfSense 2.0 boot loader to stop. You can enter the BIOS by connecting a serial cable to the device with the supplied cable.

Set the serial speed to 115200 and when you see the BIOS screen press TAB to enter it. Here you can set the "remote access console redirect" option to "disabled after post". This is because the FreeBSD bootloader already uses the serial port for the console in the nanoBSD images.

After assigning the first port as the LAN and the 2nd as the WAN port I've set up an iperf server and did a few performance tests with a standard NAT setup and a port forward on WAN. This is to facilitate bidirectional performance testing.

Wonderful website sponsored by the US government:
http://nces.ed.gov/nceskids/createagraph/default.aspx?ID=e92dd120c4324894b8ee2feaf8139511

Dual stream via port forward.
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec    252 MBytes    211 Mbits/sec
[  5]  0.0-10.0 sec    257 MBytes    215 Mbits/sec
Single stream lan to wan
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec    579 MBytes    485 Mbits/sec

Dividing the 200mbit throughput by the 1500byte frame size gives roughly 140k pps in a bidirectional setup.

Considering my issue was the lackluster IPsec throughput on the Alix 2C3, even with glxsb loaded (roughly 10mbit), I hoped for a good performance leap.
For this I connected the FW7535 to the external 100mbit switch (HP Procurve 2650) where the production external CARP cluster lives. I added an IPsec tunnel between the FW7535 (2.0 BETA4) and this system (1.2.3 RELEASE). I proceeded to test the single stream and bidirectional throughput for the various cyphers that are provided by racoon.

IPsec:

First up is a tunnel with AES 128bit
duplex stream
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.2 sec  33.7 MBytes  27.6 Mbits/sec
[  4]  0.0-10.2 sec  32.0 MBytes  26.2 Mbits/sec
single stream
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  65.8 MBytes  55.1 Mbits/sec

And of course AES 256 bit
duplex stream
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec  29.9 MBytes  25.1 Mbits/sec
[  5]  0.0-10.3 sec  29.6 MBytes  24.1 Mbits/sec
single stream
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  59.6 MBytes  50.0 Mbits/sec

That is a rather small difference between the 128 bit and 256 bit cyphers. I omitted the results for AES 192 bit as these were smack in the middle.

I then tested blowfish, I left the bits on the 2.0 system set to "auto". This produced a rather awkward result in the bidirectional test.
duplex stream
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  29.2 MBytes  24.4 Mbits/sec
[  4]  0.0-10.2 sec  41.2 MBytes  33.8 Mbits/sec
single stream
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  72.8 MBytes  60.9 Mbits/sec

I then set blowfish to 128 bit on the 2.0 system. This produced a bit more predictable result.
duplex stream
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec  34.7 MBytes  29.1 Mbits/sec
[  4]  0.0-10.2 sec  36.5 MBytes  29.9 Mbits/sec
single stream
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  73.6 MBytes  61.7 Mbits/sec

And of course no IPsec tunnel can be forgotten without the almost standard 3DES encryption. And it is, as almost always, the slowest of them.
duplex stream
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.1 sec  21.3 MBytes  17.7 Mbits/sec
[  5]  0.0-10.4 sec  26.4 MBytes  21.4 Mbits/sec
single stream
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  48.2 MBytes  40.5 Mbits/sec

I tested the legacy single DES encryption as well; it's faster, but it's not recommended since good alternatives like blowfish exist.
duplex stream des
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.1 sec  33.9 MBytes  28.0 Mbits/sec
[  5]  0.0-10.3 sec  33.5 MBytes  27.3 Mbits/sec
single stream
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  68.1 MBytes  57.1 Mbits/sec

The uncommon CAST128 is similar in performance to single DES and still slower than blowfish.
duplex stream cast128
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.1 sec  34.7 MBytes  28.8 Mbits/sec
[  4]  0.0-10.2 sec  34.1 MBytes  27.9 Mbits/sec
single stream
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  69.4 MBytes  58.1 Mbits/sec

Good performance numbers across the board at least. It doesn't compare to the throughput of a Core 2 Duo system though. But it is at least on par with a P3 1GHz, say, a Dell Optiplex GX150.
