
Messages - Ofloo

2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 01, 2018, 07:55:43 am »
uplink, however at this point it's not "krack" that I'm concerned with, .. it's future problems, .. at this point krack has been fixed by numerous vendors like Ubiquiti, and yes, an actual access point is cheaper than an apu2, that's true.

2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 01, 2018, 07:40:34 am »
The issue I have with these types of devices is that often they do not fix security issues, .. Ubiquiti has done a good job so far though, I must admit.

It's not some computer with a card though; I bought an APU2 to create a real access point out of this, with real PCIe cards. But maybe FreeBSD isn't the best choice, .. you might be right there.

2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 01, 2018, 05:25:03 am »
What I'm doing is separating some devices from the regular network. Devices like fire alarms .. I don't want things like that in the same network as laptops, and mobile phones for me should also be in a different network. So I thought I could create a new wlan and bridge it to the vlan where it's actually supposed to connect/exist.

I assume the wireless card does support it, because when I use OpenWrt/LEDE it does work. But to be honest I'd prefer a FreeBSD AP over a Linux one.

2.4 Development Snapshots / WiFi accesspoint bridged to a vlan
« on: January 29, 2018, 06:31:27 pm »
I've added a vlan interface under VLANs, added a wlan AP to the wlan interface, enabled both and made a bridge, ..

When I tcpdump I can see the DHCP request and DHCP offer, .. but for some reason the client doesn't get an IP, or it doesn't set it. I've added IPv4 and IPv6 rules to allow any...

Tried disabling the firewall with pfctl -d on the console, .. checked if vlanpcp was enabled in sysctl. Anyone any ideas?

IPv6 / Re: IPv6 dhcpd/slaac
« on: January 29, 2018, 01:38:08 am »
Never mind, spoke too soon :/

The port has VLAN tags of several VLANs enabled, so not quite sure what you're referring to when you're talking about retagging the traffic, .. but I think what you're saying I already did.

IPv6 / Re: IPv6 dhcpd/slaac
« on: January 25, 2018, 01:16:35 am »
Yes, indeed it was a switch problem, .. I did find out why, however, .. it doesn't really solve my problem. For MAC VLANs to work I need to set the port configuration to "GENERAL", and for some reason if the port is not configured as "TRUNK" but as "GENERAL", as required for MAC VLAN, the VLANs' multicasts flow into each other.

* Yes, I've got a T2600G-28TS TP-Link

Code:
ACCESS: The ACCESS port can be added in a single VLAN, and the egress rule of the port is UNTAG. The PVID is same as the current VLAN ID. If the current VLAN is deleted, the PVID will be set to 1 by default.

TRUNK: The TRUNK port can be added in multiple VLANs. The egress rule of the port is UNTAG if the arriving packet’s VLAN tag is the same as the port’s PVID, otherwise the egress rule is TAG. The PVID can be set as the VID number of any valid VLAN.

GENERAL: The GENERAL port can be added in multiple VLANs and set various egress rules according to the different VLANs. The default egress rule is UNTAG. The PVID can be set as the VID

The drivers were not in 11.1 release which is what we build on so until they are included in our base we may not get them.

You can build the kernel module yourself as explained by EditioN above. To load it at boot time just create the file /boot/loader.conf.local and then put in that file:
Code:

or just, I believe it was
Code:
if_ix_updated_load=yes into /boot/loader.conf.local

IPv6 / IPv6 dhcpd/slaac
« on: January 24, 2018, 01:46:08 am »
I've got multiple DHCP servers on different VLANs for IPv6, but for some reason the DHCP/router advertisements of other VLANs flow into each other. vlan100 gets an IPv6 address assigned from vlan200 and vice versa.

How do I prevent this from happening?

I've tried various router advertisement modes and even tried turning off DHCPv6; either it doesn't give me an IP at all or it gives me multiple. To me that defeats the point of separating networks; then I can rather put everything in one network.
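The symptom described above (vlan100 receiving the prefix that belongs on vlan200 and vice versa, later traced to switch port mode) can be confirmed from captures rather than from which address a client ends up with. The following is an added example, not code from the thread or from pfSense: it parses router advertisements per VLAN interface from tcpdump -v style text and flags any RA whose advertised prefix is not the one expected on that VLAN. The prefixes in EXPECTED_PREFIX and the capture text are constructed for the example.

```python
import re
from ipaddress import IPv6Network
# Expected on-link prefix per VLAN interface (assumed values for this example).
EXPECTED_PREFIX = {
    "vlan100": IPv6Network("2001:db8:100::/64"),
    "vlan200": IPv6Network("2001:db8:200::/64"),
}

# RA packet header line, and the prefix-information option line that follows it.
RA_HEADER = re.compile(r"IP6\b.*?\b(?P<src>[0-9a-fA-F:]+) > [0-9a-fA-F:]+:.*router advertisement")
PREFIX_OPT = re.compile(r"prefix info option.*?:\s*(?P<prefix>[0-9a-fA-F:]+/\d+)")
def parse_ras(text):
    """Return [(sender, IPv6Network)] for every prefix advertised in tcpdump-style output."""
    ras, src = [], None
    for line in text.splitlines():
        m = RA_HEADER.search(line)
        if m:
            src = m.group("src")      # remember which router sent the RA
            continue
        m = PREFIX_OPT.search(line)
        if m and src:                 # option line belongs to the last RA seen
            ras.append((src, IPv6Network(m.group("prefix"), strict=False)))
    return ras

def find_leaks(captures):
    """captures maps interface -> capture text; returns (iface, sender, prefix) for
    every RA advertising a prefix that does not belong on that VLAN (a leaked RA)."""
    leaks = []
    for iface, text in captures.items():
        for src, prefix in parse_ras(text):
            if prefix != EXPECTED_PREFIX[iface]:
                leaks.append((iface, src, str(prefix)))
    return leaks

# Constructed sample captures (not real output), shaped like `tcpdump -v -i vlanN icmp6`.
SAMPLE_CAPTURES = {
    "vlan100": (
        "01:46:01.000001 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64\n"
        "\t  prefix info option (3), length 32 (4): 2001:db8:100::/64, Flags [onlink, auto]\n"
        "01:46:02.000001 IP6 fe80::2 > ff02::1: ICMP6, router advertisement, length 64\n"
        "\t  prefix info option (3), length 32 (4): 2001:db8:200::/64, Flags [onlink, auto]\n"
    ),
    "vlan200": (
        "01:46:03.000001 IP6 fe80::2 > ff02::1: ICMP6, router advertisement, length 64\n"
        "\t  prefix info option (3), length 32 (4): 2001:db8:200::/64, Flags [onlink, auto]\n"
        "01:46:04.000001 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64\n"
        "\t  prefix info option (3), length 32 (4): 2001:db8:100::/64, Flags [onlink, auto]\n"
    ),
}
```

Calling find_leaks(SAMPLE_CAPTURES) reports the foreign RA seen on each VLAN; a clean port configuration yields an empty list.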

Don't mind if anyone gets the same issue; at least they might benefit from what I did, ..

Did PCI passthrough, basically the same result, ..
Tried to see if it was related to only pfSense; installed OPNsense, same result, ..
Made lagg0 of 4 PCI gbit NICs, same result, .. not tested this scenario on OPNsense though.

I've got the impression there's some sort of bottleneck, .. not quite sure if it's vtnet related.

I've noticed that the web interface doesn't apply the values disable lro, tso, csum to the vtnet interfaces, .. not that it makes that much of a difference though.

Code:
sysctl hw.vtnet
hw.vtnet.rx_process_limit: 512
hw.vtnet.mq_max_pairs: 8
hw.vtnet.mq_disable: 0
hw.vtnet.lro_disable: 1
hw.vtnet.tso_disable: 1
hw.vtnet.csum_disable: 1

Had to manually enter it in /boot/loader.conf.local in order for it to apply.

Virtualization installations and techniques / network performance vtnet
« on: January 13, 2018, 05:51:35 am »
pfSense has bad performance compared to vanilla FreeBSD when it comes to vtnet inside bhyve. What could the reason be?

On or off doesn't really make a performance difference, and yes, I've rebooted each time I changed a checkbox. However I don't see real changes in the interface flags, so not sure if it applies to vtnet.

Disable hardware checksum offload
Disable hardware TCP segmentation offload
Disable hardware large receive offload

Tests performed with iperf:

FreeBSD 11.1 vanilla: 1.28 Gbits/sec
pfSense 2.4.2p1: 613 Mbits/sec
pfSense 2.4.2p1 (pfctl -d): 616 Mbits/sec

I've checked that both vtnet on the vanilla FreeBSD and on pfSense have the same interface flags.

Oh right, and the vanilla FreeBSD has 1 core at 2.4 GHz and 256 MB RAM; the pfSense has 4 cores at 2.4 GHz and 4 GB RAM. Just tested the development release 2.4.3; it has the same bad results.

And they're using the exact same bridge interface.

edit: added version numbers

Hardware / Re: PC Engines apu2 experiences
« on: April 07, 2017, 05:36:17 am »
apu1d4: throughput was around 700 Mbit/s ~ 900 Mbit/s; when I first bought it pfSense did 500 Mbit/s, later on that changed
apu3a4: throughput is 250 Mbit/s ~ 300 Mbit/s

What I do notice is that the apu1d4 uses Realtek (re) drivers and the apu3 uses Intel (igb).
For the igb driver: TSO, LRO .. checksum offload turned on or off makes no difference.

Strange thing is, when I run iperf through a VLAN, but not hosted on the router but on a server on a different subnet which is routed through the router, I get

[  3] local port 44774 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   715 MBytes   600 Mbits/sec

When I turn on TSO, LRO and checksum offload, CPU rather than hiadapt to maximum:

Code:
Client connecting to loki, TCP port 5001
TCP window size: 85.0 KByte (default)
[  3] local port 45468 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   757 MBytes   635 Mbits/sec

Client connecting to loki, TCP port 5001
TCP window size: 85.0 KByte (default)
[  3] local port 45462 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   742 MBytes   622 Mbits/sec

Hardware / Re: pfSense on a 2 NIC NUC
« on: April 07, 2017, 05:24:22 am »
wrong topic

2.4 Development Snapshots / ntop probing alerts
« on: April 06, 2017, 04:31:02 am »
I get a lot of these messages:

Code:
1491471007|1|3|10|Probing or server down: <A HREF='/lua/host_details.lua?host='> .......
Anyone any ideas what could be wrong?

Français / Re: Messages alertes ntop
« on: April 06, 2017, 04:24:00 am »
Sorry, my French writing isn't that great, ..

I do have the exact same problem, .. I think you can turn it off: when you're logged on, in ntop you have a choice "alerts" in your right side menu. "Probing alerts" should turn it off; however, I wonder why it is I get these errors.

I'm sorry, my French writing isn't great, ..

I have exactly the same problem ... I think you can turn it off: when you're logged in, in ntop you have an alert selection in the menu on your right. The probing alerts should turn it off, but I wonder why it is that I get these errors.


Enable Probing Alerts

Enable alerts generated when probing attempts are detected.
Alerts On Syslog

Enable alerts logging on system syslog.

I've already tried reinstalling the package.