
Messages - Harvy66

Pages: [1] 2 3 4 5 ... 156
Traffic Shaping / Re: Guaranteed Bandwidth to a VLAN
« on: March 16, 2018, 09:23:48 am »
1) There is no way for pfSense to know if the Internet is "getting slow"
2) Probably need to use limiters on your WAN interface. I am not familiar with them, but I think you can have them share a pool of bandwidth, then you just need to figure out how to match the traffic to apply the correct limiter.

Traffic Shaping / Re: Bandwidth Split
« on: March 13, 2018, 12:52:11 pm »
I personally like HFSC. It won't scale to many users using it the way you want it, but it will work for a handful. I think limiters can also do something of this, but I'm not familiar with them. I'm sure other people will give some other ideas.

General Questions / Re: CPU - higher single Core Speed vs Multi Core
« on: March 09, 2018, 09:27:18 pm »
Without benchmarks for your specific use case, it's hard to say which is best, but my guess would be the quad core 4.2GHz. pfSense does make decent use of multi-core in many cases, but there are diminishing returns after 2-4 cores, short of CPU-bound workloads like many VPN tunnels.

Cache/Proxy / Re: squid + squidguard web filtering problem
« on: March 09, 2018, 12:37:49 pm »
Read what KOM said, you're asking in the wrong place.

General Questions / Re: User hogging internet. How to stop it?
« on: March 06, 2018, 11:56:56 am »
Try enabling the FairQ shaper on your WAN and check the "codel" box in the default queue. See if that helps. Of course, make sure your WAN bandwidth is 80%-90% of your REAL bandwidth.

Firewalling / Re: datagram re-assembly fails
« on: March 05, 2018, 11:59:57 am »
Internet or intranet traffic? Could the data be arriving as jumbo frames from an internal source?

Traffic Shaping / Re: Traffic shaper decimates my WAN speed...
« on: March 04, 2018, 11:58:16 am »
Since you're not sure, just go under each queue and check "Codel Active Queue". See if that helps.

Personally, my recommendation is to just use FairQ as the shaper for both up and down, have a single Default queue, and check "Codel Active Queue". It might be good enough for you, or at least get you by while you learn how traffic shaping works.

General Questions / Re: Auto UFS or ZFS?
« on: March 04, 2018, 11:52:41 am »
ZFS has checksums to validate the data. Hardware RAID does not. If a block of data got corrupted with hardware RAID1, the controller could not tell which device has the correct data; ZFS can. But if you place ZFS on top of hardware RAID1, the hardware RAID will lie to ZFS and may destroy the good data, since it has no way of telling which one is correct.

ZFS was made because hardware RAID is so bad, and everyone implements hardware RAID in an arbitrary way that meets the abstract basic definition of whichever RAID level it claims to support. If you don't mind having arbitrary processes protecting your data, sure.

And don't take my word for it. Do your own research on the topic. Read how ZFS works, how the data structures are designed. If all you do is ask people for their opinions, you're not really making a decision, you're letting others make decisions for you. The internet is full of echo chambers, don't believe anything just because the professional majority agrees.

To point you in a good direction, ZFS is based on the concept of the Merkle tree, and strictly adheres to it.
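The point made in the post above (parent-held checksums let a mirror tell a good copy from a bad one, while a hardware RAID1 controller cannot, and a controller rebuild underneath ZFS can overwrite the good half) can be shown with a small constructed model. This is an added example, not ZFS code or anything from the pfSense project: block size, the two "devices", the single indirect block and the sample payload are all assumptions made for illustration.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed toy model of a ZFS-style mirror; added example, not ZFS code.
# Every block's checksum lives in its parent (here, a single indirect block),
# and the indirect block's checksum lives in the root, so a read is verified
# top-down like a Merkle tree. Two "devices" hold mirror copies of each block.

BLOCK_SIZE = 8  # assumption: tiny blocks so the sample payload spans 4 blocks


def checksum(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class MirrorPool:
    def __init__(self, payload: bytes) -> None:
        blocks = [payload[i:i + BLOCK_SIZE] for i in range(0, len(payload), BLOCK_SIZE)]
        self.devices: List[List[bytes]] = [list(blocks), list(blocks)]   # two mirror halves
        self.leaf_sums: List[bytes] = [checksum(b) for b in blocks]      # indirect block
        self.root_sum: bytes = checksum(b"".join(self.leaf_sums))        # root checksum
        self.healed: List[Tuple[int, int]] = []   # (block index, device index) rewritten

    def corrupt(self, dev: int, idx: int, data: bytes) -> None:
        """Simulate silent bit rot: one mirror half returns wrong bytes, no I/O error."""
        self.devices[dev][idx] = data

    def verify_tree(self) -> bool:
        """Check the indirect block against the root checksum."""
        return checksum(b"".join(self.leaf_sums)) == self.root_sum

    def read_raid1(self, idx: int) -> bytes:
        """Hardware RAID1 model: the controller returns whichever copy it read
        (device 0 here) and trusts it; nothing tells it which half is right."""
        return self.devices[0][idx]

    def resync_raid1(self, src: int) -> None:
        """Hardware RAID1 rebuild: blindly copy one half over the other."""
        for dev in range(len(self.devices)):
            if dev != src:
                self.devices[dev] = list(self.devices[src])

    def read_zfs(self, idx: int) -> Optional[bytes]:
        """ZFS model: verify each copy against the checksum stored in the parent,
        return the first good one and rewrite any bad copy (self-healing).
        Returns None when no copy verifies, instead of handing back garbage."""
        expected = self.leaf_sums[idx]
        for dev in range(len(self.devices)):
            data = self.devices[dev][idx]
            if checksum(data) == expected:
                for other in range(len(self.devices)):
                    if self.devices[other][idx] != data:
                        self.devices[other][idx] = data
                        self.healed.append((idx, other))
                return data
        return None


PAYLOAD = b"pfSense config ZFS on mirror"   # constructed sample data, 4 blocks


def bit_rot_on_one_half() -> dict:
    """Device 0 silently corrupts block 1; compare what each read path returns."""
    pool = MirrorPool(PAYLOAD)
    pool.corrupt(0, 1, b"XXXXXXXX")
    raid1 = pool.read_raid1(1)       # garbage, returned without any error
    zfs = pool.read_zfs(1)           # good copy from device 1, device 0 repaired
    return {"raid1": raid1, "zfs": zfs, "healed": pool.healed,
            "device0_after": pool.devices[0][1]}


def zfs_on_top_of_hardware_raid1() -> Optional[bytes]:
    """Same bit rot, but a hardware RAID1 rebuild runs underneath ZFS first:
    the controller copies the bad half over the good one, so by the time ZFS
    reads, both copies fail the checksum and the block is unrecoverable."""
    pool = MirrorPool(PAYLOAD)
    pool.corrupt(0, 1, b"XXXXXXXX")
    pool.resync_raid1(src=0)
    return pool.read_zfs(1)


def forged_checksum_is_caught() -> bool:
    """Rewriting a block and its entry in the indirect block still fails,
    because the root holds the checksum of the indirect block (Merkle property)."""
    pool = MirrorPool(PAYLOAD)
    pool.corrupt(0, 1, b"XXXXXXXX")
    pool.corrupt(1, 1, b"XXXXXXXX")
    pool.leaf_sums[1] = checksum(b"XXXXXXXX")
    return pool.verify_tree()


if __name__ == "__main__":
    print(bit_rot_on_one_half())
    print(zfs_on_top_of_hardware_raid1())
    print(forged_checksum_is_caught())
```

The first scenario returns the original bytes on the ZFS path and the corrupted bytes on the RAID1 path; the second returns None because the controller's rebuild destroyed the only good copy before the checksum layer ever saw it; the third shows why the checksum has to live above the data rather than beside it.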

Traffic Shaping / Re: Traffic shaper decimates my WAN speed...
« on: March 03, 2018, 01:23:34 pm »
Did you increase your queue size or enable codel?

General Questions / Re: pfSense not replying to UDP traceroute on WAN
« on: March 02, 2018, 05:21:56 pm »
Probably the "destination set to WAN address" part. The destination is probably not your firewall but something behind it. You could set it to destination of your LAN network.

Traffic Shaping / Re: Traffic Shaping for YouTube, Netflix and Vimeo
« on: March 02, 2018, 12:22:09 pm »
I would highly recommend just enabling FairQ on your WAN (upload) and LAN (download) interfaces, and check the "codel active queue" box in the default queue. Set your bandwidths to 80%-90% of your actual bandwidth.

If that isn't good enough, then go further down the infinite rabbit hole of QoS.

When pfSense 2.4.4 comes out, look into just using fq_Codel limiter. The above tries to simulate fq_Codel.

Firewalling / Re: Blocking RFC 1918 traffic not working
« on: March 02, 2018, 12:15:22 pm »
> Thank y'all guys, more than clear that it is not possible to do it. I'm still open if there's any idea on how to do it. Thanks.

Not possible via pfSense or any other firewall unless it somehow integrates into your switch/AP. There are APs or switches that can support some forms of client isolation within a broadcast domain. I've never used one, but I know they exist.

> None of which is relevant to OP's problem. The subnets are on separate NICs as they should be.

I totally misread the second paragraph. I saw his current setup was separate interfaces, but I thought they were trying to combine them.

> Hi Jon
>
> ... IPv6 was designed to allow things that were never considered or unlikely to be done on IPv4. ...

Having multiple subnets in the same broadcast domain has nothing to do with IPv4 vs IPv6. IPv6 may make certain aspects of it better or take advantage of certain aspects, but many of the downsides are exactly the same due to fundamental issues that are orthogonal to the Layer 3 protocol.

Could be memory pressure and swapping. Check your page file usage when it's slow?

General Questions / Re: NTP DDoS
« on: February 28, 2018, 03:07:02 pm »
DDOS protection requires a certain level of expertise and specialization. You're going to need more info on the topic than what a general internet forum can provide. Unless you're working at my State Uni, which has over 1Tb/s of backbone connection, there's not much you can do.

My ISP has handled DDOS attacks by purchasing more bandwidth temporarily. I am not sure how large the attacks are, but even low end DDOS attacks are quite large these days.

Traffic Shaping / Re: Priority up to 1Mbit/s, is it possible?
« on: February 28, 2018, 11:29:24 am »
You can either shape via bandwidth or shape via priority. They are two logically incompatible ways to shape. My personal opinion is that HFSC is the best and simplest way to shape via bandwidth.

The real question is why do you want to shape via bandwidth in the first place. fq_codel is quite turn-key, excluding the currently kludgy way you have to set it up, and it does fairly good flow isolation and fair bandwidth distribution. While you lose the ability to micro-manage, it "just works" like freaking magic.
