Best to use a span port on your switch or a network tap. You can use the span feature of bridges to accomplish the same.

is there a place to measure it? cuz by visual confirmation… youtube for example is streaming from cache (i can clearly see that) but the speed is as it's from the internet... maybe there's a fine tune?

Regards

Thanks for replying guys. I have a maximum of 600 global connections in my uTorrent settings.

Look at the following screenshots, it just plummets when adding more torrents… You see the dip in the first screenshot? I accidentially added then removed another torrent.

EDIT: Installed the latest beta of m0n0wall (freeBSD 8.2), same problem there =/ Also tried exchanging the DLINK (acting like a switch) for a 24 port Netgear rack mounted switch, same problem. So it's either my ISP/connection or the firewall. Gonna reinstall the DLINK as a router now and test.

EDIT2: Ok, connected my laptop straight to the WAN connection. 4 torrents = 9.7MB/s.

So clearly, it's the firewall messing it up.

EDIT3: The plot thickens… Installed ClearOS, same problem from my torrent machine. Laptop speeds @ almost 10MB/s!? There must be some very weird setting on the uTorrent machine that bogs down my whole connection?

EDIT4: Complete reinstall uTorrent, cleared registry from entries and did some tweaks. All is well now, running at 10MB/S which is the limit I put in uTorrent.

Thanks for trying to help!

A well-supported Atheros-based AP with OpenWrt on it can satisfy those requirements when you need something cheap (possibly other device/OS combinations will work, too, but I have no experience with others for those types of devices, as OpenWrt is the only third-party firmware that supports mine).

I have test the pfsense RFC2136 for simple plus 5.2.120. but it is can't normal work. I don't know how do it.  ???

@jimp:

Yes but in the shell, which he did, that wouldn't reset.

Sorry, my bad. Rememberd the server hanged itself and it needed a reboot. =/

:-[

Not sure if you got what I was saying.  During your setup of email notification did you create a firewall rule that allowed access to 25 so you could send the notification?

If so that would explain why during your setup of email notification you started getting the stuff from the wap.  Because you then opened up rules to allow talking to a smtp server?

Help me, please….

@stephenw10:

I get stuck beacons but it never actually causes a problem.
You can try setting hw.ath.bstuck to a higher value, I use 8.

Steve

I have it set to 8.  I usually have several successful resets after stuck beacons before it gets the card into an inconsistent state.  I went through numerous iterations of settings and tweaks but I still end up having to restart 2-3x a week.

My AP is in an environment with very little other activity (no other Wifi, bluetooth, microwave, etc.) which, as I understand it, lends itself to the overshooting problem that causes the stuck beacon resets.  You have less likelihood of going from a very low noise floor to a high one and interpolating to an out of range value if you're in an environment with one or more other radios within range.  When my neighbor turns on their wifi printer (acts as an AP in ad-hoc mode) it normally causes my wifi to go down.  Sometimes Wii controllers (bluetooth) will cause it to go down too.

I've never successfully logged it happening.  As soon as it happens hostapd goes into an infinite loop trying to reset the HW and floods the log.  By the time I'm able to either kill hostapd or restart it has filled and rolled over my system log.  I have noticed (as I mention above) that it can/will successfully reset sometimes though.

If I understood BSD better (I'm of a Linux background) then I might try to fix the code that causes this.

I have seen desktop NICs that can do this but not all of them.  So I think it comes down to hardware support then drivers that can use it.

I figured out the wireless problem.  It turns out that the automatic channel feature is not working.  I was getting tons of stuck beacons and it would eventually stop working.  The solution was to look at the channels used and force a channel (in this case channel 3 was open).  802.11b was working fine because it wasn't being used by my neighbors.

Thanks everyone for the help.  My general setup is working.  Now I'm working on setting up packages and firewall rules, NAT, etc.

ok, my mistake
everything fine after squid -z and reboot
disk usage 0%

thanks

Hi Steve,

Strange that it doesn't work. It's currently the only rule I have under the wireless interface.

Cheers

it just ran after installing to hard drive.

@cmb:

@dannjr:

Actually I think theres a issue between the FreeBSD 4.4 on the 2Wire and the FreeBSD 8

No, has nothing whatsoever to do with what you're running, it blocks the replies necessary for traceroute to function on the public IPs, and does so for everyone regardless of OS. The reason the last hop works is because it actually replies, it doesn't send back the TTL expired message that the 2wire drops, which is what traceroute times on intermediate hops.

All you're doing by dropping the TTL to 1 is ensuring the traceroute never traverses the modem. The modem's internal IP responds with TTL expired, it's just when something upstream of it responds, it blocks it. You'll see it in your firewall log on the modem.

Reverse DNS lookups have no relation to traceroute.

Thanks for that answer.. I looked in the 2wire logs before but didn't notice it right away cause it only writes one small line about it..
As for setting TTL to 1 in the long run that will work out with our resident goof here so we're not waisting additional time.. It's just gonna advirt a ping TTL of 254 and that could be insain since 90% of all ATT is about a TTL of 116 New meaning..

I think its time for me to see IF I CAN do a work around with TOS
We use to lie in Windows for the TOS to 92 which bypassed some of the ISP info with TOS 254 and some other settings would be would be proper..
Best explanation for TOS I can think of is here
http://www.dslnuts.com/discussion/index.php/topic,1878.msg9712.html#msg9712
Anything is possible till they catch it.. and that depends on if it can work..

In any event
If nothing else no matter how many routes we setup with the2wire in front it can't respond to the Traceroute because someone at AT&T thinks its a security risk..
There's allot of things I like about the 2wire when they left it be.. But now I guess they want to make sure QoS for the TV and the phones don't get put in the same layer..
I tested that with our Satilite dich(directv) and did a speedtest while using the DVR to download and it cut the download speed by 5Mb.. Since directv has its own way of doing things.. Even though I set it up to have a static IP for the 2wire it was also getting an assigned IP (DHCP) from the 2wire as well.. I decided to put the Directv behind the pfSense and its still working well without the second IP..

Latency threw the 2wire threw the Pfsense has an average 18ms So I cant complain about the speed..
I'm also using STATIC IP's threw the 2wire not what some people think are sticky IPs.. It was just getting the MAC tables to take.. Which I've cleared out of the 2wire several times and they're listed re-immediately

So other then this trace issue all is well.. All that's really left is to get a hold of ATT to set our rDNS records which is a pain and dont even mention that to Teir 1 they'll ask what email client your using. You have to ask for the Static IP dept after several transfers you might get through

SO after all this we need to get a few thousand people together and bust ATT on trace routes…..

cmb Thank you for that Quick reply and info… I can't say what I'm thinking about the AT&T engineers right now!

Some browsers can be pretty bad about caching those things. The initial error indicated your /tmp slice was full. If it was on NanoBSD that's not terribly hard to do since it's a RAM disk.

Quite a stupid mistake!  But indeed, it's working now!
Thanks a lot!

@Wasca:

I've got my problem sorted but it was a little strange.

I was connecting to the SIP server (Switchvox server) via an OPENVPN tunnel. The tunnel was using UDP. I changed it to a TCP tunnel and now I can make inbound and out bound calls over the tunnel.

After doing some packet capture it looked like my UDP SIP/SDP Invite packets being sent by my SIP phone was getting dropped some where so they were never hitting back at the Switchvox PBX while the tunnel was using UDP. As soon as I switched the tunnel to TCP all was good.

I vaguely remember reading something about SIP and UDP in PFsense being a problem, can anyone enlighten me?

No such problems. Sometimes you have to change NAT settings depending on your provider and your specific circumstances but that's not relevant in this scenario.

The only way changing it from TCP to UDP would make any difference is if the tunnel wasn't functional at all over UDP (something blocking it somewhere most commonly why) and worked with TCP.

Do you have a big problem with arp spoofing then? What sort of network are you using this in?

@http://en.wikipedia.org/wiki/Network_switch#Configuration_options:

Managed switches — These switches have one or more methods to modify the operation of the switch

You can connect to the switch configure it for your network. Typically you might use VLANs or QoS options.
Some such switched have:

MAC filtering and other types of "port security" features which prevent MAC flooding

In order to prevent an arp spoofing attack you need to stop a malicious client machine sending out arp packets announcing that the gateway IP has changed MAC address. Or at least prevent those packets reaching your other clients. The only way to do this is at layer 2, typically the switch. You set the switch to filter and arp announcements for the gateway IP other than the correct MAC which you have set.

I'm still not sure what you mean by MAC Vulnerability. Do you have a link to the Mikrotik forum explaining it? It sounds like possibly you are referring to a paid access captive portal arrangement. Clients spoof their MAC address in order to get access that someone alse has paid for. Is that it?

Steve