@xparanoik:

Just out of curiosity, did you keep track of cpu utilization during those tests?

Not really.  It wasn't at 100%.

We pushed data at it from the 10G test network today, only unidirectional udp traffic, but that's the tough case.
Still didn't fall over.

When the 2.2 snapshots servers are back on-line, we'll test 2.2.

https://forum.pfsense.org/index.php?topic=70400.msg402623#msg402623

This is a cable connection, so no PPPoE luckily.

Honestly I believe swapping out the nics is what resolve the whole WAN interface flapping bit.  I did hard-set 100mb/Full Duplex on both nics just in case though.  Also, and I cannot figure out why this changed, but under Routing the GW_WAN did not have Default gateway checked.

However now I'm having a throughput issue.  I'll start another thread about it.

What traffic are you pushing during that time?

Steve

@podilarius:

There has been talk about upgrading to the newer pf, but I don't know much about it or even when. Perhaps 2.2 or 2.3.

I missed this earlier. I'm not associated with ESF either.
The smp friendly pf is in FreeBSD 10 so pfSense 2.2, which will be built on that, should inlude it.

http://svnweb.freebsd.org/base?view=revision&revision=240233

Steve

No

Thank you - I may just get a SATA to IDE bridge board and try it that way instead of going with the IDE bus adapter you linked. I'll report back if it's successful.

Recommend E-lins M300 Modem.

I don't totally understand your question. Where are devices A and B and servers A and B?

If you have only two interfaces in the firewall, WAN and LAN, then traffic between devices in the internal network does not flow through the firewall at all. Only traffic that flows in or out of the WAN goes through the firewall and with your 30/30 Mbps connection that means the total firewall throughput, in both directions simultaneously, can be 60Mbps.

If you have multiple internal networks separated by multiple interfaces on the firewall then traffic between those networks obviously has to go through the firewall. That traffic could be at Gigabit wirespeed in both directions and you could have many connections between many interfaces so firewall hardware requirements are significantly higher.

So really it depends how many interfaces you're planning to have.

Steve

@Sifter:

sis0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500         options=83808 <vlan_mtu,wol_ucast,wol_mcast,wol_magic,linkstate>ether 02:63:c0:d6:7b:7e         inet6 fe80::7422:d7c0:c46:842%sis0 prefixlen 64 scopeid 0x1         inet 10.0.0.169 netmask 0xffffff00 broadcast 10.0.0.255         nd6 options=1 <performnud>media: Ethernet autoselect (none)         status: no carrier</performnud></vlan_mtu,wol_ucast,wol_mcast,wol_magic,linkstate></up,broadcast,running,simplex,multicast>

Hmm, well that doesn't look good. I would expect that sis0 is always connected to the switch. The switch may have autonegotiation disabled on that port. You could try setting sis0 to 100Mbps FD and see if shows carrier. Though even if auto was disabled it should still fall back to 10Mb HD if a connection is detected.  :-\

You might be able to port (if someone else hasn't done it already some roboswitch code from, for example, OpenWRT.

Steve

PERC 6 is probably supported by the mfi(4) driver.

Steve

Why is your RAM usage so erratic? Are you using Snort or Squid by any chance?

The patterns look like some RAM consuming package stops and restarts… when it stops the usage falls and when it starts backup it either shooting up the usage or gradually comes to a point where it needs to restart again.

Please post your installed packages and hardware config for the box.

@stephenw10:

The always on VPN scenario seems like, often at least, it gives a false sense of security.
Where are you terminating your VPN/exiting your traffic?
The only way it seems likely to help is either you are terminating it somewhere genuinely trustworthy (don't know where that mught be  ;)) or you have many VPNs terminating on one machine such that traffic from the terminating machine cannot be eaily tied to any particular VPN.

Anyway that's enough thread hi-jacking. Apologies to the OP.

Steve

I route all my traffic at home through a server in a near-by data center (consistent 8ms ping).  It gets me away from Verizon's crappy routing (read: my Netflix works) and I can do interesting things like run all my web traffic through mod_pagespeed.

Yep that's the 32bit version. Easily done, I've piles of DVDRs here on my desk. Some of them are labelled….  ::)

Steve

Here's the new Alix board.. the price shoots up with all the bells and whistles..

| Board | apu1c4 | $165 | http://www.pcengines.ch/apu1c4.htm | |
| Enclosure | case1d2redu | $9.3 | http://www.pcengines.ch/case1d2redu.htm | |
| US Plug | ac12vus | $4.5 | http://www.pcengines.ch/ac12vus.htm | |
| M-SATA SSD | msata16a | $20 | http://www.pcengines.ch/msata16a.htm | |
| Wireless Card | wle200nx | $18.7 | http://www.pcengines.ch/wle200nx.htm | |
| VPN Card | ?? | $ | | |
| CPU Info | | $ | http://www.cpu-world.com/CPUs/Bobcat/AMD-G%20Series%20G-T40E%20-%20GET40EFQB22GVE.html | |
| Order Page | | $ | http://www.pcengines.ch/order1.php?c=63124 | |
| | | $217.5 | | |
| | Shipping | $44 | | |
| | | $261.5 | | |

About the write/read actions on the cf/usb memory you can see that in the hypervisor , i can confirm for citrix xen server and esxi , you have graphs that will show your activity on the device.

I've been looking for something like that for a while too. URL?

@stephenw10:

The reasons you might use an appliance like this do not include having recent hardware.  ;)
They include the nice rack-mount enclosure, LCD and cursor controls, large number of interfaces, very cheap!

Exactly the point im after…
Most of which can be re-used even with a new motherboard / processor combo which in one way or another increases the "muscle"

There are still significant people using the Firebox X-Core boxes and those have a Celeron from the Pentium 3 era for the above reasons.

Steve

Fair enough Steve, but im pretty sure this is a viable ( $$$ ) option even after and upgrade as it has multiple slots available at the back which comes down to what you want to throw into it and what pfSense supports as far as hardware.

@bryan.paradis:

Expandability is one thing. You only have 1 x 16 and a mini-pci on the mitx board I mentioned. Impossible to squeeze in much more. Still that is a quad port pci-e + 2 additional gig ports off a mini pcie to low pro slot.

Full ip kvm, serial over lan and other features are nothing to sneeze at. Especially when the i5-2520m could run pfSense in a VM and still beat the snot out of older hardware. There is also power consumption to look at thought maybe that isn't a concern for you.

I have a dedicated 16port IP KVM in the rack, but for what is worth i rarely ever use it as most of the servers have RDC or ILO present which i can log into and view it what way. The way i look at it is the case and power supply is probably the only thing that is going to remain untouched ( maybe not even the case ) as for what im looking at even a single 3GHz Duo Core Xeon will do more than i will ever need it. And then i can still add in a 10GBe Myricom card as well as 2 quad port HP NICs.

For $100-150 you cant even find a decent rackmount case as Steve has mentioned it…

Thanks for following up.
That's odd that they misbehave even with a jumper to disable the bypass.  I could understand if the BIOS code was somewhat buggy but a jumper?  :-
One possible cause, and this is purely speculation, is that there is significantly more exposed conductor and potential bad contacts due to the relays and jumpers. This might mean the connection quality is lower on those ports. It shouldn't be though. If that is the case you may find them perfectly stable at 100Mbps if you force that.

Steve