At my wits' end with my hardware, request advice on new!
-
Guys
I'm at my wits' end with my hardware. It works fine under IPCop and Windows, but I have tried for months to stop it locking up under pfSense, to no avail. I have tried switching from embedded to a full install. I have tried turning off ACPI. I have tried increasing states from 1000 to 40000. I have tried everything, but after about two weeks, usually while downloading a torrent, the thing will lock up and require a power cycle to bring it back. Before people go all righteous on me, you can download legal software via torrent too, and it doesn't matter what the traffic is, it shouldn't bring down a corporate grade firewall! Here is my current hardware,
Jetway J7F4K 1.2GHz + 1 Gb RAM
D-Link DFE-580TX Quad NIC PCI Card
And here is what I would like to swap it with, but I would like advice from you guys before I take the plunge,
ALIX 1C Mini-ITX System Board - LX800 / 256MB RAM (Keeping my Quad port NIC)
Or this Jetway J7F2 1.2Ghz Eden
With this 3 port expansion - Jetway Triple 10/100 LAN,
Can anyone PLEASE confirm that this kit WORKS before I spend any more money?
Or does anyone have any other suggestions? I need at least 4 interfaces.
Cheers
-
I would stay far away from the Jetway hardware for a firewall. We have about 10 Jetway motherboards that we had to pull out of clients firewalls because there were so many glitches, higher latency, and just plain weirdness. Do yourself a favor and stick to Intel-based chipsets. You will be much happier.
-
I hear ya! What about the ALIX 1C Mini-ITX board? I hear they (ALIX) are quite good bits of kit, I just don't like the limited amount of RAM - is 256MB really enough?
-
Well, it's early days for me as I'm currently testing the embedded version to be rolled out as client firewalls, but running it here at home with traffic shaping turned on (thought it may load it a bit more) at 20 meg download I am using approx 30% processor, most of that interrupt, so I'd say these boards are good for up to 80 meg, say 50 to be safe.
The PHP process often eats up more processing when you're on the web GUI than the traffic does, if you sit and look at top in a shell.
This is on a: ALIX 2C1 - LX700 / 128MB RAM / 3 LAN / 1 mini-PCI
Memory is 50% used.
Any reason you need more? If it's only firewalling / VPN I don't see why it should need tons.
My VPN traffic is not going to get that heavy on these things, so that shouldn't become a factor for me.
I was originally going to do a microdrive install, but after speaking to Hitachi and hearing they have discontinued production of their microdrives (according to a member of staff I work with) I decided it was better to keep it simple and use the embedded.
The shell based pftop command actually has enough traffic interrogation abilities to find suspect machines eating bandwidth anyway, so my engineers can put up with that.
I'm going to keep on testing this board for a month or so to be sure, but so far I'm quite impressed by it.
Depending on what you're going to use it for, I don't see it being a problem.
Going to be whacking a wireless card in it soon and testing that out :)
-
Hi,
Thanks for the info. Yeah, I understand that architecture is more important than speed or headroom. A Cisco router may not have the fastest CPU or the most RAM, but thanks to its proprietary hardware architecture and IOS tailored for known hardware they are where they are. In the same vein, years ago when Compaq took over Digital and MS dropped support for NT4 on the Alpha architecture, Compaq upgraded all our customers' DEC Alphas running NT to ML370s free of charge. Although the CPUs were four times as fast, our customer was very disappointed in the performance of the new Intel boxes. We then had to explain to them how the architecture in an Alpha was far superior to an Intel box and that just because it was newer and had a quicker processor doesn't mean it will give them the performance benefit they were expecting.
This is why I'm curious about these AMD Geode LX (LX800) chips and the ALIX kit in general. I can't seem to find out what chipset these boards use. I don't think it's Intel or VIA, so I am presuming it uses some sort of AMD chipset. I would like some feedback from other AMD Geode LX owners to see if they are generally happy.
Failing that I think I might hold out for this MSI board,
MSI MS-9830 - Fanless, Industrial
It's a full Intel board, both CPU and chipset, and as it's not on sale yet I can only imagine they are holding out for the dual core Atom.
Cheers
-
Are these problems not just related to your quad port NIC adapter?
Have you tested another card just to be safe? Might save you a whole new setup..
-
Yeah - it has crossed my mind, but the only other quad port PCI card (not PCI-E or PCI-X) I can find is this one,
http://linitx.com/viewproduct.php?prodid=11149
Either way it is going to cost me about £100 to find out which one it is.
-
Realtek NICs likely aren't going to help (that's the card you were looking at buying). They have a reputation for being flaky. The DFE-580TX you're using is a Sundance Technologies chipset - the ste(4) driver in FreeBSD, which is not a mainstream NIC.
Why not a PCI-X NIC? So long as you have enough room in your case, it will work in a PCI slot - albeit with a 32 bit PCI interface. However, most PCI-X quad cards will be quad Gigabit - with prices to match.
You may not need a quad NIC - another way would be to use VLANs and a VLAN capable switch. With VLANs you could use a single NIC if you so wished, including an inexpensive Intel Gigabit desktop adapter - though server adapters are recommended if possible, as FreeBSD and therefore pfSense will use the offloading features. There's at least one inexpensive fanless 24 port 10/100 plus 2 Gigabit L2 managed switch that would do the job (Netgear FSM726 v2 - you must get a v2 switch as the v1 has a noisy fan). That's just one switch I'm aware of; Netgear is not my preferred switch vendor.
The usual recommendation for the highest stability is to use Intel Gigabit NICs. Close behind are Broadcom Gigabit NICs - this comes to you via a bge(4) device in my Dell PowerEdge R200 pfSense box. All the NICs I've bought recently are Intel Gigabit, though my modern Dell servers use Broadcom NICs (bge(4) or bce(4) in the more upmarket servers).
Unfortunately most of the mini-ITX boards out there use fairly nasty NICs that are specified on the basis of the lowest cost, power consumption, pin count and board real estate used (Realtek and similar). These NICs are not ideal for server tasks such as running a firewall. The VIA Rhine devices on ALIX boards don't seem to be too bad, if an ALIX would do - though I have no direct experience of them.
There are some mini-ITX boards that use Intel Gigabit NICs, but they're not very common. If you are going to buy new hardware, I suggest checking the NICs used carefully. It's worth checking that there's ALTQ support in FreeBSD 6 or 7 (for 1.2.1 and upwards) for the NICs you intend to buy, otherwise you can't use traffic shaping in pfSense.
-
This is why I'm curious about these AMD Geode LX (LX800) chips and the ALIX kit in general. I can't seem to find out what chipset these boards use. I don't think it's Intel or VIA, so I am presuming it uses some sort of AMD chipset. I would like some feedback from other AMD Geode LX owners to see if they are generally happy.
Hi,
I have been using an ALIX 2C1 board since November 2007. This is the version with 3 LAN / 1 miniPCI / 433 MHz AMD Geode LX700 / 128 MB. It runs with a 1GB Industrial Compact Flash card, and OpenBSD installed on it and serves as my home firewall + spamd filter (+ a couple of other daemons).
Sitting behind this ALIX firewall, in addition to my laptop, I have a home server which serves 10-15 GB of web+mail data per month, including one web site with around 400'000 pageviews per month. RAM usage on the ALIX firewall has never gone beyond 48-50 MB. Processor load has never been an issue, and power consumption is ridiculous.
–-----------------------------------------------------------------------------------------------------
Here is the dmesg for my ALIX board if you need some info on the hardware of this board:
OpenBSD 4.2-stable (ALIX2) #0: Mon Nov 19 20:44:38 UTC 2007
root@localhost:/usr/src/sys/arch/i386/compile/ALIX2
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 432 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 133791744 (127MB)
avail mem = 126832640 (120MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/31/07, BIOS32 rev. 0 @ 0xfcdda
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe0000/0xb000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:12:a0:3c
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:12:a0:3d
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 00:0d:b9:12:a0:3e
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
pcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <transcend>
wd0: 1-sector PIO, LBA, 976MB, 2000880 sectors
wd0(pciide0:0:0): using PIO mode 4
pciide0: channel 1 ignored (disabled)
"AMD CS5536 Audio" rev 0x01 at pci0 dev 15 function 3 not configured
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: AMD EHCI root hub, rev 2.00/1.00, addr 1
isa0 at pcib0
isadma0 at isa0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
usb1 at ohci0: USB revision 1.0
uhub1 at usb1: AMD OHCI root hub, rev 1.00/1.00, addr 1
biomask e3ef netmask ffef ttymask ffef
pctr: user-level cycle counter enabled
mtrr: K6-family MTRR support (2 registers)
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout
I am VERY happy with this board.
-
Yeah - it has crossed my mind, but the only other quad port PCI card (not PCI-E or PCI-X) I can find is this one,
http://linitx.com/viewproduct.php?prodid=11149
You may wish to add the Soekris lan1641 adapter to the list of cards which you investigate (I have no experience with it):
http://www.soekris.com/lan16x1.htm
-
Hi,
Thank you both for your comments. The VLAN idea is one option, but it does mean an extra box at some extra £180; plus I have tried implementing VLANs between my 7760 access point and my router, but the pfSense DHCP daemon doesn't seem to support VLANs.
The motherboard I mentioned above has now got a proper name IM-945GSE http://global.msi.eu/index.php?func=proddesc&prod_no=1602&maincat_no=388 and I must say I am VERY interested indeed!
Not only does it have an Intel CPU and chipset, and no fan, but it comes with dual Intel Gig LAN to boot.
-
There's no need to spend £180 on a VLAN capable switch, especially if all you want is a device to break out VLANs from your pfSense box to ports.
A little bit of hunting found an HP ProCurve 1700-8 for £50.01. This is an 8 port VLAN capable switch - one port is Gigabit, the other seven are 10/100. If you want 8 Gigabit ports, there's the HP ProCurve 1800-8G for £101.81. Both these switches are fanless. If you're going to buy, I'd Google for the cheapest price including shipping - the HP part number is J9079A for the 1700-8 and J9029A for the 1800-8G.
There's no problem using pfSense's DHCP server with VLANs; I'm doing so with, amongst other things, 3Com 8760 access points. I suspect that the problem is that you're not connecting your 7760 directly to your pfSense machine - 802.1q tagged packets usually will not pass through a switch that doesn't support 802.1q VLANs. If your switch does support VLANs, you haven't got things configured correctly.
-
Re: switches, thanks for the info, I had no idea you could get ProCurve switches so cheap! This might be one way forward.
Re: VLAN DHCP, I am connecting the 7760 to a spare NIC, that's why I need 4 interfaces. But I don't get the VLAN interface tab under DHCP server. So I dropped back to 1.2-Release from 1.2.1-Beta and what do you know, it is now there.
Thanks for your input - I now have even more ideas going around in my head :)
-
David,
Have found the 1800-8G for £67.00, fantastic! http://www.stuff-uk.net/?s=ST-J9029A One question before I buy it: if I plug both my cable modems into, say, port one and port two on the switch and put them in separate VLANs, which MAC will be used to bind to the modem IPs? See, at the moment each modem has its own NIC and therefore will bridge to the MAC of that NIC. But if VLANed, will they not share the same physical NIC MAC? Or does putting it in a separate VLAN generate a pseudo MAC?
Please excuse my misunderstanding if I have overlooked the obvious.
-
The problem with 1.2.1-BETA may be part of the VLAN problems that are known with the release at the moment, or it may be a separate issue. It's worth checking the beta forum and adding it to the VLAN thread if necessary.
Getting VLANs working with your 7760 should be well worthwhile. Though the 7760 is quite different in many ways to the 8760 (it's a completely different firmware and user interface), it should be possible to have different VAPs running with different VLANs, also you can have your RADIUS server handing out different VLANs to different users on the same VAP. My wireless networks default to an unprivileged VLAN, but if you authenticate with suitably privileged credentials, you're connected to the main LAN. FreeRADIUS can do the necessary - but I'm not sure whether the pfSense FreeRADIUS package has the necessary functionality.
I'd trust the inexpensive ProCurve switches to do the right thing much more than I would trust some of the cheaper multi-port NICs mentioned in this thread. My personal choice would be the ProCurve 1800-8G and a single port Intel Gigabit server NIC - that will cost you somewhere around £140 (taking your price for the 1800-8G and allowing around £70 for the NIC). However, a less expensive solution is possible - a single port Intel Gigabit desktop NIC costs less than £20 and may be all that you need. If you upgrade to a server NIC later, you've got a good NIC to upgrade a desktop machine with or to keep as a spare.
With these inexpensive 8 port fanless VLAN capable switches available, you can probably see why I'm a fan of using VLANs and increasingly see no point for expensive multi-port NICs in a pfSense box. The multi-port NICs have their place when you need the bandwidth or for redundancy (such as a CARP based setup, where you can have different ports that can do the same job wired to different switches, which gives you diversity).
I believe that VLANs are the more flexible solution when it comes to sorting out your internal networks, not least because you can reprogram them from your computer instead of messing around repatching, which I believe is potentially more error-prone.
The price you've found on the 1800-8G is fantastic indeed - an 8 port Gigabit switch that is VLAN capable for £67 can't be bad.
This should help in understanding how a VLAN setup works:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet6 fe80::219:b9ff:fefa:2206%bge0 prefixlen 64 scopeid 0x1
        ether 00:19:b9:fa:22:06
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.128.254 netmask 0xffffff00 broadcast 192.168.128.255
        inet6 fe80::219:b9ff:fefa:2206%vlan3 prefixlen 64 scopeid 0xa
        ether 00:19:b9:fa:22:06
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
        vlan: 1 parent interface: bge0
As you can see, VLANs take the MAC of their parent NIC, so that's what your cable modems will bridge to. You correctly describe the way to deal with WAN links in a VLAN scenario - you give the WAN link a dedicated VLAN. You set the cable modem's switch port to:
- untagged operation on the dedicated VLAN (without needing 802.1x)
- forbidden on all other VLANs
- the PVID set to that of the dedicated VLAN
That's how you set an untagged port to a particular VLAN in general - if necessary I'll read the ProCurve's manual and give you specific instructions. The mention of 802.1x is that on some switches you can require successful authentication by a RADIUS server before the port gets access to the network. That is added complexity that you don't need.
On the switch port of the pfSense NIC you're using for the VLAN, you set the port to operate on the dedicated VLAN with tagging enabled. As has been said already in the thread, it's best not to mix tagged and untagged traffic on the same port. Tag everything on a tagged capable port.
In case you're wondering, the PVID on a switch port only has meaning when there's untagged traffic - it's the VLAN that this untagged traffic should be allocated to (PVID = Primary VLAN ID). Usually, if an untagged port doesn't work when you've allocated it to a VLAN, you've forgotten to set the PVID. So long as you remember the three steps in my bullet points above - however your particular switch handles them - you'll be fine.
It doesn't matter that you have several cable modems bridging to the same MAC, as switching in a VLAN scenario uses the MAC and the VLAN ID. Traffic can only cross from one VLAN to another via something operating at higher than the Level 2 of the sort of switches we are talking about here - such as your pfSense box. Switches with Level 3 features exist, which have some routing functionality, but let's not worry about those here as they're a rather more expensive and specialist piece of kit than you're likely to encounter.
-
Cheers David,
The problem with 1.2.1-BETA may be part of the VLAN problems that are known with the release at the moment, or it may be a separate issue. It's worth checking the beta forum and adding it to the VLAN thread if necessary.
Together with some other issues I have I plan to downgrade at the weekend.
Getting VLANs working with your 7760 should be well worthwhile. Though the 7760 is quite different in many ways to the 8760 (it's a completely different firmware and user interface), it should be possible to have different VAPs running with different VLANs, also you can have your RADIUS server handing out different VLANs to different users on the same VAP. My wireless networks default to an unprivileged VLAN, but if you authenticate with suitably privileged credentials, you're connected to the main LAN. FreeRADIUS can do the necessary - but I'm not sure whether the pfSense FreeRADIUS package has the necessary functionality.
This is exactly what I'm planning to do as I now have a new wireless device that just will not authenticate with WPA so I intend to put it in its own VAP running on the same AP.
if necessary I'll read the ProCurve's manual and give you specific instructions.
RTFM - now that is something I can do when I get mine ;)
Traffic can only cross from one VLAN to another via something operating at higher than the Level 2 of the sort of switches we are talking about here - such as your pfSense box. Switches with Level 3 features exist, which have some routing functionality, but let's not worry about those here as they're a rather more expensive and specialist piece of kit than you're likely to encounter.
I already have a good working knowledge of how layer 2 and layer 3 devices work. At work we are using 3Com 5500s which, as I'm sure you know, are layer 3 switches; I've just not personally had much real world exposure to VLANing. This is why this will be a good exercise for me.
Cheers for your posts David, your instructions are clear and sound and I will take heed of them. I still haven't ruled out a new router m/board (more money than sense) but with this advice at least I won't be throwing good money after bad.
Cheers
-
Yes, they will share the same MAC. How ISPs use that information is hard to say IMO. Are both modems connected to the same ISP? As it goes for my ISP, I need to register my NIC first.
I directly connect the modem to my pfSense PC, then I use the Ubuntu live CD so I can walk through their web page.
HP1800-8G VLAN guide http://pfsense.site88.net/mysetup/index.html
-
if necessary I'll read the ProCurve's manual and give you specific instructions.
RTFM - now that is something I can do when I get mine ;)
There's no need to buy to get the manuals - the ProCurve 1800 series manuals are here. The VLAN stuff can be found here.
I often download and look through manuals of equipment before buying - it helps a lot to have the documentation available to read. Increasingly, manuals for IT gear are supplied in electronic form only.
-
Hi David, Perry,
I now have my switch (yay) and, without going too off topic and rubbing a mod up the wrong way, could you offer me some guidance?
I have read the manual and would like some help understanding tagged & untagged / 'All'.
VLAN Per Port Configuration
• Port/Trunk – The port number or the ID of a trunk.
• VLAN Aware Enabled – VLAN aware ports are able to use VLAN tagged frames to determine the destination of the frame. Click to enable or disable VLAN awareness mode for this port. (Default: Enabled)
• Ingress Filtering Enabled – If enabled, incoming frames for VLANs which do not include this ingress port in their member set will be discarded. (Default: Disabled)
• Packet Type – Users can set the interface to accept all frame types, or only tagged frames. If the Packet Type is set to “All,” the port can accept incoming tagged and untagged packets. Untagged packets will be associated with the VLAN identified by the PVID. Tagged packets will be dropped unless the port is a member of the VLAN identified by the VLAN tag in the packet. If the Packet Type is set to “Tagged,” the port will only send tagged packets. (Default: All)
• PVID – From a drop down menu, choose the VLAN ID that will be assigned to untagged frames received on this port. You cannot choose “None” for the VLAN ID unless the packet type is set to “Tagged Only.” Choosing “None” will not assign any VLAN ID to untagged frames received on this port. It is not possible to remove a port from VLAN 1 unless its PVID has been changed to something other than 1. The PVID has no effect on ports that have Packet Type set to Tagged. (Default: 1)
To keep things simple and get my setup working I will use one port on my router configured as LAN (re0) (VLAN 1 I think) + two VLANs 11 & 22 attached to it.
One modem connected to port 8 on my switch (in vlan 11)
My 7760 connected to port 7 on the switch (in VLAN 22)
And my router connected to port 1 on the switch (in VLAN 1, PVID 11 & PVID 22)
Is the physical NIC on the router in VLAN 1 by default?
Will the physical interface on the 7760 be in VLAN 1 and need access to it for management?
For this reason won't all ports need setting to untagged / all?
What does Ingress Filtering mean?
It's quite clear I have a lot of learning to do.
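To make the manual's per-port rules (Packet Type, PVID, Ingress Filtering) and the earlier point that switching works on MAC plus VLAN ID concrete, here is an added model of 802.1Q tagging and a small learning switch; it is example code written for this thread, not HP's or pfSense's, and the port layout, MAC addresses and the ingress-filtering setting are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100   # TPID that marks an 802.1Q tag

def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_frame(dst, src, ethertype, payload, vid=None):
    """Ethernet II frame; with vid set, a 4-byte 802.1Q tag (PCP 0, DEI 0) follows the source MAC."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload); a tag is recognised by its TPID."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    etype, off, vid = struct.unpack("!H", frame[12:14])[0], 14, None
    if etype == ETH_P_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        etype, off = struct.unpack("!H", frame[16:18])[0], 18
    return dst, src, vid, etype, frame[off:]

@dataclass
class Port:
    members: frozenset              # VLAN member set of the port
    pvid: int = None                # VLAN given to untagged ingress frames
    tagged_only: bool = False       # manual's Packet Type "Tagged" (the trunk to pfSense)
    ingress_filtering: bool = True  # enabled here so the drop case is visible (manual default: disabled)

class Switch:
    def __init__(self, ports):
        self.ports = ports
        self.fdb = {}               # (vid, mac) -> port: learning is per VLAN, not per MAC alone
    def classify(self, port_no, frame):
        """Ingress rules from the manual: the frame's VLAN, or None if it is discarded."""
        p = self.ports[port_no]
        _, src, vid, _, _ = parse_frame(frame)
        if vid is None:
            if p.tagged_only or p.pvid is None:
                return None         # assumed: a Tagged-only port has no PVID and drops untagged frames
            vid = p.pvid            # untagged frames are associated with the PVID
        elif p.ingress_filtering and vid not in p.members:
            return None             # tagged for a VLAN this ingress port is not a member of
        self.fdb[(vid, src)] = port_no
        return vid
    def forward(self, in_port, frame):
        """Return {egress port: frame}, tagged on Tagged-only ports and untagged elsewhere."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return {}
        dst, src, _, etype, payload = parse_frame(frame)
        known = self.fdb.get((vid, dst))
        if known is not None and known != in_port:
            targets = [known]
        else:                       # unknown or broadcast destination: flood within the VLAN only
            targets = [n for n, p in self.ports.items() if n != in_port and vid in p.members]
        return {n: build_frame(dst, src, etype, payload, vid if self.ports[n].tagged_only else None)
                for n in targets}

def demo():
    """Constructed layout: port 1 tagged trunk to re0, port 7 untagged VLAN 22 (AP), port 8 untagged VLAN 11 (modem)."""
    sw = Switch({1: Port(frozenset({11, 22}), pvid=None, tagged_only=True),
                 7: Port(frozenset({22}), pvid=22),
                 8: Port(frozenset({11}), pvid=11)})
    re0, modem, ap = "02:00:00:00:00:01", "02:00:00:00:00:0b", "02:00:00:00:00:0c"  # constructed MACs
    bcast = "ff:ff:ff:ff:ff:ff"
    out1 = sw.forward(8, build_frame(bcast, modem, 0x0806, b"arp"))          # modem: untagged -> VLAN 11
    out2 = sw.forward(1, build_frame(modem, re0, 0x0806, b"reply", vid=11))  # re0 replies tagged 11
    out3 = sw.forward(1, build_frame(bcast, re0, 0x0806, b"arp", vid=22))    # same re0 MAC, VLAN 22
    out4 = sw.forward(7, build_frame(bcast, ap, 0x0806, b"arp", vid=11))     # AP port is not in VLAN 11
    tag = lambda out: {n: parse_frame(f)[2] for n, f in out.items()}
    return {"vlan11_flood": tag(out1), "reply_to_modem": tag(out2),
            "vlan22_flood": tag(out3), "filtered": list(out4), "fdb": sorted(sw.fdb.items())}
```

The returned FDB shows the same re0 MAC learned twice, once under VLAN 11 and once under VLAN 22, which is why two modems bridging to one NIC MAC on different VLANs do not collide.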
-
I don't think explaining all those things to you in a forum would make much sense. A good networking book, google search or taking a course would be better for you IMHO. As you say let's KISS instead ;)
To keep things simple and get my setup working I will use one port on my router configured as LAN (re0) (VLAN 1 I think) + two VLANs 11 & 22 attached to it.
One modem connected to port 8 on my switch (in VLAN 11)
My 7760 connected to port 7 on the switch (in VLAN 22)
And my router connected to port 1 on the switch (in VLAN 1, PVID 11 & PVID 22)
Is the physical NIC on the router in VLAN 1 by default?
Will the physical interface on the 7760 be in VLAN 1 and need access to it for management?
For this reason won't all ports need setting to untagged / all?
As I showed in the wink guide, it's a good idea for first-time users of VLAN switches to leave VLAN 1 and port 1 alone.
Let's assume some things (so it will be more like my guide):
To config the switch, connect a PC to port 1.
Use port 8 as the only tagged port. This is the port that will be connected to re0 on your pfSense firewall; re0 will be the parent of your VLANs, never a VLAN.
So basically follow my guides and learn by doing…
Latest firmware ftp://ftp.hp.com/pub/networking/software/1800-8G-Software-PA0300.zip