Need help with hardware setup please.
-
That's what I thought too and I mentioned it (at least I think I did) but nothing ever got brought up about it.
-
It's pretty much this easy…
-
How about SLPPP connections like he has? There wouldn't be a second interface to select to bond.
-
I believe you either make one up such as a VLAN or install a second interface that just goes unused…
Hopefully someone who knows for sure will chime in otherwise some experimentation may be in order...
-
JoelC707: Thank you for all your help. I got really busy this week and was not able to work on it. I started working on it again tonight.
chpalmer: Thank you for your help activating MLPPP within pfSense 2.0. You can't imagine the hours of research that I found. The best that I found was a guide to get it installed by following a guide. I saw the settings for MLPPP within pfSense, but I assumed that because it didn't say Single Link (like Tomato does) that it didn't work. On top of which, I couldn't get it to connect, but that must have been because I didn't select a second network interface. In addition, I read that getting MLPPP working on 2.0 resulted in very bad Port 80 surfing/traffic. This was unacceptable as I needed it for work.
MLPPP seems to be working okay now from pfSense.
Now I just need to figure out what my cousin did again to try and get it all working the way it was. ARGH!
Thanks for the help guys! It looks like I can cancel the /30 subnet from TekSavvy as I'm not in need of it.
-
Awesome, glad you got it working, and even more so in an undoubtedly better setup. There's nothing like getting rid of unnecessary hardware inline like that. And yeah dump the /30, def not needed anymore.
-
I guess that only leaves one question. During this process you mentioned something about snort or something else. Is there something else that I should be running on the pfSense box?
Does pfSense use iptables?
-
No, it uses pf which is a BSD licensed version of iptables: http://en.wikipedia.org/wiki/PF_%28firewall%29.
Snort is an IDS/IPS package. It detects irregular traffic usually indicative of hacking attempts and blocks it. Sure, with proper firewall rules in place they shouldn't get in anyway, but this basically bans their IP(s) from even communicating with your system for a set period of time (i.e., no more traffic to worry about). Snort can also be a resource hog; you need a gig or two at least to leave room for the rest of the system, but it also depends on how many rules you have in place. I actually went looking yesterday for snort memory requirements and one person said his system with 23K rules was taking up just under 6 GB of RAM for snort alone.
There are other packages, best bet is to go to System > Packages then Available Packages and just see what's available. The other one I like most is HAVP which is basically a transparent, inline virus scanner. You don't need to configure proxy settings on the clients (of course you can set it up that way if you want). It will scan more than just file downloads too, pictures and media streams can have a virus too and it will scan those as well if you tell it to.
There's also a threshold as to how large of a file it will scan, and set at max it can sometimes cause issues, especially with a slow connection. The file has to be downloaded to your pfsense box, scanned, then transparently sent to your desktop as if it came from the source. Sometimes it will look like the download is just sitting there and not even starting, but in the background it's being downloaded and scanned, then it transfers at LAN speeds from your pfsense box. This can also affect media streams like Youtube; they will seem like they take forever to buffer but are in fact just being scanned. Usually you would have a RAM disk to speed this up, so a beefier machine and a faster connection will help offset it (it's a virus scan after all, it's not going to be fast).
-
And what would one do if the machine isn't that beefy and needs to be used for other things too?
I have BFD setup on a VPS that I have running CentOS. It sounds like it does the same thing. If there are x number of connections within x seconds then it will ban their IP for x number of minutes.
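The banning behaviour described in this post (x connections within x seconds gets the source IP banned for x minutes) is easy to show in code. The following is an added example written for this thread, not BFD's, Snort's or pfSense's own code: a sliding-window counter per source IP, a ban with an expiry, and a run over a few constructed log lines (the timestamps, addresses and message text are made up for the illustration). It also shows the edge case the threshold has to get right: attempts spread out over longer than the window must not trigger a ban.

```python
"""Threshold-based IP banning, BFD-style (added illustration, not BFD code).

Rule: if one source IP makes at least MAX_ATTEMPTS connection attempts within
WINDOW_SECONDS, ban that IP for BAN_MINUTES. Attempts older than the window
are forgotten, so slow, spread-out attempts never accumulate into a ban.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class ThresholdBanner:
    def __init__(self, max_attempts, window_seconds, ban_minutes):
        self.max_attempts = max_attempts
        self.window = timedelta(seconds=window_seconds)
        self.ban_for = timedelta(minutes=ban_minutes)
        self.history = defaultdict(deque)  # ip -> timestamps still inside the window
        self.banned_until = {}             # ip -> when the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are dropped on first check."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            return False
        return True

    def observe(self, ip, now):
        """Record one attempt and return 'banned', 'newly_banned' or 'allowed'."""
        if self.is_banned(ip, now):
            return "banned"
        attempts = self.history[ip]
        attempts.append(now)
        # Slide the window: forget attempts older than WINDOW_SECONDS.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            self.banned_until[ip] = now + self.ban_for
            attempts.clear()  # start counting fresh once the ban lapses
            return "newly_banned"
        return "allowed"


# Constructed sample log lines for the demonstration (not real traffic).
# Format assumed here: "<ISO-8601 UTC timestamp> <source ip> <message>".
SAMPLE_LOG = [
    "2011-03-01T22:00:00Z 203.0.113.5 sshd: Failed password for root",
    "2011-03-01T22:00:00Z 192.0.2.9 sshd: Failed password for admin",
    "2011-03-01T22:00:10Z 203.0.113.5 sshd: Failed password for root",
    "2011-03-01T22:00:20Z 203.0.113.5 sshd: Failed password for root",
    "2011-03-01T22:00:30Z 203.0.113.5 sshd: Failed password for root",
    "2011-03-01T22:00:30Z 192.0.2.9 sshd: Failed password for admin",
    "2011-03-01T22:00:40Z 203.0.113.5 sshd: Failed password for root",  # 5th in 40 s -> ban
    "2011-03-01T22:01:00Z 203.0.113.5 sshd: Failed password for root",  # still banned
    "2011-03-01T22:02:00Z 192.0.2.9 sshd: Failed password for admin",
    "2011-03-01T22:02:30Z 192.0.2.9 sshd: Failed password for admin",
    "2011-03-01T22:03:00Z 192.0.2.9 sshd: Failed password for admin",   # 5 attempts, but spread over 3 min
    "2011-03-01T22:05:00Z 198.51.100.7 sshd: Accepted publickey for joel",
    "2011-03-01T22:35:00Z 203.0.113.5 sshd: Failed password for root",  # 30 min ban has expired
]


def parse_line(line):
    ts_text, ip, _message = line.split(" ", 2)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip


def process_log(lines, max_attempts=5, window_seconds=60, ban_minutes=30):
    """Run the banner over chronologically ordered log lines.

    Returns (events, banner): events is a list of (timestamp, ip, verdict)
    for every line that was not simply allowed.
    """
    banner = ThresholdBanner(max_attempts, window_seconds, ban_minutes)
    events = []
    for line in lines:
        ts, ip = parse_line(line)
        verdict = banner.observe(ip, ts)
        if verdict != "allowed":
            events.append((ts.isoformat(), ip, verdict))
    return events, banner


if __name__ == "__main__":
    for ts, ip, verdict in process_log(SAMPLE_LOG)[0]:
        print(ts, ip, verdict)
```

With the defaults (5 attempts, 60 second window, 30 minute ban) only 203.0.113.5 gets banned, at its fifth attempt; 192.0.2.9 makes the same number of attempts but spread over three minutes, so the window never holds more than three of them and it is left alone. The ban is enforced in `observe` by checking `is_banned` first, which is also where an expired ban is cleared, so the 22:35 attempt from 203.0.113.5 is allowed again and counting restarts from one.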
-
That's basically how Snort works but it has to match a certain rule that says "this is a hacking attempt" for it to block the IP(s).
Are you referring to the beefiness needed for Snort or HAVP? Snort has low memory options in its config, though I don't know how well they work compared to the "full memory" standard options. Generally Snort isn't needed/used in a residential setting; it would only be needed in a business setting, and chances are you would have a decent machine for running pfsense (even a bottom of the barrel machine such as an old decommissioned server, or even a new server such as a Dell R210, is WAY overkill for pfsense even with a package like Snort). As for HAVP, the max file size scanned is 10 MB IIRC. The RAM drive is set to the max file size setting plus a small buffer, so you'd only need maybe 20 MB extra beyond whatever else you need for pfsense. It gives you the actual formula it uses, but I'm not running it anywhere right now so I can't check.
-
Well because I run a SOHO I would rather that things be pretty secure.
I'm running:
VMware ESXi 4.1
pfSense - within the VMware
Dell PowerEdge 840
Xeon 2.4 GHz dual core
4GB RAM (I'm probably going to upgrade this but I think the max is 8GB for my system)
500GBx2 HDD (RAID-1)
In addition to pfSense, I'm planning on running:
1. Enkive - Mail archiving solution
2. Funambol - Mail, Contacts & Calendar synchronization
3. Small webhost - This is not going to be used to sell space to customers but instead used to run instances of SugarCRM. Maybe multiple instances.
Originally I wanted to run something like Trixbox on it too, but I don't think there are enough resources for that.
What's your opinion?
-
Similar to mine actually.
Dell Precision 690 (basically a desktop with server class hardware, even takes the expensive FB-DIMMs my PE 2950's at the office do).
ESXi 4.1
Single Xeon 5110 (dual core 1.6 GHz), has two sockets though
8 GB RAM
4 TB of raw storage inside it
It runs pfsense, a DC, Exchange, and my file server.
I previously had all these in individual systems and while it worked fine they sucked up power like there was no tomorrow. I was having issues with my file server hardware anyway, so I figured the best course would be to virtualize everything. It works just the same if not better and it uses less power. A win-win for me. I've got an old PowerVault 220S and TONS of old 18GB - 72GB drives. I just ran thorough testing on all of them and only three 18's were showing any problems, so I'm dumping the largest drives all in the PV and gonna attach that to my server (actually won't have any 18's in the array, will have eight 72's and five 36's). I'll use it for OS drives and the 4 TB internal will get reconfigured and used entirely for my file server's data.
ESXi is good at managing memory, I have 8 GB of RAM configured among my machines but total host memory used is just under 7 GB (was 5-6 GB after a reboot). Trixbox or similar (I prefer PBX in a Flash but I've used Trixbox too) shouldn't take too much memory. What do you have configured for memory on the existing VMs? I don't know how much SugarCRM consumes but it would likely be your biggest resource hog. What does your ESXi host summary screen show in vSphere? That will tell you how much of your resources you are currently consuming. Edit: The VM Summary screen will also tell you a lot of info.
-
Zimbra is falling short of my needs
Being something of a Zimbra 'evangelist' I'd just like to know where it fell short, and invite you over to the Zimbra forums to see if we can't change your mind…