PFSense

From: Bret McHone 
------------------------------------------------------
Does anyone have a pfSense 2.0-RC1 running in a production environment? 
If so, how do you like it and has it been stable for you?

Thanks,
Bret

===============================================================
From: Jason Brown
------------------------------------------------------
I hadn't realized that RC1 was available yet. I will be upgrading at home first to try it out. I too am quite curious as to how it does.

--Jason

===============================================================
From: Bret McHone
------------------------------------------------------
I guess I should ask if anyone is using pfSense (any version) in a production environment and how you like it. What functions do you like most? I am in need of a firewall and have a spare server or 15 lying around and figured it might fit the need.

Thanks,
Bret

===============================================================
From: Aaron welch
------------------------------------------------------
We use it exclusively. I used to be a PIX/ASA fan, but pfsense is more flexible and easier on the wallet.

-AW

===============================================================
From: Dustin Salter
------------------------------------------------------
I installed RC1 for AMD64 last night. It seems very stable and working well with 1 IP address. I hope to have multiple IPs moved over with the Snort instance running tonight.

ds

===============================================================
From: Dave Brockman
------------------------------------------------------
Single core early P4, 1GBish RAM, 3 PCI Nics, WAN/LAN/DMZ, all active. ~50 nodes behind it, including servers, clients, etc. Multiple forwarding/NAT rules (subnet .100 gets Public IP .10, subnet .110 gets Public IP .11, etc). Solid as a rock for almost 3 months (I check for updates every couple of weeks). Just have a few add-ons installed, mostly graphing related. QOS is enabled and appears to work as intended. I plan on moving most of my 1.x PFSense on over over the next few months, I'm suitably impressed.

Regards,
dtb

===============================================================
From: Jason Brown
------------------------------------------------------
Absolutely, 1.2.3 has worked great, and we use many of the features. Multi WAN, multi lan, load balancing, traffic shaping, static VPN, etc. Have some nice layer 7 stuff going on with snort integrated to the firewall for auto blocking of malicious content. Very flexible. Biggest things for me are "It just works", and a good web interface that is not difficult to navigate or figure out (most of the time). But when I really need it, I can get to a shell and do whatever is necessary. CARP failover is cool too. (have redundant routers here just in case, but have not had a non test failure yet). I also use it for my home router on some old dumb terminal hardware. (production hardware is a little beefier).

--Jason

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
I don't run it in production, mainly because they won't let me, but I do have it running on a few lab boxes that mimic production operations. Works fine, especially if you don't need to put gigs of throughput through it.

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
As a note - be careful upgrading RC1. I did so recently, and hit a fun bug - I could set rules in the webgui all day long. None of them would actually go live until I rebooted.

Thank god for vmware snapshots.

===============================================================
From: Bret McHone
------------------------------------------------------
oh crap. Thanks for the update. That's DEFINITELY a good reason not to go for an RC version for anything production.

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
RC1 is fine. I've been using it for awhile, and the only problem I've had with it is that not all of the packages were correct. In particular, for awhile, some of the dependencies for open-vmtools weren't on the mirror, so you had to get nasty with the console to get them installed. They've since fixed that.

Updating beyond RC1, otoh, is a bad idea until RC2 becomes stable. I'd also not recommend installing 1.2.3 and then planning to upgrade to v2.0 at some point on a production box, I've had more than a couple issues upgrading 1.2.3 boxes to 2.0 (again, thank god for snapshots)

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
And I should say, I would have absolutely no problem running RC1 in production. We used to run 1.2.3 in production for the corporate network, until we hit a critical mass and the hardware could no longer keep up with the load of what we were asking it to do. Growing pains, and all. Because of previously bad network design, those firewalls were forced to participate in our OSPF routing, and when they got loaded, it caused route flaps, which in turn caused instability in other parts of the network.

Once this started causing monthly issues, and once management saw what we wanted to spend on new hardware to get them upgraded, they decided to just go ahead and pop for ASAs to replace them. I would have no problem deploying pfsense in production again, as long as the hardware was properly sized for the expected traffic load.

All I'm saying is be careful of the upgrades, which is something that should be done on any production device. I wouldn't upgrade to any version that wasn't considered stable, and I'd make damn sure I validated the upgrade in a pilot or lab environment before I ever considered the upgrade in production. This is all SOP, though, and should be for everyone :)

===============================================================
From: Dave Brockman
------------------------------------------------------
Just chiming in and re-visiting this topic because of a little fun this weekend. I've been running the 2.0RC series for several months, and aside from waiting a couple of weeks after each new RC was released, it has been stable as a rock for me. Weekly or bi-weekly update checks. This weekend I was playing with my recently installed RC3 VM, and apparently the devs were busy this weekend, because I installed three updates... or maybe four on 7/3 and 7/4. None of them caused me any problems in between, and all the upgrades seemed to go w/o a hitch... until the last one. No errors, everything booted up normally, but two bits of strangeness I noticed and was unable to solve (quickly, step 3 in my troubleshooting was to reload, we're talking about a total of 5 rules at this point)....

1) Default gateway didn't get set at boot. I have a secondary gateway for additional routes, which is not the default, on a different interface, which was applied. Editing and re-applying the default gateway entry fixed that until a reboot.

Secondly, the damn thing just wouldn't NAT any traffic from the LAN interface any more.

Oh, I guess a third symptom, the filter reload/monitor screen would never complete.

So, I'm back and happy and everything's kicking chicken, but do keep in mind common SOP upgrade procedures -- always make sure you have a backup of your config, even if it's in pseudo-code. Just in case you need to recreate it :)

Regards,
dtb

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
Oh thanks for the reminder, I forgot all about the RC3 upgrade I meant to do this weekend.

===============================================================
From: Aaron welch
------------------------------------------------------
Any of you run pfsense with BGP as a gateway? I need to have a box (or CARP cluster) to run some IP blocks in my datacenter. I would spring for a Cisco or Foundry box, but right now the load just does not warrant the expense. I need to be able to peer with 2 providers at a Gbit each, but traffic load is usually less than 100Mbit/s. Any experience would be great as we are seriously looking to use this in production.

-AW

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
Haven't used openBGPD, but I have used quagga. It can be... flaky. Do you have a need to take full routes from each provider, or will you just be accepting a default, and you just need to announce? If you're not taking full routes, I'd honestly just pop for something like a 3560 and use the GBIC interfaces to establish your uplinks. If you do need to take full routes along with gigabit interfaces... yeah, that's going to get pricey.

===============================================================
From: Jason Brown
------------------------------------------------------
We will be trying it very soon. Have a second connection coming in to the building finally and the plan is to use PfSense and OpenBGPD on PfSense 1.2.3. We expect to be running in 3 weeks or so.

--Jason

===============================================================
From: Dave Brockman
------------------------------------------------------
Yeah, didn't see any BGP add-ins for 2.0. You guys aren't taking full routes from either of those connections are you?

Regards,
dtb

===============================================================
From: Cynicalgeek
------------------------------------------------------
Does anybody have anything to say for or against these pfSense appliances? http://store.netgate.com/Desktop-Kits-C82.aspx

===============================================================
From: Aaron welch
------------------------------------------------------
Just that a 1U or 2U box on eBay is about half the cost.

-AW

===============================================================
From: Cynicalgeek
------------------------------------------------------
Ya know. I really should try that eBay thing sometime. Thx Aaron.

===============================================================
From: Aaron welch
------------------------------------------------------
Or you could just ask if I have anything as I more than likely will.

-AW

===============================================================
From: Cynicalgeek
------------------------------------------------------
Aaron, do you have any pfsense appliances, either rackable or non-rackable that are for sale?

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
You didn't look hard enough ;) There is indeed an openbgpd package for 2.0

===============================================================
From: Dave Brockman
------------------------------------------------------
My packages list it as available for v1.3, not 2.0. /shrug

Regards,
dtb

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
click on System, go down to Packages, then click on Available Packages, scroll down to the O's. It'll be there hehe

If it's not, check the Installed Packages tab! If it's not in either place, consider a reinstall, because you be fubar'd!

===============================================================
From: Dave Brockman
------------------------------------------------------
    OpenBGPD  NET  STABLE  0.5.2  platform: 1.3

This particular instance started with 2.0RC2, is fully up to date, and the openBGPD package is still at 1.3, not 2.0. Not saying it won't run, but it's not listed as compatible w/ 2.0. I learned the hard way with squid that if it doesn't say it works with 2.0, don't install it.

Regards,
dtb

===============================================================
From: Aaron Welch
------------------------------------------------------
Yup. 2U Rackable for $125.

-AW

===============================================================
From: Dave Brockman
------------------------------------------------------
Wait, wait, wait. How much bandwidth do you need to push again? I'm sure I have a non-rackable pfsense appliance I can let go for $50. (Damn, I just got rid of a garage full of P3's that would make excellent pfsense appliances)

Regards,
dtb

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
I just updated to RC3 and installed that package.

    Neighbor   AS  MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
    stark       1        9        7     0  00:02:12  4

    stark#sh ip bgp summ
    Neighbor      V  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
    192.168.55.4  4   2       74      134      26    0     0  00:02:38  4

It works. Or at least, it did after I stopped being a dumbass and remembered to redistribute BGP back into OSPF so I could maintain external connectivity!

===============================================================
From: Dave Brockman
------------------------------------------------------
Since you're in a testing mood tonight :)

Scenario: I have a (PA) subnet and two gateways that will route to this subnet from the provider (don't ask). Since all of this is static, and one gateway is to be used only as backup, is there a way of duplicating SLA probes/gateway fail-over from Cisco land on pfsense? (ie. use Gateway-A unless it fails the SLA probe for XX seconds, at XX+1 seconds it switches to Gateway-B)

I didn't ask for any sanity checks nor logical reasoning behind the scenario, btw :)

Regards,
dtb

===============================================================
From: cynicalgeek@gmail.com
------------------------------------------------------
It will just be for two users doing mild Internet traffic.

===============================================================
From: Kenneth Ratliff
------------------------------------------------------
http://forum.pfsense.org/index.php?topic=28121.0

Specifically, you're looking for the sections on WAN failover, not load-balancing. Short answer is yes, you can define gateway groups, with each member of the group being on a different tier, and then set up some monitoring IPs to trigger a failover to the other gateway (conditions like the gateway going down, packet loss, latency, or packet loss and latency)
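The tiered gateway-group failover described in the last two messages (Gateway-A preferred, Gateway-B as backup, failover driven by the monitor probe), as a small added model of the selection logic. This is example code written for this thread, not pfSense's own implementation; the trigger-level names follow the pfSense GUI, while the loss/latency thresholds and the probe results are constructed.

```python
from dataclasses import dataclass


@dataclass
class Monitor:
    """Constructed snapshot of what a gateway's monitor-IP probe reports."""
    down: bool            # no replies at all: the member is down
    loss_pct: float       # packet loss over the probe window
    latency_ms: float     # average round-trip time


@dataclass
class Member:
    name: str
    tier: int             # 1 = preferred; higher tiers are used only on failover
    monitor: Monitor


# Trigger levels a gateway group can be set to (names as in the pfSense GUI);
# the default loss/latency thresholds below are constructed for this example.
TRIGGERS = ("member_down", "packet_loss", "high_latency", "packet_loss_or_latency")


def member_usable(m, trigger, loss_thresh=20.0, latency_thresh=500.0):
    """A member stays usable until its monitor crosses the group's trigger level."""
    if trigger not in TRIGGERS:
        raise ValueError(f"unknown trigger level: {trigger}")
    mon = m.monitor
    if mon.down:
        return False                       # every trigger level reacts to 'down'
    if trigger in ("packet_loss", "packet_loss_or_latency") and mon.loss_pct > loss_thresh:
        return False
    if trigger in ("high_latency", "packet_loss_or_latency") and mon.latency_ms > latency_thresh:
        return False
    return True


def active_gateways(members, trigger, **thresholds):
    """Names of the members in the lowest tier that still has a usable member.
    Members sharing a tier are load-balanced; a pure failover group puts each
    member on its own tier, as in the Gateway-A / Gateway-B scenario."""
    usable = [m for m in members if member_usable(m, trigger, **thresholds)]
    if not usable:
        return []                          # nothing healthy: the whole group is down
    best = min(m.tier for m in usable)
    return [m.name for m in usable if m.tier == best]


def demo():
    # Constructed probe results: Gateway-A answers but drops a third of probes,
    # Gateway-B is clean. Which gateway is active depends on the trigger level.
    a = Member("Gateway-A", 1, Monitor(down=False, loss_pct=35.0, latency_ms=40.0))
    b = Member("Gateway-B", 2, Monitor(down=False, loss_pct=0.0, latency_ms=60.0))
    return {t: active_gateways([a, b], t) for t in TRIGGERS}


if __name__ == "__main__":
    for trigger, active in demo().items():
        print(f"{trigger:24s} -> {active}")
```

With "member_down" the lossy Gateway-A is kept because it still answers; only a trigger level that looks at packet loss moves traffic to Gateway-B.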