104 replies to this topic

[axiom00]

geek-accountant and burix,

I am planning on going down the same path as you guys and running pfSense in a virtualize environment. Based on what I've been reading, PfSense under Xenserver is limited to 100mbps due the virtual NIC that Xenserver preseent to pfSense.

@geek-accountant: Have you noticed any issue with pFsense's LAN port cannot run at gigabit? I am assuming pfSense is handling all your routing, so does that impact your LAN speed when transferring files from one server?

@burix-With your setup of pfSense and Untangle under ESXi, are the virtual NIC's running @ 1 gigabit or is still limited to 100mbps like under Xenserver?

Thanks.

[geek-accountant]

Yes, pfSense will be limited to 100mbps under Xenserver. Since my ISP connection is only 60mbps, this is not a problem. Local network traffic does not flow through pfSense and instead flows through my switch which is a gig switch. So no, pfSense is not slowing down local traffic.

Tomorrow morning, I am tearing the whole thing down and replacing the CPU with a quad core. I know I have always said my Xenserver running the Super Router will only have the Super Router on it, but it has run so rock solid that I feel comfortable giving it a bit more juice (ie CPU) and letting it do some other light weight work like testing other non-Windows systems. This and the fact I am re-purposing my second Xenserver to be a Windows Storage Server running SQL and Sharepoint (I hope).

[generious]

geek-accountant and burix,

I am planning on going down the same path as you guys and running pfSense in a virtualize environment. Based on what I've been reading, PfSense under Xenserver is limited to 100mbps due the virtual NIC that Xenserver preseent to pfSense.

@geek-accountant: Have you noticed any issue with pFsense's LAN port cannot run at gigabit? I am assuming pfSense is handling all your routing, so does that impact your LAN speed when transferring files from one server?

@burix-With your setup of pfSense and Untangle under ESXi, are the virtual NIC's running @ 1 gigabit or is still limited to 100mbps like under Xenserver?

Thanks.

depending on which virtual nic and virtual hardware version you have have either the virtual intel/amd adapters which are 10/100/1000 adapters.
or if you go with virtual hardware version 7 you can add in a vmxnet3 adapter which supports 10GB/s ( This is a great nic under windows VMs if all systems are in the same port groups and all using vmxnet3 adapters )

So no with VMware ESXi 4.1 update 1 you are not limted to 10/100 as you are with Xen.
To add to this what you can do on top of just pfsense and untangle is put a vyatta router in the mix.

Edited by generious, 29 May 2011 - 01:04 PM.

[ikon]

depending on which virtual nic and virtual hardware version you have have either the virtual intel/amd adapters which are 10/100/1000 adapters.
or if you go with virtual hardware version 7 you can add in a vmxnet3 adapter which supports 10GB/s ( This is a great nic under windows VMs if all systems are in the same port groups and all using vmxnet3 adapters )

So no with VMware ESXi 4.1 update 1 you are not limted to 10/100 as you are with Xen.
To add to this what you can do on top of just pfsense and untangle is put a vyatta router in the mix.

OK, seriously, how many routers does 1 person need on their home LAN? j/k

[geek-accountant]

Funny, I was just thinking how much I love my router last night. My PC was downloading a large file, the youngest kid and a friend were on Xbox Live playing an online game, the oldest was watching something on Youtube and the wife was watching a Netflix movie. I was playing Black Ops on Xbox Live and never once notice any connection issues or lag in the game, and neither did anyone else. Maybe I just am bad at picking pre-made routers, but non I have had in the past could handle all that and their not be issues somewhere. O, and the router had not been re-booted in a little over 100 days when all this was going on. And all this was on the Xenserver which as noted before can only do NIC's of 10/100 when Xen tools are not loaded. Since my connection is under 100mbps, it shouldn't be a problem.

[jmwills]

The 10/100 would be internal speeds, right?

[geek-accountant]

Internal to Xenserver and to the WAN address. The local traffic all flows through my switch.

[generious]

OK, seriously, how many routers does 1 person need on their home LAN? j/k

Hehe you don't want to know
I have a ton of gear at home(then again I work from home and I need a lab to work on so work has paid for most of the stuff)

You will start off with virtual utms and routers then eventually see this little thing called vlans and jumbo frames and ACLs and trunking ect then you know all about it hehe.

[ikon]

Hehe you don't want to know
I have a ton of gear at home(then again I work from home and I need a lab to work on so work has paid for most of the stuff)

You will start off with virtual utms and routers then eventually see this little thing called vlans and jumbo frames and ACLs and trunking ect then you know all about it hehe.

LOL, I work with all of those, but not at home, at least nowhere near all of them. I have Untangle as my home UTM. I have run VMs and DCs at home, but not now. I am using jumbo frames. VLANs are at work, along with ACLs. I've adopted a more KISS philosophy for home the last few years.

[ikon]

I just ran into an odd issue with Untangle that I thought I would pass along.

I was investigating the Captive Portal feature of Untangle. We have a project at work that calls for it. The trick is that it would be using ADSL rather than cable.

When I went to test the CP feature I ran into a problem. I put the ADSL modem (Actiontec GT701D) into transpartent bridging mode and set up Untangle to do PPPoE. It wouldn't work. I tried 3 different models of ADSL modems with the same results. Finally, I hit the Untangle Wiki and, guess what, they don't recommend using Untangle for PPPoE! I was shocked. I've never heard of a router that doesn't like PPPoE. And, despite everything I tried I still haven't gotten it to successfully make a DSL connection.

Untangle recommends putting the ADSL modem into bridging mode but have it do the PPPoE stuff. That seems a bit of a contradiction to me. I thought bridging meant the modem doesn't do the PPPoE stuff - it just passes the traffic back and forth and does the modulation. Anyone have any insight to what they mean?

BTW, when used in router mode, the ADSL modem does the PPPoE perfectly. I was actually just trying to simply things by not having 2 routers in the link. I would put Untangle into bridge mode but I do need to do a port forward to a device we need to administer and AFAIK Untangle has to be in router mode to do forwarding.

[no-control]

Is it because the PPPoE you're using requires authentication? Only other reason I can see is due to the packet overhead of PPPoE. unTangle may just flat out reject it due to the overhead of the Ethernet packet in large frames. It's not the lightest program so maybe they figure with the extra needed for the PPoE it would kill their minimum specs (increase them).

Just my best guess.

[ikon]

Is it because the PPPoE you're using requires authentication? Only other reason I can see is due to the packet overhead of PPPoE. unTangle may just flat out reject it due to the overhead of the Ethernet packet in large frames. It's not the lightest program so maybe they figure with the extra needed for the PPoE it would kill their minimum specs (increase them).

Just my best guess.

Like most PPPoE, a user ID and password are required. Is that what you mean by authentication, or are you talking about something else?

I have tried the user ID and password in both the ADSL modem and Untangle: it works in the modem, not in UT.

[no-control]

Yeah that's what I meant. Sorry I can't be of more help. The above is/was my best guess!

[ikon]

Yeah that's what I meant. Sorry I can't be of more help. The above is/was my best guess!

Your contributions are always appreciated, at least by me

In the end, I set up both the modem and UT as routers. The modem couldn't do port forwarding and UT couldn't do PPPoE. Between them, it now works

[no-control]

Hurray for overhead!

[Cino]

@geek-accountant Nice setup. I've have tried this in the past but the performance drop wasn't worth it. I was using ESXi instead of Xenserver. My cable connect is 50/5. With pfSense bare-bone, i was getting 50/5. Running pfSense on ESXi, 50/5. ESXI with pfSense and unTangle running but traffic not passing thru it, 40-47/4. With pfSense to unTangle, 5-10/4(ouch). Setting up pfSense and unTangle with a cross-over cable so they had physical NICs, 30-40/4. Now I was running this on a Atom D510 with Intel NICs, so i'm thinking that is the issue; not enough horse power.. I should try this using Xenserver and see if the performance gets better. I could change the HW out, but i like 20w box :-)

[geek-accountant]

I don't think you will have much more luck with Xenserver. I was having some trouble with my untangle VM and right now am running with only pfSense. Part of the problem, I think, was the virtual NIC in Xenserver. Running pfSense alone, I am getting slightly above my 60/5 plan with an average speed of around 63-65 down. The up speed is right at 5.

As soon as I get some time, I am going to re-install Untangle and try only using physical NIC's and see if that works better. Untangle does require a bit more horsepower and can't compete with the speed of pfSense, but I am not willing to take more than a 5% haircut, and my latency needs to stay pretty low for all our online gaming.

Problem for me is, I don't know when I will have time to work on this. pfSense runs so rock solid that I never even think about it. It's not unusual for it to run 50, 60, or even 100+ days and not need a reboot. There are things I like about Untangle, but if I have to chose just one, I am sticking with pfSense, that's just my personal preference.

[ikon]

ah, c'mon already; you're making me think about pfsense again, and my UT has been running so well too

[Cino]

I love pfSense... Been using it for 3+ years now. I wish my uptime was high but i'm always updating the code on my box.. I like running bleeding edge i guess.. My other half doesn't like it but she doesn't need to be on facebook all the time...lol

My hardware is overkill for pfsense but it allows me to run many packages without issues... Once pfsense 2.0 is officially release(its just about there) I'll be putting HVAP, Squid packages back on. I usually run snort but that package is broken right now as the dev is working on a nice upgrade for 2.0.

Since my ISP doesn't have IPv6 right now, I'm able to create an IPv6 tunnel with pfsense so my clients can access IPv6 enabled sites... neat stuff..

My only issue with pfsense is its HVAP and Squid/Squid Guard packages... They work well but the reporting isn't up to par i think. pfSense itself has great real-time reporting but isn't the greatest for historical data IMHO.

[geek-accountant]

I wanted to try 2.0, but it would never even install. From the research I did, it may been an issue with AMD chips. Hopefully they will have that worked out before the official release of 2.0

ikon, if you had these setup as VM's, you could switch between pfSense and Untangle at will. Just turn one off and the other on.