still need to get around to setting a new vps to run pfsense on, use as a virtual firewall to others grody: i'm building stuff on 10.1 as we speak, and it seems to have pretty normal i/o perf for me (w/virtio) m0unds, aye.. now i enabled virtio at boot, the io is considerably better so used to 8.4, it was "as is, or not at all" to be honest, the difference was only noticeable when doing a portsnap extract and it was only barely noticeable i am loving ezjails though my last jail scenario was scary still want a small pfsense VPS and i see an ideal one for $10 grody: gotcha sorry, i babble a lot :D saddened i lost a 267 day uptime though, was my most reliable MTA/Webserver - hoping my new design will be just as got a real good route from the UK to ARP nothing wrong with losing uptime to do updates :/ mercutio, indeed.. went from 8.2 when i first got the VPS, upgraded through the years and only lost uptime because of now going 10 with a new deploy strategy, the idea is again very few outages once or twice a year (i did replace the server with temps until i get this back) so overall downtime to service has been 0 plus my script works much better with pkg, so i dont have to fubar things with portupgrade anymore being overly optimistic, i may never need to shell in again i mean, im not one for cheese, but from AAISP when i was ping monitoring my servers, when i had 100% uptime on my link, i had 100% connectivity to my ARP shame UK VPS providers cant offer anything as good :/ (unless you pay WAY over the odds) yeah arp is pretty stable. i've hit a few network outages over the years, but none of them have lasted very long. the most recent was coresite having issues.
never noticed any, even munin running on the VPS hasn't shown obvious signs of outage quite impressed with latency from UK to LA though (if that is where the VPS is) rtt min/avg/max/mdev = 174.954/178.944/181.934/1.732 ms on ipv4 & rtt min/avg/max/mdev = 165.530/168.279/177.425/3.382 ms on IPv6 uk latency can vary a bit that seems on the high side to me, but maybe you're on adsl/vdsl with interleaving or such vDSL, stock 8ms bs due to PPP considering it's to the other side of the US, i say thats pretty impressive i am loaded a little @home atm actually, so not a fair test http://imgur.com/DsVeCtH 8msec in each direction? plus transit to somewhere useful? i get 9ms to 8.8.8.8 oh that's not much interleaving then no interleaving on this line no need that is hard to read :) im < 100m from the cabinet i'm more than that from cabinet with vdsl and i get about 5 msec first hop i synch at 79.9 and 19.9 im that close wow :) they cap it at 10 megabit upload here :( and i'm only on like 36/18 well 18 is attainable yea they have two types here 40/10 default, 80/20 is usually business vdsl is a lot better than adsl though i have 80/20 plus priority in the network there was a shift from atm to ptm at the same time. hell yea which has much lower overhead. in theory vdsl3 can do 150mbit/s, but i only read a rumour, nothing solid in theory vdsl can do gigabit :/ my ISP can offer GEA via FTTC (vDSL) which loses the latency from PPPoE it's crazy how much faster wifi is getting i'm getting over 500 megabit on 802.11ac but makes routing IP blocks (esp IPv6) difficult same room, but still.. useful for site-to-site of the same cab tho yea, a/c is sickening pppoe is very low overhead. it's an 8 byte header tag. i can only manage about 97mbit/s on 2.4 ah, i have a router with minijumbo on the PPPoE i can do faster than that on 2.4 i think 1508 payload, service supports it so get full 1500 but 2.4 gets random outages here.
i have no idea what it is a lot of wifis on 2.4 here but it happened at my last house too, so i want to blame my car. 5 there is only 2 on 5 i can hit 300mbit by outage i mean short breaks in connectivity without losing sync or whatever you call it thats maxing out my fastest client but enough to be annoying if you use skype or anything are you using 802.11ac? i have an ac but only two clients using it most are an yeah my laptop does about the same speed as my tablet laptop is 433 megabit 802.11ac, laptop is 300 megabit i think they both do about 250 megabit my midrange phone does the best on N 2.4 but the cool thing is, my tablet still manages to do 100 megabit on the other side of the house can hit 70mbit even though in the same room 2.4 has dead spots in the room corners. but if the neighbours are on the wifi, 2.4 is useless it varies heaps by device though my phone can do 32 megabit fine. trying to force everything to 5 well from everything i heard about 5 ghz before using it, it was only meant to be for "short" range. my AP has been up 177 days, with my laptop on 'an' connect for 168 days but even with lower signal levels it's way more stable and consistent thats how blissful 5GHz is and i think people over-dramatised that. 2.4 has better permeation through matter cos at range you're more likely to be closer to neighbours too 5 is relatively short ranged although a/c is impressive over distance hmm they'll both do km's i thought line of sight, easily 5 ghz can do like 10km can't it? but if there are buildings or walls in the way, 5GHz fails but if there are trees it's fine? lower frequencies penetrate matter better even trees you really don't want to do 2.4 ghz through buildings though!
microwaves bounce off everything you, me, glass yeah i understand that 5 ghz bounces all over the place even 2.4 and no-one knows how to model it properly yet so it's really hard to take routers in a building and say this is what coverage is going to be like microwave ovens wreak havoc on some wifis thats why they put 4G/LTE on like 600-800MHz lte is higher than that here i think it's 900 mhz also uses 900, 1200 too lte is amazing That's what she said!! lol google maps is fast i was hitting 56/7 on 4g the other day i was awing like a kid in a candy shop pings were amazing too, 30ms That's what she said!! so the bot is triggered by.. amazing That's what she said!! yep is MTU generally the max size of a frame or packet? depends on the L2 type used ethernet, frame size ATM, cell size a packet usually has a prefixed length, carrying the header and payload.. they can vary in size depending on the medium used to transport it right. usually ethernet uses 1500 MTU, though in a gigabit network payloads of 9000 are often used add VLAN tags, you increase the payload/header use tunnels like L2TP/OVPN, to keep the standard 1500, the initial medium needs to accommodate higher MTUs like my using PPPoE, usually you have to clamp to 1492, but ISP, medium & my router supports rfc4638, which allows me to use an MTU of 1508, so my actual IP packets can be sent in 1500 payloads w/o fragmenting/mss-clamping does IPv6 change things quite a bit?
not allowing fragmenting etc IPv6 header is larger, so payload is smaller but even at 1500, it's a whole packet, just a smaller body but by the time IPv6 becomes mainstream, 1500 MTU will be like dialup 576 (poor analogy, sorry) im not an engineer, im a tinkerer, so dont take my word on it ;P nothing wrong with tinkering :-) grody: i've never done a speed test, but the "feeling" is good on it differences are unnoticeable unless you're obsessive im just happy it works grody: 1500 mtu isn't going to increase on the internet it seems :( nah not in general grody: it's night and day difference here that said, i used a different provider that had the faster hsdpa dual carrier? i'm not sure it was, but in between. but a couple of dedis at sites peer directly with one another and with a nice email, they let you increase MTU to use tunneling protocols between them lte on my provider changes pings from like 80 msec to 20msec. oh you mean the mtu difference is unnoticeable, yes. network mtus are going over 9k a little bit now so you can actually do 9k site to site over mpls etc now days. LTE here yields about 30ms, thats what i saw it at on a random test.. for on my phone in a pub as i stopped off from a meeting that was impressive considering the pub wifi was 80ms and like 6/0.3 i've never used good public wifi the best wifi i used was like 2/10 so i assume they had a symmetric connection, and people were using the down more. HSPA+ (DC) i yield about 17/2 and 90ms it was about 50 msec for me grody. with a usb stick. the only good network in the UK for data is H3G i used my provider in a different city, and it was on hspa+ though i seemed to get much worse battery life in that other city. does hspa+ use a lot of battery? i don't get 4g at home here, but there's a bit of coverage.
and wifi is fast at home :) EE and voda have a superior 4G network, but 3 have the best data service overall (and their 4G (where available) is highly impressive, better than EE and Vodafone) lte has been here only a year or less i think but all the providers seemed to hop on at once. it's also the only UK network that allows RAW IP all the others limit to TCP/UDP/ICMP oh so 6in4 tunnels are possible, also GRE and what not sweet., i only care that google maps is fast :) haha well i mean i care a little bit i prefer rawness barebones or not at all i pay stupid amounts for internet @home and out and about just so i can do all the crazy nerdy stuff when i want to be a crazy nerd why i ♥ ARP, it's what i love, but over the pond i think they should get some servers out in EU :D sounds nice hint hint, nudge nudge, digestive digestive what are some applications of using RAW IP? i think practically speaking east coast is easier than EU mnathani_: he was just saying... GRE... mnathani_, simply 6in4 mainly ok GRE, GIF, IPIP. where native IPv6 isnt available, tunnel it over IPv4 you can cat /etc/protocols the other way is using L2TP which is UDP l2tp is huge overhead. well l2tp v2 l2tpv3 is being slow to take off i dunno it's used by some ISPs here it'll come mpls is getting very popular.
i've used it, but w/o the hardware to utilize it properly, it was needless for me http://grody.me.uk/blog/tech/openwrt/mpra1 dont mean to spam but thats an example of RAW IP on 3G networks I didnt see a picture of the device I see what you mean about the RAW IP now on the openwrt site there are a variety of these even seen some with 8MB flash and 64MB RAM, so would be even more useful with having a /48 allocated by ARP too, and eventually get a pfsense running on here in front of my current, i could use some IPv6 off here just to impress ideally i want all my pfsense box to be in links, and be able to utilize IP addresses more efficiently ie: my box @home flaps, openwrt detects this, uses next available tunnel you can use ip addresses better as /32s than /29s etc. ipv4 utilisation is a pita it is im trying to minimize IPv4 usage and even trying 6to4 i wouldn't be surprised if arp shifts to /31s soon. im not doing well.... 6to4 can be highly useful i just hope they don't up prices for small blocks :D its ideal having a few for when you run https sites and the prices of those licences that handle multiple domains off one IP are just shocking certificates* im confused... what d'ya mean? brycec: is it a fork? mercutio: yes is it based on openbsd? and what's wrong with pfSense? freebsd admn it's m0n0wall derived pfsense works great i found pfsense not too bad mercutio: No, alas. But maybe someday (though it's headed by a couple of DragonFly BSD devs, so...) i really hate openwrt i use it @home and in a DC for small blade I love pfSense, and use it everywhere. it pains me greatly. mercutio, it is annoying what pains me even more is i really can't find any good alternatives. i only use it for the minijumbos on PPPoE else it's a dumb router into pfsense i'm using it for wireless bridging so yeah it's a dumb wireless bridge But I'm not a fan of where the project leadership is slowly creeping, not to mention one of them I find personally repulsive.
i use ddwrt for wifi and a ubi i was using gargoyle but it doesn't seem to work well on archer c7 :( i didn't realise how much nicer gargoyle was than openwrt :) https://wiki.opnsense.org/index.php/OPNsense:So_why_did_we_fork%3F is worth a read i kind of took it for granted. brycec: did you see openbsd are adding network smp support? not something i've heard of... mercutio: I did, yes. so yeah that's the main advantage of freebsd over openbsd for firewalls... brycec, interesting.. I'm not preaching opnsense yet or anything, I'm not even using it (only tinkering with). But I want to spread the word how many speedtest.net sites do you guys have in your cities? (I definitely /want/ to use it, just haven't had the time) it seems there are /six/ here indeed, not im curious and want to tinker especially if the captive portal element works f**king hate pfSenses method and that doesn't count the ookla ones not on speedtest.net and i cant say that any more politely, sorry mercutio: I have 1 speedtest.net location in my metro area. there used to be like 3 there's like two circles for my city on top of each other one of them has 1 speed test, the other has 5.. so i assume there's a limit of 5. and other regions don't seem to have more than 5 You may be right, or it may just be geography with the second circle being listed in a suburb of the other oh los angeles has the same thing with 5+1 And Miami I've been looking around the US, can't find anywhere with more than 5 on 1 dot brycec: where is pfSense leadership creeping? and the second one is glovine which is the same thing that's on auckland yeah los angeles has 5.. JC_Denton: locking it down and closing it off. Not in a "closed source" kind of way, but licensing-wise. who the hell are glovine is miami's 6th golvine? ah well, they want to make money it's tough for small FOSS projects to do that It would be nice to see code cleanup/improvement oh miami only has 5?
code cleanup is always nice, but tends to get deprioritised until necessary as backwards as pfsense can be, i much prefer them to junipers I've felt that development on pfSense has languished for awhile. Bug fixes seem to take forever to be committed when it's a simple two-line fix. Oh and when they pulled the build tools, ooooh that pissed off a lot of people. fair that a new dual core w/ 8GB RAM wasn't a fair compromise for an IDP-10, but still it was cheaper why dual core? its development side has slopped it was an OpenVPN server it seems you may as well go quad core these days meh well i suppose i3's are cheap and take ecc and otherwise you have to jump to e3 im deferring to an arm project atm i just got an amd cpu, .. it's really fast at aes, faster than my i7 but most things are really slow on it a small array of pogo EO2's, load-balanced by a pfsense :P ~50 microsecond network latency at least. the joys of realtek not supporting coalescing on linux my @home pfsense is a VIA Nehemiah with ancient Padlock aes-ni yeww i try to avoid rtl got intel and via's in the @home i have an intel card i can stick in it intel ct poor little thing can handle about 300mbit/s before it starts throwing a paddy but it doesn't have enough pci-e slots to stick a multiport card in cripes, this thing is ancient i could get > 100 megabit out of a pentium 75 i'm surprised you're struggling with 300 megabit 800Mhz to handle an 80/20 WAN, plus a couple of wifi's and some tunnels That's what she said!! haha via's memory bandwidth really sucks doesn't it enable coalescing on transmit it copes for the most part have high transmit queue size. and do moderate coalescing on receive it does IO up on net io well actually if you have 80/20 net even with the intels onboards helping then 300 megabit is fine. the new intel g cpus are pretty amazing btw if you want something cheap also j1900 are really cheap too wan, two wifi's, VLANs (with an IGMP proxy) and goodness knows what else and fanless.
OpenVPN too are you using wifi cards on it? it never gets hotter than 50C my i7 keeps hitting 80c :( nah, separate wifi AP in domain with VLANs for each VAP that gets fun routing between when using internet thats when it starts loading layer3 switch :) have made some rules stateless, pure routed yea, i do need one but yeah j1900 or g series cpu are pretty cheap but even routing it puts a load up g doesn't do aes though but it'll still do aes really fast anyway :/ yeah you can fiddle with coalescing it can make quite a significant cpu difference i probably could route between the wifis on the actual AP the newer intel cards are better than the old ones too. but i prefer the filtering offered by pfsense yea they are it's a em though i imagine? original dual port was hell maxing out the WAN this new one seems to only take 20% CPU saturating WAN fxp you can adjust em's with sysctl dev.e.m.0 say what?! stick a gigabit card in it :) err, original fxp, new is em hah oh it has a single PCI port yeah em's are the older ones. it's proper old skewl pci-e? x4? Neoware CA10 bah just stick j1900 in instead :/ it says running power use of 28 to 35 watts compared to a PC... yeah j1900s are good http://www.techspot.com/review/806-amd-kabini-vs-intel-bay-trail-d/page8.html i am actually impressed by this thing intel pro 100 dual port in it atm plus the onboard via, which isn't as bad as many make out heh i had a via c3? or something years ago, it had via rhine it happily hits 160mbits (duplexing) whilst crapping the cpu out it sort of worked. i used to have an IDT Winchip Centaur Hauls technically speaking, if a device is downloading at 60mbit and is then passing out of another interface, that is twice the original speed no?
sort of or do i need to lay off the ale and step away from the keyboard you don't have to do a memory copy so it's lower overhead like you read the packet into memory from one network interface then you can just give it a pointer to that memory on the other one ok i dont want to think about the 'real' bandwidth this sweet old beast does or if it does have to do a copy for some reason, it'll at least already be in cache with no context switches i bet a lot of the load is from interrupts. interrupts are a bitch newer stuff improved interrupt performance a lot apparently in pfsense, nics that do polling perform better you should be able to do 30k+ interrupts per cpu on modern gear. but never been able to test per second coalescing is as good as polling usually i doubt this thing could handle that polling really helped with stuff that didn't support coalescing but you can disable interrupts on some devices and just read the data regularly but coalescing means it can wake up after 30 micro seconds or such and give you all of the packets. it also means that on intelligent nics it can have priority packets. that wake it up earlier. sounds more like a pitfa well it's automatic. there's also this thing called netmap where people are trying to get even faster speeds http://info.iet.unipi.it/~luigi/netmap/ and there's intel ddo on linux that's freebsd. and here is me with trunking 100mbit hubs because im too lazy to get gbit heh intel nuc's may be more plug and play :) and quiet/small/low power well, i only do it from the fileserver since it resides on two networks if it's a question of not wanting to put too much effort in STP is stupid fun stp is a waste of time in home networks. nah, routers/switches all do it, it works now it was done right to a degree my switch still has it enabled heh it knows when one port is saturated..
but only when it is literally savaged to hell all my switches do full speed port to port but some are crapper than others i had problems with using wireless routers as switches and wanting to do jumbo frames. tp-link stuff.. cheap, but use atheros, and atheros stuff is usually pretty good the switch chips they use do jumbo frames :/ yeah i use tp-link stuff :/ brycec | But I'm not a fan of where the project leadership is slowly creeping, not to mention one of them I find personally repulsive. i wonder if it's the same dude i'm thinking of haha they use that 8327N switch chip thing that does hardware nat lol m0unds and that no-one seems to know how to program properly yet im guilty for that y'know if i can pass over 500 megabit with my wireless router on it, and it has a slower than 800 mhz cpu that must mean that via is slower than the cheap wireless routers. thats why i never release my code, it's shameful i find openwrt is shyte for wifi vs. ddwrt on the same hardware but openwrt is more featureful i had to copy a firmware image scp firmware-3.bin_10.2.2.39.6-1 root@192.168.1.247:/lib/firmware/ath10k/QCA988X/hw2.0/firmware-3.bin openwrt is sofa king easy to make then it was fine. i tinker so much for my devices with it yeah i was going to build my own image there's meant to be some transmit batching for atheros these little hame clones im playing with for example and i want to see if i can raise the speed :/ not cos i need to but default tp-link firmware does 600 megabit/sec+ using a custom build i can make it a full ipv6 router, or a media server with usb storage support, or even a wireless webcam server with the usb storage method, can use a usb pendrive for storage to make it a micro-oc pc* yea the default firmware on the now ddwrt did perform better but it lacked IPv6 and VLANs it's weird, in dd the first wifi (when i force HT40) says 300mbit..
but every VAP shows as 144.44mbit but yet will accept HT40 clients at (upto) 300mbit always confused me that i want a vi that doesn't suck but vim is kind of huge like now, a VAP at 144.44 has a STA at 150 down and 75 up that's for clients to it? i'll let you into a secret... i've been using linux since 1998, freebsd since 1999... i've only recently started learning vi(m) to the 144.44 VAP i been using linux since about then too and i started with joe but switched to vim in like 99 joe, pico, nano, edit (edit is freebsd builtin) i started with pine for email too pine, then mutt so that used pico yeah i went to mutt too :) i still use mutt. mutt is good i still have it too in '99 i screwed up my fetchmail and sent a whole lot of mail to root@ im still an mc whore too oh it was bounces. best fm ever never liked fetchmail neither, i ran my own mail server with dynamic dns :) then i got a server in 2001 i think always and still do think it's a twot pentium pro running openbsd. i had a freebsd 4.11 server for years, even when 6 was RELEASE with screen/mutt it never failed me until i went to update gallery2 it broke everything i didn't even have lights out. see i never used screen it never gave me lots of issues. i always suspend (ctrl+z), bg, do my thang, fg but as spam started piling up, i found that i started getting more into swap spamassassin etc is a memory hog and 64mb of ram only lasts so long ... secret, mail to mta, dumb station with a decent client with spam filters and what not, do all the trickery on that client (forwarding and all) always found that easier than adding it all into the server nah it's nicer on the server then you can just remote in use SPF, DNSBL etc in the MTA, but apply little on what is received.. if the client filtering (offsite) sees it good, resends it to a preferred email address which comes to a designated address with clean SPF and DKIM sounds complicated.
i just amavis/spamassassin works well enough and i use the same host for email and irc the amount of spam and the rate limiting that google applies, it's what i've found worked with the same tmux session so i can easily see if various mail boxes get mail. i really hate google's spam filtering. it marks things as spam when they're not way too much. bloody annoying. i hate spam filters more than spam :) nothing worse than having to check spam folder regularly "just in case" i would ask for my money back i only use gmail for supermarkets etc that want to send me annoying html mails with specials that i may or may not feel like reading but that's the kind of thing that can end up in spam folder. and there doesn't seem to be a setting to say "be lenient": working with googles spam filters, i ensure i receive all the spam i intend for testing and applying/creating my own filters as soon as SPF/DKIM is all sound, Google will allow wtfever http://joe.siegler.net/2013/03/turning-off-spam-checking-in-gmail/ oh you can disable may work for what you receive but not for what their MTA's accept yeah gmail doesn't accept my mail sometimes i bounce normal mail to them they rate limit IP's that send bulk emails and sometimes i have to bounce twice. or appear to send bulk emails maybe it's grey listing. i should get on with things anyway nice chat :) they post a response, it's to limit unsolicited mail to protect users im supposed to be rebuilding my server :P i got as far as postfix, dovecot and LAMP well, FAMP heh try nginx :) meh i like it but it doesn't i i seem to have apache where i want it brycec: do you remember what the weechat config var is for setting the character inserted when a user speaks multiple times? Remember? No, but I can dig it up real quick... weechat.look.prefix_same_nick = "⤷" (default: "") m0unds: ^ thanks! wb