pfSense bugtracker: Issues https://redmine.pfsense.org/ 2021-02-18T00:10:31Z
pfSense - Feature #11438 (New): Allow multiple cryptographic accelerator modules to be loaded at ... https://redmine.pfsense.org/issues/11438 2021-02-18T00:10:31Z Grzegorz Krzystek
<p>Not every service is able to utilise QAT.<br />So it seems reasonable not to unload AES-NI and bsdcrypto while QAT is enabled, so non-QAT-enabled services can still offload some crypto operations to the AES-NI CPU.<br />Otherwise we have a performance penalty on OpenVPN.</p>
pfSense Plus - Regression #11436 (Resolved): State matching problem with responses to packets arri... https://redmine.pfsense.org/issues/11436 2021-02-17T16:28:50Z Grzegorz Krzystek
<p>I have a quite specific multi-WAN setup:<br />WAN (symmetric PPPoE): port forward for SSH to LAN (rpi)<br />WAN2 (symmetric commercial link over VLAN): a lot of port forwards to DMZ_LAN</p>
<p>LAN has classical failover to "prefer PPPOE link over WAN2"<br />DMZ_LAN has all outgoing traffic set to go via "WAN2_GATEWAY"</p>
<p>The default gateway for pfSense is set to "prefer PPPOE link over WAN2"</p>
<p>Now the problem is that after the update to 21.02 all port forwards on the WAN2 interface stopped working.<br />The only way to make them work is to switch the pfSense default gateway to WAN2, but then port forwards stop working on WAN...</p>
pfSense - Bug #9242 (Resolved): MBT-4220/2220 not recognized by pfsense correctly after UEFI upgr... https://redmine.pfsense.org/issues/9242 2019-01-01T15:13:47Z Grzegorz Krzystek
<p>In the BIOS released by Intel there was a system identifier change.<br />The pfSense installer expects<br />Product Name: Minnowboard Turbot D0 PLATFORM</p>
<p>while after UEFI 1.00 it reports:<br />Product Name: Minnowboard Turbot D0/D1 PLATFORM</p>
<p>That causes the HDMI fix not to be applied automagically during installation.<br />/usr/libexec/bsdinstall/config needs to be fixed.</p>
<p>To make the GUI present the device correctly I changed:</p>
<p>--- system.inc.old 2019-01-01 20:51:06.241829000 <ins>0000<br /></ins>++ system.inc 2019-01-01 20:50:10.898565000 <ins>0000<br /><code>@ -2550,6 +2550,7 </code>@<br /> return (array('name' => 'SG-5100', 'descr' => 'Netgate SG-5100'));<br /> break;<br /> case 'Minnowboard Turbot D0 PLATFORM':<br /></ins> case 'Minnowboard Turbot D0/D1 PLATFORM':<br /> $result = array();<br /> $result['name'] = 'Turbot Dual-E';<br /> /* Detect specific model */</p>
pfSense - Bug #8055 (Closed): pfSense GUI accessible over tun interface address from remote network https://redmine.pfsense.org/issues/8055 2017-11-05T02:40:23Z Grzegorz Krzystek
<p>Configuration:<br />site A pfSense:<br />lan: 10.76.175.0/24<br />OpenVPN_TUN: 172.28.10.1/30 (OpenVPN routing 192.168.1.2/32)</p>
<p>site B:<br />lan 192.168.1.0/24 <br />OpenVPN_TUN: 172.28.10.2/30 (openvpn routing 10.76.175.2/32)</p>
<p>Site A firewall rules:<br />accept from 192.168.1.2 to 10.76.175.2<br />drop from any to any</p>
<p>all hosts on 192.168.1.0/24 are able to reach 172.28.10.1</p>
<p>The firewall is blocking, as expected, connections from 172.28.10.2 -> 172.28.10.1<br />but doesn't catch 192.168.1.0/24 -> 172.28.10.1 (no log for these packets in the firewall log, even with pass-packet logging enabled)</p>
pfSense - Bug #8006 (Duplicate): 2.4.1 PPPoE client on vlan fails to initialise https://redmine.pfsense.org/issues/8006 2017-10-25T00:56:13Z Grzegorz Krzystek
<p>After the upgrade to 2.4.1 I lost internet connectivity.<br />It looks like something broke after the VLAN naming change.<br />Everything looks fine, no errors in the logs at all; I only found an error in dmesg:<br />ng_ether_attach: can't name node igb1_640</p>
<p>That error doesn't exist in 2.4.0</p>
pfSense - Bug #7810 (Resolved): openssl/openvpn need to have loaded both AESNI and cryptodev to ... https://redmine.pfsense.org/issues/7810 2017-08-24T13:02:27Z Grzegorz Krzystek
<p>[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: kldunload cryptodev<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: kldunload aesni<br />Test with no accell<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: openssl speed -evp aes-256-cbc<br />Doing aes-256-cbc for 3s on 16 size blocks: 28667689 aes-256-cbc's in 3.00s<br />Doing aes-256-cbc for 3s on 64 size blocks: 10861051 aes-256-cbc's in 2.99s<br />Doing aes-256-cbc for 3s on 256 size blocks: 3253311 aes-256-cbc's in 2.98s<br />Doing aes-256-cbc for 3s on 1024 size blocks: 857208 aes-256-cbc's in 2.98s<br />Doing aes-256-cbc for 3s on 8192 size blocks: 108972 aes-256-cbc's in 3.00s<br />OpenSSL 1.0.2k-freebsd 26 Jan 2017<br />built on: date not available<br />options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)<br />compiler: clang<br />The 'numbers' are in 1000s of bytes per second processed.<br />type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes<br />aes-256-cbc 152894.34k 232307.39k 279069.36k 294125.57k 297566.21k</p>
<p>#cryptodev only<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: kldload cryptodev<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: openssl speed -evp aes-256-cbc<br />Doing aes-256-cbc for 3s on 16 size blocks: 29882712 aes-256-cbc's in 3.03s<br />Doing aes-256-cbc for 3s on 64 size blocks: 10840409 aes-256-cbc's in 2.98s<br />Doing aes-256-cbc for 3s on 256 size blocks: 3260969 aes-256-cbc's in 2.99s<br />Doing aes-256-cbc for 3s on 1024 size blocks: 857748 aes-256-cbc's in 2.99s<br />Doing aes-256-cbc for 3s on 8192 size blocks: 112529 aes-256-cbc's in 3.09s<br />OpenSSL 1.0.2k-freebsd 26 Jan 2017<br />built on: date not available<br />options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)<br />compiler: clang<br />The 'numbers' are in 1000s of bytes per second processed.<br />type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes<br />aes-256-cbc 157731.43k 232472.85k 278995.91k 293542.42k 298722.05k</p>
<p>#aesni , no cryptodev<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: kldunload cryptodev<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: kldload aesni<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: openssl speed -evp aes-256-cbc<br />Doing aes-256-cbc for 3s on 16 size blocks: 29881110 aes-256-cbc's in 3.05s<br />Doing aes-256-cbc for 3s on 64 size blocks: 11598720 aes-256-cbc's in 3.19s<br />Doing aes-256-cbc for 3s on 256 size blocks: 3341075 aes-256-cbc's in 3.05s<br />Doing aes-256-cbc for 3s on 1024 size blocks: 862423 aes-256-cbc's in 3.00s<br />Doing aes-256-cbc for 3s on 8192 size blocks: 111657 aes-256-cbc's in 3.06s<br />OpenSSL 1.0.2k-freebsd 26 Jan 2017<br />built on: date not available<br />options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)<br />compiler: clang<br />The 'numbers' are in 1000s of bytes per second processed.<br />type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes<br />aes-256-cbc 156914.14k 232884.10k 280000.88k 294373.72k 298675.64k</p>
<p>#cryptodev and aesni<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: kldload cryptodev<br />[2.4.0-RC][<a class="email" href="mailto:root@castor.ninex.info">root@castor.ninex.info</a>]/boot/kernel: openssl speed -evp aes-256-cbc<br />Doing aes-256-cbc for 3s on 16 size blocks: 875922 aes-256-cbc's in 0.36s<br />Doing aes-256-cbc for 3s on 64 size blocks: 853675 aes-256-cbc's in 0.29s<br />Doing aes-256-cbc for 3s on 256 size blocks: 690695 aes-256-cbc's in 0.25s<br />Doing aes-256-cbc for 3s on 1024 size blocks: 379340 aes-256-cbc's in 0.13s<br />Doing aes-256-cbc for 3s on 8192 size blocks: 73444 aes-256-cbc's in 0.06s<br />OpenSSL 1.0.2k-freebsd 26 Jan 2017<br />built on: date not available<br />options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)<br />compiler: clang<br />The 'numbers' are in 1000s of bytes per second processed.<br />type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes<br />aes-256-cbc 38997.57k 189008.26k 707271.68k 3107553.28k 9626451.97k</p>
<p>IMHO we should keep both loaded to accelerate OpenSSL and OpenVPN.<br />IPsec accelerates without cryptodev.</p>
pfSense - Bug #7777 (Duplicate): IPsec P2 - Tunnel IPv4 edition form changes remote network mask ... https://redmine.pfsense.org/issues/7777 2017-08-16T04:46:24Z Grzegorz Krzystek
<p>Each time I modify P2 settings (Tunnel IPv4), the remote network mask is changed back to /32.<br />So each time the user changes any setting, they need to keep in mind to change it from /32 to the desired value.</p>