Chuck Swiger | 1 Oct 15:03 2006

Re: Scalability of a pppoe server.

Catalin Ioan CURCANU wrote:
[ ... ]
> If someone has real experience with pppoe in a production environment
> please give me some advice about:
> 
> 1. How scalable is a pppoe server with 3000 users and how much in hardware
> resources it eats in general. (CPU+physical memory)

I can recall people setting up mpd for PPPoE and handling 500-1000 users on 
moderate (1GHz P3 + 1GB RAM) hardware.  I'm not sure whether the program has a 
limit at 1024 due to the select() call, but perhaps others can give you 
insight about running ~3000 users.

> 2. All data from connected LANs would be transported to the pppoe server 
> through VLANs. What would be the possibility of anyone from a connected location
> doing a man in the middle attack and gathering passwords from its local area
> network using arp poisoning? If that's possible, are there any methods that
> eliminate the effects of such an attack?

The simple answer is that it depends upon your switches and setting up 
individual ports for specific VLANs properly, but in general, you should not 
rely on VLAN switches to provide complete and reliable separation of traffic.

   http://www.sans.org/resources/idfaq/vlan.php

-- 
-Chuck
_______________________________________________
freebsd-isp <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp

Dominic Blais | 5 Oct 16:02 2006

Linksys BEFSR41 v4.0 cause big troubles with ppp(oe)


Hi!

For some time now, we have noticed that one of our pppoe servers running FreeBSD
has multiple tun interfaces stuck with a never-stopping ppp process. The
logs clearly show the user is logging on with a new session with the same
router... We ensured it's not a script kiddie trying to suck some IP
addresses.

Then we tried to figure out what the link between these users is and we found
it was their router. In fact, the Linksys BEFSR41 ver. 4 (maybe others
too) makes the ppp process kind of freeze and lock a tun interface with its
IP address until you kill the ppp process. Our ppp.conf file sets a max of
1472 for the mtu. Fortunately, we can find these locked interfaces by
their MTU which is at 1500 and abnormal for our tun interfaces.

For the moment we can only monitor it and tell our clients not to use this
kind of router but we think FreeBSD's ppp should manage this threat and
release the precious and limited resource (IP addresses).

Note that this problem can take some hours to show...  To reproduce it,
take a BEFSR41 router from Linksys, connect it to your FreeBSD server with
pppoed and wait 12 hours. It can happen anytime from 5 seconds to 12
hours... but in 12 hours, it really should happen ;)

Has anybody noticed this problem? We experienced it on release 5.x and 6.x.

-- 
Dominic Blais
Network Administrator
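
Added example (not part of the original post): a monitoring check for the symptom described above, listing tun interfaces that a process still holds open but whose MTU is not the 1472 set in ppp.conf. The function names and the sample `ifconfig` text are constructed for illustration, and the check assumes `ifconfig` prints an "Opened by PID" line for an open tun device.

```shell
#!/bin/sh
# Added example, not the poster's tooling.
EXPECTED_MTU=1472   # from the post: ppp.conf caps the MTU at 1472

# Reads `ifconfig -a` style text on stdin and prints "iface mtu pid" for every
# tun interface that is held open by a process and has an unexpected MTU.
# Idle tun devices (no "Opened by PID" line) are skipped, since nothing holds
# them or an address.
find_stuck_tun() {
    awk -v want="$EXPECTED_MTU" '
        function report() {
            if (ifc != "" && pid != "" && mtu != want) print ifc, mtu, pid
        }
        /^[a-z]+[0-9]+:/ {              # header line starts a new interface block
            report()
            ifc = ""; mtu = ""; pid = ""
            name = $1; sub(/:$/, "", name)
            if (name ~ /^tun[0-9]+$/) {
                ifc = name
                for (i = 2; i < NF; i++) if ($i == "mtu") mtu = $(i + 1)
            }
            next
        }
        ifc != "" && /Opened by PID/ { pid = $NF }
        END { report() }
    '
}

# Constructed sample output (addresses and PIDs are made up).
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1472
    inet 10.0.0.1 --> 10.0.0.10 netmask 0xffffffff
    Opened by PID 4101
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 10.0.0.1 --> 10.0.0.11 netmask 0xffffffff
    Opened by PID 4217
tun2: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
EOF
}

sample_ifconfig | find_stuck_tun
```

On a live server the same function takes `ifconfig -a | find_stuck_tun`; the third column is the ppp process to inspect before killing it.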

Tyrone | 6 Oct 11:46 2006

Dummynet,VLAN and CARP broken??

Hi

Running FreeBSD6.1-RC
Kernel compiled with the following 

options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_FORWARD      #enable transparent proxy
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by
options         IPDIVERT                #divert sockets
options         DUMMYNET
options         BRIDGE
options         HZ=1000
options         FAST_IPSEC
options         TCP_SIGNATURE
device          crypto
device          cryptodev
device          carp

Problem is with the CARP addresses staying in the "master" "master"
position when I have dummynet stripping bandwidth on that vlan. I take
the dummynet config away then the carp interfaces go to "master" and
"backup" as required.

My dummynet configs look like this

ipfw pipe 100 config bw 10500Kbit/s #setup shaping pipes 10Mbit
ipfw queue 1 config pipe 100 weight 100
ipfw queue 2 config pipe 100 weight 100

Tyrone | 6 Oct 12:37 2006

RE: Dummynet,VLAN and CARP broken??

I found out that you still need to let carp packets through even though
all you're doing is traffic shaping 

So ipfw add 1 allow carp from any to any 

Did the trick for me 

Regards

tyrone

-----Original Message-----
From: owner-freebsd-isp <at> freebsd.org
[mailto:owner-freebsd-isp <at> freebsd.org] On Behalf Of
Tyrone <at> TelecityRedbus.se
Sent: den 6 oktober 2006 11:46
To: freebsd-ipfw <at> freebsd.org; freebsd-isp <at> freebsd.org
Subject: Dummynet,VLAN and CARP broken??

Hi

Running FreeBSD6.1-RC
Kernel compiled with the following 

options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_FORWARD      #enable transparent proxy
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by
options         IPDIVERT                #divert sockets

up | 6 Oct 17:01 2006

Onboard or low profile RAID recommendations


Hi:

I am starting the process of replacing an older 2RU server that uses an
Intel ServerBoard and Adaptec 2110S low profile SCSI RAID card.  This
thing is several years old and much has changed since I last built one
(using 2200S).

Does FreeBSD now support any of the Intel ServerBoard on-board SCSI RAID
systems, or is it still advisable to go with a separate card?  If
separate, what's a good, current (preferably Adaptec) low-profile SCSI
RAID card that FreeBSD 6.x has suitable drivers for?

Please reply directly, as I am not subscribed.

Thanks!

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up <at> 3.am							    http://3.am
=========================================================================


up | 9 Oct 17:12 2006

LSI SAS adapter


Can anyone verify that the LSI0100 PCI-X SAS RAID card will work with
6.X-STABLE?  The mfi driver says it supports LSI SAS MegaRAID, but this
isn't in the MegaRAID family (only does RAID 0 and 1, and I only need 1).

All experiences appreciated...please reply directly as I am not
subscribed.

Thanks!

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up <at> 3.am							    http://3.am
=========================================================================

_______________________________________________
freebsd-hardware <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hardware
To unsubscribe, send any mail to "freebsd-hardware-unsubscribe <at> freebsd.org"

up | 9 Oct 22:02 2006

Re: LSI SAS adapter

On Mon, 9 Oct 2006 up <at> 3.am wrote:
>
> Can anyone verify that the LSI0100 PCI-X SAS RAID card will work with
> 6.X-STABLE?  The mfi driver says it supports LSI SAS MegaRAID, but this
> isn't in the MegaRAID family (only does RAID 0 and 1, and I only need 1).
>
> All experiences appreciated...please reply directly as I am not
> subscribed.
>
> Thanks!

Oops, correction on the model number...the card itself is SAS3442X-R, the
part number above is for the kit.

TIA,

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up <at> 3.am							    http://3.am
=========================================================================


Arie Kachler | 10 Oct 22:05 2006

traffic graphing/monitoring

Hello,

We are looking for software that will graph and save history for all 
traffic flows that go through our network.
Basically we are replacing a couple of Packeteer devices because they 
are no longer supported and we don't want to spend the huge amount of 
money they are asking for all new equipment.
I know Packeteer is mostly for bandwidth management, but we already have 
that part covered.
What we do not have a solution for yet, and Packeteer does, is the 
graphing/monitoring of all traffic going through it.
We don't want to install a piece of software on each server in our 
network that would get polled by SNMP. We know solutions for this type 
of setup exist (cacti, mrtg, etc). We want to sniff all traffic coming 
in and out and graph it over time by IP address.
Does such software exist?

Any help will be greatly appreciated.

Arie Kachler


Ben Plimpton | 10 Oct 22:16 2006

Re: traffic graphing/monitoring

You could look at ntop if you're running devices that can do NetFlow. 

Ben

On Tue, 2006-10-10 at 16:05 -0400, Arie Kachler wrote:
> Hello,
> 
> We are looking for software that will graph and save history for all 
> traffic flows that go through our network.
> Basically we are replacing a couple of Packeteer devices because they 
> are no longer supported and we don't want to spend the huge amount of 
> money they are asking for all new equipment.
> I know Packeteer is mostly for bandwidth management, but we already have 
> that part covered.
> What we do not have a solution for yet, and Packeteer does, is the 
> graphing/monitoring of all traffic going through it.
> We don't want to install a piece of software on each server in our 
> network that would get polled by SNMP. We know solutions for this type 
> of setup exist (cacti, mrtg, etc). We want to sniff all traffic coming 
> in and out and graph it over time by IP address.
> Does such software exist?
> 
> Any help will be greatly appreciated.
> 
> Arie Kachler
> 
> 

Administrator Notes | 9 Oct 08:18 2006

SMSDOM detected a violation in a document you authored.

Please contact CS Department

The scanned document was deleted.

Violation Information:
The body violated the content filtering rule Block Virus generated mails.


