PFSense

How do you know your config was "pristine"?

I work with Cisco products every day, and have for over a decade. I'm very familiar with IOS.

They had connectivity problems and some sites were slow to come up. Yes, latency was part of it. The router had various overflows and buffer related issues during high usage. This was a while ago so I didn't exactly save the error messages nor remember my CPU usage. I did some tweaking with the buffers, one-minute and incomplete parameters which helped, but it was just easier to put in a real firewall. It also helped to offload the VPN.

Eight years ago I used a 2610 for a home "firewall + VPN" and it was painful. I also had 4 offices use a 2610 in the same way, each with an Internet T1. A Sonicwall SOHO2 at that time was noticeably snappier. But the 2610 only had a 40Mhz CPU and 10Mb/half ethernet IIRC. It's not the stated PPS that slows it down, it's something else. My guess is CPU. (And these had the AIM-VPN/BP)

I'm not sure why you don't agree with me about this. It's a router, not a firewall. Sure there is overlap, and probably not noticeable on most broadband connections. I imagine you would agree that it would be silly to replace an ASA5580 with a 7204VXR as the corporate firewall, to use an extreme example.

Now ask yourself why.
 
Unfortunately I can't really throw anything knowledge-wise into this argument (Cisco vs PFsense) other than the fact that if PFsense (or smoothwall, m0n0wall, etc...) were as good as Cisco or Juniper, then you'd see them in massive networks. I've been working in the research & education networking community for a year now and on not one of the 13 networks I've worked on have I ever seen a PFsense box or the like used. It's always Cisco, Juniper, etc...

I've been at 2x specialized ISPs that have used PFSense for their setups, including managed WAN bandwidth.

Traveling around many networks doing SMB work...opensource setups are actually getting quite common. I've found I'm not the only one out there using Untangle or Endian and other distros.

What separates the professionals from the home-grade experimental setups is that professional setups using something such as PFSense are running it on full business-grade hardware.
 
I work with Cisco products every day, and have for over a decade. I'm very familiar with IOS.

They had connectivity problems and some sites were slow to come up. Yes, latency was part of it. The router had various overflows and buffer related issues during high usage. This was a while ago so I didn't exactly save the error messages nor remember my CPU usage. I did some tweaking with the buffers, one-minute and incomplete parameters which helped, but it was just easier to put in a real firewall. It also helped to offload the VPN.

Eight years ago I used a 2610 for a home "firewall + VPN" and it was painful. I also had 4 offices use a 2610 in the same way, each with an Internet T1. A Sonicwall SOHO2 at that time was noticeably snappier. But the 2610 only had a 40Mhz CPU and 10Mb/half ethernet IIRC. It's not the stated PPS that slows it down, it's something else. My guess is CPU. (And these had the AIM-VPN/BP)

I'm not sure why you don't agree with me about this. It's a router, not a firewall. Sure there is overlap, and probably not noticeable on most broadband connections. I imagine you would agree that it would be silly to replace an ASA5580 with a 7204VXR as the corporate firewall, to use an extreme example.

Now ask yourself why.

I'm not sure how this turned into router vs firewall. I'm comparing a device designed for routing/firewalling to a computer running software. I'm also not talking about 2600s or ASAs or any of that. I'm saying my 1811 was more than enough for my needs (which I think are far beyond those of most people) and I can't see how you overloaded an 1841 at home.

I actually wouldn't mind putting this stuff to the test, I still have my 1811 and I can configure it however you had yours, I can also order another NIC and put it on the Dell GX620 I was using for ESX (before buying my current ESX server). Just tell me what you were doing with your stuff and I'll try to replicate it with my stuff.

I'm not calling you a liar, but I just don't see how you were overloading an 1841, or how PFSense would outperform one.
 
I've been at 2x specialized ISPs that have used PFSense for their setups, including managed WAN bandwidth.

Traveling around many networks doing SMB work...opensource setups are actually getting quite common. I've found I'm not the only one out there using Untangle or Endian and other distros.

What separates the professionals from the home-grade experimental setups is that professional setups using something such as PFSense are running it on full business-grade hardware.

What are "specialized ISPs"? I've worked for two ISPs, one small and one very large. Neither of them used PFSense or anything similar in production.
 
What are "specialized ISPs"? I've worked for two ISPs, one small and one very large. Neither of them used PFSense or anything similar in production.

I didn't try to claim 100% of internet service providers out there did such things...so naturally a few will chime in "Well I've never seen that". :p <right on cue>

Specialized as in not a major provider like ATT or Comcast...but smaller ones that focus on business grade accounts, they don't do home accounts. Managed bandwidth for businesses, fractional Ts, moto canopies, RLAN DSL, stuff like that. For example...2x floors up from me, a data center fed by a DS3, some AT&T Optilan product, and recently acquired dark fiber...ties in WANs for clients, does SMTP smart hosting and quite a few other things up in the data center.
 
I didn't try to claim 100% of internet service providers out there did such things...so naturally a few will chime in "Well I've never seen that". :p <right on cue>

I wasn't implying that you said/meant that.

Specialized as in not a major provider like ATT or Comcast...but smaller ones that focus on business grade accounts, they don't do home accounts. Managed bandwidth for businesses, fractional Ts, moto canopies, RLAN DSL, stuff like that.

That's interesting, I really wouldn't have expected any ISPs to use PFSense or similar software.
 
Why then are the ASA firewalls usually 2Ghz or so but the routers much slower?
Because the ASA inspects EVERYTHING unless you tell it otherwise. The TCAM is very small, and since most things require CPU cycles, a large CPU was chosen. :cool:

Routers are not punting all the ACLs and FW functions to the ASIC/RP 100% of the time. Not everything runs in CEF.
Absolutely correct. ACLs, QoS, next-hop info, etc. are all calculated and placed into the TCAM for hardware rewrites and hardware switching; when you configured IOS-FW at the branch office you inherently punted packets to the CPU because of the inspection, granted they're only the first packets for the stream.

I installed a 1841 as a NAT/Firewall device for a small branch of mine and the users had problems with it as a firewall. When I replaced it with an ASA, they were fine. I was trying to kill two birds with one stone since it was also their router, but it couldn't cut it. Once I left it to routing only, it was fine.
How many users out of curiosity?

Sorry, I didn't "kill" it. Bad choice of words. It was slower. And I assure you my config was pristine.

I work with Cisco products every day, and have for over a decade. I'm very familiar with IOS.
You're saying this is why you had a pristine configuration? I work with people that have been using Cisco equipment since the beginning of the company... they still make stupid mistakes. I've been working with the equipment for about 8 years and still make mistakes in my configuration; nothing is pristine... ever.

They had connectivity problems and some sites were slow to come up. Yes, latency was part of it. The router had various overflows and buffer related issues during high usage. This was a while ago so I didn't exactly save the error messages nor remember my CPU usage. I did some tweaking with the buffers, one-minute and incomplete parameters which helped, but it was just easier to put in a real firewall. It also helped to offload the VPN.
Modifying buffers is not a good thing unless you know what you're doing. I've had customers that have worked on extremely large networks modify their buffers incorrectly and only worsen the issue. This probably contributed to your problems. Also, instead of buying a completely new firewall you could have offloaded the duties to an AIM (dedicated hardware), which would have saved money and possibly performed better.

Traveling around many networks doing SMB work...opensource setups are actually getting quite common. I've found I'm not the only one out there using Untangle or Endian and other distros.
I agree with you here. I've seen and heard about this a lot, but only with distros that have a SOLID support program, which is almost nil. What's your experience with support from, say, pfsense or endian? Have you ever dealt with Cisco TAC, and what would be your comparison?

Valnar,

In another post I said I worked with a 2801 in production with over 15,000 BGP routes in its RIB and about 20k in its BGP table. This same router was also running IOS-FW, over 80 IPsec tunnels and at the time 20+ H.323 calls on H.264 + G.711. The router never pushed above 60% CPU, and video and voice quality was rated by a blind study to be acceptable. If you look at the raw performance specs for a 1841 vs 2801 they're not too far off (about 15k PPS). I find it extremely hard to believe that you choked up an 1841 running the features that you mentioned at a branch office; keep in mind this is the exact vertical that the 18xx router targets, when you consider what I just mentioned (especially with the BGP factor). I'm going to agree with Vito and say it was a problem with your configuration.
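The point made in the post above, that stateful inspection punts only the first packet(s) of each stream to the CPU while later packets of an established flow ride the fast path, can be illustrated with a toy flow-cache model. This is example code written for this page, not from the thread, from Cisco, or from pfSense; the packets are constructed, and the flow-key fields, the single-packet "punt", and the fixed table size are simplifying assumptions rather than IOS internals. It also goes a step beyond the post by showing what the same model does to a workload of many short connections (a page fetching many objects) and when the flow table fills up.

```python
"""Toy stateful-inspection flow cache (added example, not from the thread).

Model: the first packet of any unknown flow is "punted" to the slow path
(policy lookup + inspection); every later packet of that flow hits the
fast path. The numbers and fields are illustrative assumptions only.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a conversation share one entry."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class FlowCache:
    def __init__(self, max_entries=1000):
        self.max_entries = max_entries   # assumed fixed table size
        self.table = {}                  # flow key -> packets seen
        self.stats = Counter()

    def process(self, pkt):
        key = flow_key(pkt)
        if key in self.table:
            # Established flow: no inspection, counts as hardware/fast path.
            self.table[key] += 1
            self.stats["fast_path"] += 1
            return "fast"
        # Unknown flow: this packet is punted for inspection.
        self.stats["punted"] += 1
        if len(self.table) >= self.max_entries:
            # Table full: the flow cannot be installed, so every one of its
            # packets keeps getting punted and dropped (edge case).
            self.stats["table_full_drop"] += 1
            return "drop"
        self.table[key] = 1
        return "punt"


def long_transfer(npkts):
    """Constructed workload: one bulk TCP session carrying npkts packets."""
    return [Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443)] * npkts


def page_load(nobjects, pkts_per_object=3):
    """Constructed workload: a page fetching nobjects objects, each over its own
    short connection of pkts_per_object packets (request, reply, reply)."""
    pkts = []
    for i in range(nobjects):
        req = Packet("tcp", "10.0.0.5", 40000 + i, "203.0.113.10", 80)
        rep = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000 + i)
        pkts.extend([req] + [rep] * (pkts_per_object - 1))
    return pkts


def punt_ratio(packets, max_entries=1000):
    """Run packets through the cache; return (fraction punted, raw stats)."""
    cache = FlowCache(max_entries)
    for p in packets:
        cache.process(p)
    total = cache.stats["punted"] + cache.stats["fast_path"]
    return cache.stats["punted"] / total, dict(cache.stats)


if __name__ == "__main__":
    for name, pkts, size in [("bulk transfer", long_transfer(1000), 1000),
                             ("page load, 100 objects", page_load(100), 1000),
                             ("page load, table of 50", page_load(100), 50)]:
        ratio, stats = punt_ratio(pkts, size)
        print(f"{name:25s} punted={ratio:.3f} {stats}")
```

Under this model a bulk transfer punts one packet in a thousand, while a page made of a hundred three-packet connections punts one in three, and an undersized flow table turns the surplus flows into drops rather than slow packets. It shows why "first packets only" can still be a lot of CPU work on a branch link full of short web and DNS flows, which is the kind of workload behind "sites slow to come up".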
 
This thread is ridiculously hostile and judgmental for the subject matter. Just sayin'

/mytwocents
 
Gee, it's a good thing I don't have to answer to any of you. I like how everyone assumes I don't know what I'm doing. Perhaps I just won't offer advice on this forum since there are plenty of know-it-alls already. :rolleyes: I now remember why I usually stay away. Thanks for reminding me.

Good day.
 
Gee, it's a good thing I don't have to answer to any of you. I like how everyone assumes I don't know what I'm doing. Perhaps I just won't offer advice on this forum since there are plenty of know-it-alls already. :rolleyes: I now remember why I usually stay away. Thanks for reminding me.

Good day.

I'm surprised that's what you're taking from all this. I've offered to recreate all of this and do some actual testing. Why get all sensitive and pout?
 
I agree with you here. I've seen and heard about this a lot, but only with distros that have a SOLID support program, which is almost nil. What's your experience with support from, say, pfsense or endian? Have you ever dealt with Cisco TAC, and what would be your comparison?

I disagree that their support is almost NIL. I haven't experienced direct support for PFSense or Endian..but they do offer it in various packages...I have turned to PFSense forums for help..it's quite a responsive forum. Also quite a few of the manufacturers of hardware specific for these distros offer their own support packages.

I have experienced, several times, direct support from Untangle. Get to a live person on the other end of the phone within 1 minute... and it's been absolutely fantastic support. Even though I used to sell/use some Cisco gear quite a few years ago I never had to lean on their support, as the few times I needed help I utilized one of the guys in the data center upstairs from me... as he was a super ultra brainiac Cisco wiz. I remember a few years ago the staff upstairs celebrated his passing of some top Cisco certification... the kid supposedly scored 100 on the test. He was actually the one that got me into PFSense when it first came out. He's like Rainman... socially challenged, panics when he's in a room with more than 2 people, prefers to stay in a dark data center by himself or 1 other person at the most. But a wicked sharp propeller head.

I have experienced Juniper support...which was excellent.

Certainly a valid reason you don't see many consulting companies using open sourced products is to maintain support. Larger places that have more staff, thus more turnover of staff, will find it harder to find someone knowledgeable on a product. Versus a smaller company, where say the owner or a primary guy who plans on staying with the company forever, will use them in confidence he will most likely be there tomorrow and the day after and so on.
 
This thread is ridiculously hostile and judgmental for the subject matter. Just sayin'

/mytwocents
Then you would have never made it here 6 or so years ago.... why is everyone so sensitive here as of late?

Gee, it's a good thing I don't have to answer to any of you. I like how everyone assumes I don't know what I'm doing. Perhaps I just won't offer advice on this forum since there are plenty of know-it-alls already. :rolleyes: I now remember why I usually stay away. Thanks for reminding me.

Good day.
You're kidding me right? No one in this thread questioned your knowledge but offered potential explanations as to why you may have experienced bad results with your equipment. If you're getting pissy about what I said, specifically about the pristine configuration, I would really hate to see how you work in real life, I was extremely diplomatic with those last responses.

Stonecat,
Thanks, I was always curious about the support models for each, but if I may: for a larger customer would you really trust the forums of pfsense if you had a major issue that was a show stopper? This is what would scare me right away from using a pfsense box at any mid-size customer, and if they were bent on going the open-source route it would seem like Untangle or ClarkConnect (from what I've heard) has the best support model.
 
Sorry, I'm not interested in a cock fight. Re-read some of your statements. It's obvious there is nothing I can do or say to convince you, and I'm not willing to take the time to recreate that setup for this thread. I already offered my experience and opinion on the matter.

An 1800 series router is not a replacement for a firewall. Can it be used as one? Sure. We've all done that.
 
Stonecat,
Thanks, I was always curious about the support models for each, but if I may: for a larger customer would you really trust the forums of pfsense if you had a major issue that was a show stopper? This is what would scare me right away from using a pfsense box at any mid-size customer, and if they were bent on going the open-source route it would seem like Untangle or ClarkConnect (from what I've heard) has the best support model.

For a larger customer....I'm in agreement..I would not use a product where the support was only on forums with assistance mostly from volunteers. Same follows for medium or smaller customers. On the few instances where I did implement an open source product without a support package with a client of mine...it was a situation where the customer was very close to me (proximity)..and I had a backup solution in place that I could swap out immediately (such as their prior router/firewall) so that production was not really impacted. The important clients of mine where I do have an opensource product in production (Untangle)..I maintain the professional "pay for" package for those clients with Untangle..so that I have official support from them on the product.

The subject of support is certainly a valid and important point. In smaller situations though, one has to consider the reality of it.
*Hardware: select quality biz-grade hardware. Minimize failure due to junky bargain-basement components with premature failure and sub-par performance.
*For most setups....it's only basic features you need to work. Obtaining an IP address from the ISP, port forwarding, QoS, VPN tunnels. These are all basic things that I have confidence the product works on due to hands on experience. If I didn't know if these features worked, I wouldn't go install this product for a client. If I have problems with these, it's not something that I would turn to their support on, I know it works already, if I can't get it working then I fell asleep in my own networking 101 class a long time ago and I should change jobs.
 
Sorry, I'm not interested in a cock fight. Re-read some of your statements. It's obvious there is nothing I can do or say to convince you, and I'm not willing to take the time to recreate that setup for this thread. I already offered my experience and opinion on the matter.

An 1800 series router is not a replacement for a firewall. Can it be used as one? Sure. We've all done that.

Personally, if it were my issue, I'd post some of the config. It's always a great learning experience -- whether you turn out to be right or wrong. And for some reason or another, the scenarios I come across always seem to come up again.

But given the 'heat', let's all move on. I agree that an 1800 shouldn't replace a firewall in a business environment.
 
Sorry, I'm not interested in a cock fight. Re-read some of your statements. It's obvious there is nothing I can do or say to convince you, and I'm not willing to take the time to recreate that setup for this thread. I already offered my experience and opinion on the matter.

An 1800 series router is not a replacement for a firewall. Can it be used as one? Sure. We've all done that.
I'm not interested in an argument either, just wanted to hear your thoughts. I re-read all of my comments and they're not unprofessional at all, just figured I would give you some information :(...

I appreciate your opinion and understand that you do have experience, but I get the feeling that you're one of the types that really doesn't listen to anyone; myself and Vito were simply trying to help, that's all. I went out of my way today to get some more information on this subject and I'm giving you an open invitation to PM me about it. It would be verbal (so nothing formal) but it would help you to understand more about IOS-FW vs ASA so you don't run into this issue again.

BTW, in complete agreement that a router w/ IOS FW is not the same as a firewall, though depending on the implementation and what services you're running it *could* perform as well as an ASA.

Just2cool,
Dude, you gotta get on AIM more... me, Vito and a few others have our GRE+BGP+MPLS tunnels going. You gotta join in, CCIE network my friend, CCIE network.
 
Then you would have never made it here 6 or so years ago.... why is everyone so sensitive here as of late?
Right, because the way I judge myself relies heavily on whether or not I'm well-accepted on a forum I use to learn and better myself?

xphil3 said:
From,
someone half your age.

xphil3 said:
meh, Stonecat always comes off snobby and acting like he knows more than everyone

For working in a communications field, you don't seem to know how to do so very effectively. You have a valid point, and I happen to agree with you, but you can argue without being overly abrasive.
 
Right, because the way I judge myself relies heavily on whether or not I'm well-accepted on a forum I use to learn and better myself?
You misunderstood what I was saying. I was saying that 6 years ago people were much more harsh... worse than I am.

For working in a communications field, you don't seem to know how to do so very effectively. You have a valid point, and I happen to agree with you, but you can argue without being overly abrasive.
On forums, I am abrasive... I will give you that. In person, I'm much more humble. If I wasn't, I wouldn't be nearly as successful as I am. I'm not sure what you mean by your first statement, "For working in a communications field, you don't seem to know how to do so very effectively." ... what were you referring to?
 