Just keeping a record of this for later.
On the server machine: iperf -s
On the client machine: iperf -c [ip address] -t 60 -i 5 -r
(This runs the test for 60 seconds, prints a report on the client every 5 seconds, and with -r runs the test in each direction in turn (bi-directional measurement), which should report the same figures as a one-way test if the links to and from the client are the same speed.)
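As an added example (not part of the original note), here is a small parser for the interval report iperf prints when run as above; it pulls the per-interval and summary rates for each stream and computes how symmetric the two -r directions were. The iperf output below is constructed sample text (a 20-second run so it stays short), not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of iperf 2 client output for "iperf -c <server> -t 20 -i 5 -r".
# Two stream IDs appear because -r runs client->server first, then server->client.
SAMPLE_OUTPUT = """\
------------------------------------------------------------
Client connecting to 10.100.160.6, TCP port 5001
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  3] local 10.100.160.7 port 49152 connected with 10.100.160.6 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 5.0 sec   112 MBytes   188 Mbits/sec
[  3]  5.0-10.0 sec   110 MBytes   185 Mbits/sec
[  3] 10.0-15.0 sec   113 MBytes   190 Mbits/sec
[  3] 15.0-20.0 sec   109 MBytes   183 Mbits/sec
[  3]  0.0-20.0 sec   444 MBytes   186 Mbits/sec
[  5] local 10.100.160.7 port 5001 connected with 10.100.160.6 port 40001
[  5]  0.0- 5.0 sec  56.2 MBytes  94.3 Mbits/sec
[  5]  5.0-10.0 sec  55.9 MBytes  93.8 Mbits/sec
[  5] 10.0-15.0 sec  56.4 MBytes  94.6 Mbits/sec
[  5] 15.0-20.0 sec  56.0 MBytes  93.9 Mbits/sec
[  5]  0.0-20.0 sec   225 MBytes  94.2 Mbits/sec
"""

# One report row: "[ ID] start-end sec transfer unit bandwidth unit"
LINE_RE = re.compile(
    r"^\[\s*(?P<id>\d+)\]\s+"
    r"(?P<start>[\d.]+)-\s*(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?)Bytes\s+"
    r"(?P<bw>[\d.]+)\s+(?P<bunit>[KMG]?)bits/sec"
)
UNIT = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}


def parse_iperf(text):
    """Return {stream_id: {"intervals": [(start, end, bps)], "summary": bps}}."""
    streams = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, "connected with" and header lines carry no rates
        bps = float(m["bw"]) * UNIT[m["bunit"]]
        streams[int(m["id"])].append((float(m["start"]), float(m["end"]), bps))
    report = {}
    for sid, rows in streams.items():
        longest = max(end for _, end, _ in rows)
        # The last row iperf prints for a stream spans 0.0 to the full duration;
        # every other row is one -i interval.
        summary = [r for r in rows if r[0] == 0.0 and r[1] == longest]
        intervals = [r for r in rows if r not in summary]
        report[sid] = {"intervals": intervals,
                       "summary": summary[-1][2] if summary else None}
    return report


def interval_stats(report, sid):
    """Min/max/mean of the per-interval rates, to spot dips the summary hides."""
    rates = [bps for _, _, bps in report[sid]["intervals"]]
    return {"min": min(rates), "max": max(rates), "mean": sum(rates) / len(rates)}


def direction_ratio(report):
    """With -r two streams appear; slower summary rate divided by the faster
    one, so 1.0 means both directions ran at the same speed."""
    rates = [s["summary"] for s in report.values() if s["summary"] is not None]
    if len(rates) < 2:
        raise ValueError("need both directions; run the client with -r")
    return min(rates) / max(rates)


if __name__ == "__main__":
    rep = parse_iperf(SAMPLE_OUTPUT)
    for sid in sorted(rep):
        print(sid, rep[sid]["summary"] / 1e6, "Mbit/s", interval_stats(rep, sid))
    print("direction ratio:", round(direction_ratio(rep), 3))
```

In the constructed sample the return direction runs at about half the rate of the forward one, which is the asymmetry the note above says you should not see when both links are the same speed.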
This package seems to be working ok for basic use. Just wanted to make a quick note:
- Download, unzip, etc.
- Copy the iperf.exe to C:\Windows\System32
- Copy the cygwin1.dll to C:\Windows
- You should be able to use the iperf command in cmd now
In this config (I’m using Ubuntu 10.04), there are two NICs: eth0 (IP 10.100.160.6) and eth1 (IP 10.120.160.6). Traffic for the networks 10.100.0.0/16, 10.9.0.0/16 and 192.168.150.0/24 is routed out of eth0, and all other traffic is routed out of eth1.
# config for eth0
iface eth0 inet static
    post-up route add -net 10.9.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
    post-up route add -net 192.168.150.0 netmask 255.255.255.0 gw 10.100.220.1 dev eth0
    post-up route add -net 10.100.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
    pre-down route del -net 10.9.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
    pre-down route del -net 192.168.150.0 netmask 255.255.255.0 gw 10.100.220.1 dev eth0
    pre-down route del -net 10.100.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
# config for eth1
iface eth1 inet static
Then restart the machine (just doing /etc/init.d/networking restart didn’t work for me) and check the routing table using “route”.
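As an added example (my code, not from the post), the following parses an interfaces file in the form above into a route table, answers "which NIC and gateway does this destination use?" by longest-prefix match, and runs two checks worth doing before rebooting: every post-up route add has a matching pre-down route del, and every gateway is on-link for its interface. The file text is constructed from the post's eth0 lines; the /16 netmasks, eth1's gateway 10.120.220.1 and the auto lines are assumptions, since the post does not show them.

```python
import ipaddress

# Constructed /etc/network/interfaces text. The netmasks, eth1's gateway and the
# 'auto' lines are assumed; only the post-up/pre-down lines come from the post.
INTERFACES = """\
auto eth0
iface eth0 inet static
    address 10.100.160.6
    netmask 255.255.0.0
    post-up route add -net 10.9.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
    post-up route add -net 192.168.150.0 netmask 255.255.255.0 gw 10.100.220.1 dev eth0
    post-up route add -net 10.100.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
    pre-down route del -net 10.9.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0
    pre-down route del -net 192.168.150.0 netmask 255.255.255.0 gw 10.100.220.1 dev eth0
    pre-down route del -net 10.100.0.0 netmask 255.255.0.0 gw 10.100.220.1 dev eth0

auto eth1
iface eth1 inet static
    address 10.120.160.6
    netmask 255.255.0.0
    gateway 10.120.220.1
"""


def parse_interfaces(text):
    """Return ([(network, gateway_or_None, dev)], unmatched) where unmatched holds
    post-up 'route add' keys with no pre-down 'route del' twin (or vice versa)."""
    routes, adds, dels = [], set(), set()
    iface = addr = mask = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            iface, addr, mask = parts[1], None, None
        elif parts[0] == "address":
            addr = parts[1]
        elif parts[0] == "netmask":
            mask = parts[1]
        elif parts[0] == "gateway":
            routes.append((ipaddress.ip_network("0.0.0.0/0"), parts[1], iface))
        elif parts[0] in ("post-up", "pre-down") and parts[1:3] in (["route", "add"], ["route", "del"]):
            opts = dict(zip(parts[3::2], parts[4::2]))  # -net X netmask Y gw Z dev D
            key = (opts["-net"], opts["netmask"], opts["gw"], opts["dev"])
            (adds if parts[2] == "add" else dels).add(key)
        if addr and mask and iface and not any(r[2] == iface and r[1] is None for r in routes):
            # Directly connected network of this interface: no gateway.
            routes.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), None, iface))
    for net, netmask, gw, dev in adds:
        routes.append((ipaddress.ip_network(f"{net}/{netmask}"), gw, dev))
    return routes, adds ^ dels


def lookup(routes, dst):
    """(dev, gateway) chosen by longest prefix; on a tie prefer the on-link route."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, r[1] is None))
    return best[2], best[1]


def unreachable_gateways(routes):
    """Gateways that are not inside their interface's connected subnet; such a
    'route add' fails at post-up time."""
    connected = {dev: net for net, gw, dev in routes if gw is None}
    return [(gw, dev) for net, gw, dev in routes
            if gw is not None and ipaddress.ip_address(gw) not in connected[dev]]


if __name__ == "__main__":
    table, unmatched = parse_interfaces(INTERFACES)
    for dst in ("10.9.1.1", "192.168.150.20", "10.100.7.7", "10.120.5.5", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    print("add/del mismatches:", unmatched)
    print("gateways off-link:", unreachable_gateways(table))
```

One thing the lookup makes visible under the assumed /16 mask on eth0: the post-up route for 10.100.0.0/16 duplicates the directly connected route, so it adds nothing and the kernel will refuse it as already existing; if eth0 actually has a narrower mask, the route is needed but the gateway 10.100.220.1 must still sit inside that mask, which is exactly what the unreachable_gateways check tests.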
In this case, I’m NATing 10.8.0.0/16 (interface name = vlan8) to 10.120.0.0/16 (interface name = int8), so a packet to 10.8.150.3 will be NATed to 10.120.150.3.
Go to Firewall -> NAT
Create a new 1:1 mapping, and put the settings as follows:
External subnet IP: 10.8.0.0
Internal IP: int8 subnet
Destination: any (you might be able to use int8 subnet here, but it wouldn’t work with my VPN configuration as VPN IPs are on a separate subnet)
NAT reflection: use system default
Save, then go to Firewall -> Virtual IPs
Create a new virtual IP
I’ve used CARP, but when I get the chance I’ll try Proxy ARP, which would be better for those who have an entire subnet behind the pfSense (I don’t, so I need to put in each address to NAT individually).
And then the settings on your host behind the pfsense:
IP: 10.120.150.3/16 (whatever IP you want)
gw: 10.120.x.x (IP of pfSense’s int8 interface)
(to set the gateway in Ubuntu, using /etc/network/interfaces didn’t seem to want to work for me, so I used “route add default gw 10.120.x.x” instead)
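The address arithmetic behind the 1:1 mapping above, as an added example (not pfSense code): a 1:1 subnet NAT keeps the host bits of the external address and swaps the network bits, which is why 10.8.150.3 becomes 10.120.150.3. The function also covers the per-address case the CARP virtual IPs were used for (a /32 external mapped to a /32 internal) and rejects addresses outside the mapped range.

```python
import ipaddress


def nat_1to1(addr, external_net, internal_net):
    """Translate addr in external_net to the host with the same host bits in
    internal_net. Both subnets must be the same size; a /32 pair is a plain
    one-address mapping."""
    ext = ipaddress.ip_network(external_net)
    internal = ipaddress.ip_network(internal_net)
    if ext.prefixlen != internal.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized subnets, got "
                         f"/{ext.prefixlen} and /{internal.prefixlen}")
    ip = ipaddress.ip_address(addr)
    if ip not in ext:
        raise ValueError(f"{ip} is outside {ext}; no 1:1 mapping applies")
    host_bits = int(ip) & int(ext.hostmask)           # keep the host part
    return str(ipaddress.ip_address(int(internal.network_address) | host_bits))


def nat_reverse(addr, external_net, internal_net):
    """Reply direction: internal address back to its external address."""
    return nat_1to1(addr, internal_net, external_net)


if __name__ == "__main__":
    # Subnet mapping from the post: 10.8.0.0/16 (vlan8) -> 10.120.0.0/16 (int8)
    print(nat_1to1("10.8.150.3", "10.8.0.0/16", "10.120.0.0/16"))
    # Single-host mapping, as with one virtual IP per NATed address
    print(nat_1to1("10.8.150.3", "10.8.150.3/32", "10.120.150.3/32"))
```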
UPDATE: Creating a new partition in /dev/sdb (second volume) works, but doesn’t use the last 5% of the disk. I can’t seem to fix this with the Other Solution posted here; regardless of what I do, the partition shows up in the web GUI of openfiler but as unknown partition type. I’ve tried using mkpart as described below – it gives errors when trying to use ext3; using ext2 and then converting it to ext3 with mkfs.ext3 has the same issue, as does creating the partition with no filesystem. This is all regardless of what I do with pvcreate. For now I’ve left it as empty space, hopefully Openfiler will fix their issue creating new volumes soon.
Experienced a lot of Google-fail before finally getting the solution to this, so I’m posting it here.
New install of Openfiler v2.99.1, trying to create a new partition in /dev/sda: clicking the ‘create’ button does nothing, it just refreshes the page.
Easy Solution (but it loses some GB – for some reason, ending cylinder is reduced)
Set the ‘starting cylinder’ 80 cylinders more than the recommended number, then try and create again. It should work.
Other Solution (works properly, hurray)
From the CLI, in parted’s interactive mkpart command (the prompts are shown in brackets):
[name?] // click enter
[file system type? ext2] ext3
[start?] // here, type one cylinder up from the end of the last partition shown by the print command, and space, and then the ending cylinder (for the entire disk, enter the number shown in the print command under the Model, on the line “Disk /dev/sda : ”)
print // see the new partition
After this, Openfiler should see the new partition from the GUI.
This issue may well affect other firewall models, but I’ve just been playing with the SSG 5.
I want to be able to reach 10.9.x.x and 10.10.x.x using my VPN connection (it’s set up like this, by the way):
- With one VPN connection, two policies on the Juniper and in Shrew Soft; for some reason, the wrong policy is often used and my packet gets dropped due to not having a policy to allow it
- With one VPN connection, one policy on Juniper and Shrew (a CIDR covering both address ranges); also not working, the policy isn’t matching at all, weirdly
- With one VPN connection, two policies in Shrew and one policy using an IP address group in Juniper; policy not matching again…
- With two VPN connections, two policies in Shrew and Juniper; still not working! Policies don’t match if both VPNs are active, as Juniper seems to disregard which VPN the packet has come from
- With one VPN connection, two policies in Shrew and one ANY policy on Juniper; also not working… I think Juniper just doesn’t like this policy
Pick the last problem above; use one VPN connection, whatever policies you need in Shrew and one ANY policy in Juniper, then, log onto your SSG, and use the following command:
unset ike policy-checking
That was much more difficult than it should have been…
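To show why the mixed configurations above fail and why the last one works once policy checking is off, here is an added example (my own simplified model, not ScreenOS or Shrew Soft code) of IKE phase 2 proxy-ID checking. The model assumes: the client proposes one (client address, destination network) selector pair per tunnel; a gateway with policy checking on accepts a proposal only when some policy's address pair equals it exactly; with checking off, it accepts any proposal. The client address 172.16.1.10/32 and the covering CIDR 10.8.0.0/14 are constructed values.

```python
import ipaddress

# Constructed VPN client address; the post does not give one.
CLIENT = "172.16.1.10/32"
ANY = ("0.0.0.0/0", "0.0.0.0/0")


def strict_match(proposal, policies):
    """Policy checking on: both selectors must equal some policy's pair exactly.
    Containment (10.9.0.0/16 inside 10.8.0.0/14) does not count."""
    local, remote = (ipaddress.ip_network(n) for n in proposal)
    return any(ipaddress.ip_network(pl) == local and ipaddress.ip_network(pr) == remote
               for pl, pr in policies)


def gateway_accepts(proposal, policies, policy_checking=True):
    """Policy checking off ('unset ike policy-checking' in the post) skips the
    proxy-ID comparison altogether, so every proposal is accepted."""
    return strict_match(proposal, policies) if policy_checking else True


def evaluate_attempts():
    """Replay the attempts from the post; True means every proposed tunnel is
    accepted under this model."""
    two_client_policies = [(CLIENT, "10.9.0.0/16"), (CLIENT, "10.10.0.0/16")]
    one_client_policy = [(CLIENT, "10.8.0.0/14")]   # one CIDR covering 10.8-10.11
    attempts = {
        "two policies on both sides":
            (two_client_policies, [(CLIENT, "10.9.0.0/16"), (CLIENT, "10.10.0.0/16")], True),
        "one CIDR policy on both sides":
            (one_client_policy, [(CLIENT, "10.8.0.0/14")], True),
        "two client policies, one covering policy on the gateway":
            (two_client_policies, [(CLIENT, "10.8.0.0/14")], True),
        "two client policies, ANY policy, checking on":
            (two_client_policies, [ANY], True),
        "two client policies, ANY policy, checking off":
            (two_client_policies, [ANY], False),
    }
    return {name: all(gateway_accepts(p, pol, chk) for p in props)
            for name, (props, pol, chk) in attempts.items()}


if __name__ == "__main__":
    for name, ok in evaluate_attempts().items():
        print(f"{'accepted' if ok else 'rejected':8s}  {name}")
```

Under this model the two attempts where the gateway side is wider than the client's selectors (the covering CIDR and the ANY policy) are rejected because equality, not containment, is required, and they pass only when checking is disabled; the first two attempts match exactly here, so the model does not account for the wrong-policy selection and the non-matching single CIDR the post reports. The trade-off of the fix is also visible: with checking off, the gateway no longer validates what the peer proposes, so the ANY policy's rules are the only constraint on traffic inside the tunnel.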
Should be obvious, but I spent a while Googling it before realizing the answer.
To get out of shell in XenServer and back to the “home” options (where it displays the interfaces and options for what you want to do), just type exit (you know, as if you were exiting any other shell…).
download latest version: http://www.shrew.net/download/ike
apt-get install cmake build-essential flex bison libssl-dev libqt3-mt libqt3-mt-dev
cmake -DQTGUI=YES -DETCDIR=/etc -DNATT=YES .   (run from the unpacked source directory)
cp /etc/iked.conf.sample /etc/iked.conf
For some reason, it had bound to eth1 rather than eth0 (it’s supposed to bind to both).
Shrewsoft uses IPSEC_Pluto for IKE connections, check out this manpage: http://www.linuxsecurity.com/resource_files/cryptography/FreeSWAN-HOWTO/manpage.d/ipsec_pluto.8.html
To refresh the interfaces (restarting didn’t work for me, but this did), use:
ipsec whack --listen
UPDATE: I was wrong! It’s strongSwan that uses IPSEC_PLUTO; Shrewsoft uses its own stuff, and the reason my Shrewsoft wasn’t making the connections as it should was conflicts with strongSwan; once I uninstalled that, it started working again.