Re: [pfSense] New intel atom board

2014-04-05 Thread Jim Thompson

On Apr 5, 2014, at 5:06 PM, Adam Thompson  wrote:

> On 14-04-05 02:02 PM, Jim Thompson wrote:
>>> http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fb&ncid=fb
>>> An interesting platform for pfSense?
>>> It looks like it only has 1 NIC though.
>> I looked at this earlier in the week when it was released.
>> It’s interesting,
>> [...]
>> and Circuitco is just up the highway in Richardson, TX.   I’ve considered 
>> driving up and seeing what it would take to take
>> the schematics (when they are available) and have a board built with 2 
>> Ethernets (rather than one), and maybe
>> a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more 
>> of these work, or possibly an m-sata drive),
>> in addition to pulling the expansion header off, and connectorizing the 
>> serial ‘debug’ header for a proper console.
> Given the high up-front costs to produce a variant board, wouldn't it be 
> easier, faster and cheaper to just use the expansion header, which IIRC 
> includes two PCIe 1x lanes?  If a breakout cable existed that provided 2 PCIe 
> slots, it would be possible to simultaneously have much more flexibility in 
> enclosure design (e.g. PCIe cards underneath the board?) as well as 
> flexibility in choice of add-on.

The expansion header only includes one PCIex1 2.0 lane, 1x SATA2, 1x USB 2.0 
host, I2C, GPIO, JTAG, +5VDC, GND
http://www.minnowboard.org/meet-minnowboard-max/

> I don't see that a breakout cable exists yet for the high-speed expansion 
> bus, so there's that minor (*cough*) problem... but that seems a much smaller 
> problem than re-tooling the board.
> 
>> We would need a simple enclosure as well.  Painted (or powder-coated) 
>> steel is less expensive than anodized aluminum, but I think the anodized 
>> aluminum looks
> In case you don't have a local firm you're happy with, talk to Protocase for 
> sample qtys.  I've seen them be cheaper than mass mfg for small runs of 
> simple cases (e.g. interlocked-U style).

We have a local firm we’re pretty happy with.  We also have a lot of experience 
in injection molding now (smallworks.com)

>> The other issue is single or dual core and 1GB or 2GB ram (4GB?)?
> The stock 2GB version should be adequate (barely) IMHO for most applications 
> that function with that class of CPU/ethernet/storage anyway.
> Much more interesting to me would be if a small, low-cost board like that 
> were available with ECC.  That CPU does support ECC RAM, after all…
yes it does.
ECC ram is also a lot more expensive.

>> How interesting is the m-sata / miniPCIe option?
> Not to me, as I tend to deploy pfSense at the higher-end of the spectrum, but 
> *some* way to add WiFi would probably be important for the putative target 
> audience.  USB probably won't cut it for an AP, so mPCIe is probably needed.  
> Again, expansion-header-to-mPCIe should be possible instead of reworking the 
> board... and unlike PCIe 1x sockets, that wouldn't take up much more room 
> than putting the mPCIe headers on the board.

see above.

>> How you can help:
>> 
>> Indicate your level of interest.
> Neat, but not commercially interesting to me right now. Linksys/ASUS/D-Link 
> make cheaper gateways that are "good enough" for home users, and commercial 
> users will either get a FortiWiFi (or equivalent) or if pfSense, re-use an 
> existing rackmount server.
> 
>> This board would without a doubt cost more than the minnow board.   I don’t 
>> know how much more, but we’re not going to hit the
>> same volumes as the minnow board.  (I could be wrong.)   The minnow board 
>> could be subsidized by Intel. (I could be wrong.)
> See above comments :-).  I'm not sure if a breakout cable is 100% workable, 
> but if so it's a faster/cheaper option than mPCIe.
> 
>> It’s going to require a significant investment (up-front NRE), an investment 
>> in getting a run of these made, and some return on those investments 
>> (profit).
>> 
>> How important is form-factor?   Larger PCBs cost more, but can sometimes 
>> relax routing enough to not need additional layers (fewer layers tend
>> to cost less).
> Smaller is better.  Otherwise I may as well just deploy a miniITX or 1U 
> system.  Which, yes, argues *against* using a breakout cable for PCIe.
> 
>> - dual core or single core?Remember that pfSense 2.2 (which is based on 
>> FreeBSD 10)  supports a pf capable of multi-threading.
> Good question - optimize for today or for tomorrow?

Back when I was a teenager, I liked to hang out in the local speed shop.  There 
was a plaque on the wall, with a very bent connecting rod, and the following 
lettered below it:

“Speed costs money, son.  How fast do you want to go?”

This was before Mad Max appropriated it: 
http://www.imdb.com/title/tt0079501/quotes?item=qt0427399

Jim


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Jim Thompson
Kevin,

Glad you like the update.

You won’t get ‘multicore’ PF until pfSense 2.2 (which is based on FreeBSD 10).  
Snapshots are available now.

Rangely hardware, you say?  
http://store.netgate.com/Firewall/C2758.aspx
Also available “real soon now” at the pfSense store.   We believe in the C2000, 
so there will be other hardware leveraging that series coming available this 
year.
And yes, I agree that pfSense 2.2 will perform very well on the Intel C2000 
series SoCs.

You’ll notice that rather than create a “commercial version” of pfSense, (as 
many want to accuse me of doing), we just put the drivers in pfSense 2.1.1,
where everyone can enjoy them.   What you don’t get in the community builds is 
the testing/tuning that are part of the above.  The results are significantly
better than a stock load.

But even here, I’m working on a way to make those “platform-specific” tuning 
parameters available to the community.

Jim

On Apr 5, 2014, at 4:17 PM, Kevin Boatswain  wrote:

> Well I just upgraded successfully, thanks a lot for the fix. 
> 
> Don't know if it's the sugar pill effect but general web browsing seems MUCH 
> MUCH faster (and it wasn't slow to begin with). 
> 
> 
> 
> I'm guessing this is due to many of the improvements including the updated PF 
> for multicore. 
> 
> Now time to look at the supermicro versions of the Rangeley or Avoton 
> platforms as I was waiting until pfSense supported the new i354 and i210 
> nics. 
> 
> 
> 
> These would make AWESOME pfsense platforms. 
> 
> http://www.servethehome.com/Server-detail/intel-atom-c2750-8-core-avoton-rangeley-benchmarks-fast-power/
> 
> 
> 
> 
> 
> 
> On Sat, Apr 5, 2014 at 3:39 PM, Jeremy Porter  wrote:
> There was an error in one of the version number strings, this has been fixed. 
>  (It didn't replicate to one of the mirrors correctly.)
> 
> 
> Auto-update is just a quick link to the upgrade system, it does not 
> automatically upgrade the firewall without clicking on it,
> so if your firewall is offline, that is likely a different problem.
> 
> 
> On 4/5/2014 2:48 PM, Kevin Boatswain wrote:
>> I am having the same issue on my box. 
>> 
>> Downloading new version information...done
>> Unable to check for updates.
>> Could not contact pfSense update server 
>> http://updates.pfsense.org/_updaters
>> 
>> 
>> At first I thought maybe my box needed to be rebooted but seeing your 
>> message and the forum post below makes me wonder is there something wrong 
>> with the upgrade url or am I supposed to be using a new upgrade url?
>> 
>> https://forum.pfsense.org/index.php?topic=74639.0
>> 
>> 
>> I am currently using http://updates.pfsense.org/_updaters for my update url 
>> as well. 
>> 
>> 
>> Odd that you were able to update from the console however.
>> 
>>  I wonder does the console use the same url listed in the Gui? 
>>  
>> 
>> 
>> On Sat, Apr 5, 2014 at 1:46 PM, Brian Caouette  wrote:
>> I see the same thing. I also notice I can no longer get online. I haven't 
>> touched the box in over a month. It went from working to not working. I can 
>> only assume its related to the auto update to 2.1.1 
>> 
>> On 4/5/2014 2:40 PM, Adam Thompson wrote:
>>> On 14-04-05 01:31 PM, Adam Thompson wrote:
 My own 2.1-release pfSense now can't auto-update.
>>> After updating from the console to 2.1.1, the web GUI *still* can't handle 
>>> auto-update checking.  Ordinarily, I'd assume misconfiguration, but the 
>>> only thing affected is the web UI.  WTF?
>>> -- 
>>> -Adam Thompson
>>>  athom...@athompso.net
>>> 
>>> 

Re: [pfSense] New intel atom board

2014-04-05 Thread Adam Thompson

On 14-04-05 02:02 PM, Jim Thompson wrote:
>> http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fb&ncid=fb
>> An interesting platform for pfSense?
>> It looks like it only has 1 NIC though.
> I looked at this earlier in the week when it was released.
> It’s interesting,
> [...]
> and Circuitco is just up the highway in Richardson, TX.   I’ve considered 
> driving up and seeing what it would take to take
> the schematics (when they are available) and have a board built with 2 
> Ethernets (rather than one), and maybe
> a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of 
> these work, or possibly an m-sata drive),
> in addition to pulling the expansion header off, and connectorizing the serial 
> ‘debug’ header for a proper console.
Given the high up-front costs to produce a variant board, wouldn't it be 
easier, faster and cheaper to just use the expansion header, which IIRC 
includes two PCIe 1x lanes?  If a breakout cable existed that provided 2 
PCIe slots, it would be possible to simultaneously have much more 
flexibility in enclosure design (e.g. PCIe cards underneath the board?) 
as well as flexibility in choice of add-on.
I don't see that a breakout cable exists yet for the high-speed 
expansion bus, so there's that minor (*cough*) problem... but that seems 
a much smaller problem than re-tooling the board.

> We would need a simple enclosure as well.  Painted (or powder-coated) steel 
> is less expensive than anodized aluminum, but I think the anodized aluminum 
> looks
In case you don't have a local firm you're happy with, talk to Protocase 
for sample qtys.  I've seen them be cheaper than mass mfg for small runs 
of simple cases (e.g. interlocked-U style).

> The other issue is single or dual core and 1GB or 2GB ram (4GB?)?
The stock 2GB version should be adequate (barely) IMHO for most 
applications that function with that class of CPU/ethernet/storage anyway.
Much more interesting to me would be if a small, low-cost board like 
that were available with ECC.  That CPU does support ECC RAM, after all...

> How interesting is the m-sata / miniPCIe option?
Not to me, as I tend to deploy pfSense at the higher-end of the 
spectrum, but *some* way to add WiFi would probably be important for the 
putative target audience.  USB probably won't cut it for an AP, so mPCIe 
is probably needed.  Again, expansion-header-to-mPCIe should be possible 
instead of reworking the board... and unlike PCIe 1x sockets, that 
wouldn't take up much more room than putting the mPCIe headers on the board.

> How you can help:
> 
> Indicate your level of interest.
Neat, but not commercially interesting to me right now. 
Linksys/ASUS/D-Link make cheaper gateways that are "good enough" for 
home users, and commercial users will either get a FortiWiFi (or 
equivalent) or if pfSense, re-use an existing rackmount server.

> This board would without a doubt cost more than the minnow board.   I don’t 
> know how much more, but we’re not going to hit the
> same volumes as the minnow board.  (I could be wrong.)   The minnow board could 
> be subsidized by Intel. (I could be wrong.)
See above comments :-).  I'm not sure if a breakout cable is 100% 
workable, but if so it's a faster/cheaper option than mPCIe.

> It’s going to require a significant investment (up-front NRE), an investment in 
> getting a run of these made, and some return on those investments (profit).
> 
> How important is form-factor?   Larger PCBs cost more, but can sometimes relax 
> routing enough to not need additional layers (fewer layers tend
> to cost less).
Smaller is better.  Otherwise I may as well just deploy a miniITX or 1U 
system.  Which, yes, argues *against* using a breakout cable for PCIe.

> - dual core or single core?    Remember that pfSense 2.2 (which is based on 
> FreeBSD 10)  supports a pf capable of multi-threading.
Good question - optimize for today or for tomorrow?

--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] successor to ALIX is here

2014-04-05 Thread Thinker Rix

Hi Jim

On 2014-04-05 20:32, Jim Thompson wrote:
> On Apr 5, 2014, at 8:53 AM, Thinker Rix wrote:
>> On 2014-04-05 07:00, Ryan Coleman wrote:
>>> And you cannot eliminate three of this with a switch?
>>
>> I don't know any method how a network switch could replace the NICs 
>> of my firewall - other than by operating with VLANs.
>>
>> But I do not trust VLANs for this. This is not the correct purpose of 
>> VLANS, IMO.
>> Using VLAN for segregating networks that should live in physically 
>> different network zones because they have fundamental differing 
>> security levels, is like placing your firewall into a VM - You can, 
>> but you should not.
>>
>>> Sounds like you should look at your design.
>>
>> No, I don't think so.
>> I think you should audit your security policy.
>>
>> Regards
>> Thinker Rix
>
> 'Rix',
>
> why do you do this?
>
> Please don't be rude.  Your message contains only non-informed opinion 
> backed by hostile invective, and such is not welcome on the list.

"hostile invective" in my posting? Interesting. Could not find anything 
of that in my posting, though.

Oh, no! Now I remember: Jim Thompson!  Once again in his starring role: 
"the bully of the pfsense list", threatening, ridiculing, insulting and 
bullying other users who ask questions he does not like (e.g. about if 
NSA or others have approached pfSense (yet)) or who have another opinion 
as he has...

> If you don't trust VLANs, don't use them.

Thank you, for the approval.

 a common strategy that many propagandists use to avert suspicion and 
the same strategy that you used the other time when I asked 
uncomfortable questions about NSA and pfsense>

> But VLANs have their place.

Yes, in networks of homogeneous security level.
They do not have their place when it comes to segment networks with 
vastly diverging security level, IMO.
It is the same discussion as about virtualizing a firewall. Some do it 
claiming that virtualization is rock solid, others avoid it, because 
they won't risk it just to save some bucks on hardware.

But everyone can decide that for himself. I don't ridicule you for 
deciding differently. But you try to ridicule me, once again. Why?

> They're used a lot in security applications.  Not for very 
> high-security applications (military networks, financial trading 
> networks, etc), but they are effective enough for the network 
> segmentation requirements of PCI DSS.
>
> This SANS paper has a description of the common attacks against a VLAN 
> segmentation architecture, as well as countermeasures to same.  It 
> includes code to demonstrate several of the attacks.
>
> https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090

IMO the greatest weakness of VLAN is user error such as 
misconfiguration, bugs in software/firmware, etc.


Cheers
Thinker Rix

--
*Thinker Rix*, an internet user.
Please avoid TOFU in newsgroups and mailing lists 
(https://en.wikipedia.org/wiki/Posting_style#Top-posting)
Bitte vermeidet TOFU in Newsgroups und Mailing-Listen 
(https://de.wikipedia.org/wiki/TOFU)
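Among the attacks the SANS paper linked above covers is the double-encapsulated 802.1Q (nested VLAN) attack: a frame carries two VLAN tags, the first switch strips the outer one (when it equals the trunk's native VLAN) and forwards the frame, still wearing the inner tag, onto a VLAN the sender should not be able to reach. As an added example, not code from the paper, from pfSense or from either poster, here is a small Python detector that walks a frame's tag stack and flags double-tagged frames, calling out the outer-tag-equals-native-VLAN case as the one that actually hops. The frames are constructed test input and NATIVE_VLAN = 1 is an assumption; on a real link you would feed it frames read from a raw socket or a pcap taken on the trunk port.

```python
"""Detect double-encapsulated 802.1Q (nested VLAN) frames.

Added example, not code from the SANS paper or from pfSense. Frames are
constructed test input; NATIVE_VLAN = 1 is an assumed trunk setting.
"""
import struct

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ) tag, walked as a tag as well
NATIVE_VLAN = 1       # assumed native VLAN of the trunk being monitored


def build_frame(dst_mac, src_mac, vlan_ids, ethertype, payload):
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (PCP=0, DEI=0)."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vlan_ids:
        hdr += struct.pack('!HH', TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack('!H', ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack that follows the two MAC addresses.
    Returns (vlan_ids, inner_ethertype, payload_offset)."""
    if len(frame) < 14:
        raise ValueError('frame shorter than an Ethernet header')
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError('truncated EtherType')
        etype = struct.unpack_from('!H', frame, off)[0]
        if etype not in (TPID_8021Q, TPID_8021AD):
            return vids, etype, off + 2
        if off + 4 > len(frame):
            raise ValueError('truncated 802.1Q tag')
        tci = struct.unpack_from('!H', frame, off + 2)[0]
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        off += 4


def classify(frame, native_vlan=NATIVE_VLAN):
    """Return (verdict, vlan_ids). Verdicts, most to least severe:
    double-tagged-native-outer, double-tagged, tagged, untagged."""
    vids, _etype, _off = parse_tags(frame)
    if len(vids) >= 2:
        if vids[0] == native_vlan:
            # the switch strips the native outer tag and forwards the inner one
            return 'double-tagged-native-outer', vids
        return 'double-tagged', vids
    if vids:
        return 'tagged', vids
    return 'untagged', vids


def scan(frames, native_vlan=NATIVE_VLAN):
    """Return (index, verdict, vlan_ids) for every double-tagged or malformed frame."""
    alerts = []
    for i, frame in enumerate(frames):
        try:
            verdict, vids = classify(frame, native_vlan)
        except ValueError:
            verdict, vids = 'malformed', []
        if verdict.startswith('double-tagged') or verdict == 'malformed':
            alerts.append((i, verdict, vids))
    return alerts


# Constructed sample frames: a normal tagged IPv4 frame, an untagged ARP frame
# and a double-tagged frame whose outer tag is the native VLAN.
PAYLOAD = bytes(20)
SAMPLE_FRAMES = [
    build_frame('ffffffffffff', '001122334455', [10], 0x0800, PAYLOAD),
    build_frame('ffffffffffff', '001122334455', [], 0x0806, PAYLOAD),
    build_frame('ffffffffffff', '001122334455', [NATIVE_VLAN, 20], 0x0800, PAYLOAD),
]

if __name__ == '__main__':
    for idx, verdict, vids in scan(SAMPLE_FRAMES):
        print('frame %d: %s vlans=%s' % (idx, verdict, vids))
```

The check maps onto the usual countermeasure: keep the native VLAN of every trunk unused by any access port (or force it to be tagged), so a legitimate frame never arrives with an outer tag equal to the native VLAN and any such frame is worth an alert.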


Re: [pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Kevin Boatswain
Well I just upgraded successfully, thanks a lot for the fix.

Don't know if it's the sugar pill effect but general web browsing seems MUCH
MUCH faster (and it wasn't slow to begin with).



I'm guessing this is due to many of the improvements including the updated
PF for multicore.

Now time to look at the supermicro versions of the Rangeley or Avoton
platforms as I was waiting until pfSense supported the new i354 and i210
nics.



These would make AWESOME pfsense platforms.

http://www.servethehome.com/Server-detail/intel-atom-c2750-8-core-avoton-rangeley-benchmarks-fast-power/






On Sat, Apr 5, 2014 at 3:39 PM, Jeremy Porter  wrote:

>  There was an error in one of the version number strings, this has been
> fixed.  (It didn't replicate to one of the mirrors correctly.)
>
>
> Auto-update is just a quick link to the upgrade system, it does not
> automatically upgrade the firewall without clicking on it,
> so if your firewall is offline, that is likely a different problem.
>
>
> On 4/5/2014 2:48 PM, Kevin Boatswain wrote:
>
> I am having the same issue on my box.
>
>  Downloading new version information...done
> Unable to check for updates.
> Could not contact pfSense update server
> http://updates.pfsense.org/_updaters
>
>
>  At first I thought maybe my box needed to be rebooted but seeing your
> message and the forum post below makes me wonder is there something wrong
> with the upgrade url or am I supposed to be using a new upgrade url?
>
>  https://forum.pfsense.org/index.php?topic=74639.0
>
>
>  I am currently using http://updates.pfsense.org/_updaters for my update
> url as well.
>
>
>  Odd that you were able to update from the console however.
>
>   I wonder does the console use the same url listed in the Gui?
>
>
>
> On Sat, Apr 5, 2014 at 1:46 PM, Brian Caouette  wrote:
>
>>  I see the same thing. I also notice I can no longer get online. I
>> haven't touched the box in over a month. It went from working to not
>> working. I can only assume its related to the auto update to 2.1.1
>>
>> On 4/5/2014 2:40 PM, Adam Thompson wrote:
>>
>>  On 14-04-05 01:31 PM, Adam Thompson wrote:
>>
>> My own 2.1-release pfSense now can't auto-update.
>>
>> After updating from the console to 2.1.1, the web GUI *still* can't
>> handle auto-update checking.  Ordinarily, I'd assume misconfiguration, but
>> the only thing affected is the web UI.  WTF?
>>
>> --
>> -Adam Thompson
>>  athom...@athompso.net
>>
>>
>>

Re: [pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Jeremy Porter
There was an error in one of the version number strings, this has been 
fixed.  (It didn't replicate to one of the mirrors correctly.)



Auto-update is just a quick link to the upgrade system, it does not 
automatically upgrade the firewall without clicking on it,

so if your firewall is offline, that is likely a different problem.

On 4/5/2014 2:48 PM, Kevin Boatswain wrote:
> I am having the same issue on my box.
>
> Downloading new version information...done
> Unable to check for updates.
> Could not contact pfSense update server 
> http://updates.pfsense.org/_updaters
>
> At first I thought maybe my box needed to be rebooted but seeing your 
> message and the forum post below makes me wonder is there something 
> wrong with the upgrade url or am I supposed to be using a new upgrade url?
>
> https://forum.pfsense.org/index.php?topic=74639.0
>
> I am currently using http://updates.pfsense.org/_updaters for my 
> update url as well.
>
> Odd that you were able to update from the console however.
>
> I wonder does the console use the same url listed in the Gui?
>
> On Sat, Apr 5, 2014 at 1:46 PM, Brian Caouette wrote:
>> I see the same thing. I also notice I can no longer get online. I
>> haven't touched the box in over a month. It went from working to
>> not working. I can only assume its related to the auto update to
>> 2.1.1
>>
>> On 4/5/2014 2:40 PM, Adam Thompson wrote:
>>> On 14-04-05 01:31 PM, Adam Thompson wrote:
>>>> My own 2.1-release pfSense now can't auto-update.
>>>
>>> After updating from the console to 2.1.1, the web GUI *still*
>>> can't handle auto-update checking. Ordinarily, I'd assume
>>> misconfiguration, but the only thing affected is the web UI.  WTF?
>>> -- 
>>> -Adam Thompson
>>> athom...@athompso.net





Re: [pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Kevin Boatswain
I am having the same issue on my box.

Downloading new version information...done
Unable to check for updates.
Could not contact pfSense update server
http://updates.pfsense.org/_updaters


At first I thought maybe my box needed to be rebooted but seeing your
message and the forum post below makes me wonder is there something wrong
with the upgrade url or am I supposed to be using a new upgrade url?

https://forum.pfsense.org/index.php?topic=74639.0


I am currently using http://updates.pfsense.org/_updaters for my update url
as well.


Odd that you were able to update from the console however.

 I wonder does the console use the same url listed in the Gui?



On Sat, Apr 5, 2014 at 1:46 PM, Brian Caouette  wrote:

>  I see the same thing. I also notice I can no longer get online. I
> haven't touched the box in over a month. It went from working to not
> working. I can only assume its related to the auto update to 2.1.1
>
> On 4/5/2014 2:40 PM, Adam Thompson wrote:
>
> On 14-04-05 01:31 PM, Adam Thompson wrote:
>
> My own 2.1-release pfSense now can't auto-update.
>
> After updating from the console to 2.1.1, the web GUI *still* can't handle
> auto-update checking.  Ordinarily, I'd assume misconfiguration, but the
> only thing affected is the web UI.  WTF?
>
> --
> -Adam Thompson
>  athom...@athompso.net
>
>
>

Re: [pfSense] New intel atom board

2014-04-05 Thread Jim Thompson

On Apr 5, 2014, at 12:48 PM, Ugo Bellavance  wrote:

> http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fb&ncid=fb
> 
> An interesting platform for pfSense?
> 
> It looks like it only has 1 NIC though.

I looked at this earlier in the week when it was released.

It’s interesting,

(AES-NI and VT-x support! 
http://ark.intel.com/products/78475/Intel-Atom-Processor-E3845-2M-Cache-1_91-GHz)

and Circuitco is just up the highway in Richardson, TX.   I’ve considered 
driving up and seeing what it would take to take
the schematics (when they are available) and have a board built with 2 
Ethernets (rather than one), and maybe
a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of 
these work, or possibly an m-sata drive),
in addition to pulling the expansion header off, and connectorizing the serial 
‘debug’ header for a proper console.

We would need a simple enclosure as well.  Painted (or powder-coated) steel 
is less expensive than anodized aluminum, but I think the anodized aluminum 
looks nicer, and it can be laser engraved.

The other issue is single or dual core and 1GB or 2GB ram (4GB?)?
How interesting is the m-sata / miniPCIe option?

How you can help:

Indicate your level of interest.

This board would without a doubt cost more than the minnow board.   I don’t 
know how much more, but we’re not going to hit the
same volumes as the minnow board.  (I could be wrong.)   The minnow board could 
be subsidized by Intel. (I could be wrong.)

It’s going to require a significant investment (up-front NRE), an investment in 
getting a run of these made, and some return on those investments (profit).

How important is form-factor?   Larger PCBs cost more, but can sometimes relax 
routing enough to not need additional layers (fewer layers tend
to cost less).

- miniPCIe is going to require a connector (these cost money to both buy and 
place)

- m-sata also requires a switch, such that if the m-sata drive is in-place it 
is connected to the SATA controller

- RAM costs.   At these densities, 2GB of ram costs twice as much as 1GB of 
ram.   4GB of ram costs 4X as much as 1GB of ram.
making lots of different variants of the boards costs extra to both 
manufacture (stop the line, load the new parts, run the new SKU) and inventory.

- dual core or single core?Remember that pfSense 2.2 (which is based on 
FreeBSD 10)  supports a pf capable of multi-threading.

Jim


Re: [pfSense] pfSense version 2.1.1 has been released

2014-04-05 Thread A Mohan Rao
I'm not satisfied with the new release 2.1.1. Before I upgraded my firewall
was working fine; after the upgrade I'm facing lots of problems like broadcasting etc...
On Apr 5, 2014 11:43 PM, "Jeppe Øland"  wrote:

> On Fri, Apr 4, 2014 at 8:58 AM, Jim Thompson  wrote:
> > Please see the blog post
> > https://blog.pfsense.org/?p=1238
>
> Hmmm... mine gives an error that it can't verify the image signature...
> (I'm on 4gb 2.1 nano vga 64bit)
>
> Regards,
> -Jeppe

Re: [pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Brian Caouette
I see the same thing. I also notice I can no longer get online. I 
haven't touched the box in over a month. It went from working to not 
working. I can only assume its related to the auto update to 2.1.1


On 4/5/2014 2:40 PM, Adam Thompson wrote:
> On 14-04-05 01:31 PM, Adam Thompson wrote:
>> My own 2.1-release pfSense now can't auto-update.
> After updating from the console to 2.1.1, the web GUI *still* can't 
> handle auto-update checking.  Ordinarily, I'd assume misconfiguration, 
> but the only thing affected is the web UI.  WTF?
>
> --
> -Adam Thompson
>   athom...@athompso.net



[pfSense] IPv6 Match / Queue

2014-04-05 Thread Giles Davis
Hi all,

Wondering if anyone else has come across weirdness with queueing IPv6
traffic with PF / pfSense at all (or could perhaps point out my derps)? :)

As far as I can tell, 'Match' rules just plain don't seem to work to queue
v6 traffic, whereas they work just fine with v4. Behaviour seems to be
the same on 2.1 and 2.1.1.

In the process of trying to hunt down where this is going wrong, I've got:

A match rule for all IPv4 TCP [From rules.debug]:
match log  on {  bge0  } inet proto tcp  from any to any flags S/SA 
queue (qIPV4,qACK)  label "USER_RULE: Match v4 TCP LAN"
 This works fine, all v4/TCP traffic matches and falls into the
qIPV4 queue just as it should do. No issues here.

However with a match rule for all IPv6 TCP [From rules.debug]:
match log  on {  bge0  } inet6 proto tcp  from any to any flags S/SA 
queue (qIPV6,qACK)  label "USER_RULE: Match v6 TCP LAN"
 This doesn't cause IPv6 traffic to fall into the qIPV6 queue as you
would expect - it just hits the default queue. :(

The rule seems to have gone in just fine:
[2.1.1-RELEASE][root@pfsense.localdomain]/root(8): pfctl -vvvs rules |
grep 'inet6 proto tcp all'
@64 match log on bge0 inet6 proto tcp all flags S/SA label "USER_RULE:
Match v6 TCP LAN" queue(qIPV6, qACK)

And furthermore, traffic seems to match the rule just fine too:
[2.1.1-RELEASE][root@pfsense.localdomain]/root(1): tcpdump -n -e -ttt -i
pflog0

00:00:23.541557 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.633186 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.664269 rule 64/0(match): unkn(11) in on bge0: [|ip6]

 but yet the v6 traffic always just falls into the Default queue all
the same where v4 traffic ends up queue'd in the specified queue perfectly.

It seems I can make IPv6 traffic match a queue by using Pass/Quick:
pass log  quick  on {  bge0  } inet6 proto tcp  from any to
2001:4db0:10:1::2 flags S/SA keep state  queue (qIPV6,qACK)  label
"USER_RULE: Pass/Quick"
 This does seem to drop traffic to this destination into the correct
queue as expected - but this breaks the nice flexibility of being able to
have a whole pile of 'Floating' Match rules for traffic shaping coupled
with 'Interface' Pass / Drop rules to actually firewall traffic as required.

My google-fu seems to be failing me on finding much in the way of help
on this one, so if anyone has any thoughts - they would be greatly
appreciated.

Many thanks! :)

Giles.
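As an added example (not code from the post or from pfSense), the following Python script does the correlation the post does by hand: it parses the `pfctl -vvvs rules` listing and the `tcpdump -n -e -ttt -i pflog0` lines, and reports per rule number the address family, the queue pair the rule carries and how many pflog matches were seen. The sample input is constructed from the lines quoted above; rule numbers @60 and @70 and the IPv4 pflog line are assumptions. Run against a real box (`pfctl -vvvs rules > rules.txt` plus a saved pflog capture), the report separates "the rule never matched" from "the rule matched but traffic still landed in the default queue", which is the situation the post describes for IPv6.

```python
"""Correlate a pf rule listing with pflog matches.

Added example, not from the post or from pfSense. Sample input is constructed
from the post's quoted output; @60, @70 and the IPv4 pflog line are assumed.
"""
import re
from dataclasses import dataclass

PFCTL_RULES = """\
@60 match log on bge0 inet proto tcp all flags S/SA label "USER_RULE: Match v4 TCP LAN" queue(qIPV4, qACK)
@64 match log on bge0 inet6 proto tcp all flags S/SA label "USER_RULE: Match v6 TCP LAN" queue(qIPV6, qACK)
@70 pass log quick on bge0 inet6 proto tcp from any to 2001:4db0:10:1::2 flags S/SA keep state label "USER_RULE: Pass/Quick" queue(qIPV6, qACK)
"""

PFLOG_LINES = """\
00:00:23.541557 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.633186 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.664269 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:01.000000 rule 60/0(match): unkn(11) in on bge0: 10.0.0.5.51000 > 10.0.0.1.443: Flags [S]
"""

RULE_RE = re.compile(r'^@(\d+)\s+(\w+)\s+(.*)$')
QUEUE_RE = re.compile(r'queue\(([^)]*)\)')
LABEL_RE = re.compile(r'label "([^"]*)"')
# pflog link header as tcpdump prints it: rule <num>/<sub>(<reason>): <action> <dir> on <if>:
PFLOG_RE = re.compile(r'rule (\d+)/\d+\((\w+)\): (\S+) (in|out) on (\S+):')


@dataclass(frozen=True)
class Rule:
    number: int
    action: str     # match, pass, block, ...
    af: str         # inet, inet6 or any
    label: str
    queues: tuple   # (queue, ackqueue) or ()


def parse_rules(text):
    """Parse `pfctl -vvvs rules` output into {rule_number: Rule}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue            # skips the [ Evaluations: ... ] detail lines
        num, action, body = int(m.group(1)), m.group(2), m.group(3)
        tokens = body.split()
        af = 'inet6' if 'inet6' in tokens else 'inet' if 'inet' in tokens else 'any'
        q = QUEUE_RE.search(body)
        queues = tuple(s.strip() for s in q.group(1).split(',')) if q else ()
        lab = LABEL_RE.search(body)
        rules[num] = Rule(num, action, af, lab.group(1) if lab else '', queues)
    return rules


def parse_pflog(text):
    """Parse tcpdump pflog0 lines into (rule_number, reason, interface, direction)."""
    hits = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            hits.append((int(m.group(1)), m.group(2), m.group(5), m.group(4)))
    return hits


def correlate(rules, hits):
    """Count pflog matches per rule. Rules never seen get 0; rule numbers absent
    from the listing (e.g. listing taken after a ruleset reload) get action None."""
    summary = {n: {'action': r.action, 'af': r.af, 'queues': r.queues, 'matches': 0}
               for n, r in rules.items()}
    for num, _reason, _ifname, _direction in hits:
        summary.setdefault(num, {'action': None, 'af': None, 'queues': (), 'matches': 0})
        summary[num]['matches'] += 1
    return summary


def report(summary):
    """One line per rule, sorted by rule number."""
    lines = []
    for num in sorted(summary):
        s = summary[num]
        q = 'queue(%s)' % ', '.join(s['queues']) if s['queues'] else 'no queue'
        lines.append('@%d %s %s %s: %d pflog match(es)' % (num, s['action'], s['af'], q, s['matches']))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(correlate(parse_rules(PFCTL_RULES), parse_pflog(PFLOG_LINES)))))
```

The script can only show that a rule with a queue assignment matched; which queue the packet actually entered has to be read from the ALTQ counters (`pfctl -vvsq`) before and after a test transfer.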



Re: [pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Adam Thompson

On 14-04-05 01:31 PM, Adam Thompson wrote:
> My own 2.1-release pfSense now can't auto-update.
After updating from the console to 2.1.1, the web GUI *still* can't 
handle auto-update checking.  Ordinarily, I'd assume misconfiguration, 
but the only thing affected is the web UI.  WTF?


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] successor to ALIX is here

2014-04-05 Thread Adam Thompson

On 14-04-05 12:32 PM, Jim Thompson wrote:
> This SANS paper has a description of the common attacks against a VLAN 
> segmentation architecture, as well as countermeasures to same.  It 
> includes code to demonstrate several of the attacks.
>
> https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090


Jim, thank you for that - I've been looking for published references to 
convince one of the companies I work with that VLANs are "secure enough" 
for their needs.


--
-Adam Thompson
 athom...@athompso.net



[pfSense] 2.1 can't auto-update anymore?

2014-04-05 Thread Adam Thompson

My own 2.1-release pfSense now can't auto-update.
After I navigate to Firmware->Auto Update tab, I get:

Downloading new version information...done
Unable to check for updates.
Could not contact pfSense update server 
http://updates.pfsense.org/_updaters


with no corresponding log entries anywhere.  Dashboard exhibits 
corresponding " Unable to check for updates." issue.

Packages->Available still works.
Manual testing ("telnet updates.pfsense.org 80") indicates there's no 
problem talking to that web server.  (N.B. appears to work on both IPv4 
and IPv6, I tested all three addresses.)

I can even use command-line "ftp" client to download "latest.tgz"!
I have rebooted today, just in case something was "stuck".
One last thing to try... yup, upgrading from the console works fine.

Did I miss something obvious?  How can php from the console work, but 
php from the webserver not work?


--
-Adam Thompson
 athom...@athompso.net


Re: [pfSense] pfSense version 2.1.1 has been released

2014-04-05 Thread Jeppe Øland
On Fri, Apr 4, 2014 at 8:58 AM, Jim Thompson  wrote:
> Please see the blog post
> https://blog.pfsense.org/?p=1238

Hmmm... mine gives an error that it can't verify the image signature...
(I'm on 4gb 2.1 nano vga 64bit)

Regards,
-Jeppe


[pfSense] New intel atom board

2014-04-05 Thread Ugo Bellavance

http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fb&ncid=fb

An interesting platform for pfSense?

It looks like it only has 1 NIC though.



Re: [pfSense] successor to ALIX is here

2014-04-05 Thread Jim Thompson

On Apr 5, 2014, at 8:53 AM, Thinker Rix  wrote:

> On 2014-04-05 07:00, Ryan Coleman wrote:
>> And you cannot eliminate three of this with a switch?
> 
> I don't know any method how a network switch could replace the NICs of my 
> firewall - other than by operating with VLANs.
> 
> But I do not trust VLANs for this. This is not the correct purpose of VLANS, 
> IMO.
> Using VLAN for segregating networks that should live in physically different 
> network zones because they have fundamental differing security levels, is 
> like placing your firewall into a VM - You can, but you should not.
> 
>> Sounds like you should look at your design. 
> 
> No, I don't think so.
> I think you should audit your security policy.
> 
> Regards
> Thinker Rix

‘Rix’,

Please don’t be rude.  Your message contains only non-informed opinion backed 
by hostile invective, and such is not welcome on the list.

If you don’t trust VLANs, don’t use them.

Perhaps your network only runs over fiber inside pressurized tubes with 
pressure transducers wired into a system that will physically cut the fiber if 
the pressure in the tube drops.  This prevents ‘tapping’ the fiber via 
mechanical means.   The fiber is so your network can’t be tapped via means of 
sampling the emissions of the cat5 cable you would otherwise use for Ethernet.

Perhaps even this physically secure network (I’ll assume you have a 19 year-old 
with an M-16 standing guard outside the door of each of your secure facilities 
attached to this network) is not enough, and you also use quantum key 
distribution (transmission of non-orthogonal photon states using single photons 
to generate shared key material.  Heisenberg ensures that an adversary can 
neither successfully tap the key transmissions, nor evade detection, as 
eavesdropping raises the key error rate above a threshold value. )   Using the 
result of this keying, you encrypt all links with a strong, but fast stream 
cypher such as SOSEMANUK or Salsa/20/12, because you do not trust hardware 
cryptographic accelerators.

But VLANs have their place.  They’re used a lot in security applications.  Not 
for very high-security applications (military networks, financial trading 
networks, etc), but they are effective enough for the network segmentation 
requirements of PCI DSS.

This SANS paper has a description of the common attacks against a VLAN 
segmentation architecture, as well as countermeasures to same.  It includes 
code to demonstrate several of the attacks.
https://www.sans.org/reading-room/whitepapers/networkdevs/virtual-lan-security-weaknesses-countermeasures-1090

Jim

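The countermeasures that paper's class of VLAN attacks calls for (no trunk negotiation on ports that should not trunk, a dedicated native VLAN that carries no user traffic, restricted allowed-VLAN lists, unused ports parked and shut down) can be checked mechanically. The script below is an added example, not code from the list, from pfSense or from the SANS paper; it audits a constructed, IOS-style switch configuration (the syntax and the sample interfaces are assumptions) and reports each port that violates one of those rules.

```python
"""Audit a switch running-config for common VLAN segmentation weaknesses.

Added example. SAMPLE_CONFIG is constructed; the IOS-style command syntax
and the interface names are assumptions made for illustration.
"""
import re

# Constructed sample running-config (assumption: IOS-style syntax).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to pfSense
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet0/2
 description user LAN
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/3
 description DMZ host
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
interface GigabitEthernet0/4
 switchport mode dynamic desirable
interface GigabitEthernet0/5
 description unused
interface GigabitEthernet0/6
 description unused, parked
 switchport mode access
 switchport access vlan 999
 shutdown
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} per 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current:
            interfaces[current].append(line.strip())
    return interfaces


def audit_vlans(config):
    """Return a list of (interface, finding) tuples for enabled ports."""
    ifaces = parse_interfaces(config)
    findings = []

    # VLANs that carry end-host traffic; a trunk's native VLAN must not be one.
    access_vlans = set()
    for lines in ifaces.values():
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)", l)
            if m:
                access_vlans.add(int(m.group(1)))

    for name, lines in ifaces.items():
        mode = None
        native = 1            # default native VLAN when none is configured
        allowed_restricted = False
        nonegotiate = False
        shut = False
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)", l)
            if l.startswith("switchport mode "):
                mode = l.split()[2]      # access / trunk / dynamic
            elif m:
                native = int(m.group(1))
            elif l.startswith("switchport trunk allowed vlan "):
                allowed_restricted = True
            elif l == "switchport nonegotiate":
                nonegotiate = True
            elif l == "shutdown":
                shut = True
        if shut:
            continue                     # parked ports are fine
        if mode is None:
            findings.append((name, "enabled port left at default switchport settings"))
        elif mode == "dynamic":
            findings.append((name, "dynamic trunking mode: peer may negotiate a trunk"))
        elif mode == "trunk":
            if not nonegotiate:
                findings.append((name, "trunk without 'switchport nonegotiate'"))
            if native in access_vlans:
                findings.append((name, f"native VLAN {native} also used as an access VLAN"))
            if not allowed_restricted:
                findings.append((name, "trunk carries all VLANs; restrict the allowed list"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_vlans(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Run against the sample it reports four findings: the uplink trunk still negotiates and shares its native VLAN with the user LAN, one port is in dynamic mode, and one unused port is enabled with default settings; the port that was parked in VLAN 999 and shut down is silent. Feeding it a real exported configuration only requires that the stanzas follow the same indentation convention.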

Re: [pfSense] successor to ALIX is here

2014-04-05 Thread Thinker Rix

On 2014-04-05 07:00, Ryan Coleman wrote:
> And you cannot eliminate three of this with a switch?

I don't know any method how a network switch could replace the NICs of 
my firewall - other than by operating with VLANs.

But I do not trust VLANs for this. This is not the correct purpose of 
VLANS, IMO.
Using VLAN for segregating networks that should live in physically 
different network zones because they have fundamental differing security 
levels, is like placing your firewall into a VM - You can, but you 
should not.

> Sounds like you should look at your design.

No, I don't think so.
I think you should audit your security policy.

Regards
Thinker Rix

--
*Thinker Rix*, an internet user.
Please avoid TOFU in newsgroups and mailing lists 
(https://en.wikipedia.org/wiki/Posting_style#Top-posting)
Please avoid TOFU in newsgroups and mailing lists 
(https://de.wikipedia.org/wiki/TOFU)


[pfSense] 2.1.1 and OpenVPN Client Export

2014-04-05 Thread Peder Rovelstad
I'm seeing a 404 when going to the Client Export tab.  Do I need to delete
my OVPN server and recreate to be able to export a new install package?
Using Mr. Wizard, I get "port in use" stepping through the process.  Or is
this even necessary?  It does connect OK with the old client.  Thanks much.

Peder
