Re: [pfSense] CVE-2004-0230
Maybe a blog post about this?

-- Jim

On Sep 18, 2014, at 10:01, Jim Pingle li...@pingle.org wrote:

On 9/18/2014 8:55 AM, Martin Fuchs wrote:
Does CVE-2004-0230 affect pfSense 2.1.5?

As Vick mentions, practically the answer is 'no'. There are some rare cases when it might, however. It would require:

1. Disabled pf (System > Advanced, Firewall/NAT tab, check "Disable all packet filtering")
1a. Or the default rules were replaced by interface and floating rules in every direction set to 'no state'
2. The firewall is still reachable by the attacker
3. Connections are being made _to_ pfSense (not _through_ pfSense), e.g. local services such as the GUI, packages such as haproxy or squid, etc, *NOT* WAN-to-LAN or LAN-to-DMZ type connections.

If all of the above are true then it may be susceptible to the attack described in the FreeBSD SA. I don't think I have ever witnessed a setup that met all of those criteria, and even those that could meet the criteria wouldn't necessarily have long-lived connections for which such a TCP session reset would have any meaningful impact.

We will have the fix in 2.2 but I'm not sure if there will be another 2.1.x release at this time, but we'll see what happens.

Jim

___ List mailing list List@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Develop Applications for pfseu
On Sep 9, 2014, at 9:37 PM, Ryan Coleman ryanjc...@me.com wrote:

Hi Tom!

You would be better suited contacting Electric Sheep Fencing (http://www.electricsheepfencing.com/) directly for your how-to but you can start with a few basic concepts:

1) This system is running FreeBSD 8.3 at present (future systems may be running FreeBSD 9 or 10)

You shouldn't bother with the 2.1.x train. Go 2.2. There is no FreeBSD 9-based version of pfSense (nor will there ever be).

2) Your best option would be SQLite and PHP - why? Because I’ve been developing in PHP since 2.3 days (current deployment is 5.5 but I am not sure what version is installed and supported on the system) and it’s pretty darn user friendly.

PHP is version 5.5 in pfSense software version 2.2. https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes

There is some additional information here. https://doc.pfsense.org/index.php/How_do_I_get_PHP_support_for_mysql,_sqlite,_sockets,_etc

3) I would steer clear of C for one specific reason: it’s a royal pain in the butt and most of your needs should be capable with PHP.

I am of exactly the opposite opinion. I don't like PHP, but I am but one person.

Right now we are focused on getting 2.2 to a production-ready state. After that, there will be a focus on performance, and sometime after that, in the 3.0 release planning, it is likely that a fundamental architecture re-design will occur. Since this type of work is expensive in terms of time (and yes, time is money), this is an early heads up to an event on the horizon. I won't say more now, other than I'm willing to reconsider every technical aspect of the product during this process. It is unlikely that 32-bit x86 machines are supported on the other side of that event. To be clear, 32-bit platforms continue to be viable for the 2.2 releases.

(Cue up the always wrong idiots who claim that this time they're right, and pfSense will no longer be open source after a 3.0 in 5...4...3...2...)
Something to take note of is that not all installations are the same. Most of my clients run on AMD Geode processors. My two firewalls at home are running on Xeon 6-core VMs in VMWare ESXi, some people are running on dual and quad core CPUs. RAM ranges from a minimum of 256MB on those supported ALIX boards (I’m sure someone will correct me if I am wrong on this) up beyond 4GB (on the new APU boards and VMs and other systems). Others have installed the software on different desktop PCs running as dedicated systems - I have one such that is running on an old Dell P4 with Hyper Threading.

What experience do you have in application development - both desktop and web?

— Ryan
Publisher, d3photography.com

On Sep 9, 2014, at 22:39, Tom Mody bug29...@gmail.com wrote:

Hi, I have worked on pfsense this summer and I am really interested in developing apps for packet analysing. I have the pfsense apps source code from github but didn't get how to work with it. Please help me, how can I start writing apps for pfsense?
Re: [pfSense] menu bar in safari on 2.1.5
More properly, the CSS file was updated, but we didn’t change the name (or ‘version’), so your browser is using a stale, cached version.

jim

On Sep 10, 2014, at 12:29 PM, Ryan Coleman ryanjc...@me.com wrote:

I had the issue too but all I had to do was flush my cache and it was cleared up. There's a CSS file that's not updating. And it hits Safari more than other browsers -- since they added the Gold menu.

On Sep 10, 2014, at 14:08, Josh Reynolds j...@spitwspots.com wrote:

Having the same issue here, had to use the old sidebar theme.

Josh Reynolds, Chief Information Officer
SPITwSPOTS, www.spitwspots.com

On 09/10/2014 04:09 AM, Toni Garcia wrote:

Hello, I'm facing this exact problem using this theme with latest Firefox, Chrome and Chromium. After clearing the cache I'm unable to see the complete menu bar in one line, and the System menu is really hard to access. Is it me or is it a bug?

Regards

From: Vick Khera vi...@khera.org
To: pfSense Support and Discussion Mailing List list@lists.pfsense.org
Sent: Friday, 29 August 2014 17:24:43
Subject: Re: [pfSense] menu bar in safari on 2.1.5

On Fri, Aug 29, 2014 at 11:17 AM, Jim Thompson j...@netgate.com wrote:
Have you reloaded (the CSS changed) and/or cleared the browser cache?

Yeah, just did that and it cleared up. Sorry for the noise. My failovers are all upgraded... waiting for later in the night to do the primaries.

--
Toni Garcia
Systems Technician
Oracle Linux 6 Certified Implementation Specialist
Oracle Certified Professional Solaris 10 System Administrator
Oracle Certified Associate Solaris 11 System Administrator
SISTEL Servicios Informáticos de Software y Telecomunicaciones
Avd. Los Jarales, 4 (03010) ALICANTE
TLF 965930080 - FAX 901021558
www.sistel.es
Please consider your environmental responsibility before printing this e-mail.
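The failure mode Jim describes at the top of this message, as an added illustration that is not pfSense's own code: a browser caches by URL, so a stylesheet changed on the server but served under an unchanged name keeps coming from cache until the user forces a reload, while embedding a content hash in the URL (the 'version' he mentions) turns every change into a new cache key. The theme path and CSS bodies are constructed; the cache is a minimal model of the browser's behaviour, not a real one.

```python
"""Why an updated stylesheet under the same URL goes stale, and the fix.

Added example with constructed file contents; it models a browser cache
keyed on URL (the behaviour behind the 'stale CSS' reports in this thread)
and compares an unversioned asset URL with a content-hashed one.
"""
import hashlib
from typing import Dict


def content_hash(data: bytes, length: int = 8) -> str:
    """Short, stable fingerprint of the asset body (SHA-256 prefix)."""
    return hashlib.sha256(data).hexdigest()[:length]


def asset_url(path: str, data: bytes, versioned: bool) -> str:
    """URL the page would embed in its <link rel="stylesheet"> tag."""
    return f"{path}?v={content_hash(data)}" if versioned else path


class BrowserCache:
    """Minimal model: anything fetched once is reused for the same URL."""

    def __init__(self) -> None:
        self._store: Dict[str, bytes] = {}

    def fetch(self, url: str, server: Dict[str, bytes]) -> bytes:
        # Cache hit: the server is never consulted, however stale the copy is.
        if url in self._store:
            return self._store[url]
        path = url.split("?", 1)[0]      # the server ignores the ?v= query
        body = server[path]
        self._store[url] = body
        return body


def simulate(versioned: bool) -> bytes:
    """Serve theme.css, upgrade it on the server, re-load the page, and
    return what the browser actually applies after the upgrade."""
    old_css = b".menu { width: 900px; }"                        # constructed pre-upgrade theme
    new_css = b".menu { width: 960px; } .gold { display: inline; }"  # constructed post-upgrade theme
    path = "/themes/pfsense_ng/theme.css"                        # hypothetical asset path
    server = {path: old_css}
    cache = BrowserCache()

    cache.fetch(asset_url(path, old_css, versioned), server)     # first visit
    server[path] = new_css                                       # the upgrade lands
    return cache.fetch(asset_url(path, new_css, versioned), server)  # next visit


if __name__ == "__main__":
    print("unversioned URL after upgrade:", simulate(versioned=False))
    print("hashed URL after upgrade:     ", simulate(versioned=True))
```

The unversioned run returns the old stylesheet, which is exactly the menu-bar breakage reported in the thread; the hashed run returns the new one without anyone flushing a cache or shift-reloading.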
Re: [pfSense] Fwd: [Announce] 2.1.5 Release
again, the CSS changed, and the browsers love to cache that stuff.

On Fri, Aug 29, 2014 at 8:47 AM, Peder Rovelstad provels...@comcast.net wrote:

I did note the Code Red color scheme wraps the page header bar, putting Help under System. I have such problems...

It did this for me as well, but holding the shift key down and doing a browser refresh fixed it.

Doug

And there you go. Thanks!

P
Re: [pfSense] menu bar in safari on 2.1.5
Have you reloaded (the CSS changed) and/or cleared the browser cache? (I use Safari, too.)

On Fri, Aug 29, 2014 at 10:15 AM, Vick Khera vi...@khera.org wrote:

In 2.1.5 pfsense_ng theme, you added a new menu bar item for the Gold support subscription. What this does in Safari is make the system menu unusable, as the Help menu wraps around and covers it. I can hover over the System menu and see the options, but when I try to go click on one, I pass over the Help menu and the popup switches to that list of options. See the screenshots of 2.1.4 vs. 2.1.5:

The primary reason I was using this theme is because it works in Safari... I guess I'll revert back to the old pfsense theme.
Re: [pfSense] pfSense hardware with commercial support.
On Aug 29, 2014, at 10:19 AM, Vick Khera vi...@khera.org wrote:

On Thu, Aug 28, 2014 at 3:37 AM, Ulrik Lunddahl u...@proconsult.dk wrote:
Is there a difference in the software (firmware image)?
Is there a difference in the bundled support?

From what I can tell, the difference between the Netgate products and the pfSense store products is to whom you send payment. The same people seem to be providing the support. That said, I purchased my systems directly from the pfSense store (I got bigger units, not the little guys).

They’re built by the same people. They’re shipped by the same people. The same people provide support. The same firmware files are used (and the same update files). There are 2 companies, but they’re in the same office.

jim
Re: [pfSense] pfSense hardware with commercial support.
Not ‘DBAs’. (Technically ‘Netgate’ is a DBA on “Rubicon Communications, LLC”, and pfSense is really “Electric Sheep Fencing, LLC”. There is no “pfSense” DBA (though I’ve considered it).)

On Aug 29, 2014, at 10:23 AM, Ryan Coleman ryanjc...@me.com wrote:

It is the same product - they are just two different vendors, really. And maybe they are the same but DBAs? I don't know, care, or worry about it. The hardware lines that they share are the same thing. You just might get more of something from one and not from the other.

-- Ryan
Re: [pfSense] Netgate APU2 SSD module question
And I'm saying that you have to evaluate these things as systems, not the base level tech.

On Aug 28, 2014, at 8:06 AM, Espen Johansen pfse...@gmail.com wrote:

All I'm saying is that a normal SLC cell can handle about 10 times more writes than an MLC if everything else is the same. And as far as I can tell, the ability to handle writes is the OP's main concern. A SLC based SDHC card will have about 10 times longer life span in that regard. If you want it perfect then sure there are better options and technologies. I'm just trying to make the choice an easy one based on what the OP asked. There is always better, cheaper and faster tech just around the corner.

On 27 Aug 2014 21:26, Jim Thompson j...@smallworks.com wrote:

SD cards are storage, but not “disks” nor “drives”.

Beyond m-SATA, eMMC is your best option. Not only are they faster than SD cards (speeds of the larger devices rival those of traditional SSDs, as well as supporting a “TRIM”-like operation, priority interruptible READ and ERASE operations, background operations, and riding the cost-curve of cellular handsets (growing) vs. consumer point-and-shoot cameras (shrinking), etc.) (This, by the way, is a huge, huge ‘hint’.) (You may wish to read between the lines.)

A lot of the SLC / MLC mythos is from before the days of JEDEC standards for endurance, advanced wear-leveling algorithms, and before a lot of the firmware engineers understood concepts such as “read disturbance”, “write disturbance”, and “ECC correction thresholds”. It’s certainly not as simple as you’re making it out to be. (This, again, is the big reason that Netgate stayed out of the early fracas around SSDs.)

I’m not going to depend on what someone said in the forum over 3 years ago, since it’s unlikely to apply today.

Jim

On Aug 27, 2014, at 1:32 PM, Espen Johansen pfse...@gmail.com wrote:

For completeness sake. Just to clarify. You can get SDHC cards that are SLC based. Pretty much everything called industrial grade SD/SDHC will be a SLC SSD in SD format.

Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB.

-- Ryan Coleman ryanjc...@me.com m. 651.373.5015 o. 612.568.2749

On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote:

Yes, the system can be booted from an SD (or SDHC) card. Or from USB, or from the m-SATA. All of these require proper preparation of the requisite ‘disk’ (-like device).

Jim

On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:

I understand *that* however it doesn't say on the features page it can be booted off the SD slot - is that true? If so I have to change a few quotes I have in play as they will need to get mSATA SSDs instead.

On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote:

The SD (SDHC describes some cards which work in the slot) card slot is a “base feature”. If people choose to fit a m-SATA drive, then they can. Or they can use the SD card socket. It’s not like we’re going to de-solder the SD card socket if it’s not going to be used. Neither are we going to carry two different SKUs (one with, one without).

Jim

On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:

Why not answer the question?

On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote:

Ryan, Don't troll.

On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:

Wait, so the SDHC slot on this board is simply for show?

On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com wrote:

Thank you Espen,

Squid is for filtering purpose only, not to save bandwidth. On Netgate they have only this SSD as an option. But I’ll keep your advice in mind.

Best regards,
Sergii Cherkashyn

Date: Mon, 25 Aug 2014 20:45:46 +0200
From: Espen Johansen pfse...@gmail.com
To: pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] Netgate APU2 SSD module question
Message-ID: caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com
Content-Type: text/plain; charset=utf-8

I personally don't think you will have an issue with too many writes in a normal environment. Why squid, though? If it's for filtering, fine. For acceleration and 3-6 persons it will most likely not do you much good. Also check MLC vs SLC. SLC based SSD will last longer. Approximately 10 times longer. And even more with the right write leveling tech. Just my 2 cents.
Re: [pfSense] Netgate APU2 SSD module question
Ryan, Don't troll.

On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:

Wait, so the SDHC slot on this board is simply for show?
Re: [pfSense] Netgate APU2 SSD module question
The SD (SDHC describes some cards which work in the slot) card slot is a “base feature”. If people choose to fit a m-SATA drive, then they can. Or they can use the SD card socket. It’s not like we’re going to de-solder the SD card socket if it’s not going to be used. Neither are we going to carry two different SKUs (one with, one without).

Jim

On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:

Why not answer the question?
Re: [pfSense] Netgate APU2 SSD module question
Yes, the system can be booted from an SD (or SDHC) card. Or from USB, or from the m-SATA. All of these require proper preparation of the requisite ‘disk’ (-like device).

Jim

On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:

I understand *that* however it doesn't say on the features page it can be booted off the SD slot - is that true? If so I have to change a few quotes I have in play as they will need to get mSATA SSDs instead.
Re: [pfSense] Netgate APU2 SSD module question
That's how the SD card is connected.

-- Jim

On Aug 27, 2014, at 9:26, Ryan Coleman ryanjc...@me.com wrote:

Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB.

-- Ryan Coleman ryanjc...@me.com m. 651.373.5015 o. 612.568.2749
Re: [pfSense] Netgate APU2 SSD module question
Ryan,

I’m not sure what you’re asking.

This thread started off with Sergii Cherkashyn asking if running on an SSD was advisable. Obviously, it works, or we wouldn’t offer it. (The thread Sergii pointed to is from early 2011. Netgate did not ship SSDs for several years because the reliability *then* was so poor. The situation changed, and, once quality SSDs were available (*with power-fail capacitors, etc.*), we began offering same.)

Then you jumped in asking (is) “SDHC slot on this board is simply for show?” I honestly thought you were trolling. Since there is a configuration of the APU units available for sale both at the Netgate store *and* the pfSense store (http://store.pfsense.org) that does not include a m-sata drive, how else could the system boot pfSense?

Now you post on a public list, (a list about pfSense), asking me to change an unspecified page on (I assume), the Netgate site. Setting aside the whole issue of why we’re talking about this on-list, I can’t find the text that confused you.

Here is what I found on the Netgate site:

http://store.netgate.com/APU1C4.aspx says: “Boot from SD card (connected through USB), external USB or m-SATA SSD.”
http://store.netgate.com/APU1C.aspx says: “Boot from SD card (connected through USB), external USB or m-SATA SSD.”

You may wish to note that this language exactly matches that found on the PC Engines site: “Boot from SD card (connected through USB), external USB or m-SATA SSD.” ref: http://pcengines.ch/apu.htm, and http://pcengines.ch/apu1c.htm, and page 9 of the schematic for the APU (http://pcengines.ch/schema/apu1c.pdf) clearly shows that the “SD card interface” runs through an Alcor Micro AU6465 (http://www.alcormicro.com/en_content/c_product/product_01b.php?CategoryID=7IndexID=19) to USB6 on the AMD T40 SoC.

If you will be so kind as to make a specific request for change of the language you found confusing, I’ll take a look at it. You might even send such a request to me in-private, so as not to further clutter the list.

Right now, I can’t find a problem.

Jim

On Aug 27, 2014, at 9:26 AM, Ryan Coleman ryanjc...@me.com wrote:

Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB.

-- Ryan Coleman ryanjc...@me.com m. 651.373.5015 o. 612.568.2749
Re: [pfSense] Netgate APU2 SSD module question
SD cards are storage, but not “disks” nor “drives”.

Beyond m-SATA, eMMC is your best option. Not only are they faster than SD cards (speeds of the larger devices rival those of traditional SSDs, as well as supporting a “TRIM”-like operation, priority interruptible READ and ERASE operations, background operations, and riding the cost-curve of cellular handsets (growing) vs consumer point-and-shoot cameras (shrinking), etc.) (This, by the way, is a huge, huge ‘hint’.) (You may wish to read between the lines.)

A lot of the SLC / MLC mythos is from before the days of JEDEC standards for endurance, advanced wear-leveling algorithms, and before a lot of the firmware engineers understood concepts such as “read disturbance”, “write disturbance”, and “ECC correction thresholds”. It’s certainly not as simple as you’re making it out to be. (This, again, is the big reason that Netgate stayed out of the early fracas around SSDs.)

I’m not going to depend on what someone said in the forum over 3 years ago, since it’s unlikely to apply today.

Jim

On Aug 27, 2014, at 1:32 PM, Espen Johansen pfse...@gmail.com wrote:

> For completeness sake. Just to clarify. You can get SDHC cards that are SLC based. Pretty much everything called industrial grade SD/SDHC will be a SLC SSD in SD format.
>
>> Understood. Thank you for the clarification. Would it be possible to have the description updated on the sales page? It only says you can boot via SD through USB.
>>
>> --
>> Ryan Coleman
>> ryanjc...@me.com
>> m. 651.373.5015
>> o. 612.568.2749
>>
>> On Aug 27, 2014, at 9:24, Jim Thompson j...@netgate.com wrote:
>>
>>> Yes, the system can be booted from an SD (or SDHC) card. Or from USB, or from the m-SATA. All of these require proper preparation of the requisite ‘disk’ (-like device).
>>>
>>> Jim
>>>
>>> On Aug 27, 2014, at 9:21 AM, Ryan Coleman ryanjc...@me.com wrote:
>>>
>>>> I understand *that* however it doesn't say on the features page it can be booted off the SD slot - is that true? If so I have to change a few quotes I have in play as they will need to get mSATA SSDs instead.
>>>>
>>>> On Aug 27, 2014, at 9:20, Jim Thompson j...@smallworks.com wrote:
>>>>
>>>>> The SD (SDHC describes some cards which work in the slot) card slot is a “base feature”. If people choose to fit a m-SATA drive, then they can. Or they can use the SD card socket. It’s not like we’re going to de-solder the SD card socket if it’s not going to be used. Neither are we going to carry two different SKUs (one with, one without).
>>>>>
>>>>> Jim
>>>>>
>>>>> On Aug 27, 2014, at 7:57 AM, Ryan Coleman ryanjc...@me.com wrote:
>>>>>
>>>>>> Why not answer the question?
>>>>>>
>>>>>> On Aug 27, 2014, at 7:56, Jim Thompson j...@netgate.com wrote:
>>>>>>
>>>>>>> Ryan, Don't troll.
>>>>>>>
>>>>>>> On Aug 27, 2014, at 7:33 AM, Ryan Coleman ryanjc...@me.com wrote:
>>>>>>>
>>>>>>>> Wait, so the SDHC slot on this board is simply for show?
>>>>>>>>
>>>>>>>> On Aug 26, 2014, at 13:56, Sergii Cherkashyn ser...@accurategroup.com wrote:
>>>>>>>>
>>>>>>>>> Thank you Espen, Squid is for filtering purpose only, not to save bandwidth. On Netgate they have only this SSD as an option. But I’ll keep your advice in mind.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Sergii Cherkashyn
>>>>>>>>>
>>>>>>>>>> Date: Mon, 25 Aug 2014 20:45:46 +0200
>>>>>>>>>> From: Espen Johansen pfse...@gmail.com
>>>>>>>>>> To: pfSense support and discussion list@lists.pfsense.org
>>>>>>>>>> Subject: Re: [pfSense] Netgate APU2 SSD module question
>>>>>>>>>> Message-ID: caadq7-adzhlsv1p6rl7kwaaomaws1uqcet6fxa5ngdn8sl5...@mail.gmail.com
>>>>>>>>>> Content-Type: text/plain; charset=utf-8
>>>>>>>>>>
>>>>>>>>>> [...]
Re: [pfSense] ZFS warning message on local console during boot
On Jul 30, 2014, at 3:21 PM, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

> On 30.07.2014 at 22:09, Espen Johansen wrote:
>
>> ZFS = FS+LVM. It's efficient in many ways. It's highly resilient to things like silent data corruption (disk FW bugs, power spikes). It has on the fly checking and repair. Copy on write, snapshotting, NFSv4 native acls and a few more nice things. I don't understand the bashing?
>
> This is a firewall, not a fileserver, where such features do indeed make sense. And no bashing, just saying I don't care what filesystem pfSense uses under the hood, as long as it works. The fact that it spits out a warning seems to indicate that it does not work and there's something wrong, so I came here to ask.

tl;dr: I wouldn’t run ZFS… yet. I didn’t see the error message, you’re barking up a tree attempting to use it right now.

That said, there are certain advantages to ZFS, and there are internal experiments underway looking to use it for a future (64-bit only) release of pfSense. The data integrity and resiliency (due to COW semantics, checksumming, etc.) is one thing. I’ve had pretty good results turning on LZJB compression and ‘copies=2’, which is nearly as good as a nanobsd image with 2 separate slices, and, since you have a live filesystem, has NONE of the drawbacks of the nanobsd approach.

One could even ‘checkpoint’ (snapshot) the zvol prior to any change (pkg install, config change, etc), and, of course, ‘zfs send | ssh foo; zfs receive’ makes it entirely trivial to keep your entire firewall backed up, rather than (just) the config file.

People who say, “I can’t fathom a sensible use case for using ZFS on pfSense” or “why use it to replace nanobsd?” are (likely) stuck in a system admin mindset/mentality(*). I get the same pushback about bhyve (“why would you use that on a firewall?”) from people stuck in the same headspace.

I’m not going to reveal everything here, because it’s going to be post-2.2 before any of this comes about, and I’m keeping the focus on 2.2.

In short: ZFS is not just about building a NAS.

Jim

(*) If there isn’t an O’Reilly book out about it, it seems to not exist to these people.
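The "checkpoint before any change" and "zfs send | ssh; zfs receive" workflow sketched in the message above, written out as an added shell example; this is not code from the original thread or from the pfSense project. The dataset name, backup host and receiving dataset are placeholders, and the ZFS and SSH variables exist so the functions can be dry-run against stub commands.

```shell
#!/bin/sh
# Added example (not from the original thread or the pfSense project):
# take a ZFS snapshot before a risky change, roll back if the change fails,
# and replicate the snapshot to a backup host with send/receive.
# Placeholders: the dataset, the backup host and the receiving dataset.
# ZFS and SSH default to the real commands; point them at stubs for a dry run.

ZFS="${ZFS:-zfs}"
SSH="${SSH:-ssh}"

# Build the snapshot name from the dataset, a tag for the change and a
# timestamp, e.g. zroot/pfsense@pre-pkg-install-20140730T213400Z
snapshot_name() {
    printf '%s@pre-%s-%s\n' "$1" "$2" "$3"
}

# checkpointed_change DATASET TAG COMMAND [ARGS...]
# Snapshot DATASET, run COMMAND, and roll back to the snapshot if COMMAND
# exits non-zero. Returns COMMAND's exit status (1 if the snapshot failed).
checkpointed_change() {
    ds="$1"; tag="$2"; shift 2
    snap=$(snapshot_name "$ds" "$tag" "$(date -u +%Y%m%dT%H%M%SZ)")
    "$ZFS" snapshot "$snap" || return 1
    "$@"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        # -r discards snapshots newer than $snap so the rollback is not refused
        "$ZFS" rollback -r "$snap"
    fi
    return "$rc"
}

# replicate_snapshot SNAPSHOT HOST DEST_DATASET
# Stream the snapshot to HOST, where it is received into DEST_DATASET
# (-F lets the receiving side roll back to the last common snapshot first).
replicate_snapshot() {
    "$ZFS" send "$1" | "$SSH" "$2" "zfs receive -F $3"
}
```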
Re: [pfSense] ZFS warning message on local console during boot
On Jul 30, 2014, at 4:40 PM, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

> On 30.07.2014 at 23:34, Jim Thompson wrote:
>
>> tl;dr: I wouldn’t run ZFS… yet. I didn’t see the error message, you’re barking up a tree attempting to use it right now.
>
> Again, I don't care what FS pfSense uses under the hood as long as it works. I didn't make a conscious decision to install/run ZFS, I firmly believe I picked the default options during the pfSense install and now I'm seeing this warning. I don't insist on using ZFS at all. If I can and should get rid of ZFS to get rid of the warning, just tell me how.

No pfSense we produce has an installer that will make a zfs filesystem. Try again?
Re: [pfSense] ZFS warning message on local console during boot
Well, you could use it for that (pfSense on pfSense), but there will be unnecessary overhead.

On Jul 30, 2014, at 4:38 PM, Josh Reynolds j...@spitwspots.com wrote:

> Sounds like the mikrotik metarouter feature.
>
> Josh Reynolds, CIO
> SPITwSPOTS
> www.spitwspots.com
>
> On 07/30/2014 01:34 PM, Jim Thompson wrote:
>
>> [...]
Re: [pfSense] ZFS warning message on local console during boot
On Jul 30, 2014, at 7:20 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:

> Despite all that FreeBSD ZFS love, I still would not recommend it on FreeBSD/i386-based installations (as the OP said he was using). It is much more of a headache to use in that milieu, and, IMHO, doesn't get the testing and general care and feeding that the FreeBSD/amd64 version gets.

Note that I said any use we make would be amd64 only.

> Also, ZFS would not be a good fit on low-memory embedded hardware. There are enough problems getting ARC to play nicely on high-memory systems under memory pressure... :-)

What do you consider ‘low-memory’? It’s getting difficult to put less than 4GB in some systems. ZFS works really well on a 4GB system with around 100GB of ssd/m-sata.

The auto-tuned ARC maximum is physical RAM less 1GB, or 1/2 of available RAM. On a 2GB system, this is 1GB; on a 4GB system, it's 2GB. Have you looked at memory usage in pfSense lately?

Most of the ‘tuning guides’ consider fileserver/webserver/db applications. pfSense is none of these. There are several applications that would like to reliably write logfiles / rrd files, etc., however.
Re: [pfSense] Difference between APU4 and APU1C4
On Jul 27, 2014, at 13:06, Matthias May matth...@may.nu wrote:

> On 27.07.2014 18:32, Kenward Vaughan wrote:
>
>> On 07/22/2014 02:19 PM, Rainer Duffner wrote:
>>
>>> On 22.07.2014 at 21:29, Nickolai Leschov nlesc...@gmail.com wrote:
>>>
>>>> The difference is not $200, but about $100 with 8GB Sandisk Extreme Secure [sic!] SDHC card included.
>>
>> ...
>>
>> What sort of bandwidth are these able to handle? I have rotated older computers into the closet over the years, and found them to be bottlenecks earlier on (not so now with a relatively recent AMD 2500+ cpu). With a standard brighthouse hookup/plan we currently are at 1.2 GB/s. I'd hope these laugh at such speeds?
>>
>> Kenward
>
> Are you sure you meant 1.2 GB/s? That would be 9.6 Gbit/s (as in 9600 Mbit/s). These don't route that much. With the built in Realtek cards you get 450 Mbit/s without any fancy rules. I would expect this to go down with additional rules. With Intel cards on the same board you can get up to 650 Mbit/s, but I expect it to be lower with additional rules.

Note that Intel NICs are not available on the PC Engines board, so it's not the same board, though a few suppliers build boards with the same SOC and Intel NICs. With a dual core Rangeley or Avoton 900Mbps between two ports is an everyday thing.

> The strength of this board isn't that it performs very fast, but that it performs reasonably well without taking too much power. You can expect power consumption of below 10W without additional cards in the PCIe slots.

Those are miniPCIe slots, not PCIe. Rangeley / Avoton are 6-20W TDP, depending on the number of cores.

Jim

--
Jim
Re: [pfSense] Difference between APU4 and APU1C4
On Jul 22, 2014, at 16:19, Rainer Duffner rai...@ultra-secure.de wrote:

> On 22.07.2014 at 21:29, Nickolai Leschov nlesc...@gmail.com wrote:
>
>> The difference is not $200, but about $100 with 8GB Sandisk Extreme Secure [sic!] SDHC card included.
>>
>> 1. What's secure about this card? I suppose it's a regular SDHC one.
>>
>> 2. I would like to pay less, but I'm worried about assembling it right with regards to cooling. Can anyone clarify how cooling is achieved in this unit?
>
> http://pcengines.ch/apu.htm
>
> “Cooling: Conductive cooling from the CPU and south bridge to the enclosure using a 3 mm alu heat spreader.”
>
> If assembly is similar to that of ALIX-boards, it’s not difficult.

Except for the heat spreader, and issues related to the sd cards falling out, it's exactly like an Alix. Which is to say, the similarities are easy to spot. Putting the spreader in place correctly, on the first attempt, is in question. How much is your time worth? This is the question.
[pfSense] Seeking ipfw pf rulesets for performance work
We're doing some performance work with pf, and have issued a call for pf and ipfw rule sets.

http://lists.freebsd.org/pipermail/freebsd-net/2014-July/039373.html

If you wish to help, please get in touch with George.

--
Jim
Re: [pfSense] Difference between APU4 and APU1C4
Ryan,

Your point is entirely lost, I’ve already shown where your words are false by any measure. Time to close this thread.

Jim

On Jul 27, 2014, at 9:08 PM, Ryan Coleman ryanjc...@me.com wrote:

> Nickolai,
>
> I don’t know about you but I get my 8GB SDHC Class 10 cards for between $5 and $15.
>
> — Ryan
>
> On Jul 22, 2014, at 14:29, Nickolai Leschov nlesc...@gmail.com wrote:
>
>> The difference is not $200, but about $100 with 8GB Sandisk Extreme Secure [sic!] SDHC card included.
>>
>> 1. What's secure about this card? I suppose it's a regular SDHC one.
>>
>> 2. I would like to pay less, but I'm worried about assembling it right with regards to cooling. Can anyone clarify how cooling is achieved in this unit?
Re: [pfSense] Difference between APU4 and APU1C4
On Jul 22, 2014, at 10:58, Ryan Coleman ryanjc...@me.com wrote:

> I asked the differences in the two line items from netgate.

Perhaps you should ask sa...@netgate.com

Jim
Re: [pfSense] Difference between APU4 and APU1C4
On Jul 22, 2014, at 17:19, Nickolai Leschov nlesc...@gmail.com wrote:

> I wonder why they wouldn't just build the board with some appropriate Atom CPU? :-) And maybe even more performant, to boot? E3815, probably?

Bay Trail? Why? That's for tablets.

C2xx8 more likely.

IJS...
Re: [pfSense] Difference between APU4 and APU1C4
On Jul 22, 2014, at 17:19, Nickolai Leschov nlesc...@gmail.com wrote:

>> Just like the others: dissipation through the aluminum case
>
> How does the CPU connect to the aluminum case? Is there some thermal interface involved? Maybe an interface between CPU heatsink and aluminum case?

Yes, there is a transfer pad.
Re: [pfSense] Difference between APU4 and APU1C4
Very little of this thread is related to pfSense. Please stay on topic.

--
Jim

On Jul 22, 2014, at 17:32, Chris Bagnall pfse...@lists.minotaur.cc wrote:

> On 22/7/14 11:17 pm, Nickolai Leschov wrote:
>
>> I didn't notice this page. So it looks like it's some kind of thermal paste that allows for adequate thermal conductivity between the CPU/south bridge and the aluminum heat spreader, but the heat spreader is in dry contact with the case?
>
> The one I've just installed here in my home office has 'sticky' thermal pads on both sides of the aluminium heat spreader, and sticks to both the chips and the base of the chassis. It gets warm in use, but not uncomfortably hot. Ambient temperature is about 22C at this time of year.
>
>> Now, how is the board held in place, inside the enclosure? Is it held in place by 'screws and hex nuts'?
>
> 4 screws in the corners which go into binding posts on the chassis, not particularly dissimilar from most PC motherboards into cases.
>
>> What is the thing in the second-to-last picture near the thumb of the presenter's right hand: is it the SIM card tray? Is it accessible from outside, after the installation?
>
> There is a SIM card tray, and like the SD card slot, no, it's not accessible externally after installation.
>
> (as a matter of curiosity, does pfSense support this SIM card slot for anything 'interesting'? - one presumes it would need to be used in conjunction with a miniPCIe radio card of some persuasion)
>
> Kind regards,
>
> Chris
> --
> This email is made from 100% recycled electrons
Re: [pfSense] Difference between APU4 and APU1C4
Ryan,

Profanity and personal attacks have no place on this list.

--
Jim

On Jul 22, 2014, at 20:12, Ryan Coleman ryanjc...@me.com wrote:

> Look fuck nut: branded and shipped hardware is 100% on topic. Thank you.
>
> On Jul 22, 2014, at 20:10, Jim Thompson j...@netgate.com wrote:
>
>> Very little of this thread is related to pfSense. Please stay on topic.
>>
>> --
>> Jim
>>
>> On Jul 22, 2014, at 17:32, Chris Bagnall pfse...@lists.minotaur.cc wrote:
>>
>>> [...]
Re: [pfSense] Difference between APU4 and APU1C4
On Jul 22, 2014, at 16:30, Nickolai Leschov nlesc...@gmail.com wrote:

>> Bay Trail? Why? That's for tablets.
>
> What's the difference, in practical terms?

First: Rangeley has an integrated i354 10/100/1000 quad Ethernet MAC. Bay Trail requires one to add Ethernet.

Second: Rangeley has a high-speed crypto co-processor (Quick Assist).

Third: the lowest end Rangeley has twice the cache of the low-end Bay Trail. Similarly, the highest end Rangeley has twice the cache of the highest end Bay Trail.

Fourth: Bay Trail is a max quad core part, Rangeley is max 8-core (C27x8).

Fifth: Bay Trail maxes out at 1.5GHz, Rangeley at 2.4GHz. (Both non-turbo)

Is that enough, or shall I continue?

Jim
Re: [pfSense] Difference between APU4 and APU1C4
I am. I have. I'm trying to be patient and professional.

On Jul 22, 2014, at 20:47, Sean Colins s...@corequick.com wrote:

> Who is the list mom and why is he/she not responding to this?
>
> On Jul 22, 2014, at 6:12 PM, Ryan Coleman ryanjc...@me.com wrote:
>
>> Look fuck nut: branded and shipped hardware is 100% on topic. Thank you.
>>
>> On Jul 22, 2014, at 20:10, Jim Thompson j...@netgate.com wrote:
>>
>>> Very little of this thread is related to pfSense. Please stay on topic.
>>>
>>> --
>>> Jim
>>>
>>> On Jul 22, 2014, at 17:32, Chris Bagnall pfse...@lists.minotaur.cc wrote:
>>>
>>>> [...]
Re: [pfSense] 802.11ac Mini PCI Express adapter for pfSense
On Jul 21, 2014, at 8:18 AM, Nickolai Leschov nlesc...@gmail.com wrote:

> What is the status of pfSense 2.2?

alpha snapshots
Re: [pfSense] 802.11ac Mini PCI Express adapter for pfSense
There is no 802.11ac support in FreeBSD (and thus pfSense) as yet. 802.11n support is in FreeBSD 10 (and thus pfSense 2.2).

On Jul 20, 2014, at 11:08 PM, Ryan Coleman ryanjc...@me.com wrote:

> The compatibility is strictly up to the software drivers. Is the driver for the card you’re looking at listed in the HCL?
>
> On Jul 20, 2014, at 16:52, Nickolai Leschov nlesc...@gmail.com wrote:
>
>> I would like to use a PC Engines APU series board with pfSense as a wireless router. In their store, I can see 802.11n cards, at most, but can I use 802.11ac already? Does anyone have positive experience with a 802.11ac and can recommend a particular model?
>>
>> Best regards,
>> Nickolai
Re: [pfSense] apu.4c silently dies
On Jun 4, 2014, at 2:29 PM, mayak ma...@australsat.com wrote:

> i really want to love this board, but, it is simply a heater -- my problems are thermal. i have now completely removed the board from the case and put a huge copper heat sink on it -- i'll take a picture -- i placed it next to a switch where the fans blow on the sink. if my office gets above 23 or 24 degrees (C), it starts dropping packets, then goes toes up. so sad as this is the ideal platform that i was after.

It’s nice, (and I have zero problems in a 24C ambient), but I wouldn’t call it “Ideal”.

(watch this space)
Re: [pfSense] Report Errors
On Jun 2, 2014, at 13:18, Brian Caouette bri...@dlois.com wrote:

> As much as I like pfSense, it and packages are really prone to glitches and overall bugs.

pfSense has bugs, and packages have bugs, but it is a mistake to conflate the two.
Re: [pfSense] Report Errors
On Jun 2, 2014, at 10:02 PM, Ryan Coleman ryanjc...@me.com wrote:

> It’s also a mistake to not report them to the maintainers. :)

That’s true, and the maintainers for Squid, Snort and Suricata are very good about fixing said bugs.

Jim
Re: [pfSense] Poweredge 2850
On May 20, 2014, at 9:30 AM, Giles Coochey gi...@coochey.net wrote:

> On 20/05/2014 12:28, Ryan Coleman wrote:
>
>> On May 20, 2014, at 1:59, Giles Coochey gi...@coochey.net wrote:
>>
>>> Not to mention that if I ran a PE 2850 at home there would probably be complaints about the noise!!! Those things *scream* in the audible sense!!!
>>
>> Typically just on the first boot - mine always stopped screaming after about 30 seconds
>
> Even after the fans have kicked out of their max-cooling, max-air-flow mode the server is still way too loud for me in a home environment. Fan-less atom based box for home environment any day... and easily push 40Mbps IPsec.

The new ones (like the 2758 that pfSense sells) are actually *faster* than a 2850.
Re: [pfSense] Poweredge 2850
If you had purchased something more modern, (even an APU, which uses 5-10% of your 2850, and is completely silent) bhyve would be an option. Which is the general direction I'm headed with pfSense for being able to run a media center or NAS on top.

Refurb c1100s are $600 on fleabay with 8 cores and 72GB ram.
http://www.ebay.com/itm/261355969100

We use these for test boxes at ESF, since we boot them off USB, I don't care about the no drives.

If you don't need the ram, an 8GB version is $300.
http://www.ebay.com/itm/261441251762

We pulled all our 2850s and 2950s out of service. They're not worth the power draw (operating costs). I think the only remaining machine from that era we operate is a PE1950 my son uses for a minecraft server.

--
Jim

On May 20, 2014, at 12:45, Brian Caouette bri...@dlois.com wrote:

> For the price paid it can't be beat. I've seen smaller systems go for much more so figured I had room to grow. At some point I may be able to have two virtual machines on this unit and use one for a media center or cloud backup for the home business. Are there packages available for this? I don't really see anything that leads me to believe pfSense could be used in that way, which is why I'm thinking virtual. What software is available to do virtual machines?
>
> On 5/20/2014 12:11 PM, Jason Pyeron wrote:
>
>> -Original Message-
>> From: Brian Caouette
>> Sent: Tuesday, May 20, 2014 12:00
>>
>>> Are we talking fan noise? Hard drive noise? Also a comment was made about power. What are we talking?
>>
>> The general comments about how a PE2850 is overkill in the described home environment.
>>
>>> On 5/20/2014 2:59 AM, Giles Coochey wrote:
>>>
>>>> On 20/05/2014 02:12, Chris Bagnall wrote:
>>>>
>>>>> Forgive me for saying so, but that's a massive overkill for routing a 15Mbps connection. Granted, it'd be entirely appropriate if you were routing multiple gig transits in a datacentre environment where the power consumption might be justified, but in a home environment, you're just burning through electricity for the sake of it. Of course, if you're going to run pfSense as a VM under a hypervisor with several other VMs, then I take all the above back :-)
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Chris
>>>>
>>>> Not to mention that if I ran a PE 2850 at home there would probably be complaints about the noise!!! Those things *scream* in the audible sense!!!
>>
>> --
>> Jason Pyeron, PD Inc. http://www.pdinc.us
>> Principal Consultant, 10 West 24th Street #100, Baltimore, Maryland 21218
>> +1 (443) 269-1555 x333
>>
>> This message is copyright PD Inc, subject to license 20080407P00.
Re: [pfSense] Giant lock is still there?
On May 17, 2014, at 5:16 PM, Leon Volfson l...@one.co.il wrote:

> Hi guys,
>
> I had lots of issues in the past with the performance and as I understood then - one of the biggest problems was the Giant lock in pf. Since the 2.2 version is going to be FreeBSD 10 based I looked it up and saw that there was some work done on this by Gleb Smirnoff a couple of years ago. I was wondering whether it's actually been implemented and whether the 2.2 is going to be Giant lock-free.
>
> Also - performance-wise, how much will I gain upgrading from 1.2.2? (old, I know, but worked better than 1.2.3 in my case and was left like this since).

What kind of CPU are you running? What type of Ethernet parts? What does your load look like?

Even after answering these, it’s going to be a guess as to how your performance will change.

Yes, Gleb’s changes to pf (which are in FreeBSD 10) are in pfSense 2.2. You could always try a snapshot.

Jim
Re: [pfSense] upgrade dual ALIX netgate box?
On May 8, 2014, at 12:04 PM, b...@todoo.biz wrote:

> Hi, we are French resellers of Alix / APU.
>
> On 6 May 2014 at 21:16, Vick Khera vi...@khera.org wrote:
>
>> I have the dual ALIX RM1U box from netgate which is a bit over 2 years old now (and an older one too!) Has anyone attempted replacing the ALIX boards with APU2 boards? They appear to use the identical openings and case mounting holes.
>
> This is true. PC Engines updated their cases about 9 months ago. Cases older than this are about 1mm too small. APU1C comes with an iron plate to be stuck below the APU in order to dissipate the heat.

Iron? It’s a heat-conductive pad, with an aluminum plate.

>> Netgate themselves doesn't sell such a beast so it made me curious as to why they wouldn't sell a version with the board swapped and instead recommend other devices.
>
> I can’t really tell why NetGate does not resell APU1C

http://store.netgate.com/APU1C.aspx (board only, 2GB ram)
http://store.netgate.com/APU1C4.aspx (board only, 4GB ram)
http://store.netgate.com/NetgateAPU2.aspx (system, 2GB ram)
http://store.netgate.com/NetgateAPU2.aspx (system, 4GB ram)

> Currently there is a problem with the MSata sold by PCEngines which does not support TRIM - this has a limited effect on pfSense where TRIM is not activated by default. That being said it is not really « normal » for an MSata device not to support such function and might reveal some other problems… though so far we have noticed 0 problem on such device.

These cards DO support TRIM, but you have to correctly install software on the device to have it be stable. We are working on a “platform specific release” of pfSense for the APU.

> We have updated the firmware of the 10 units we have received so far. We are currently testing the unit with quite good results considering the price.
>
>> Also does anyone know of a crypto accelerator board for the APU2? Or is that even worth the effort for 4 home-office OpenVPN tunnels?
>
> You really don’t need such item - processor is strong enough to handle any kind of local VPN (our test shows about 80Mb/s with an OVPN tunnel)…

We’re testing 67 Mbps using UDP over OpenVPN AES256. AES-128 is about 78Mbps. But “don’t really need” is strong language, and to be clear, I disagree. My connection from my house is faster than this.

Jim
Re: [pfSense] Upgrading Alix 2d13
On May 2, 2014, at 23:42, David Newman dnew...@networktest.com wrote:

> It's possible this is related to this being 4G Sandisk CF cards, and modern 2G and 4G Sandisk cards producing alignment errors.

Unlikely.
Re: [pfSense] Interface options for pfsense
On Apr 22, 2014, at 10:39, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

> In fact, I'd be pretty disappointed, too, if a newer pfSense release stopped working on my hardware and the whole issue appeared out of the blue (== no "hme driver no longer supported" or similar notice in the release notes).

Your potential disappointment is noted.

It's not like we disabled the hme driver. We have no ability to test it, since we don't have one of these cards. Nor are we likely to invest in one.

I can think of a half dozen reasons that could cause the card to run on 2.0.3, and not run on 2.1.

Jim
Re: [pfSense] Interface options for pfsense
On Apr 20, 2014, at 5:32 PM, Volker Kuhlmann list0...@paradise.net.nz wrote:

> I've been running pfsense for many years (and been very happy with it) on scrapped PCs with a Sun 4-port Ethernet PCI card because I need 5 Ethernet ports. Now freebsd dying on the hme driver effectively turns those cards into scrap and I'm stuck. What are alternatives now? Are there any other 4-port cards that are supported by pfsense in practice (not just in theory), that are also affordable?

You’ll need to define “affordable”. You’ll also need to state if you’re looking for PCI, PCI-x or PCIe cards.

> The power consumption (and box volume) of scrapped PCs is not optimal, and I've been looking at moving to a small single-board. Soekris was always underpowered and overpriced IMHO, and PCEngines underpowered, until they released the exciting APU series recently. They all only have 3 Ethernet ports though, which is the stopper here. What mPCIe Ethernet cards are supported by pfsense that people can recommend?

We’ve run some experiments with various Intel-based cards in a NUC (we’re building a rack mount for them). They work, but it’s not an inexpensive solution.

> Are there any USB Ethernet adapters that actually work with pfsense? Reliably? I am looking for reports from those who have tried, not the freebsd supported HW list - that list is too long and not really trustworthy (I have a USB wifi adapter which runs for 10min then makes pfsense kernel panic).

WiFi isn’t recommended until at least pfSense 2.2, if then.

> The frequently recommended option of using VLANs may look good for larger commercial networks, but just buying a VLAN capable switch costs more than a suitable pfsense box and brings the power budget of the combination to the same level as a scrapped PC - with the latter winning hands down on cost.

You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less than $100 these days. No fan, so noise-free. 8W maximum. Real SNMP implementation, supports 802.1q, jumbo packets, etc.

When we lived in Hawaii, (expensive power), I used to run a 24-port version of this (1810-24G aka J9803A). Still no fan, 24 10/100/1000 ports, of these can support SFP. Current price is less than $200 on newegg, and probably way more switch than you need.

These days my “home lab” (the test lab at work) has a dedicated room, dedicated AC, several racks, and is connected via redundant 10Gbps links, with a backup fiber link at 100Mbps, so my home network is just an APU, a 16-port dumb switch, and a couple 802.11 APs. If I decided to upgrade the Grande connection to 1Gbps or, when Google fiber arrives, I’ll probably replace all that with an SDN (OpenFlow) setup.

Jim
Re: [pfSense] Interface options for pfsense
On Apr 22, 2014, at 12:27 PM, Stefan Baur newsgroups.ma...@stefanbaur.de wrote:

> Am 22.04.2014 18:29, schrieb Jim Thompson:
>
>> It's not like we disabled the hme driver.
>
> Nobody accused you of intentionally disabling it. Manure happens. :-) Relax.
>
>> We have no ability to test it, since we don't have one of these cards. Nor are we likely to invest in one.
>
> Over in the Interface yoyo thread, Message-ID 5355875d.9050...@athompso.net, Adam Thompson wrote:
>
>> If any of the devs want to test this hardware, I have at least one just sitting on the shelf I can ship to you. (I thought I had 3 or 4 of them, maybe they're still sitting in the E450s that are also sitting on the shelf. Well, actually on the ground, but only because I don't have any shelves that can hold *those*.)
>
> If Adam is willing to donate his spare card to you dev folks, and maybe Volker buys a Gold Membership (in case he doesn't have one already), would that significantly increase the chances of having a working hme driver in a future release? :-)

That would require finding a PC with a PCI slot, and time.
Re: [pfSense] Interface options for pfsense
On Apr 22, 2014, at 3:42 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:

> On Wed 23 Apr 2014 05:02:59 NZST +1200, Jim Thompson wrote:
>
>>> Are there any USB Ethernet adapters that actually work with pfsense? Reliably? I am looking for reports from those who have tried, not the freebsd supported HW list - that list is too long and not really trustworthy (I have a USB wifi adapter which runs for 10min then makes pfsense kernel panic).
>>
>> WiFi isn't recommended until at least pfSense 2.2, if then.
>
> OK, thanks Jim, good to know. Do you mean this to apply to USB wifi only?

No.

> There are cheap mPCIe atheros-based wifi cards for the PCEngine APU board. Are they known to be reliable?

Yes, I know. We sell thousands of them every month, but not for use in pfSense. Maybe with 2.2 the situation will improve.

>> You can pick up the 8 port HP switches (e.g. 1810-8G aka J9802A) for less than $100 these days. No fan, so noise-free. 8W maximum.
>
> Yes, thank you for mentioning that - I had seen that yesterday and their power specs had escaped me when I looked at them previously (some of those similar models do guzzle it). That's my plan B, but I really don't like to use VLANs when I can avoid the clutter and complexity (more bugs, more time spent). A pfsense box with more ports is much easier.

You asked. BTW, VLANs end up as less clutter, not more.

jim
Re: [pfSense] pfSense 2.1.2 is released
On Apr 16, 2014, at 4:34 PM, Brian Candler b.cand...@pobox.com wrote:

> On 15/04/2014 20:12, Jim Thompson wrote:
>
>> We dropped the price, too. -- Jim
>
> Which price are you referring to?

On the EC2 instance(s).

> I see that a support subscription is now $200 for 2 hours plus $200 per extra hour.

$400 for the initial 2 hours, $200/hr after that.

> The one my client purchased a couple of months ago was $600 for 5 hours and (I think) $100 per extra hour. That doesn't sound like a price drop to me :-)

The initial buy-in is $400, not $600.
Re: [pfSense] pfSense 2.1.2 is released
They're built; we're waiting on Amazon.

-- Jim

On Apr 11, 2014, at 22:41, linbloke linbl...@fastmail.fm wrote:

> On 11/04/2014 5:23 am, Jim Thompson wrote:
>
>> https://blog.pfsense.org/?p=1253
>>
>> pfSense release 2.1.2 is now available. pfSense release 2.1.2 follows less than a week after pfSense release 2.1.1, and is primarily a security release.
>
> Thanks for the new release. Any sign of updated AWS AMIs?
>
> Regards, lb
>
>> The Heartbleed OpenSSL bug and another OpenSSL bug which enables a side-channel attack are both covered by the following security announcements:
>>
>> • pfSense-SA-14_04.openssl
>> • FreeBSD-SA-14:06.openssl
>> • CVE-2014-0160 (Heartbleed)
>> • CVE-2014-0076 (ECDSA Flaw)
>>
>> Packages also have their own independent fixes and need updating. During the firmware update process the packages will be properly reinstalled. If this fails for any reason, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.
>>
>> Other Fixes
>>
>> • On packages that use row_helper, when user clicks on an add or delete button, the page scrolls to top. #3569
>> • Correct a typo on function name in Captive Portal bandwidth allocation.
>> • Make extra sure that we do not start multiple instances of dhcpleases if, for example, the PID is stale or invalid, and there is still a running instance.
>> • Fix for CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by uniqid and is not purely numeric. #3591
>>
>> You will want to perform a full security audit of your pfSense installations, renewing any passwords, generating or fitting new certificates, placing the old certificates on a CRL, etc.
Re: [pfSense] pfSense 2.1.2 is released
On Apr 12, 2014, at 18:55, Volker Kuhlmann hid...@paradise.net.nz wrote:

> On Fri 11 Apr 2014 18:43:18 NZST +1200, Ryan Coleman wrote:
>
>> He gave you an option to subscribe to the list.
>
> You seem to have missed the point I was making: critical security fixes (the 2.1.2 release in this case, unless I am misunderstanding) were not posted to security-announce@. The posting to announce@ only happened, because of initial setup problems, after I pointed out it was missing.
>
> Volker

Technically, the SA was posted, but the guy (Jeremy) who setup the list hasn't given me mod privs yet, and they are stuck in the mod queue. So, actually, I've not missed your point.

The whole security-announce setup is quite new. Patience, please, while the kinks are worked out.

Jim
Re: [pfSense] 2.1.2-RELEASE up for testing
The final testing (testing updates against the real update servers, which can’t be effectively simulated) is happening now.

jim

On Apr 10, 2014, at 12:50 PM, k_o_l k_...@hotmail.com wrote:

> Any update to when the fix will be released?!
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris Buechler
> Sent: Wednesday, April 09, 2014 5:04 AM
> To: pfSense support and discussion
> Subject: Re: [pfSense] 2.1.2-RELEASE up for testing
>
> Scratch that - that just missed a commit for another security fix, it's rebuilding now.
>
> On Wed, Apr 9, 2014 at 3:48 AM, Chris Buechler c...@pfsense.org wrote:
>
>> Normally we wouldn't put these out to the general public at this stage, but a few people are wanting the OpenSSL fix ASAP, and I already posted it to the forum. I've upgraded a handful of production systems and it seems fine, but still a number of things we'll verify before announcing it more widely and sending it to the mirrors and auto-update. I think this is what will become 2.1.2 release.
>>
>> https://files.pfsense.org/cmb/2.1.2-REL-testing/
>>
>> also mirrored at: http://files.nyi.pfsense.org/cmb/2.1.2-REL-testing/
>>
>> Those are signed and everything, just a matter of moving them into place if things test out fine.
[pfSense] pfSense 2.1.2 is released
https://blog.pfsense.org/?p=1253

pfSense release 2.1.2 is now available. pfSense release 2.1.2 follows less than a week after pfSense release 2.1.1, and is primarily a security release.

The Heartbleed OpenSSL bug and another OpenSSL bug which enables a side-channel attack are both covered by the following security announcements:

• pfSense-SA-14_04.openssl
• FreeBSD-SA-14:06.openssl
• CVE-2014-0160 (Heartbleed)
• CVE-2014-0076 (ECDSA Flaw)

Packages also have their own independent fixes and need updating. During the firmware update process the packages will be properly reinstalled. If this fails for any reason, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

Other Fixes

• On packages that use row_helper, when user clicks on an add or delete button, the page scrolls to top. #3569
• Correct a typo on function name in Captive Portal bandwidth allocation.
• Make extra sure that we do not start multiple instances of dhcpleases if, for example, the PID is stale or invalid, and there is still a running instance.
• Fix for CRL editing. Use an alphanumeric test rather than purely is_numericint because the ID is generated by uniqid and is not purely numeric. #3591

You will want to perform a full security audit of your pfSense installations, renewing any passwords, generating or fitting new certificates, placing the old certificates on a CRL, etc.
Re: [pfSense] pfSense 2.1.2 is released
On Apr 10, 2014, at 4:10 PM, Volker Kuhlmann hid...@paradise.net.nz wrote:

> On Fri 11 Apr 2014 07:23:52 NZST +1200, Jim Thompson wrote:
>
>> pfSense release 2.1.2 is now available.
>
> Thank you for all the quick work! May I ask though why this isn't simultaneously posted on pfsense-announce and pfsense-security-announce? In particular, if the security-announce list was to be used as a reliable source of critical information, posting the 2.1.2 release announcement with the heartbleed fix is not optional???

It was posted on announce@, but it seems that I’m moderated there. This is why my 2.1.1 release announcement was also held. I’ve pushed the message through.

security@ is for posting SAs

Jim
Re: [pfSense] pfSense 2.1.2 is released
On Apr 10, 2014, at 4:25 PM, Dimitri Rodis dimit...@integritasystems.com wrote:

> Can we also get information as to which versions of pfSense are affected aside from 2.1.1? Or is 2.1.1 the only affected version?

https://pfsense.org/security/advisories/pfSense-SA-14_04.openssl.asc
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
> I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier.

Both SAs affect pfSense 2.1 and 2.1.1.

Heartbleed is an issue because OpenSSL version 1.0.1f is used for software that is not part of FreeBSD 8.3-RELEASE (i.e. things found in /usr/local) in addition to the version without the Heartbleed issue, which is part of FreeBSD 8.3-RELEASE.

Both issues are being corrected via pending release of pfSense 2.1.2, as well as a near future rev for the pfSense 2.2 snapshots.

-- Jim

On Apr 8, 2014, at 21:05, Paul Mather p...@gromit.dlib.vt.edu wrote:

> On Apr 8, 2014, at 9:35 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:
>
>> On Apr 8, 2014, at 3:04 PM, Jim Thompson j...@smallworks.com wrote:
>>
>>> Well, that’s the point, Paul. (You hit the nail on the head.) If you don’t have an openssl service exposed, the problem doesn’t affect you. Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimised.
>>
>> The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the Impact section:
>>
>> =
>> III. Impact
>>
>> An attacker who can send a specifically crafted packet to TLS server or client with an established connection can reveal up to 64k of memory of the remote system. Such memory might contain sensitive information, including key material, protected content, etc. which could be directly useful, or might be leveraged to obtain elevated privileges. [CVE-2014-0160]
>>
>> A local attacker might be able to snoop a signing process and might recover the signing key from it. [CVE-2014-0076]
>> =
>>
>> I take that to read the vulnerability being exploitable both ways, i.e., a malicious server could also attack a vulnerable client connecting to it via SSL/TLS, making the attack surface potentially much larger.
>>
>> FWIW, the pre-advisory heads-up message from the FreeBSD Security Officer appears to back this up. It included the following advice:
>>
>> =
>> Users who use TLS client and/or server are strongly advised to apply updates immediately. Because of the nature of this issue, it's also recommended for system administrators to consider revoking all of server certificate, client certificate and keys that is used with these systems and invalidate active authentication credentials with a forced passphrase change.
>> =
>
> Just as a followup and clarification to the above, the recent OpenSSL vulnerability Security Advisory actually covers two OpenSSL flaws. The heartbleed flaw only affects FreeBSD 10 in the base OS. All other supported FreeBSD releases are affected by the other flaw they describe (in the ECDSA Montgomery Ladder Approach implementation).
>
> I believe pfSense users are only affected by the secondary flaw, and also any software in pfSense using the /usr/local/... version of OpenSSL, as mentioned by Vick Khera earlier.
>
> Kudos to the pfSense team for beavering away and cranking out a fix!
>
> Cheers,
>
> Paul.
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
2.1.2 wasn’t “UP”. Chris cut a version of something he called “2.1.2” that he indicated *might* become 2.1.2, but it was incomplete. So I asked him to pull it back down.

Jim

On Apr 9, 2014, at 4:59 PM, Ryan Coleman ryanjc...@me.com wrote:

> There was a post to the list at 0400 central US today that 2.1.2 was up but then he pulled it. I haven’t heard anything since then. You could turn off SSL or just not use it for the time being from anywhere you don’t trust the system - if they don’t see traffic to the firewall they cannot snoop your information.
>
> On Apr 9, 2014, at 3:40 PM, mayak ma...@australsat.com wrote:
>
>> snip
>>
>> hi all, any news? my routers feel exposed :-) god bless pfsense. m
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
Well, that’s the point, Paul. (You hit the nail on the head.) If you don’t have an openssl service exposed, the problem doesn’t affect you. Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.

We are working at cutting a new release.

Jim

On Apr 8, 2014, at 1:49 PM, Paul Galati paulgal...@gmail.com wrote:

> Is this vulnerability tied to a secure web connection on the wan interface? If I do not have the web gui enabled on the wan interface and I am not using openVPN, what other services allow this point of entry possible? Thanks for your time.
>
> Paul Galati paulgal...@gmail.com
>
> On Apr 8, 2014, at 8:20 AM, Marek Salwerowicz marek_...@wp.pl wrote:
>
>> Regarding the web test provided at: http://filippo.io/Heartbleed/ All my pfSense firewalls (their HTTPS WEB GUI) are vulnerable...
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 12:34 PM, Paul Heinlein heinl...@madboa.com wrote:

> On Tue, 8 Apr 2014, b...@todoo.biz wrote:
>
>> This might not be enough as there are two versions of openssl installed… One in /usr/bin/openssl and one in /usr/local/bin/openssl Both should be ok.
>
> Not on 2.1:
>
> [2.1-RELEASE]/root(9): /usr/local/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> Worse, that's the version used by OpenVPN and lighttpd:

Your use of “worse” here merely pours gasoline on an already burning fire.

> [2.1-RELEASE]/root(8): ldd /usr/local/sbin/openvpn
> /usr/local/sbin/openvpn:
>         libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
>         libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
> [2.1-RELEASE]/root(14): ldd /usr/local/sbin/lighttpd
> /usr/local/sbin/lighttpd:
>         libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
>         libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)

The situation is no different with pfSense version 2.1.1, even though the ports version of openssl is 1.0.1f. (1.0.1g is required to be clear of the Heartbleed issue.)

[2.1.1-RELEASE][root@pfSense.localdomain]/root(3): /usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014
[2.1.1-RELEASE][root@pfSense.localdomain]/root(4): /usr/bin/openssl version
OpenSSL 0.9.8y 5 Feb 2013
[2.1.1-RELEASE][root@pfSense.localdomain]/root(5):
[2.1.1-RELEASE][root@pfSense.localdomain]/root(15): ldd /usr/local/sbin/openvpn
/usr/local/sbin/openvpn:
        liblzo2.so.2 => /usr/local/lib/liblzo2.so.2 (0x8006ca000)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x80094f000)
        libc.so.7 => /lib/libc.so.7 (0x800c22000)
        libthr.so.3 => /lib/libthr.so.3 (0x800e4f000)
[2.1.1-RELEASE][root@pfSense.localdomain]/root(22): ldd /usr/local/sbin/lighttpd
/usr/local/sbin/lighttpd:
        libpcre.so.3 => /usr/local/lib/libpcre.so.3 (0x80067)
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)
        libthr.so.3 => /lib/libthr.so.3 (0x800c0c000)
        libc.so.7 => /lib/libc.so.7 (0x800d25000)

As previously mentioned, we’re working on a new release.

jim
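The two manual checks in this thread (which OpenSSL a daemon actually loads, and whether that OpenSSL's version is in the Heartbleed range) can be scripted. The POSIX shell below is an added example, not code from the thread or from the pfSense project; the sample ldd listing and the dhcpleases path it feeds itself are constructed, modelled on the 2.1.1 output above, and the version test encodes the publicly known affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed; 0.9.8 and 1.0.0 never had the bug).

```shell
#!/bin/sh
# Added example, not from the list thread or from pfSense itself.
# Two checks a defender would run on a pfSense 2.1.x box:
#  (1) does a TLS-speaking daemon link the base OpenSSL (/lib, /usr/lib)
#      or the ports one under /usr/local/lib, and
#  (2) is the matching OpenSSL's version in the Heartbleed range?

# Return 0 when an "openssl version" banner names an OpenSSL affected by
# CVE-2014-0160: the 1.0.1 branch before 1.0.1g. The 0.9.8 and 1.0.0
# branches (FreeBSD 8.3 base ships 0.9.8y) never had the heartbeat bug,
# and 1.0.1g carries the fix.
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Read ldd output on stdin and print where the libssl it resolves lives:
# "ports" for /usr/local/lib, "base" for anything else, "none" if the
# binary does not link libssl at all. Only the first libssl line counts.
ssl_origin() {
    awk '$1 ~ /^libssl\.so/ { print $3; exit }' | {
        read -r path || :
        case "$path" in
            /usr/local/lib/*) echo ports ;;
            "")               echo none ;;
            *)                echo base ;;
        esac
    }
}

# Combine both: $1 is the ldd output for one binary, $2 is the banner of
# the openssl binary that matches that library's origin
# (/usr/local/bin/openssl for ports, /usr/bin/openssl for base).
assess() {
    origin=$(printf '%s\n' "$1" | ssl_origin)
    if [ "$origin" = none ]; then
        echo "no-tls"
        return 0
    fi
    if heartbleed_affected "$2"; then
        echo "vulnerable($origin)"
    else
        echo "ok($origin)"
    fi
}

# Constructed sample input (addresses and the dhcpleases path are made up),
# modelled on the 2.1.1 ldd listing in the thread.
SAMPLE_LDD_LIGHTTPD='/usr/local/sbin/lighttpd:
    libpcre.so.3 => /usr/local/lib/libpcre.so.3 (0x800670000)
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007d3000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800939000)
    libthr.so.3 => /lib/libthr.so.3 (0x800c0c000)
    libc.so.7 => /lib/libc.so.7 (0x800d25000)'
SAMPLE_LDD_NOTLS='/usr/local/sbin/dhcpleases:
    libc.so.7 => /lib/libc.so.7 (0x800d25000)'
SAMPLE_PORTS_BANNER='OpenSSL 1.0.1f 6 Jan 2014'

# Demo run. On a live box substitute real output, e.g.
#   assess "$(ldd /usr/local/sbin/lighttpd)" "$(/usr/local/bin/openssl version)"
echo "lighttpd:   $(assess "$SAMPLE_LDD_LIGHTTPD" "$SAMPLE_PORTS_BANNER")"
echo "dhcpleases: $(assess "$SAMPLE_LDD_NOTLS" "$SAMPLE_PORTS_BANNER")"
```

Running `ldd` over every binary under /usr/local/sbin and piping each through `ssl_origin` is the quick way to list which services on a 2.1.x box are exposed through the ports OpenSSL rather than the base one; the base 0.9.8y is still subject to the second advisory (CVE-2014-0076), so "ok(base)" means "not Heartbleed", not "nothing to patch".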
Re: [pfSense] The Heartbleed Bug, CVE-2014-0160
On Apr 8, 2014, at 3:39 PM, Rainer Duffner rai...@ultra-secure.de wrote:

> On 08.04.2014 at 21:04, Jim Thompson j...@smallworks.com wrote:
>
>> Well, that’s the point, Paul. (You hit the nail on the head.) If you don’t have an openssl service exposed, the problem doesn’t affect you. Since normally the web GUI isn’t exposed to the WAN, the attack surface is minimized.
>>
>> We are working at cutting a new release.
>
> Hi, according to: http://www.kb.cert.org/vuls/id/BLUU-9HY33E only FreeBSD 10 is affected. There are binary updates for FreeBSD 10 available, just no advisory-text. No update for FreeBSD 9.1

pfSense 2.1 and 2.1.1 are affected.

Jim
Re: [pfSense] New intel atom board
On Apr 5, 2014, at 12:48 PM, Ugo Bellavance u...@lubik.ca wrote:

> http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fbncid=fb An interesting platform for pfSense? It looks like it only has 1 NIC though.

I looked at this earlier in the week when it was released. It’s interesting, (AES-NI and VT-x support! http://ark.intel.com/products/78475/Intel-Atom-Processor-E3845-2M-Cache-1_91-GHz) and Circuitco is just up the highway in Richardson, TX. I’ve considered driving up and seeing what it would take to take the schematics (when they are available) and have a board built with 2 Ethernets (rather than one), and maybe a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of these work, or possibly an m-sata drive), in addition to pulling the expansion header off, and connectorizing the serial ‘debug’ header for a proper console.

We would need a simple enclosure as well. Painted (or powder-coated) steel is less expensive than anodized aluminum, but I think the anodized aluminum looks nicer, and it can be laser engraved.

The other issue is single or dual core and 1GB or 2GB ram (4GB?)? How interesting is the m-sata / miniPCIe option?

How you can help: Indicate your level of interest.

This board would without a doubt cost more than the minnow board. I don’t know how much more, but we’re not going to hit the same volumes as the minnow board. (I could be wrong.) The minnow board could be subsidized by Intel. (I could be wrong.)

It’s going to require a significant investment (up-front NRE), an investment in getting a run of these made, and some return on those investments (profit). How important is form-factor? Larger PCBs cost more, but can sometimes relax routing enough to not need additional layers (fewer layers tend to cost less).

- miniPCIe is going to require a connector (these cost money to both buy and place)
- m-sata also requires a switch, such that if the m-sata drive is in-place it is connected to the SATA controller
- RAM costs. At these densities, 2GB of ram costs twice as much as 1GB of ram. 4GB of ram costs 4X as much as 1GB of ram. Making lots of different variants of the boards costs extra to both manufacture (stop the line, load the new parts, run the new SKU) and inventory.
- dual core or single core? Remember that pfSense 2.2 (which is based on FreeBSD 10) supports a pf capable of multi-threading.

Jim
Re: [pfSense] 2.1 can't auto-update anymore?
Kevin,

Glad you like the update. You won’t get ‘multicore’ PF until pfSense 2.2 (which is based on FreeBSD 10). Snapshots are available now.

Rangeley hardware, you say? http://store.netgate.com/Firewall/C2758.aspx

Also available “real soon now” at the pfSense store. We believe in the C2000, so there will be other hardware leveraging that series coming available this year. And yes, I agree that pfSense 2.2 will perform very well on the Intel C2000 series SoCs.

You’ll notice that rather than create a “commercial version” of pfSense, (as many want to accuse me of doing), we just put the drivers in pfSense 2.1.1, where everyone can enjoy them. What you don’t get in the community builds is the testing/tuning that are part of the above. The results are significantly better than a stock load. But even here, I’m working on a way to make those “platform-specific” tuning parameters available to the community.

Jim

On Apr 5, 2014, at 4:17 PM, Kevin Boatswain kboat...@gmail.com wrote:

> Well I just upgraded successfully, thanks a lot for the fix. Don't know if it's the sugar pill effect but general web browsing seems MUCH MUCH Faster (and it wasn't slow to begin with). I'm guessing this is due to many of the improvements including the updated PF for multicore. Not time to look at the supermicro versions of the Rangeley or Avoton platforms as I was waiting until PFSense supported the new i354 and i210 nics. These would make AWESOME pfsense platforms. http://www.servethehome.com/Server-detail/intel-atom-c2750-8-core-avoton-rangeley-benchmarks-fast-power/
>
> On Sat, Apr 5, 2014 at 3:39 PM, Jeremy Porter jpor...@netgate.com wrote:
>
>> There was an error in one of the version number strings, this has been fixed. (It didn't replicate to one of the mirrors correctly.) Auto-update is just a quick link to the upgrade system, it does not automatically upgrade the firewall without clicking on it, so if your firewall is offline, that is likely a different problem.
>>
>> On 4/5/2014 2:48 PM, Kevin Boatswain wrote:
>>
>>> I am having the same issue on my box.
>>>
>>> Downloading new version information...done
>>> Unable to check for updates.
>>> Could not contact pfSense update server http://updates.pfsense.org/_updaters
>>>
>>> At first I thought maybe my box needed to be rebooted but seeing your message and the forum post below makes me wonder is there something wrong with the upgrade url or am I supposed to be using a new upgrade url? https://forum.pfsense.org/index.php?topic=74639.0 I am currently using http://updates.pfsense.org/_updaters for my update url as well. Odd that you were able to update from the console however. I wonder does the console use the same url listed in the Gui?
>>>
>>> On Sat, Apr 5, 2014 at 1:46 PM, Brian Caouette bri...@dlois.com wrote:
>>>
>>>> I see the same thing. I also notice I can no longer get online. I haven't touched the box in over a month. It went from working to not working. I can only assume it's related to the auto update to 2.1.1
>>>>
>>>> On 4/5/2014 2:40 PM, Adam Thompson wrote:
>>>>
>>>>> On 14-04-05 01:31 PM, Adam Thompson wrote:
>>>>>
>>>>>> My own 2.1-release pfSense now can't auto-update.
>>>>>
>>>>> After updating from the console to 2.1.1, the web GUI *still* can't handle auto-update checking. Ordinarily, I'd assume misconfiguration, but the only thing affected is the web UI. WTF?
>>>>>
>>>>> -- -Adam Thompson athom...@athompso.net
Re: [pfSense] New intel atom board
On Apr 5, 2014, at 5:06 PM, Adam Thompson athom...@athompso.net wrote: On 14-04-05 02:02 PM, Jim Thompson wrote: http://techcrunch.com/2014/04/03/intel-releases-99-minnowboard-max-an-open-source-single-board-computer/?utm_campaign=fbncid=fb An interesting platform for pfSense? It looks like it only has 1 NIC though. I looked at this earlier in the week when it was released. It’s interesting, [...] and Circuitco is just up the highway in Richardson, TX. I’ve considered driving up and seeing what it would take to take the schematics (when they are available) and have a board built with 2 Ethernets (rather than one), and maybe a miniPCIe socket (for an 802.11 NIC, as pfSense 2.2 should make a lot more of these work, or possibly an m-sata drive), in addition to pulling the expansion header off, and connectorizing the serial ‘debug’ header for a proper console. Given the high up-front costs to produce a variant board, wouldn't it be easier, faster and cheaper to just use the expansion header, which IIRC includes two PCIe 1x lanes? If a breakout cable existed that provided 2 PCIe slots, it would be possible to simultaneously have much more flexibility in enclosure design (e.g. PCIe cards underneath the board?) as well as flexibility in choice of add-on. The expansion header only includes one PCIex1 2.0 lane, 1x SATA2, 1x USB 2.0 host, I2C, GPIO, JTAG, +5VDC, GND http://www.minnowboard.org/meet-minnowboard-max/ I don't see that a breakout cable exists yet for the high-speed expansion bus, so there's that minor (*cough*) problem... but that seems a much smaller problem than re-tooling the board. We would need a simple enclosure as well.Painted (or powder-coated) steel is less expensive than anodized aluminum, but I think the anodized aluminum looks In case you don't have a local firm you're happy with, talk to Protocase for sample qtys. I've seen them be cheaper than mass mfg for small runs of simple cases (e.g. interlocked-U style). 
We have a local firm we’re pretty happy with. We also have a lot of experience in injection molding now (smallworks.com) The other issue is single or dual core and 1GB or 2GB ram (4GB?)? The stock 2GB version should be adequate (barely) IMHO for most applications that function with that class of CPU/ethernet/storage anyway. Much more interesting to me would be if a small, low-cost board like that were available with ECC. That CPU does support ECC RAM, after all… yes it does. ECC ram is also a lot more expensive. How interesting is the m-sata / miniPCIe option? Not to me, as I tend to deploy pfSense at the higher-end of the spectrum, but *some* way to add WiFi would probably be important for the putative target audience. USB probably won't cut it for an AP, so mPCIe is probably needed. Again, expansion-header-to-mPCIe should be possible instead of reworking the board... and unlike PCIe 1x sockets, that wouldn't take up much more room than putting the mPCIe headers on the board. see above. How you can help: Indicate your level of interest. Neat, but not commercially interesting to me right now. Linksys/ASUS/D-Link make cheaper gateways that are good enough for home users, and commercial users will either get a FortiWiFi (or equivalent) or if pfSense, re-use an existing rackmount server. This board would without a doubt cost more than the minnow board. I don’t know how much more, but we’re not going to hit the same volumes as the minnow board. (I could be wrong.) The minnow board could be subsidized by Intel. (I could be wrong.) See above comments :-). I'm not sure if a breakout cable is 100% workable, but if so it's a faster/cheaper option than mPCIe. It’s going to require a significant investment (up-front NRE), an investment in getting a run of these made, and some return on those investments (profit). How important is form-factor? Larger PCBs cost more, but can sometimes relax routing enough to not need additional layers (fewer layers tend to cost less). 
Smaller is better. Otherwise I may as well just deploy a miniITX or 1U system. Which, yes, argues *against* using a breakout cable for PCIe. - dual core or single core? Remember that pfSense 2.2 (which is based on FreeBSD 10) supports a pf capable of multi-threading. Good question - optimize for today or for tomorrow? Back when I was a teenager, I liked to hang out in the local speed shop. There was a plaque on the wall, with a very bent connecting rod, and the following lettered below it: “Speed costs money, son. How fast do you want to go?” This was before Mad Max appropriated it: http://www.imdb.com/title/tt0079501/quotes?item=qt0427399 Jim
Re: [pfSense] successor to ALIX is here
On Apr 2, 2014, at 3:17 PM, Thinker Rix thinke...@rocketmail.com wrote: On 2014-04-02 17:35, Eugen Leitl wrote: Apu.1c http://www.heise.de/newsticker/meldung/Embeddded-Mainboard-mit-x86-CPU-und-Coreboot-2160404.html http://www.pcengines.ch/apu1c.htm in stock, €105.13 Unfortunately again only 3 NICs... and Realteks with bad performance. I would love to see such a board one day with at least 4-8 NICs. Such things are, literally, on the way, but aren’t going to be priced similarly to the APU. Jim
Re: [pfSense] successor to ALIX is here
On Apr 2, 2014, at 3:24 PM, Ryan Coleman ryanjc...@me.com wrote: Wouldn’t a layer-3 switch be a good investment in this situation? Put the load on another device instead of, what is for all intents and (definitely) purpose a thin, light-weight piece of hardware? It doesn’t even need to be a layer-3 switch. A decent layer-2 switch with enough programmable control would do it. Such switches (layer 2 and even layer 3) exist, and programmable control can be had (sometimes) via protocols like OpenFlow. The obvious path here is pfSense - ofSense as a controller for OpenFlow hardware. Not that this isn’t already being actively discussed inside Netgate or anything… :-) (here is a huge hint: http://store.netgate.com/Switches-C167.aspx) This would enable multiples of 10G performance for load-balancing, packet filtering, and even NAT (with the right switch hardware). The only issue here is that such switches tend to be a bit … pricey. Thus far, the community hasn’t shown a lot of appetite for solutions that cost more than a few hundred dollars. Even Chris continually touts that an Alix board is “enough for most people”. He’s right, except that the world of existing networking doesn’t allow a lot of flexibility, and even home users might find that the complexity of configuring NAT/VLANs/packet filtering/caching/… is a bit much. I’m not saying that a home user needs a $3,000 openflow switch, but a $300 solution with 3-4 Gb Ethernet ports should be more than adequate, since, in the right scenarios, even a Gb/s Google Fiber feed could be handled by a 2-4 core SoC and a set of re-architected software. Jim
Re: [pfSense] successor to ALIX is here
On Apr 2, 2014, at 5:01 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote: On 2/4/14 9:17 pm, Thinker Rix wrote: Unfortunately again only 3 NICs... and Realteks with bad performance. I would love to see such a board one day with at least 4-8 NICs. On that subject, we've recently been experimenting with these: http://linitx.com/product/jetway-jbc373-intel-atom-d525-barebone-system-quad-gigabit-lan/13700 Initial results seem promising, they've got a CF slot, and they're not a great deal more expensive than the ALIX units were. Yeah, we carried those for a while, then they started coming back, so we stopped carrying it in the store, and are moving the remaining inventory on Amazon. I think we called it the FW-525B. They (also) have RealTek NICs. YMMV. Jim
Re: [pfSense] Blast from the past: pfSense 1.2 / ALIX / VLANs
What's your time worth? -- Jim On Mar 24, 2014, at 9:03, Stefan Baur newsgroups.ma...@stefanbaur.de wrote: Am 24.03.2014 14:18, schrieb Chris Bagnall: However, the new tenant found that performance was erratic - certain websites loaded instantly, but others wouldn't load at all. This normally screams classic MTU problems, in my experience, but I normally see these on weird WAN connections, not on the LAN. Does anyone know if there are/were 'problems' with 1.2 and VLAN MTUs on ALIX platforms (ethernet driver 'vr'), and whether an update to 1.3 might fix it? This is old hardware with only 128MB RAM, so jumping to 2.x is optimistic. The site in question is a couple of hundred miles away from me, so 'try it and see' isn't really an option in this case. :-) While I do have to admit that I don't have experience with the particular ethernet driver you mention, I know that there are several Unix Operating Systems where not all ethernet drivers are capable of dealing with the added bytes that a VLAN tag brings with it. IIRC, VLAN needs four bytes, so instead of upgrading to 1.3 you could first try to set the MTU to 1496 instead of the usual 1500. -Stefan
Re: [pfSense] (no subject)
Chris had to rebuild lists.pfsense.org, as one of the databases became corrupted. You might have gotten added in that process. On Mar 19, 2014, at 1:54 PM, Doug Barton do...@dougbarton.us wrote: Actually I'm sort of curious as to how I got on the list in the first place. I certainly did not sign up for it. I can figure out how to remove myself of course, but was there some sort of mass involuntary subscription process that occurred in the last 24-36 hours? Doug On 3/19/2014 11:48 AM, Vick Khera wrote: because clicking the link at the bottom of every message you get from the list is too hard? On Wed, Mar 19, 2014 at 2:25 PM, robert gledhill robert...@gmail.com mailto:robert...@gmail.com wrote: Remove me
Re: [pfSense] Wifi/WAN issues
On Mar 6, 2014, at 5:26, Jeremy Bennett jbenn...@hikitechnology.com wrote: What am I doing wrong? You're running a more modern card than supported in pfSense 2.1, which is based on FreeBSD 8.3. Perhaps 2.2 will fix the issue. Jim
Re: [pfSense] Wifi/WAN issues
On Mar 6, 2014, at 12:51 PM, Jeremy Bennett jbenn...@hikitechnology.com wrote: I spoke to the good folks at Netgate, and they assured me that the card was indeed compatible with 2.1. From what I've seen, they've always been very responsible with the products they sell and they were very helpful when I raised the issue with them. So, that said, any other ideas? Yeah, my mistake. (Note my employer…) I thought you had a more modern Atheros card. These things typically turn out to be RF issues: poor connection of the pigtail, high signal levels in the environment, etc. In your particular case, you report: “In configuring the WAN interface, I set the card to infrastructure mode (BSS) and fill in the network I'm trying to join's name (“wireless_network”).” and “If I go to status interfaces, I see that the status says no carrier” “I setup an open network off of my cell phone and submitted the SSID of my phone's network and I get the same status : no carrier result.” So we don’t know if your card is even receiving beacon frames. Can you drop to a shell and run “ifconfig wlan0 scan” (for whatever the name of your interface is)? Jim
Re: [pfSense] pfsync state full resync
See your link http://www.openbsd.org/faq/pf/carp.html It's all in there. -- Jim On Feb 16, 2014, at 12:03, rajan agarwal rajanagarwa...@gmail.com wrote: I was about to post the same question. Thanks Brian, been facing a problem with this in my 2 pfsense setup. On Sun, Feb 16, 2014 at 7:20 PM, Brian Candler b.cand...@pobox.com wrote: I have a question about pfsync failover. Suppose you have a master/slave firewall pair; the master is broadcasting updates to its state table and the slave is picking them up. Then you reboot the master firewall. The slave firewall takes over. When the master firewall comes back, its state table will initially be empty. So does it have a way to request from the slave a dump of the current state table? And will this transfer be completed before it becomes master on any CARP interfaces? I can't see this situation described at http://www.openbsd.org/faq/pf/carp.html http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.4 It talks about state change messages but not a full resync. However, I can find a hint of a bulk transfer here: http://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4 and in this old posting: http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010823.html Thanks, Brian.
Re: [pfSense] Netgate's customized pfSense release
On Feb 14, 2014, at 5:15 AM, Jostein Elvaker Haande jehaa...@gmail.com wrote: On 14 February 2014 11:54, Brian Candler b.cand...@pobox.com wrote: On 13/02/2014 19:43, Jostein Elvaker Haande wrote: The thing that brand names as Netgear now sells out of the box [..] I welcome Netgear to the pfSense community as a most welcome addition, and I hope to see similar additions in the time to come. That would be Netgate, not Netgear :-) Oooops! :) Slight slip of the fingers that. You would not believe how often it happens. It’s likely that some of you don’t know that Netgate was originally the name of a source-available(*) packet filter for SunOS(**) in 1991. See, for example: http://www.greatcircle.com/firewalls/mhonarc/firewalls.199309/msg00092.html Jim (*) the term “open source” had yet to exist in 1991, which was when ‘SmallWorks’, the company behind the Netgate firewall, was formed. (**) FreeBSD didn’t exist in 1991, either. ’Netgate' ran on BSDI’s BSD/OS though we never formally launched it on the platform. Rob Kolstad was my boss at Convex in the mid-80s. So I knew those guys really well, but the USL lawsuit prevented our launch on BSD/OS.
Re: [pfSense] Netgate's customized pfSense release
On Feb 13, 2014, at 12:10 PM, Chris Buechler c...@pfsense.org wrote: On Thursday, February 13, 2014, Andrew Hull l...@coffeebreath.org wrote: Hi List, Having purchased several pfSense devices assembled by Netgate (m1n1wall and FW-7541), I've noticed that the pfSense pre-install image was customized with Netgate branding and the firmware auto-update mechanism was set to a Netgate URL. Has this been discussed on the list before? I’m not sure why it would be discussed on the list. It’s a business matter between ESF and Netgate. My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the devices with images from ESF. No, no, no. Custom hardware-specific images are a good thing - when done by us, as in the case of Netgate. More when I'm not on my phone. Indeed. You’ll see more of this in the future. It supports the project in a big way. Perhaps you don’t care about that, but I do. Jim
Re: [pfSense] Netgate's customized pfSense release
On Feb 13, 2014, at 11:30 AM, Mathieu Simon (Lists) matsimon.li...@simweb.ch wrote: Am 13.02.2014 17:54, schrieb Andrew Hull: [...] I've noticed that the pfSense pre-install image was customized with Netgate branding and the firmware auto-update mechanism was set to a Netgate URL. Has this been discussed on the list before? I don't think often for what I can remember. My knee jerk reaction is that this is A Bad Thing(tm), and I reloaded the devices with images from ESF. Does anyone here have a strong opinion one way or the other? No worries, that's how open source works, and in case of the BSD license there are almost all liberties to do derivative products, as long as you follow minimal rules and trademark (pfSense and the logo are trademarks of ESF). Netgate allows you to run what image you like, other (non pfSense) appliance vendors are way less nice :-) Common guess: Beyond branding, their images may contain pre-done tuning for the hardware that makes it perform at its best without extra user intervention. In comparison, at one place I have a 3-letter brand server running pfSense and I had to spend some time on loader.conf.local and tunings to make all NICs work and work good (props to ESF staff who assisted). Quick history: BSD Perimeter moved from Kentucky (in 2012) to Texas and reinstated as ESF. Jim Thompson from Netgate (also Texas) got involved with ESF; he is actually active in both companies. In mid-2012, Chris approached several parties, including the principals of Netgate to investigate their interest in purchasing the interest in BSD Perimeter formerly held by Scott Ulrich. In August 2012, the principals of Netgate completed the purchase of those shares. Subsequently, Chris moved to Texas (his idea, not forced on him in any way). (To be perfectly clear on the history, Netgate was, quite literally, the first support customer of BSD Perimeter, back in 2006, and has continuously supported the project from that day until now.)
That may explain why Netgate is permitted to redistribute modified images without the need to rename the resulting product binaries or replace the logos. (Jim, correct me, I'm writing this out of my memory, I remember there was once a post or a mailing list discussion) Given that I’m managing both companies, some things get ‘shared’ (Netgate and ESF run on a common set of infrastructure (switches, servers, etc), though in some cases the usage is exclusively ESF (e.g. the co-location at NYI)). Those of us in Austin (and there is more headcount under ESF than you might imagine) are all collocated in the same office space. That all said: 1) I really do try to keep Netgate and ESF ‘separate’ in terms of business. 2) Co-branding is permitted, and even encouraged, if done under the auspices of the ESF program directed to same. There is revenue attached that flows to ESF, and thus, directly supports the project. These releases are built on the same (identical) infrastructure, from the same tree, by ESF personnel. Jim
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 9:05 AM, David Burgess apt@gmail.com wrote: On Feb 11, 2014 5:55 AM, Jim Thompson j...@netgate.com wrote: Thanks for this. As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on FreeBSD 10) after 2.2 drops. -- Jim That's great news. Does anybody care to speculate whether FreeBSD will be able to take advantage of the packet forwarding acceleration of this hardware at some point? you know it’s ipv4-only, right? (there should be a layer2 version as well, but you can’t run both.) jim
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
The reality is “when it’s done”. I’m hoping for “mid-May”. On Feb 12, 2014, at 9:28 AM, Brian Caouette bri...@dlois.com wrote: What is the time frame for 2.2? On 2/11/2014 7:55 AM, Jim Thompson wrote: Thanks for this. As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on FreeBSD 10) after 2.2 drops. -- Jim On Feb 11, 2014, at 7:25, Eugen Leitl eu...@leitl.org wrote: http://rtfm.net/FreeBSD/ERL/ FreeBSD 10.0 on Ubiquiti EdgeRouter Lite The Ubiquiti EdgeRouter Lite is a neat little device that costs less than US$100, has three Ethernet ports, and can run FreeBSD/mips. It's based on the Cavium Octeon CN5020 platform and features a dual core 500mhz MIPS64 processor, 512MB RAM, and 4GB storage on removable USB. The EdgeRouter Lite in the foreground, near a Netgear WNDR3700 and a bulky ISP-provided cablemodem. This page provides ready-to-use images of FreeBSD 10.0-RELEASE. Thanks to the open nature of the EdgeRouter Lite, it's very easy to install and use these images; just follow the instructions below. Thanks to the fine folks at the FreeBSD Project, building your own is almost as easy. A script to build them, along with instructions, is also provided. Special thanks is due to Juli Mallett and Warner Losh, without whose hard work and generous assistance none of this would be possible. Note that this is experimental software which comes with no warranty of any kind. These builds are works in progress and are not fit or suitable for any purpose whatsoever. By proceeding you assume all risks. On my EdgeRouter Lite, the builds provided below are stable and pretty much fully functional. There are two outstanding issues: Performance could be a little better, though it's more than adequate for my home Internet connection. Basic packet passing between two Gigabit hosts seems to top out at about 250Mbits/sec. There is currently no way to pass boot options (such as single-user mode) to the kernel from U-Boot. 
Hardware crypto acceleration via /dev/crypto seems to work. Use AES in CBC mode to see a huge speedup over CTR. etc.
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 9:41 AM, Eugen Leitl eu...@leitl.org wrote: On Wed, Feb 12, 2014 at 08:05:17AM -0700, David Burgess wrote: That's great news. Does anybody care to speculate whether FreeBSD will be able to take advantage of the packet forwarding acceleration of this hardware at some point? IIRC you need NDAs for that, so unless it's cleanroom reversed we're SOL. Not really. Even if it’s proprietary (and can’t be open sourced), what you’re after is the functionality, yes? jim
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 9:55 AM, Eugen Leitl eu...@leitl.org wrote: On Wed, Feb 12, 2014 at 09:44:46AM -0600, Jim Thompson wrote: On Feb 12, 2014, at 9:41 AM, Eugen Leitl eu...@leitl.org wrote: On Wed, Feb 12, 2014 at 08:05:17AM -0700, David Burgess wrote: That's great news. Does anybody care to speculate whether FreeBSD will be able to take advantage of the packet forwarding acceleration of this hardware at some point? IIRC you need NDAs for that, so unless it's cleanroom reversed we're SOL. Not really. Even if it’s proprietary (and can’t be open sourced), what you’re after is the functionality, yes? Can the blobs be reversed so easily? (Too bad about lack of IPv6 offloading, but we can live with that for a while, I guess). I don’t know. If you’re really curious, you can read this: http://university.caviumnetworks.com/downloads/Mini_version_of_Prog_Guide_EDU_July_2010.pdf to find out how to get ahold of the real programming guide from Cavium, then read Chapter 2 “Packet Flow” in same. This might give you some ideas as well: https://hactive.googlecode.com/files/CN50XX-HRM-V0.99E.pdf Note that this link seems to support the idea that IPv6 processing is supported by the hardware (see, for example, Sections 7.2.4, 7.5 and 7.7). I do know that *I* don’t want to invest a ton of RE effort in a $99 platform that bears near zero margins, when far, far faster Intel / AMD platforms that aren’t more than 2-3X the price are just around the corner. Note slide 17 in this: https://noppa.aalto.fi/noppa/kurssi/s-38.3310/harjoitustyot/S-38_3310_matias_elo.pdf Jim
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
On Feb 12, 2014, at 12:16 PM, Brian Caouette bri...@dlois.com wrote: Sounds good. Is there a planned feature list we can look forward too? On 2/12/2014 10:43 AM, Jim Thompson wrote: The reality is “when it’s done”. I’m hoping for “mid-May”. On Feb 12, 2014, at 9:28 AM, Brian Caouette bri...@dlois.com wrote: What is the time frame for 2.2? Is there a planned revenue stream? The answer to both is ‘No’.
Re: [pfSense] FreeBSD 10.0 on Ubiquiti EdgeRouter Lite
Thanks for this. As before, we'll supply a solution for pfSense on the ERL after 2.2 (based on FreeBSD 10) after 2.2 drops. -- Jim On Feb 11, 2014, at 7:25, Eugen Leitl eu...@leitl.org wrote: http://rtfm.net/FreeBSD/ERL/ FreeBSD 10.0 on Ubiquiti EdgeRouter Lite The Ubiquiti EdgeRouter Lite is a neat little device that costs less than US$100, has three Ethernet ports, and can run FreeBSD/mips. It's based on the Cavium Octeon CN5020 platform and features a dual core 500mhz MIPS64 processor, 512MB RAM, and 4GB storage on removable USB. The EdgeRouter Lite in the foreground, near a Netgear WNDR3700 and a bulky ISP-provided cablemodem. This page provides ready-to-use images of FreeBSD 10.0-RELEASE. Thanks to the open nature of the EdgeRouter Lite, it's very easy to install and use these images; just follow the instructions below. Thanks to the fine folks at the FreeBSD Project, building your own is almost as easy. A script to build them, along with instructions, is also provided. Special thanks is due to Juli Mallett and Warner Losh, without whose hard work and generous assistance none of this would be possible. Note that this is experimental software which comes with no warranty of any kind. These builds are works in progress and are not fit or suitable for any purpose whatsoever. By proceeding you assume all risks. On my EdgeRouter Lite, the builds provided below are stable and pretty much fully functional. There are two outstanding issues: Performance could be a little better, though it's more than adequate for my home Internet connection. Basic packet passing between two Gigabit hosts seems to top out at about 250Mbits/sec. There is currently no way to pass boot options (such as single-user mode) to the kernel from U-Boot. Hardware crypto acceleration via /dev/crypto seems to work. Use AES in CBC mode to see a huge speedup over CTR. etc. 
Re: [pfSense] January Project News
It still needs attention in the editing and formatting departments, but all the tech is there, yes. -- Jim On Jan 21, 2014, at 5:00, Michał Karas m.ka...@hafis.pl wrote: Hi, thank you for your reply. Is the electronically available version already finished? Does it cover all features of PFSense 2.0/2.1? Best Michał On Tue, Jan 21, 2014 at 11:54 AM, Chris Buechler c...@pfsense.org wrote: On Tue, Jan 21, 2014 at 4:40 AM, Michał Karas m.ka...@hafis.pl wrote: Hello Chris, any updates on new PFSense book ? When will it be published ? Still to be determined. It's already available for subscribers @ portal.pfsense.org in PDF, mobi and epub. Individual electronic copy sales will come at some point. -- Me-totemo-utsukushi-i-desu-ne totemo- utsukushi-i-me-wo-shitemasu - Mitch Ikeda
Re: [pfSense] Apple Messages Blocked
Turning on UPNP might make things better. It just works for me, too. -- Jim On Jan 15, 2014, at 10:00, Vick Khera vi...@khera.org wrote: On Tue, Jan 14, 2014 at 3:01 PM, Paul Galati paulgal...@gmail.com wrote: I have tried searching the forums to find a fix to allow Apple Messages app to successfully connect using Audio, Video, or Screen Sharing. It just works for me. I have pfSense protecting my home network, sitting behind a NAT from Verizon FiOS even (so my internal is double NATted.) I have done facetime chats with my kids on the computers at home which is the same as the Messages app and me on a computer and/or my phone in another state. I allow the internal computers to make all outbound connections, though, so that may be a difference in your configuration.
Re: [pfSense] IPSec problem with mobile IOS and Android
you lost me at “port forwarding”. Making NAT work for IPSEC (passthrough) can be … quite challenging. Hopefully you’re attempting to terminate IPSEC on the pfSense box, and the ISP router is configured to: IP Protocol ID 50: For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded. IP Protocol ID 51: For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded. UDP Port 500: For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded. Note that ‘forwarding’ here is packet forwarding, not port forwarding. If so, I’ve simply misunderstood you. If not, you’re not going to make it work without a TON of work on NAT-traversal. You say you looked at: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 (I think). Commercial support is available if you need it. Jim On Jan 4, 2014, at 5:03 PM, Carlos Vicente cjpvice...@gmail.com wrote: Hi all, I have a problem with an IPSec VPN from mobile clients (IOS and Android). I can establish the tunnel but can’t ping, RDP or SSH the pfSense or any client behind it (which is working with OpenVPN). I see the “passed” logs on the firewall tab but can’t access the systems. My pfSense WAN is on the same subnet as the LAN of the ISP router, which has port forwarding of ESP, AH and IKE to the pfSense WAN network adapter. All the rules are correct and they appear correctly on logs. My PfSense version is 2.0.3 upgraded from 1.2.3. I have tried all kind of configs from the doc “Mobile IPsec on 2.0”, but, as I said, can establish the connection but can’t access any device on LAN subnet. I have used this excellent appliance for many years, so I must have IPSec VPN working on mobile clients the same way I have them working with OpenVPN. I’m stuck here, so any help would be very appreciated. Thanks.
CV
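The distinction Jim draws above (ESP and AH are IP protocols with no port field, so they have to be packet-forwarded, not port-forwarded) is easy to check mechanically. The following is an added example, not code from the thread or from pfSense: it audits a constructed, vendor-neutral list of upstream-router rules for the three requirements he lists (protocol 50, protocol 51, UDP/500, both directions) and flags ESP/AH rules that were entered with a port number. The rule format and the WAN address 192.0.2.10 are assumptions.

```python
"""Audit an upstream router's forwarding policy for IPsec passthrough.

Added example (not pfSense code). The Rule format is a constructed,
vendor-neutral model; real routers export policy in their own syntax.
"""
from dataclasses import dataclass
from typing import List, Optional

ESP, AH, UDP = 50, 51, 17       # IP protocol numbers
ISAKMP_PORT = 500

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str              # "in" or "out"
    proto: int                  # IP protocol number
    host: str                   # pfSense WAN address the rule targets
    port: Optional[int] = None  # only meaningful for TCP/UDP

# What Jim's list requires: (label, protocol, port-or-None)
REQUIRED = (("ESP", ESP, None), ("AH", AH, None), ("ISAKMP", UDP, ISAKMP_PORT))

def _usable(rule: Rule, direction: str, proto: int, port: Optional[int], host: str) -> bool:
    """True when the rule is well-formed and applies to this direction/protocol/host."""
    if (rule.direction, rule.proto, rule.host) != (direction, proto, host):
        return False
    if proto in (ESP, AH):
        return rule.port is None    # ESP/AH carry no port; a port makes the rule meaningless
    return rule.port in (None, port)

def check_passthrough(rules: List[Rule], wan_host: str) -> List[str]:
    """Return human-readable problems; an empty list means ESP, AH and
    ISAKMP are forwarded in both directions for wan_host."""
    problems = []
    for name, proto, port in REQUIRED:
        for direction in ("in", "out"):
            hits = [r for r in rules if _usable(r, direction, proto, port, wan_host)]
            if any(r.action == "deny" for r in hits):
                problems.append(f"{name} ({direction}) is explicitly denied for {wan_host}")
            elif not any(r.action == "allow" for r in hits):
                problems.append(f"{name} ({direction}) not permitted for {wan_host}")
    # A port on an ESP/AH rule is the signature of a 'port forward' entered
    # for a protocol that has no ports: it cannot match real ESP/AH packets.
    for r in rules:
        if r.proto in (ESP, AH) and r.port is not None:
            problems.append(f"protocol {r.proto} rule carries port {r.port}; ESP/AH have no ports")
    return problems

# Constructed sample policies (not from the original post).
WAN = "192.0.2.10"
GOOD_POLICY = [
    Rule("allow", "in", ESP, WAN), Rule("allow", "out", ESP, WAN),
    Rule("allow", "in", AH, WAN),  Rule("allow", "out", AH, WAN),
    Rule("allow", "in", UDP, WAN, ISAKMP_PORT), Rule("allow", "out", UDP, WAN, ISAKMP_PORT),
]
PORT_FORWARD_POLICY = [         # the misconfiguration the thread describes
    Rule("allow", "in", ESP, WAN, 50),   # "port 50" is not ESP
    Rule("allow", "in", AH, WAN, 51),    # "port 51" is not AH
    Rule("allow", "in", UDP, WAN, ISAKMP_PORT),
]

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("port-forward", PORT_FORWARD_POLICY)):
        print(label, check_passthrough(policy, WAN) or "OK")
```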
Re: [pfSense] Compile on Sun v215
Unlikely. -- Jim On Dec 9, 2013, at 4:07, Denny Fuchs linuxm...@4lin.net wrote: hi, I want to use two old Sun Fire SPARC v215 for pfsense. FreeBSD 8/98 runs without any problems, so the only question is, if it does make sense to compile pfsense on that hosts. Ram: 12GB # cat /proc/cpuinfo cpu: TI UltraSparc IIIi (Jalapeno) fpu: UltraSparc IIIi integrated FPU pmu: ultra3i prom: OBP 4.22.33 2007/06/18 12:47 type: sun4u ncpus probed: 2 ncpus active: 2 D$ parity tl1: 0 I$ parity tl1: 0 cpucaps: flush,stbar,swap,muldiv,v9,ultra3,mul32,div32,v8plus,vis,vis2 Cpu0ClkTck: 59a53800 Cpu1ClkTck: 59a53800 MMU Type: Cheetah+ State: CPU0:online CPU1:online cu denny
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
I was at the FreeBSD Vendor Summit last week, and raised the AES-NI issue as important to be solved in the next six months. The issue and fix are understood, it just needs someone to implement it (and then, presumably, backport it to 8.3, so we can release an update to 2.1 (2.1.1 or similar). Jim On Fri, Nov 8, 2013 at 12:33 PM, Thinker Rix thinke...@rocketmail.com wrote: Hi all, On 2013-11-06 07:53, Thinker Rix wrote: as I am planning to buy new hardware for pfSense, I was wondering if it is worthy to buy a CPU that supports AES new instructions, i.e. hardware-support for AES encryption. As I learned in this thread (big thanks to everybody participating), AES-NI is adding no value to pfSense currently, at all. So currently the only solution is to throw GHz at the problem. Searching myself through the web to learn what CPU speed I would need to achieve my desired 450 MBit/s VPN (or come at least somewhat close to this theoretical max), I found this: http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/ I copied those measurements found there into a spreadsheet so to analyze those values. If anybody is interested in this spreadsheet (.ods), I can send it to him via private mail (I guess binaries are not allowed in the mailing list). Just drop me a message. Regards Thinker Rix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
I think the people with the relevant skill are willing to fix it, when they're shown that what they did (cryptdev support) doesn't provide any benefit. read: it's being taken care of. On Mon, Nov 11, 2013 at 1:20 PM, Vick Khera vi...@khera.org wrote: Did you get the sense people with the relevant skill were open to a bounty for implementing the necessary fixes? On Mon, Nov 11, 2013 at 1:36 PM, Jim Thompson j...@netgate.com wrote: I was at the FreeBSD Vendor Summit last week, and raised the AES-NI issue as important to be solved in the next six months. The issue and fix are understood, it just needs someone to implement it (and then, presumably, backport it to 8.3, so we can release an update to 2.1 (2.1.1 or similar). Jim On Fri, Nov 8, 2013 at 12:33 PM, Thinker Rix thinke...@rocketmail.com wrote: Hi all, On 2013-11-06 07:53, Thinker Rix wrote: as I am planning to buy new hardware for pfSense, I was wondering if it is worthy to buy a CPU that supports AES new instructions, i.e. hardware-support for AES encryption. As I learned in this thread (big thanks to everybody participating), AES-NI is adding no value to pfSense currently, at all. So currently the only solution is to throw GHz at the problem. Searching myself through the web to learn what CPU speed I would need to achieve my desired 450 MBit/s VPN (or come at least somewhat close to this theoretical max), I found this: http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/ I copied those measurements found there into a spreadsheet so to analyze those values. If anybody is interested in this spreadsheet (.ods), I can send it to him via private mail (I guess binaries are not allowed in the mailing list). Just drop me a message.
Regards Thinker Rix
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote: pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it.

I'm not aware of any performance testing for AES-NI on pfSense. There are reports that FreeBSD doesn't support AES-NI very well. Jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
On Nov 6, 2013, at 8:06 AM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-11-06 15:29, Jim Thompson wrote: On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote: pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it. I'm not aware of any performance testing for AES-NI on pfSense. There are reports that FreeBSD doesn't support AES-NI very well.

Thank you for this information, Jim. So I figure that buying the Xeon just for its AES functions would (currently) be a waste of money.

I can’t answer this, because I’ve not tested it. I know that the Linux kernel and OpenBSD both take full advantage of AES-NI instructions. http://ibatanov.blogspot.com/2012/04/ipsec-performance-benchmarking-is-end.html http://comments.gmane.org/gmane.os.openbsd.misc/199639

I know there is an implementation of AES-NI for cryptdev, but **I HAVE NOT TESTED IT (nor has anyone else on the pfSense team, AFAIK). There seems to be an issue: http://forum.pfsense.org/index.php/topic,54008.30.html http://lists.freebsd.org/pipermail/freebsd-hackers/2012-May/038762.html

In the meantime, it might be possible to use OpenVPN with a patched openssl library to achieve the results you desire (but now you’re off into DIY land.) https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

That all said, we will find and fix the issue at some point. (I’m actually in San Jose for the FreeBSD Vendor Summit, and plan to bring it up as a potential issue.) Jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
The issue may not be that easy to fix. Current theory is that it's a structural issue in cryptdev. -- Jim

On Nov 6, 2013, at 20:59, Chris Buechler c...@pfsense.org wrote: I have done some brief testing of AES-NI a few months back, though I can't seem to find the results at the moment and that test environment isn't online currently. It doesn't give the performance benefit that it should at this time. So the immediate benefit is minimal (except for the fact the Xeon proc would be faster than the Pentium), but it will be properly supported in the future, hopefully in 2.2 with its FreeBSD 10 base, but we haven't done any testing there yet.

On Tue, Nov 5, 2013 at 11:53 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello all, as I am planning to buy new hardware for pfSense, I was wondering if it is worth buying a CPU that supports AES new instructions, i.e. hardware support for AES encryption. Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all VPN traffic (OpenVPN)? Would pfSense benefit from this in any other way, too? The motherboards that I want to buy unfortunately support AES-NI only with Xeons that currently start from approx 170 €. If I would take a CPU without AES-NI, I could go with a dual-Pentium for 40€. What impact would you expect from AES-NI, in regards to the fact that I will be having traffic from VPN secured WLAN with approx 300-450 Mbps and VPN to/from the internet, 1-2 users at a time max. Do you think the AES-NI would be worth the price premium of the Xeon for my case, e.g. because it would reduce VPN latency, etc., or is it just a pure waste of money in my case? Best regards Thinker Rix ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
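Someone asking the question in this thread can check two things on the box itself before spending money on a Xeon: does the CPU advertise AES-NI and has FreeBSD's aesni(4) driver attached, and does the OpenSSL build actually get faster when the instructions are available. The script below is an added example, not code from pfSense or from anyone in the thread: it parses the relevant dmesg/cpuinfo lines and compares `openssl speed -evp` output with and without AES-NI masked off through the OPENSSL_ia32cap environment variable. The mask value, the output layouts it expects and the sample text are assumptions made here, not taken from the thread; the samples are constructed, not real measurements.

```python
"""Check whether AES-NI is present and whether OpenSSL actually benefits.

Added example for the AES-NI thread; not pfSense code. Assumptions not taken
from the thread: the OPENSSL_ia32cap mask value, the layout of `openssl speed
-evp` output and of FreeBSD dmesg / Linux cpuinfo lines, and the constructed
sample text below.
"""
import os
import re
import subprocess

# OpenSSL reads OPENSSL_ia32cap at start-up; a leading "~" clears the given
# capability bits. Bit 57 (CPUID.1:ECX bit 25 in the upper 32-bit word) is
# AES-NI, so this mask forces the userland library onto its software AES.
AESNI_MASK = "~0x200000000000000"


def cpu_advertises_aesni(text):
    """True if a FreeBSD dmesg 'Features2=0x..<...,AESNI,...>' line or a
    Linux /proc/cpuinfo 'flags : ... aes ...' line reports the instructions."""
    if re.search(r"Features2=0x[0-9a-fA-F]+<[^>]*\bAESNI\b", text):
        return True
    m = re.search(r"^flags\s*:\s*(.*)$", text, re.M)
    return bool(m and "aes" in m.group(1).split())


def aesni_driver_attached(text):
    """True if FreeBSD's aesni(4) driver attached, i.e. dmesg shows a line
    like 'aesni0: <AES-CBC,AES-XTS> on motherboard'. Without it, kernel
    cryptodev consumers such as IPsec cannot use the instructions at all."""
    return re.search(r"^aesni\d+:\s*<", text, re.M) is not None


def parse_speed(output, cipher):
    """Return the largest-block throughput reported by `openssl speed -evp
    CIPHER`, converted to Mbit/s. The summary line reads
    'aes-128-cbc  654321.00k ...', the values being 1000s of bytes/second."""
    for line in output.splitlines():
        fields = line.split()
        if fields and fields[0] == cipher and fields[-1].endswith("k"):
            kbytes_per_second = float(fields[-1][:-1])
            return kbytes_per_second * 1000 * 8 / 1e6
    raise ValueError("no summary line for %s in openssl speed output" % cipher)


def run_speed(cipher, disable_aesni=False):
    """Run openssl speed for real, optionally with AES-NI masked off."""
    env = dict(os.environ)
    if disable_aesni:
        env["OPENSSL_ia32cap"] = AESNI_MASK
    out = subprocess.check_output(["openssl", "speed", "-evp", cipher],
                                  env=env, stderr=subprocess.STDOUT)
    return parse_speed(out.decode("utf-8", "replace"), cipher)


def speedup(with_aesni_mbit, without_aesni_mbit):
    """Ratio of the two runs. A value near 1.0 means the build is not using
    the instructions (or the mask is not being honoured)."""
    return with_aesni_mbit / without_aesni_mbit


# Constructed samples (not real measurements) so the parsers run offline.
SAMPLE_DMESG = """\
CPU: Intel(R) Xeon(R) CPU (constructed sample, 2200.05-MHz K8-class CPU)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x1fbae3bf<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,OSXSAVE,AVX>
aesni0: <AES-CBC,AES-XTS> on motherboard
"""
SAMPLE_SPEED_ON = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     402100.00k   560300.00k   650900.00k   690400.00k   700000.00k
"""
SAMPLE_SPEED_OFF = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     101200.00k   122500.00k   135100.00k   138900.00k   140000.00k
"""

if __name__ == "__main__":
    import sys
    cipher = sys.argv[1] if len(sys.argv) > 1 else "aes-128-cbc"
    with_ni = run_speed(cipher)
    without_ni = run_speed(cipher, disable_aesni=True)
    print("%s: %.0f Mbit/s with AES-NI, %.0f Mbit/s without (%.1fx)"
          % (cipher, with_ni, without_ni, speedup(with_ni, without_ni)))
```

Run it on the firewall (or on the candidate CPU) with openssl in the path. A ratio near 1.0 is the situation Chris describes: the hardware is there but the bits are not being used. Note that this only measures the userland OpenSSL path; the kernel cryptodev path that IPsec takes has to be measured with real tunnel traffic, and the `aesni0` dmesg line is the minimum precondition for it.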
Re: [pfSense] AES-NI support of the CPU: Does it make sense for VPN with pfSense?
The Xeon CPUs are almost idle. The old Intel 32-bit Pentium 4 2.4GHz dual core server, however, is the other end of that IPSEC tunnel. It's unlikely to be as idle as the Xeon. -- Jim

On Nov 6, 2013, at 8:04, Thinker Rix thinke...@rocketmail.com wrote: On 2013-11-06 15:22, Vick Khera wrote: On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix thinke...@rocketmail.com wrote: Would pfSense use these CPU instructions so as to hardware-encrypt/decrypt all VPN traffic (OpenVPN)? Would pfSense benefit from this in any other way, too?

pfSense lists the AES-NI as a supported option for crypto acceleration. pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config setting for it. As to your question of is it worth the cost, that depends on how much VPN traffic you have. The Xeon will handle a damn lot of traffic all on its own. If you are pushing more than 40Mbps on the VPN, then perhaps consider the extra cost. If it is low, like under 5 or 10Mbps, then I'd probably suggest that it is not worth the cost. As a reference, between my data center and my primary office, I have an IPsec tunnel. The office runs on an old Intel 32-bit Pentium 4 2.4GHz dual core server. The data center runs on Intel Xeon E31220L @ 2.20GHz quad-core. Neither one has any built-in cryptodev supported devices. The IPsec tunnel maxes out at about 20Mbps during large file backups. I don't think it would go any faster with hardware acceleration, and the load on these boxes hovers around 0 still. The data center firewall is also busy pushing over 100Mbps of regular traffic to hundreds of clients as well.

Hi Vick, Thank you for your reference, it is very valuable for me! I guess I will go with a Pentium (Ivy Bridge) 2x 3.0 GHz CPU. What do you think is the reason for your VPN traffic maxing out at 20Mbps (I assume that your connection is not the traffic bottleneck, right?), although your CPUs are almost idle?
Best regards Thinker Rix ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Disk Read failure (but it seems to work anyway)
https://doc.pfsense.org/index.php/DMA_and_LBA_Errors

On Mon, Oct 28, 2013 at 12:18 PM, Bob Gustafson bob...@rcn.com wrote: I installed 2.1 on a SanDisk 4GB Ultra (200x) for use on an Alix board. I configured the ethernet ports using the serial connection and then left the connection and minicom running while I did more configuration using the ethernet webConfigurator. Every time I would make a change to the configuration, I get:

ad0: FAILURE - READ status=51READY,DSC,ERROR error=10NID_NOT_FOUND LBA=78139
ad0: FAILURE - READ status=51READY,DSC,ERROR error=10NID_NOT_FOUND LBA=78139
ad0: FAILURE - READ status=51READY,DSC,ERROR error=10NID_NOT_FOUND LBA=78139
ad0: FAILURE - READ status=51READY,DSC,ERROR error=10NID_NOT_FOUND LBA=78139

from the serial port. Even though it says FAILURE, the configuration was retained. (Perhaps a power cycle will wipe it out. Will power cycle in a minute and report here) Can I do something to fix the problem, or eliminate the messages? Perhaps the SanDisk Ultra is too fast? I picked it more for reliability than speed. Perhaps it was not a good choice.

- On power cycle, there were some read errors:

...uhub0: 4 ports with 4 removable, self powered
ad0: FAILURE - READ status=51READY,DSC,ERROR error=10NID_NOT_FOUND LBA=78139
ad0: FAILURE - READ status=51READY,DSC,ERROR error=10NID_NOT_FOUND LBA=78139
Root mount waiting for: usbus1
uhub1: 4 ports with 4 removable, self powered
Trying to mount root from ufs:/dev/ufs/pfsense0
Configuring crash dumps...
Mounting filesystems...
Setting up memory disks... done.
Disabling APM onad0: FAILURE - SETFEATURES 0x85 status=51READY,DSC,ERROR erro /dev/ad0

... but it seems all of my configuration information was retained. Bob G ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Hardware requirements for gigabit wirespeed
On Oct 24, 2013, at 12:02 PM, Chris Bagnall pfse...@lists.minotaur.cc wrote: On 24/10/13 5:30 pm, Thinker Rix wrote: I want to have: - full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x Gigabit at max)

Would have thought you'd be fine here.

- full 450Mbps between the WLAN and pfsense

Even with 450Mbps *radios* I'd be amazed if you get more than ~80Mbps out of your WLAN. Not a pfSense limitation, just a reality of WLAN claimed radio speeds. I generally expect to see ~55-65Mbps out of 2x2 radios, so ~80Mbps out of 3x3 is probably realistic.

Depends on your RF environment and channel orthogonality.

Unless you're in a really isolated area, using an 80MHz channel (which is what you'd need for 450Mbps radio speed) will slaughter spectrum availability for your neighbours. Short of really needing that speed, try to stick with 20MHz channels where possible. And if you're in a very congested WiFi area, you may even get better speeds out of 20MHz (much easier to find one free 20MHz channel than a free 80MHz channel).

- maximal VPN speed without speed break due to hardware limitations, i.e. as near to wire speed as possible

Depends on your choice of crypto algorithm and whether you can do it in hardware.

I’d recommend a CPU that supports AES-NI, even if the FreeBSD support for same turns out to be lagging. ‘wire speed’ would need to be defined. I do know of boxes that will run at 25Gbps. As the guy at the hot rod shop told me 30 years ago, “Speed costs money son. How fast do you want to go?”

1. Would the Core2Duo CPU be sufficient for my requirements or should I choose the 2,4 GHz Quad-core, the 2,89 GHz Quad-core or maybe even a more powerful CPU or totally different setup?

When I was deploying a Quagga-based BGP setup in a datacentre a couple of years ago, the general consensus was that cores are more important than raw clock speed - so 4x2.4GHz is better than 2x3.4GHz - at least when using multiple interfaces.

That’s not what I’d have guessed.
If your application load is single-threaded (or a single process), then clock speed will win every time. If your application (load) can be broken down into pieces that execute in parallel, then cores will be a win. You’ve not specified the problem well enough to discuss.

An AS with internal BGP (iBGP) must have all of its iBGP peers connect to each other in a full mesh (where everyone speaks to everyone directly). This full-mesh configuration requires that each router maintain a session to every other router. In large networks, this number of sessions may degrade performance of routers, due to either a lack of memory, or too much CPU process requirements.

There will also need to be some serious consideration on the reliability of the network, and its constituent part(s). If those wireless links are for exterior paths, and not simply 802.11 LANs, then you’re in for a huge amount of trouble, as wireless isn’t reliable. At all.

This was, however, with Linux hosts. One of the nice things about those Intel server cards is the ability to lock NIC affinity to CPUs/cores, so you can effectively task a core to one or more NIC ports.

But that would require completely re-architecting the application(s).

Hopefully others will chime in as to whether the same is true with FreeBSD - I seem to recall there were SMP/multi-core efficiency issues with earlier FreeBSD versions - hopefully those have been ironed out by now.

2. Is there any other bottleneck that will prevent my performance requirements?

Bonding is not a guarantee of doubled speeds. In my experience, bonding 2 gigabit NICs will generally yield around 1.2-1.4Gbps raw throughput. You are very unlikely to get 2Gbps. Bonding is more about redundancy (failover) than throughput at this level. If you really need 1Gbps, you're going to have to consider 10GE kit.

3. When bonding the NICs, I was planning to use a port on each of the PCIe cards so to have a little bit of redundancy should an expansion card fail.
Will there be significant performance losses due to this spread over 2 expansion cards, so that it would be much better to bond two NICs that live on the same expansion card and forget about the additional redundancy? No, I agree that bonding 2 ports on separate cards is the best option. You're already thinking redundancy with the multiple NIC considerations, but in my experience, NICs don't really fail that often - at least not compared to fans, power supplies and other PC components. Consider whether a 2x pfSense cluster in CARP might be more to your needs if redundancy/failover is a critical requirement. Looking at your hardware again, you've specced 12 NICs, but from what I can see from your config, you only need 8 (2 VDSL ports, 2 bonded ports for LAN, 2 bonded ports for DMZ, (assuming) 2 bonded ports for WLAN). 4x on-board Realtek 8111C Gigabit NICs Personally
Re: [pfSense] Hardware requirements for gigabit wirespeed
The topic has wandered away from pfSense. -- Jim

On Oct 24, 2013, at 18:48, Chris Bagnall pfse...@lists.minotaur.cc wrote: On 24/10/13 7:31 pm, Adam Thompson wrote: If I upgraded to a better-quality unit, or switched to licensed spectrum, I could probably eliminate the variability and increase speed simultaneously.

Indeed, we have Ubiquiti kit running point to point links in the 5GHz unlicensed spectrum (band C) over around 18km which deliver ~65Mbps throughput. I think our distance record is just shy of 68km.

Within the Ubiquiti line, the AirFiber apparently would get me to ~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still using unlicensed spectrum, using the built-in directional antennas.

Do check the 24GHz spectrum rules carefully in your jurisdiction - certainly here in the UK the 24GHz unlicensed spectrum is limited, and only allows fairly low power without a licence.

I do not have personal experience with Alvarion, but I can unreservedly recommend Dragonwave.

I'd add Motorola Orthogon kit to that list, based on some offshore experience with it a few years ago. Kind regards, Chris -- This email is made from 100% recycled electrons ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] naive suggestion: conform to US laws
On Oct 15, 2013, at 8:53 AM, Alex DiMarco a...@cs.toronto.edu wrote: On Tue, Oct 15, 2013 at 8:20 AM, Robert Skinner rob...@robertskinner.com wrote: You would have hated the 90s then. Interesting time that was, no particular hate though for that period.. Now the 80's on the other hand :*) It was only the music that sucked in the 80s… Oh, and the clothing / hair styles, and the politics, and … :-) Though annoying at times, these displays on mailing lists have also sparked some great technology projects too. Those around in the early BSD days recall such episodes. Not that I am promoting or encouraging such behavior. There is no doubt great technology has emerged from conflict; verbal and otherwise. I think I may be an optimist with a belief that if we choose to interpret intentions in a positive way even when they are communicated otherwise, we can potentially do even greater things... maybe I am choosing to be naive... but then, that is the title of this thread You will always have “that guy”, at a bar now and then, but as long as it’s not a bar full of that personality. I think unfortunately all of us have had the privilege of being that guy at the bar - I know I have a few times even without the Guinness or Scotch flowing 8*] So what excuse do I have, given that I was stone sober? (In France at the time, but still… sober.) Jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
[pfSense] not all backdoors are NSA backdoors
It occurs to me that being more ‘conversational’ with the community might be a good thing. Describing what is happening with pfSense, and why, and engaging the pfsense community in the process could be a good thing. My first attempt is included herein.

But first, on the tail of the recent thread that erupted here, consider this backdoor that someone (?) recently (?) discovered (?) in the firmware for certain D-link routers: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

If you read the article, the user agent string that bypasses authentication (according to the post) can be read backwards as “Edit by 04882 Joel Backdoor”. One possible Joel is Joel Liu, Senior Director-Chief Technology Office Alpha Networks: http://www.joesdata.com/executive/Joel_Liu_421313008.html Alpha Networks being a spin-off of D-Link. http://www.alphanetworks.com/_english/06_about/01_detail.php?appid=143pid=12 They have a GPL compliance office: http://www.alphanetworks.com/_english/10_gpl/gpl.php, but you can bet they won’t ship you that source code.

[Normally, if one is going to hide secret strings inside the binary, one also obfuscates them. An example: http://www.codeproject.com/Articles/502283/Strings-Obfuscation-System]

...

In some respects, the recent thread was about fear of asymmetric information, that those inside ESF have information and access that the community does not. In contract theory and economics, information asymmetry deals with the study of decisions in transactions where one party has more or better information than the other. In contrast to neo-classical economics which assumes perfect information, this is about What We Don't Know. This creates an imbalance of power in transactions which can sometimes cause the transactions to go awry, in the worst case a kind of market failure. Specific to the subject, the information asymmetry here is the community’s supposed inability to observe and/or verify ESF's actions.
To the best of our ability so far, pfSense is both observable and verifiable. The source code is on github (https://github.com/pfsense/), and the build process is quasi-documented. Getting something like the ‘backdoor by Joel’ above into the codebase without detection would be difficult if not impossible. (There are more subversive means, which I touched on mid-thread, but they still fail in the presence of a public development process.)

Frankly, (between you and I), the pfSense build process could be better documented. Truth be told: the build system for pfSense is archaic. Nobody associated with it (at this point) likes it. Simultaneously, everyone is afraid to replace it. “There be dragons…” An action-item post 2.2 (and its move to FreeBSD 10) is to clean-up the build system, possibly making it more like that which builds FreeBSD, rather than the mess of shell (and PHP) scripts that exists now. Having a cleaner build system could lead to better verification of the resultant bits.

Another issue is the proliferation of pfSense mirrors. How do we (all) trust the bits on these mirrors, given that they’re run by parties entirely independent and remotely located from ESF? One possible solution: signed packages, and there was a bit of infrastructure put in-place just prior to the 2.1 release. We’ve yet to accomplish the rest of this, but... it’s coming.

As always, if you have ideas(*), bring them forward. Jim

(*) that don’t involve re-incorporating as a non-US, non-profit company… ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
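The mirror problem raised above comes down to separating where the bytes come from (a mirror nobody at ESF operates) from where the statement about what the bytes should be comes from (the project's own origin, or a signature chained to it). The script below is an added example, not pfSense's own code or release process: it checks a downloaded image against a digest manifest and accepts the manifest only if its own SHA-256 matches a value pinned from the origin, then shows that a mirror which swaps both the image and the manifest still fails, while a "pin" taken from the mirror itself catches nothing. The manifest layout (one `<sha256 hex>  <file name>` line, as sha256sum prints), the file name and the image bytes are constructed for the example.

```python
"""Verify an image fetched from an untrusted mirror against a digest manifest
whose own digest was pinned from a trusted origin.

Added example for the mirror-trust point in the post above; not pfSense code.
Assumptions not taken from the post: the manifest layout (one
'<sha256 hex>  <name>' line per file, sha256sum style) and the sample image
bytes, file name and manifest below, which are constructed.
"""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """Build a manifest from {name: bytes}; this is what the origin publishes."""
    return "".join("%s  %s\n" % (sha256_hex(data), name)
                   for name, data in sorted(files.items()))


def parse_manifest(text):
    """Return {name: hex digest}. Malformed lines raise instead of being
    skipped, so a truncated or padded manifest cannot pass silently."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if (not sep or not name or len(digest) != 64
                or set(digest) - set("0123456789abcdef")):
            raise ValueError("malformed manifest line: %r" % line)
        entries[name] = digest
    return entries


def verify_download(name, data, manifest_text, pinned_manifest_sha256):
    """True only if the manifest hashes to the value pinned from the trusted
    origin AND the file hashes to its manifest entry.

    A manifest served by the same mirror as the image adds nothing on its
    own: whoever can swap the image can swap the manifest beside it. The pin
    (or a signature over the manifest) has to come from somewhere the mirror
    does not control. Comparisons are constant-time."""
    manifest_digest = sha256_hex(manifest_text.encode("utf-8"))
    if not hmac.compare_digest(manifest_digest, pinned_manifest_sha256.lower()):
        return False
    try:
        expected = parse_manifest(manifest_text)[name]
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed data standing in for a release image and its manifest.
IMAGE_NAME = "example-image.img.gz"
IMAGE = b"constructed image payload, not a real release\n" * 64
GOOD_MANIFEST = make_manifest({IMAGE_NAME: IMAGE})
PINNED = sha256_hex(GOOD_MANIFEST.encode("utf-8"))  # obtained from the origin

# What a hostile mirror can do: replace the image and the manifest together.
TAMPERED_IMAGE = IMAGE.replace(b"payload", b"payload plus something extra")
TAMPERED_MANIFEST = make_manifest({IMAGE_NAME: TAMPERED_IMAGE})

if __name__ == "__main__":
    print("genuine image, genuine manifest:",
          verify_download(IMAGE_NAME, IMAGE, GOOD_MANIFEST, PINNED))
    print("swapped image, genuine manifest:",
          verify_download(IMAGE_NAME, TAMPERED_IMAGE, GOOD_MANIFEST, PINNED))
    print("swapped image and manifest:     ",
          verify_download(IMAGE_NAME, TAMPERED_IMAGE, TAMPERED_MANIFEST, PINNED))
```

The pinned value is the weak point of this scheme: it has to be fetched over a channel the mirror cannot influence (the project's own HTTPS site, or a signature from a key distributed with the previous release), which is exactly the infrastructure the post says was started before 2.1.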
Re: [pfSense] naive suggestion: conform to US laws
On Oct 12, 2013, at 7:20 AM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-10-11 22:33, Walter Parker wrote: Yes, you have been informed correctly. There are more than 2. According to the World Atlas (http://www.worldatlas.com/nations.htm#.UlhOHVFDsnY) the number is somewhere between 189 and 196.

No kidding! ;-)

But you did not answer the question asked: Name the country that you would move the project to and why you believe that country would do a better job?

Why should *I* name it and why should I present ready solutions for an idea another community member brought up? Why should anybody be in a position to present ready solutions at this point? How about having a fruitful discussion and find solutions together?

There is no reason to build a house on sand. There is no fruitful discussion to be had when the premise is patently false.

Then because the USA can't be trusted, who is going to replace the Americans on the project?

You are mixing things up here. Just because the USA invented their tyrannous Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, for which they perversely coined the euphemistic term Patriot Act and therefore can not be trusted anymore for hosting anything there, why should the Americans be replaced?!?!?

The name and logo are owned by an American company.

I guess, that is true, i.e. that ESF registered pfSense and its logo as a brand name.

You seem upset at this. Why? Instead of some kooky conspiracy theory that ESF could be tortured or pressured to weaken pfSense, is this the *real* issue you have?

I doubt they want to give them up to a foreign company owned by non-Americans

Nobody suggested that. Try thinking a bit more outside the box! For instance: A non-profit foundation could be founded in a country outside the USA, and the brand, hosting of the project, etc. be transferred to that company.
A board would be elected for this foundation who does just a few basic things annually to keep the foundation running. ESF on the other side would be released of a great threat! They could continue offering their pfSense services to their customers as usual, but from now on nobody could come and force them to do things to pfSense since they “have nothing to do with it”.

You seem upset that ESF controls the project. Why?

just to make it harder for the American government to pressure the project.

Incorporating pfSense and bringing it out of the reach of US-domestic jurisdiction would not make it harder but impossible to pressure the project.

You have provided no explanation (other than “rubber hoses”) for what form that “pressure” would take.

If the rest of world wants to fork the project because of concerns about the US government, fine, but I don't think you will get buy in from ESF [the American company that owns the rights to the name pfSense].

Why to fork the code base?! No one suggested that - and no one suggested to do things without - or even against - the key people of the ESF. Right the opposite. It would even protect the ESF!

Once again, name some names. Who do you consider more trustworthy?

I am not Jesus to hand solutions to the community on a silver platter

though point in fact, Jesus didn’t hand anyone a solution.

(but surely would be available for a *constructive* and *well-disposed*, *amicable* discussion to find solutions together!). I know of quite a lot of countries that seem interesting for a closer analysis for this cause and surely would propose one or another in such a constructive discussion. Generally, what Adrian proposed only makes sense if the community - including ESF - understands the threat and decides to act proactively to fight this threat.

“The community” doesn’t own the copyright on the code, nor the trademarks to the names used. Those belong to ESF.
Further, you’ve hypothesized about a ‘threat’ without providing any factual basis for same. The term for this form of argument is “conspiracy theory”.

Since pfSense is open source (specifically, the BSD license), “the community” (or rather “a community”) could take the decision to fork the code and create their own solution. It’s been attempted a couple times, but none of these have flourished. While I don’t encourage forks (it’s typically not good for either project), occasionally they work out (at least for a while), I don’t go out of my way to inhibit those who wish to fork. However, in any case, such a community would be prohibited from naming the result “pfSense”.

But since 33% of the ESF - namely Jim Thompson

You greatly inflate my ownership interest here.

- prefers bullying, insulting, frightening and muzzling anybody who brings up the threat that we are facing, trying to strike dead any thought as soon as it comes up (strange, isn't it?),

Not as strange as someone randomly showing up one day, hiding
Re: [pfSense] Upgrade Guide: Needs update for Auto Update
On Oct 12, 2013, at 3:33 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello all, I just performed an upgrade to 2.1 via the Auto update feature in the web UI, which worked flawlessly. When studying the Upgrade Guide (https://doc.pfsense.org/index.php/Upgrade_Guide) prior to the upgrade I could not find any information about it. Is there a way I can update the guide myself? Otherwise maybe someone with writing rights to the CMS wants to update the manual. Cheers Thinker Rix P.S. Maybe an update to this page would be convenient, too: https://doc.pfsense.org/index.php/Can_I_upgrade_my_pfSense_through_the_web_interface%3F

My immediate suggestion is to edit a copy of the page (it’s a wiki, so “view source”), perform a ‘diff’ and send the result to coreteam-at-pfsense-dot-org. Jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] naive suggestion: conform to US laws
On Oct 12, 2013, at 1:35 PM, Chris L c...@viptalk.net wrote: On 2013-10-12 01:40, Jim Thompson wrote: I'm not willing to endure this uninformed Alex Jonesian crapfest.

Nice position to take, except Alex Jones was right.

Sigh. As much as this doesn’t belong on the pfsense list…

I actually know Alex, or did, 13 years ago. I got friendly enough with him back in the mid-late 90s that we had each other’s cell phone numbers. Back then Jamie and I were involved with Fringeware. http://en.wikipedia.org/wiki/FringeWare_Review http://www.austinchronicle.com/issues/vol16/issue26/screens.fringeware.html

Fringeware became an advertiser on Alex Jones' radio show (on KLBJ, before he got booted). On the front-end, I was a respected advertiser. Meanwhile, others associated with Fringeware were culture-jamming him on the back-end. The result: #discordia

Oh, the memories this brings back. (As you’ll see, the FBI showed up to demand something, didn’t have a warrant, and was shown the sidewalk.) http://www.wingtv.net/thorn2006/jarhead.html http://www.austinchronicle.com/news/2000-07-14/77932/

Clayton, btw is a dear friend. Easily one of the most brilliant people I’ve ever known. I hope he speaks at my funeral.

Other fun was had at Fringeware. We supported the Yes Men (http://en.wikipedia.org/wiki/The_Yes_Men) We actually hosted their website, as well as that of RTmark for a period in the late 90s on the same machine used for smallworks.com (which was originally the corporation behind the firewall named “Netgate”), fringeware.com, etc. One of their pranks was that they setup a website named www.gwbush.com. (http://en.wikipedia.org/wiki/The_Yes_Men#George_W._Bush http://theyesmen.org/hijinks/gwbush http://www.rtmark.com/bush.html) which resulted in Bush’s famous “There ought to be limits to freedom” quote.
http://www.rtmark.com/bushpr2.html

The great untold story on this is that all these websites were hosted in a shitty office building on Shoal Creek Blvd, one floor up from the then offices of “Karl Rove Associates” even as they fought to shutdown gwbush.com. The #irony was delicious, and they never succeeded. :-)

Anyway, you might want to study up on STRATFOR, or Mary Maroney, who was the editor in chief of Infowars magazine until earlier this year. Maroney formerly worked for Stratfor and Parker Media here in Austin. If you don’t know who they are, then I suggest more research on your part. Have fun, but be careful when you enter the rabbit hole.

Snowden and Manning are both late-comers to the party: http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all http://www.technologyreview.com/news/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/ http://cryptome.org/nsa-ssl-email.htm http://news.cnet.com/8301-31921_3-20017671-281.html http://www.wired.com/images_blogs/threatlevel/2013/09/15-shumow.pdf (see also: http://www.wired.com/threatlevel/?p=85661) http://arstechnica.com/security/2013/01/secret-backdoors-found-in-firewall-vpn-gear-from-barracuda-networks/ http://dl.packetstormsecurity.net/papers/general/my_research1.pdf http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.154.825 / http://www.cs.ucf.edu/~czou/research/Chipset%20Backdoor-AsiaCCS09.pdf

(now consider all the cheerleading for Intel Ethernet chips on the various pfSense lists…) Jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
On Oct 10, 2013, at 4:34 PM, Yehuda Katz yeh...@ymkatz.net wrote: Since we keep coming back to FreeBSD as it pertains to security: 3) FreeBSD is very mature, and very well reviewed. I've looked into FreeBSD to my personal satisfaction. OpenBSD may be abrasive as a community at times, but their work product is pretty impressive in terms of being clean and functional. I was very happy with how they handled that whole IPSec fiasco in 2011. I've been following pfSense for a while now, and I've used it off and on for years. I'm very satisfied by the quality and oversight of the coding. But by all means dig as long as your curiosity holds out. You can never be 100% sure of the security of any software, but sufficiently sure is absolutely worth looking into.

FreeBSD is not the distribution in the BSD family that is best known for security. Indeed OpenBSD has a specific focus on security (which has been studied, as has the relationship between the BSDs), but FreeBSD focuses on being more inclusive of a variety of hardware at a cost of not being 100% open source. That is a tradeoff, but it does not mean that FreeBSD is not secure, it just means ... well I have not found a study about that yet.

Go ahead and believe the marketing/hype (“best known”) about OpenBSD if you like. The simple fact is, if security issues are found in any of the BSDs, the fixes for them quickly propagate between all of them. In the end, OpenBSD is no more ‘secure’ than FreeBSD or NetBSD. Jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 10, 2013, at 5:42 PM, Paul Mather p...@gromit.dlib.vt.edu wrote: I first started using mailing lists back in the mid/late 1980s, You’re not the only one. :-) I too was entertained by the n00b trying to tell grandpa how to use email. Jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense 2.1: which FreeBSD version?
On Oct 10, 2013, at 6:25 PM, Jim Pingle li...@pingle.org wrote: You shouldn't need the -archive bits since 8.3 is still a supported release. Until next April, anyway. ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
On Oct 10, 2013, at 4:49 PM, Giles Coochey gi...@coochey.net wrote: On 10/10/2013 15:04, Chris Bagnall wrote: What made you change from AES to Blowfish, and is there any evidence to suggest that Blowfish is more 'secure' than AES?

My understanding is that AES was championed by an agency which has received recent bad-press.;-)

This is not an answer.

Blowfish was a contender to actually become AES wasn't it?

yes, but even Bruce Schneier, Blowfish's creator, is quoted in 2007 as saying At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead.' https://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/

I agree that I might see better performance with AES as it is supported in hardware by many chipsets, and when selected all the contenders marked AES as second best (after their own submissions of course...). I'm not saying it is insecure, I'm just wary of the following:

non-technical reasons

Is there any mechanism to insert ciphers into Pfsense that are not currently supported?

You have the source code. I, for one, am uninterested in non standards-compliant (and thus interoperable) implementations. jim ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
(TIC mode: on) I think it's obvious that: - ESF is a front for the NSA - the acquisition which closed last year was really just about gaining control of a critical component of Internet infrastructure. - the delays getting 2.1 out the door were exclusively about getting some last-minute backdoor code installed. AYBAB2U, baby! (TIC mode: off) On Oct 9, 2013, at 5:56 PM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-10-09 18:20, Paul Kunicki wrote: I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response Exactly, Paul, you got my point! although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ? @your doubts about the NSA/FBI/put the name of your government's surveillance institution here bothering with smaller companies such as Electric Sheep Fencing LLC (formerly BSD perimeter) and their niche product pfSense: Please take these 2 things into account: 1. Recently they forced the small encrypted-email-service Lavabit to comply with them (hand out their SSL-masterkeys and install a black-box at their premises). Lavabit did not agree - and they shut him down. https://en.wikipedia.org/wiki/Lavabit. Officially they wanted to force Lavabit to just hand out Edward Snowden's emails (bad enough), but in reality they wanted to gain access to all emails of Lavabit by receiving the SSL masterkeys and by placing the blackbox at their premises, which rendered the whole service useless. 2. Routers/Gateways/Firewalls are highly interesting for big brother. Read e.g. this article NSA Laughs at PCs, Prefers Hacking Routers and Switches (https://mailman.stanford.edu/pipermail/liberationtech/2013-September/011287.html) So, combining those 2 facts - the fact that the NSA/FBI/etc. prefer to infiltrate routers with the fact that they very well bother knocking the doors of small businesses with niche products, I guess my question is quite legitimate! Greetings Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:38 PM, Thinker Rix thinke...@rocketmail.com wrote: My main question was not if the code includes bad things, but if the company behind pfSense has been approached (yet) by authorities to comply with their Orwellian global police state fantasy. already answered. Twice.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:46 PM, David Burgess apt@gmail.com wrote: On Wed, Oct 9, 2013 at 10:38 AM, Jim Thompson j...@netgate.com wrote: So asking the question is stupid(*), because a lie is indistinguishable from the truth. I disagree on that point. Even if one is sure to get a no answer, regardless of the truth, it is still useful to ask the question for at least two reasons I can think of: 1. To get the response on record. The responders can be held accountable should it ever come out they knowingly lied. 2. To examine the response for credibility. A simple yes or no answer might not yield much, but such is rarely the case. If the answer is delayed, unclear, couched in a bunch of rhetoric or handwaving, delayed or avoided, then any or all of these things will be taken into account by those asking the question or observing the response. This is a principle that is understood by courts of law, psychologists, interrogators, and people of intuition. IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. It doesn't contribute anything to the project.