[pfSense-discussion] IPv6 needed, IPv4 exhaustion - was Re: [pfSense-discussion] Re: Low end, cool CPE.
On 12/11/10 13:43, Eugen Leitl wrote:
>> - IPv6 support, native or tunnel to tunnelbroker.net type thing.
...
> The point is: We've been asking for "IPv6" for too long. That's just
> one bit in a packet header. We need to start asking for the features we
> expect, which is a lot more than that bit.

Leo Vegoda of IANA said on 13th Nov that a new block, 105/8, was recently released to AfriNIC, with previous allocations this year being

1/8 14/8 27/8 31/8 36/8 42/8 49/8 50/8 101/8 105/8 107/8 176/8 177/8 181/8 223/8

leaving only 11 unallocated /8's.

so, that means none left by this time next year.

oh, and it means people should check their bogon filter updaters are working!

- To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
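One way to run the bogon check suggested in the message above, as an added example that is not part of the original post: it compares a cached bogon list against the /8 blocks the message lists as allocated this year. The sample list and the function names are constructed for illustration; overlap is tested rather than exact match because aggregated entries can hide an allocated /8.

```python
import ipaddress

# /8 blocks the message lists as allocated during 2010.
ALLOCATED_2010 = [1, 14, 27, 31, 36, 42, 49, 50, 101, 105, 107, 176, 177, 181, 223]

# Constructed sample of a locally cached bogon list (not real data).
SAMPLE_BOGONS = """\
# cached bogon list, last refresh unknown
0.0.0.0/8
10.0.0.0/8
100.0.0.0/6      # aggregate that hides 101/8
127.0.0.0/8
176.0.0.0/5      # aggregate that hides 176/8, 177/8 and 181/8
192.168.0.0/16
223.0.0.0/8
224.0.0.0/3
"""

def parse_bogons(text):
    """Return the networks in a one-CIDR-per-line list, skipping comments."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def stale_entries(bogons, allocated_octets):
    """Map each bogon entry to the allocated /8s it would still drop."""
    allocated = [ipaddress.ip_network(f"{o}.0.0.0/8") for o in allocated_octets]
    stale = {}
    for net in bogons:
        hits = [str(a) for a in allocated if net.overlaps(a)]
        if hits:
            stale[str(net)] = hits
    return stale

if __name__ == "__main__":
    found = stale_entries(parse_bogons(SAMPLE_BOGONS), ALLOCATED_2010)
    for entry, hits in found.items():
        print(f"{entry} still blocks allocated space: {', '.join(hits)}")
```

Any entry reported means the cached list predates the allocation and the filter is dropping traffic from address space that is now in use.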
[pfSense-discussion] Re: Low end, cool CPE.
- Forwarded message from Joel Jaeggli -

From: Joel Jaeggli
Date: Tue, 16 Nov 2010 19:36:10 +0800
To: Eugen Leitl
CC: Jason Lewis , NANOG list
Subject: Re: Low end, cool CPE.
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6

On 11/12/10 11:30 PM, Eugen Leitl wrote:
> On Fri, Nov 12, 2010 at 10:10:30AM -0500, Jason Lewis wrote:
>> Everytime I'm in the market for a device like you describe, it comes
>> down to the limitations of consumer devices. You can't get all those
>> things in a low cost solution. I end up rolling my own. My latest
>> system is this
>> http://www.supermicro.com/products/system/1U/5015/SYS-5015A-PHF.cfm
>> , with Endian http://endian.com/en/community/download/ and an
>> additional dual port nic. With all the parts (HD,NIC) it's under
>> $400.
>>
>> It's an atom board, so you could put whatever you wanted on it. I
>> have a 50mbps net connection and it doesn't have any issues.
>
> Works well on GBit/s as well. I haven't measured the throughput
> yet, though. Should be ~500 MBit/s, assuming a single Atom core
> is about equivalent to a Pentium 3 at the same frequency.

An atom should easily be able to forward some high fraction of a gig between two pci-e 1x connected interfaces certainly in the soho context such a box can do ipsec at fairly reasonable rates as well.

Regarding equivalence to a PIII an atom is a scalar rather than super scalar device. it is slower clock for clock than a pIII but there are also multicore variants and of course they run faster at lower power consumption rates than the equivalent PIII derived embedded processor such as the intel a800

- End forwarded message -
--
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
RE: [pfSense-discussion] Re: Low end, cool CPE.
> The work Seth is doing will be in 2.1 sometime next year. He has made a lot
> of progress in a very short amount of time.

And please don't misunderstand - I am absolutely thrilled about it. But it probably does not meet the OP's needs quite yet.

Nathan
Re: [pfSense-discussion] Re: Low end, cool CPE.
On Fri, Nov 12, 2010 at 5:51 PM, Nathan Eisenberg wrote:
[snip]
> But still - no IPv6 support (though a 3rd-party patch is now available to
> beat it in, it's not up to par yet, and it's not in 'stable'). :(

The work Seth is doing will be in 2.1 sometime next year. He has made a lot of progress in a very short amount of time.

Scott
RE: [pfSense-discussion] Re: Low end, cool CPE.
> I'm running the current stable pfSense (1.2.3 I think). Very happy with it.
> It's a fully featured distribution that is incredibly well put together.

But still - no IPv6 support (though a 3rd-party patch is now available to beat it in, it's not up to par yet, and it's not in 'stable'). :(
[pfSense-discussion] Re: Low end, cool CPE.
- Forwarded message from Charles N Wyble -

From: Charles N Wyble
Date: Fri, 12 Nov 2010 08:07:14 -0800
To: na...@nanog.org
Subject: Re: Low end, cool CPE.
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.11) Gecko/20101006 Thunderbird/3.1.5

On 11/12/2010 01:24 AM, Eugen Leitl wrote:
> On Thu, Nov 11, 2010 at 05:41:00PM -0800, Leo Bicknell wrote:
>> I've run into a number of low end CPE situations lately where I
>> haven't found anything that does what I want, but I have to believe
>> it is out there. I'm hoping NANOG can help.
> An ALIX with pfSense 2.0 (BETA4 at the moment) would fit most
> of the above. IPv6 support is coming (is mostly there in the
> kernel, but interface only alpha).
> PPPOE is currently broken in 2.0 BETA4. :(
> If you want to run the snort package I'd however pick a
> Supermicro Atom system with 2 onboard NICs and add a dual-port
> Intel NIC, and run pfSense from a small SSD or an USB stick.
> Albeit a rackmount, the system would be quiet enough for SOHO.

Yes. I agree. Have SNORT run as a transparent bridge and have a separate management interface. Use vlans on that interface to handle whatever you need to do (dedicated vlan for snort, one for your management network, one for secure wifi, one for guest wifi etc).

>
>> Basically think about a sophisticated home user, or a 1-5 person
>> small office. Think DSL, Cable Modem, maybe Cell Card or ISDN as
>> backups. Looking for an "appliance", very much fire and forget. I
>> probably won't get all the features that I want, but in no particular
>> order:
>>
>
>> - Able to deal with "backup" connectivity, eg. Cell Cards which you
>>   only want to use if the primary is down.
>> - User friendly features, e.g. UPNP, NAT-PMP, etc.
>> - Good manageability. ssh to a cli would be a huge bonus, at least
>>   the ability to backup a config.
> Very well supported. http(s) and ssh both.

Well the SSH interface is very limited. You can login and do some basic checks. However everything is driven from a single XML config file that gets parsed by PHP scripts during the init process and then writes out all the UNIX configuration files.

However all the things I've ever done from the CLI on a Linux box are readily available from the pfSense web interface (arp table checks, traceroute, ping, iperf, tcpdump). I only use the CLI when I have broken something.

> _ Nice firewall features.
>> - IDS features are cool.

It has a SNORT package that's pretty nice. Also has some other AV type stuff and a proxy. I haven't gotten the proxy/av to work yet, but haven't put much time into them.

>> WiFi is not strictly required, but would be cool. Things like "guest"
>> WiFi would be an added bonus.

It supports a lot of wifi cards. I put a USB wifi stick in my pfsense box and configured it as an AP from the web UI.

I'm running the current stable pfSense (1.2.3 I think). Very happy with it. It's a fully featured distribution that is incredibly well put together.

- End forwarded message -
[pfSense-discussion] Re: Low end, cool CPE.
- Forwarded message from Bjørn Mork -

From: Bjørn Mork
Date: Fri, 12 Nov 2010 13:55:27 +0100
To: na...@nanog.org
Subject: Re: Low end, cool CPE.
Organization: m
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.2 (gnu/linux)

Leo Bicknell writes:

> - IPv6 support, native or tunnel to tunnelbroker.net type thing.

This is far too diffuse. You'll get a "yes, we've got IPv6". You should at least add

- IPv6 packet filtering and policy management (at least simple access lists)
- DHCPv6-PD client running over PPP or ethernet (possibly bridged DSL) WAN interface(s)
- Ability to split the delegated prefix into a /64 for every LAN and loopback interface, preferably fully configurable
- Configurable RA on LAN interfaces, using the dynamically allocated prefixes
- (wishlist) configurable ifid's on the LAN and loopback interfaces as an alternative to using EUI-64
- WAN link addressing using whatever is available of SLAAC, DHCPv6 IA_NA or link local. Specifically: Using SLAAC for the WAN link should be possible without sacrificing any router functionality on the CPE.

and probably a lot more. DNS resolver handling needs a chapter on its own

The point is: We've been asking for "IPv6" for too long. That's just one bit in a packet header. We need to start asking for the features we expect, which is a lot more than that bit.

Bjørn

- End forwarded message -
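To make two items from the list above concrete (one /64 per LAN and loopback interface out of the delegated prefix, and a configurable ifid as the alternative to EUI-64), here is an added sketch that is not part of the original message. The delegated prefix is the documentation range, and the MAC addresses, interface names and function names are constructed for illustration.

```python
import ipaddress

def eui64_ifid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                                   # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def plan_lans(delegated, interfaces):
    """Give every interface its own /64 out of the delegated prefix.

    interfaces: list of (name, mac, ifid); ifid=None falls back to EUI-64.
    Returns {name: (prefix_to_advertise_in_RA, router_address)}.
    """
    pd = ipaddress.ip_network(delegated)
    if pd.version != 6 or pd.prefixlen > 64:
        raise ValueError("need an IPv6 delegation of /64 or shorter")
    if len(interfaces) > 2 ** (64 - pd.prefixlen):
        raise ValueError("delegation too small for one /64 per interface")
    subnets = pd.subnets(new_prefix=64)
    out = {}
    for name, mac, ifid in interfaces:
        if ifid is None and mac is None:
            raise ValueError(f"{name}: no MAC and no configured ifid")
        net = next(subnets)
        iid = ifid if ifid is not None else eui64_ifid(mac)
        out[name] = (str(net), str(net[iid]))
    return out

# Constructed sample: documentation prefix (RFC 3849) and made-up MACs.
SAMPLE_PD = "2001:db8:1200::/56"
SAMPLE_IFACES = [
    ("lan",   "00:0d:b9:12:34:56", None),   # EUI-64: the MAC shows in the address
    ("guest", "00:0d:b9:12:34:57", 0x1),    # configured ifid ::1
    ("lo0",   None,                0x1),    # loopback, configured ifid
]

if __name__ == "__main__":
    for name, (prefix, addr) in plan_lans(SAMPLE_PD, SAMPLE_IFACES).items():
        print(f"{name:6} RA prefix {prefix:22} router address {addr}")
```

Because the prefixes are derived from whatever the ISP delegates, packet filter rules on such a CPE have to follow the same calculation when the delegation changes.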