Re: [pfSense] pfsense on watchguard xtm 810?
Thanks. That worked. It was a bit hard without console :)

Eero

On Fri, Feb 16, 2018 at 9:00 PM, Melvin wrote:

> I've had good luck in similar cases by installing on a generic machine
> then putting the media in the target box.
>
> On Feb 16, 2018, 13:40, at 13:40, Eero Volotinen wrote:
> >Hi List,
> >
> >I need to install pfsense 2.4 on watchguard xtm 810. there is issue as it
> >does not boot from usb stick, only from cf or sata.
> >
> >Any idea how to install pfsense on it? it works with 2.3 nano-vga image,
> >but such is not available for pfsense 2.4
> >
> >--
> >Eero
> >___
> >pfSense mailing list
> >https://lists.pfsense.org/mailman/listinfo/list
> >Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Configs or hardware?
Well. Does it require so much power, that I cannot run it on intel core2
quad Q9400, 2.66Ghz processor (4 cores) ?

Eero

On Fri, Feb 16, 2018 at 4:40 AM, Walter Parker wrote:

> On Thu, Feb 15, 2018 at 6:11 PM, Jim Thompson wrote:
> >
> > > On Feb 15, 2018, at 6:47 PM, Kyle Marek wrote:
> > >
> > > On 02/15/2018 05:33 PM, Jim Thompson wrote:
> > >> Mr. Marek,
> > >>
> > >> I think you may be missing the point that this is about 2.5 and the
> > >> RESTCONF interface, not any kind of VPN.
> > >
> > > I became aware of this after reading the follow up post.
> > >
> > >> Yes, there are constant time implementations of AES, they’re quite
> > >> slow, as alluded here:
> > >> https://www.netgate.com/blog/more-on-aes-ni.html
> > >>
> > >> Read the whole thing, please, and please remember that this was our
> > >> attempt to explain what is coming for future pfSense, well before it
> > >> would occur.
> > >>
> > >> There is a whole rewrite that needs to occur for 2.5. All the PHP
> > >> goes away, and, as we did with the 2.3 -> 2.4 transition, which
> > >> eliminated support for 32-bit Intel), and we promised to continue to
> > >> release 2.3 images for 32-bit Intel for at least a year past the date
> > >> of 2.4.0-RELEASE, we are also on record for support the 2.4 series
> > >> for at least a year after the 2.5.0-RELEASE.
> > >
> > > As I understand, pfSense uses OpenSSL to implement these functions that
> > > utilize AES-NI. Is slow bulk throughput the only reason why OpenSSL's
> > > software implementations are not being allowed?
> > >
> > >> So many people want to make this about Netgate attempting to sell
> > >> more appliances. This is not true, and anyone looking critically at
> > >> the assertion would see the fallacy of it. I will attempt to outline
> > >> why.
> > >>
> > >> It’s now early 2018, and, unknown to us (or anyone else in the
> > >> FreeBSD community) before December last year, Meltdown and Spectre
> > >> are here. While the appliance model of pfSense is, as far as we can
> > >> tell, unaffected by these (unless you load software from strange
> > >> places), we’re committed to fixing them anyway. This will include
> > >> support for 32-bit Intel on the 2.3 series as FreeBSD (our upstream)
> > >> implements and releases same.
> > >>
> > >> And, none too subtly, the Spectre attacks are (non-crypto)
> > >> cache-timing attacks. Point-in-fact, the AES cache-timing attack that
> > >> I referenced last May is, indeed, referenced on the first page of the
> > >> Spectre paper.
> > >> https://spectreattack.com/spectre.pdf
> > >
> > > I understand that Netgate offers support for non-Netgate hardware.
> >
> > True, but the “support” I’m talking about here is that we continue to
> > maintain, build and test new releases of 2.3 and 2.4 for a period of
> > time. These are available to everyone, without charge.
> >
> > >
> > >> What did anyone running 2.3 on a 32-bit Intel or AMD CPU pay Netgate
> > >> for this continued support?
> > >>
> > >> Nothing.
> > >>
> > >> So assume that a miracle occurs, and a year from now we have a
> > >> 2.5.0-RELEASE on 15-Feb-2019. This would mean that the 2.4 series of
> > >> pfSense software would continue to be supported until at least
> > >> 15-Feb-2020.
> > >>
> > >> What did anyone running 2.4 on a 64-bit Intel or AMD CPU that doesn’t
> > >> implement AES-NI pay Netgate for this continued support?
> > >>
> > >> Again, nothing.
> > >
> > > I'm failing to see why any additional effort is needed to support
> > > non-AES-NI AES implementations considering OpenSSL is implementing it.
> >
> > If AES-NI is not available, OpenSSL will either use Vector Permutation
> > AES (VPAES https://www.shiftleft.org/papers/vector_aes/vector_aes.pdf) or
> > Bit-sliced AES (BSAES https://cryptojedi.org/papers/aesbs-20090616.pdf),
> > provided the SSSE3 instruction set extension is available. SSSE3 was
> > first introduced in 2006, so there is a fair chance that this will be
> > available in most computers used. Both of these techniques avoid data- and
> > key-dependent branches and memory references, and therefore are immune to
> > known timing attacks. VPAES is used for CBC encrypt, ECB and "obscure"
> > modes like OFB, CFB, while BSAES is used for CBC decrypt, CTR and XTS.
> >
> > The bit sliced (constant-time) implementation in OpenSSL could be used,
> > but the GUI model with RESTCONF is very (very) different. Except for the
> > various “monitoring” widgets and graphs, a web browser running against
> > today’s pfsense is all but silent until something like an “Apply” button
> > is pushed. With RESTCONF, things are much more “chatty”.
> >
> > This means that there is more load on the box to keep things encrypted.
> > The bit sliced implementation in OpenSSL is slow, especially on older
> > processors. I’ve run it on a J1900, and it’s glacial.
> >
> > As I explained in the blog post, we’re going to move 2.5 to the RESTCONF
> > interface. We don’t have the resour
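
Added example, not part of the thread and not pfSense or OpenSSL code: a shell sketch that reads a FreeBSD-style `Features2` CPU flag line and names the AES code path the quoted message describes for a given cipher mode. The function names, the mode labels and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed samples in the style of the Features2 line in FreeBSD's
# /var/run/dmesg.boot (CPUID.1:ECX flags); not captured from real hardware.
SAMPLE_NO_AESNI='  Features2=0x82209<SSE3,MON,SSSE3,CX16,SSE4.1>'
SAMPLE_AESNI='  Features2=0x2082209<SSE3,MON,SSSE3,CX16,SSE4.1,AESNI>'
SAMPLE_SSE3_ONLY='  Features2=0x1<SSE3>'

# features2 TEXT: print the comma-separated flags of the first Features2 line.
features2() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Features2=0x[0-9a-fA-F]*<\(.*\)>.*$/\1/p' |
        head -n 1
}

# has_flag FLAGS NAME: exact token match, so SSE3 is never mistaken for SSSE3.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# aes_path TEXT MODE: name the AES code path the message describes.
#   aesni        AES-NI present
#   vpaes/bsaes  no AES-NI but SSSE3 present, chosen by cipher mode
#   not-covered  neither flag; the message does not say what is used
aes_path() {
    flags=$(features2 "$1")
    if has_flag "$flags" AESNI; then echo aesni; return 0; fi
    if ! has_flag "$flags" SSSE3; then echo not-covered; return 0; fi
    case "$2" in
        cbc-encrypt|ecb|ofb|cfb) echo vpaes ;;
        cbc-decrypt|ctr|xts)     echo bsaes ;;
        *)                       echo unknown-mode ;;
    esac
}

# On a FreeBSD or pfSense shell: aes_path "$(cat /var/run/dmesg.boot)" ctr
```
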
Re: [pfSense] Configs or hardware?
On Feb 19, 2018, at 10:10 AM, Eero Volotinen wrote:

> Well. Does it require so much power, that I cannot run it on intel core2
> quad Q9400, 2.66Ghz processor (4 cores) ?

What a curious question. It does not require "so much power" but it does
require a minimum hardware spec, which that CPU will lack (no AESNI).

I can understand why people would be unhappy that their hardware becomes
unsupported by a new release, but I also understand it's common in the
computing industry and makes a lot of sense for Netgate to do this (reduced
support costs; increased developer focus; etc.). It's nice, also, they've
laid out a roadmap for doing this and telegraphed clearly how they plan to
support older hardware and for how long. It's not like they just decided
yesterday over a couple of pints at the pub to throw everyone without
AESNI-capable CPUs under the bus right now.

I still have a CF NanoBSD-based pfSense installation running on Netgate
hardware, and I appreciate they are still supporting 2.3, giving people
like me time to migrate off to something else.

Cheers,

Paul.
Re: [pfSense] Configs or hardware?
On Mon, Feb 19, 2018 at 10:42 AM, Paul Mather wrote:

> On Feb 19, 2018, at 10:10 AM, Eero Volotinen wrote:
>
> > Well. Does it require so much power, that I cannot run it on intel core2
> > quad Q9400, 2.66Ghz processor (4 cores) ?
>
> What a curious question. It does not require "so much power" but it does
> require a minimum hardware spec, which that CPU will lack (no AESNI).
>
> I can understand why people would be unhappy that their hardware becomes
> unsupported by a new release, but I also understand it's common in the
> computing industry and makes a lot of sense for Netgate to do this (reduced
> support costs; increased developer focus; etc.). It's nice, also, they've
> laid out a roadmap for doing this and telegraphed clearly how they plan to
> support older hardware and for how long. It's not like they just decided
> yesterday over a couple of pints at the pub to throw everyone without
> AESNI-capable CPUs under the bus right now.
>
> I still have a CF NanoBSD-based pfSense installation running on Netgate
> hardware, and I appreciate they are still supporting 2.3, giving people
> like me time to migrate off to something else.
>
> Cheers,
>
> Paul.

It's also worth mentioning that the Q9400 is turning 10 years old this year.

I am a very enthusiastic proponent of reusing old computer hardware instead
of throwing it away, but there still comes a point in time at which it's
time to move on, and ten years is a very long life for commodity computing
hardware.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
Re: [pfSense] Configs or hardware?
Maybe. I think that hardware can still do full gigabit nat and firewalling.

--
Eero

On Mon, Feb 19, 2018 at 7:12 PM, Moshe Katz wrote:

> On Mon, Feb 19, 2018 at 10:42 AM, Paul Mather wrote:
>
> > On Feb 19, 2018, at 10:10 AM, Eero Volotinen wrote:
> >
> > > Well. Does it require so much power, that I cannot run it on intel core2
> > > quad Q9400, 2.66Ghz processor (4 cores) ?
> >
> > What a curious question. It does not require "so much power" but it does
> > require a minimum hardware spec, which that CPU will lack (no AESNI).
> >
> > I can understand why people would be unhappy that their hardware becomes
> > unsupported by a new release, but I also understand it's common in the
> > computing industry and makes a lot of sense for Netgate to do this
> > (reduced support costs; increased developer focus; etc.). It's nice,
> > also, they've laid out a roadmap for doing this and telegraphed clearly
> > how they plan to support older hardware and for how long. It's not like
> > they just decided yesterday over a couple of pints at the pub to throw
> > everyone without AESNI-capable CPUs under the bus right now.
> >
> > I still have a CF NanoBSD-based pfSense installation running on Netgate
> > hardware, and I appreciate they are still supporting 2.3, giving people
> > like me time to migrate off to something else.
> >
> > Cheers,
> >
> > Paul.
>
> It's also worth mentioning that the Q9400 is turning 10 years old this
> year.
>
> I am a very enthusiastic proponent of reusing old computer hardware instead
> of throwing it away, but there still comes a point in time at which it's
> time to move on, and ten years is a very long life for commodity computing
> hardware.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732