On Thu, Mar 8, 2018 at 10:12 AM, Vick Khera wrote:
> On Thu, Mar 8, 2018 at 11:10 AM, Zandr Milewski
> wrote:
>
> > As someone who has spent easily 100 hours troubleshooting, rebuilding,
> and
> > restoring UFS based Netgate boxes that have to function in
On Wed, Mar 7, 2018 at 2:31 PM, Peder Rovelstad
wrote:
> > That is an urban legend. One of original developers of ZFS was
> > interviewed
>
> OK, then. Not my data. Best of luck.
>
> I've had other ZFS servers without ECC that have run successfully for
several years. I
On Wed, Mar 7, 2018 at 7:36 AM, Peder Rovelstad
wrote:
> OH, and w/o ECC memory, it's a time bomb.
>
> That is an urban legend. One of original developers of ZFS was interviewed
and asked about the "Scrub of Death", he said that ZFS doesn't fail in that
way. ZFS is no
this a case of drive by nerd sniping or do you know
something that will cause my specific use case to fail at some point in the
future?
Walter
> On 3/1/2018 1:49 AM, Walter Parker wrote:
>
>> Forgot to CC the list.
>>
>> On Wed, Feb 28, 2018 at 10:13 PM, Walter Parker <walt.
Forgot to CC the list.
On Wed, Feb 28, 2018 at 10:13 PM, Walter Parker <walt...@gmail.com> wrote:
> Thank you for the backup script.
>
> By my calculations, 2G should be enough. If I limit the ARC cache to 1G,
> that leaves 1G for applications & kernel memory. As I'm not s
Hi,
I have 2.4.2 installed on an SG-2220 from Netgate [nice box]. I just bought
a 6TB powered USB drive from Costco and it works great (the drive has its
own power supply and a USB hub). I want to use it to take ZFS backups from my
home server.
I edited /boot/loader.conf.local and
mportant enough to you switch gets addressed in 2.5
> but not in 2.4 might occur (gosh that’s an awful sentence, Jim).
>
> > I understand that a lot of people are effectively threatening to switch
> > to OpnSense due to this, but I fear that I will *have to* if I can't
> > replac
rdware by the time support for software AES ends entirely.
>
> See:
> https://ark.intel.com/Search/FeatureFilter?productType=
> processors=LGA771=true
>
>
> I thank you for addressing this with me. I appreciate your conduct with
> me despite my comment.
>
> > Jim
>
Well, both Intel and AMD started shipping the AES-NI instructions 8 years
ago...
How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.
Given the fact that the project is only supporting 64-bit and
On Wed, Jan 3, 2018 at 2:25 PM, Steve Yates wrote:
> I'm not a developer but I would think it's dependent on FreeBSD releasing
> the update, plus testing by pfSense/Netgate. However, I would think
> there's not much concern with PCs running pfSense, since raw code would not
>
On Fri, Dec 22, 2017 at 8:25 PM, Antonio wrote:
> Hi,
>
> I'm not sure how you move traffic between the above interfaces. I was
> under the impression that all you needed was a "Default allow LAN to any
> rule" and job done. Yet i'm struggling to get devices of different
>
On Thu, Nov 16, 2017 at 4:22 AM, Brian Candler wrote:
> On 16/11/2017 10:30, Brian Candler wrote:
>
>> Unfortunately in the pfSense (2.4.1) GUI, I can't see a way to configure
>> this.
>>
>> I would like either:
>>
>> - an extra setting for "dynamic update zone", which is
};
notify yes;
};
On Sun, Aug 6, 2017 at 7:05 PM, Jim Pingle <li...@pingle.org> wrote:
>
> On 8/6/2017 9:47 PM, Walter Parker wrote:
> > How do I get the Acme package to let me update the sample.com
> > <http://sample.com> zone, to add the host for
>
8 PM, Jim Pingle <li...@pingle.org> wrote:
> On 8/6/2017 8:03 PM, Walter Parker wrote:
> > I think I'm missing something simple with my Acme Client setup in
> pfsense.
> > I followed the following steps and I'm getting a TSIG error (note NSUPDATE
> > worked when run by han
I think I'm missing something simple with my Acme Client setup in pfsense.
I followed the following steps and I'm getting a TSIG error (note NSUPDATE
worked when run by hand).
- dnssec-keygen -a HMAC-MD5 -b 512 -n HOST fw.sample.com
- Copy secret from Kfw.sample.com.*.key (note this secret has
One thing to consider with a DNS query to mapping system is the effect of
DNS caching. Many systems now have local caches, so you will only see the
DNS lookup once. For the traffic flows, you might want to look at netflow.
It can be setup to send the data to a collector system and you will be able
I moved from IPCop to pfSense years ago. It was good enough then. It is
better now. Without an idea of what your customizations are, we can't tell
you how many rules you might need to add to get the same functionality from
a pfSense setup.
On Tue, Nov 15, 2016 at 8:19 AM, Ryan Coleman
On Thu, Sep 1, 2016 at 3:06 PM, compdoc wrote:
> >>Coming back tonight to do memtest, SpinRite on the SSD, etc...,
>
> Spinrite on an ssd is a terrible idea. It's an ancient program that's even a
> bad idea to use on hard drives.
>
> It doesn't even work on drives larger
Hi,
I've been doing a bit of remodeling in the household and I noticed an
interesting issue with the temperature of the router (an SG-2220). If I
put the router flat, it heated up to 53 Celsius (9AM mid 70's Fahrenheit
room temp). When I turned the router on its side, it dropped from 53 to 46
Not that I have seen.
I had an idea for authenticated NTP awhile back, but was waiting until I
had upgraded to 2.3 before I looked at what it would take to add. This
weekend I had the time to build a test environment, so I might try doing it
over the next few months.
Walter
On Mon, May 30,
from that config and things
worked just fine.
Walter
On Sun, May 29, 2016 at 4:44 PM, Dave Warren <da...@hireahit.com> wrote:
> On 2016-05-29 17:35, Walter Parker wrote:
>
>> You could try copying the entries from the old XML and paste it in the
>> new XML file.
>
You could try copying the entries from the old XML and paste it in the
new XML file.
Walter
On Sun, May 29, 2016 at 3:32 PM, Dave Warren wrote:
> Howdy!
>
> I am looking at replacing my 2.2.something pfSense box with a fresh
> install of 2.3. Is it possible to restore
In IPv6, Link Local fe80::1:1 is like what IPv4 does when there isn't a
DHCP server (it auto assigns an address from 169.254.0.0/16 ). The IPv6 RFC
documents two ways to generate these link local addresses. The second method
generates addresses that are not dependent on the MAC address. Unlike the
Hi,
I just plugged a small WDC USB 2.0 hard drive into my pfSense firewall as
an external, second drive and everything booted:
da1 at umass-sim1 bus 1 scbus7 target 0 lun 0
da1: Fixed Direct Access SCSI device
da1: 40.000MB/s transfers
da1: 238475MB (488397168 512 byte sectors)
da1: quirks=0x2
Hi,
I just upgraded from my old ALIX router that I brought from Netgate several
years ago (which has worked great for the past several years).
The new box is nice, it is much faster. I restored my old 2.2.5 config on
the new system and I have a few questions:
Where are the RRD graphs (I don't
For a list of Packages in 2.3, see
https://doc.pfsense.org/index.php/Package_Port_List
For a list of packages removed from 2.3, see
https://doc.pfsense.org/index.php/2.3_Removed_Packages
Walter
On Wed, Apr 13, 2016 at 3:17 PM, Steve Yates wrote:
> I should restate/clarify
On Tue, Feb 23, 2016 at 3:19 PM, Giles Davis wrote:
> On 19/02/2016 17:12, David Burgess wrote:
> > I'm a little surprised at your experience. A few years ago I built a
> > PFSense unit with an Intel motherboard, 1st gen Core i3 CPU, and a
> > single onboard Intel (em) GBE
There is an optimization coming for pfsense. There is a new user space
routing daemon. netmap I think, that can reach line rate on 10G NICs (14.88
Mpps). There was a BSDCon that talked about a future version of pfsense
using this system. It uses ipfw, so there is a bit of work to adapt it to
pfsense.
no longer supported by the
> developer.
>
>
> > On Oct 16, 2015, at 1:11 AM, Walter Parker <walt...@gmail.com> wrote:
> >
> > Years ago, there was a package for pfSense that graphed total bandwidth
> for
> > the Day, Month, Year using bar charts. It would s
Years ago, there was a package for pfSense that graphed total bandwidth for
the Day, Month, Year using bar charts. It would show the top days with
bandwidth and total usage for the month.
It was not bandwidthD or the RRD graphs. I can't find it anymore. What was
it called and why was it removed?
, Philipp Tölke pt+pfse...@fos4x.de wrote:
Hi Walter,
thanks for your answer!
On 19.06.2015 01:24, Walter Parker wrote:
If your network is large enough to have a monitoring package (like
Nagios), some of them support certificate checking.
Can nagios access the certificates on the pfSense
There is a serverfault question about this:
http://serverfault.com/questions/380778/vmware-seems-to-throttle-scp-copies-what-can-be-the-reason?rq=1
SCP does (did) have performance problems. They fall into two groups.
First, over a WAN the internal buffer was a bit too small for high
speed (100
After re-enabling my account, I saw this email (but not the earlier emails
from today).
Walter
On Wed, Apr 8, 2015 at 11:58 AM, Mike Montgomery onezero1010...@gmail.com
wrote:
I got the same re-enable email to my gmail account.
On Wed, Apr 8, 2015 at 2:48 PM, WebDawg webd...@gmail.com wrote:
Thank you.
On Wed, Apr 8, 2015 at 12:16 PM, Chris Buechler c...@pfsense.com wrote:
This should be fixed. mailer-daemon@ ended up as a list member in
mailman, AFAICT from day one of this list, but in the past few days
ended up being spoofed to send a couple viruses to the list. Those
messages
Using a chart like
http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf
you
can see the different /28 and /29 subnets that exist on a /24 network.
You would bind the .248/29 network to the WAN interface (use a /29 to leave
a few extra addresses).
Then you would bind an
I installed it on an ALIX with a 4GB card without issues. I'd suggest
getting a serial cable so that you can see the output from the system as it
boots (make sure you a null modem cable or adapter).
Walter
On Mon, Mar 9, 2015 at 5:11 AM, Kostas Backas kos...@i-system.gr wrote:
Hello,
I have
I had a problem like this, so I replaced the cheap converted with one
made by a California company (it was much nicer, real drivers and
instructions for $5 more). I got no output until I remembered that I might
need a null modem adapter. Once I added that to mix everything worked like
a charm
, 2015, at 6:27 PM, Walter Parker walt...@gmail.com wrote:
For the real time monitor, if you switch from WAN to LAN, you can see who
is doing spikes. For the other items, you can see how much bandwidth each
internal IP addresses has used in one of those packages. Unless you have
servers in a DMZ
of programming might
radically differ from yours :)
If I can find the time, I'll see if I can find any notes.
Walter
On Mon, Feb 16, 2015 at 2:58 PM, Volker Kuhlmann list0...@paradise.net.nz
wrote:
On Tue 17 Feb 2015 10:33:21 NZDT +1300, Walter Parker wrote:
In Realtime, you can use the dashboard
In Realtime, you can use the dashboard app.
For plugins, BandwidthD and Darkstat have some information.
I've used netflow on other systems to get this sort of information, but for
pfSense you would have to setup a second box that ran the netflow
visualizer to see the traffic information from one
/index?itemnumber=16-101-837
Both are viable options.
Jason
Sent from my iPhone
On Feb 5, 2015, at 11:11 AM, Walter Parker walt...@gmail.com wrote:
I've used pfSense in a VM on my ESXi application server. This is mostly
to firewall the Windows VMs from the Internet.
If you want fail
I've used pfSense in a VM on my ESXi application server. This is mostly to
firewall the Windows VMs from the Internet.
If you want fail-over, I'd suggest getting one of the new Netgate (
http://store.netgate.com/NetgateAPU2.aspx or
http://store.netgate.com/1U-Rack-Mount-Systems-C84.aspx) or
First, pfSense is from FreeBSD, not OpenBSD. Second xBSD uses libc by
default, not glibc. glibc is a GNU/Linux port of the libc from UNIX
systems. I wouldn't expect to see recent glibc errors in xBSD, as there are
separate code bases at the system level.
Walter
On Tue, Jan 27, 2015 at 10:45 AM,
Hi,
I just put pfSense 2.2RC on my firewall and I noticed that the PHP code
that generates the resolv.conf file will add the line options edns0 to
resolv.conf if the unbound config has the edns option set.
I didn't see any way in the GUI to set this option. Am I missing
something, or has
Just thought I'd note that Paul Venezia, who does the Deep End column for
Infoworld, just gave a positive heads up to pfSense and the APU1 DIY kit
from Netgate.
http://www.infoworld.com/article/2861574/network-security/you-should-be-running-pfsense-firewall.html
Walter
--
The greatest dangers
your comment
about get it now before it has any issues.
Brian
On 11/30/2014 3:07 PM, Walter Parker wrote:
If you are getting the Netgate kit, I'd suggest just getting the Intel
m525 SSD that they offer. This is a modern SSD with wear leveling that
keeps software like a squid cache from
If you are getting the Netgate kit, I'd suggest just getting the Intel m525
SSD that they offer. This is a modern SSD with wear leveling that keeps
software like a squid cache from burning out the drive early. It will fit
and work without having to build a custom cable and have to tape a drive to
I'd be a little worried about the SD card and squid, but not the current
ADD solution from Netgate.
On Nov 27, 2014 2:05 PM, Brian Caouette bri...@dlois.com wrote:
I've been looking at the kit at Netgate for $199 to replace my poweredge
2850 for pfSense. My concern is the sd/flash memory and
I use imgburn to burn all of my pfSense CDs (and Windows, Linux and FreeBSD
DVDs). I second the recommendation. If you have picked the correct image,
it should boot unless there is something strange with the HP hardware. The
fact that a Windows disk boots doesn't prove that hardware isn't strange
First thing I would do is make sure that you have added static IP address
reservations for the MAC addresses using the DHCP server page for
each piece of IP gear that your children have. If you click on All Leases,
it will show you every device that has tried to get an address. You can
take
To see which client is eating your bandwidth, when using Traffic Graph,
switch from WAN to LAN. Then the dynamic list of hosts will show client IP
addresses and not your link address.
On Wed, Sep 24, 2014 at 7:55 AM, Muhammad Yousuf Khan sir...@gmail.com
wrote:
Exactly this is how i learn that
A suggestion: Null route all facebook addresses. That usually kills any
traffic. Be aware that it kills all traffic to those addresses (HTTP,
HTTPS, SMTP, POP3, DNS).
FYI, getting snotty to people that are asking for help usually turns them
off of wanting to help you...
Walter
On Wed, Sep 24,
Yes, check to make sure that the WebConsole interface (on 443) is not
conflicting with your other rules.
Check for allow/deny rules in both Squid and pfSense to make sure that you
don't have a conflict.
On Tue, Sep 9, 2014 at 1:34 PM, Satvinder Singh
satvinder.si...@nc4worldwide.com
On 07/10/2014 05:29 PM, Walter Parker wrote:
I disagree that this is a vulnerability/weakness. If this is truly your
only issue with the network, I'd call it good and done if you are not the
DOD/NSA.
If you are, then you need to start again with an even more secure
foundation.
Walter
I think you might have a misconception in your request. When you say:
To resolve this issue I need to mangle forwarded IP packets by
incrementing their TTL by 1. This would effectively hide the above
included results. If anyone knows how to do this either through the web
interface or through
I disagree that this is a vulnerability/weakness. If this is truly your
only issue with the network, I'd call it good and done if you are not the
DOD/NSA.
If you are, then you need to start again with an even more secure
foundation.
Walter
On Thu, Jul 10, 2014 at 2:25 PM, Blake Cornell
HTTPS was designed to cause a transparent proxy to fail (that was one of
the major design goals, no third party [such as squid] could read the
traffic). As mentioned before, to make this work, you must either drop the
requirement that the proxy be transparent (Note, explicit proxies can be
auto
There is a way to auto configure the proxy settings on modern browsers, so
that you don't have to manually configure them individually
WPAD and Proxy auto-config
http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
http://en.wikipedia.org/wiki/Proxy_auto-config
Walter
On Wed, Jun 18,
Given that pfSense 2.1.3 uses FreeBSD 8.3 as the base OS, wouldn't
http://ftp1.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/perl5/ be
better location to use for packages?
Walter
On Wed, May 21, 2014 at 11:57 AM, Moshe Katz mo...@ymkatz.net wrote:
On Wed, May 21, 2014 at 2:39 PM,
The amd64 is for all 64 bit machines (amd64 and Intel EMT64)
The x86 is for all 32 bit machines (Intel and AMD)
According to the spec sheet,
http://www.dell.com/downloads/global/products/pedge/en/2850_specs.pdf, that
is a 64 bit machine.
Note, because AMD developed 64 for the x86 first, the BSDs
different from AMD64. I’ve never touched an
Itanium-driven machine.
On May 19, 2014, at 18:06, Walter Parker walt...@gmail.com wrote:
The amd64 is for all 64 bit machines (amd64 and Intel EMT64)
The x86 is for all 32 bit machines (Intel and AMD)
According to the spec sheet,
http://www.dell.com
pfSense has menu options that allow you to move/create /tmp and /var in RAM.
These can be found in System > Advanced > Miscellaneous.
Then logging would be written to the RAM disk.
Note that the logs will be lost when the power goes out. You will need to
setup a scheduled job that does backups if you wish
a rule for each of these
domains will be painful after a while I assume. But on the other hand, I
will be using this reverse proxy node as the first entry point to my DDoS
protection network, so not sure whether DPI is a good thing here or not.
On Sat, Apr 12, 2014 at 11:40 PM, Walter Parker
How about configuring the firewall to block everything and then create
a rule that forwards/allows only port 80 and 443 to the reverse proxy
server. Configure the reverse proxy server to only support HTTP traffic (on
port 80 and using SSL on 443). Then you don't need to do DPI. I'd say you
years, but a simple windows version...
http://oss.oetiker.ch/mrtg/
*From:* List
[mailto:list-boun...@lists.pfsense.org]
*On Behalf Of *Walter Parker
*Sent:* April-07-14 2:06 PM
*To:* pfSense Support and Discussion Mailing List
*Subject:* Re: [pfSense
I upgraded my ALIX system running 2.0 to 2.1.1. The base upgrade appeared
to go fine, I got the screen that said the system was upgrading all of the
packages, but after the system restarted, none of the packages on the old
system were listed as installed on the new system.
But the service screen
The big problem that I see people have that that want to do networking
based on hostnames rather than IP addresses. Such as how named virtual
hosting works on Apache. But the problem is that the hostname is translated
to an IP address on the client side and the only thing the server sees is
the IP
From the status menu, select System Logs
From the system logs page, click on Settings
Scroll down to Remote logging Options
Enable Remote logging
For the remote Syslog Servers, enter the address of your syslog server (any
Linux or FreeBSD server running a copy of syslog that will take outside
By default, PFSense blocks WAN to LAN traffic. If you want WAN to LAN
traffic, you will need to allow it (add rules on both the WAN and LAN
sides). But you might want to notice something else. If PFSense is
operating as a straight up router where you don't want NATing of the LAN
packets, then you
when plugged in.
Brian
On 1/14/2014 12:50 PM, Walter Parker wrote:
By default, PFSense blocks WAN to LAN traffic. If you want WAN to LAN
traffic, you will need to allow it (add rules on both the WAN and LAN
sides). But you might want to notice something else. If PFSense is
operating
reason its not being passed to the lan.
On 1/14/2014 1:13 PM, Walter Parker wrote:
From the PFSense UI, select Firewall-NAT. Then click on the Outbound tab.
Then select the Manual Outbound NAT rule generation radio button (this
turns off Automatic outbound NAT rule generation). Then delete
Once you create a gateway, you can not rename it from the GUI. I had to
delete and re-create my gateway in order to rename it.
On Tue, Jan 7, 2014 at 12:02 PM, Matthias May matth...@may.nu wrote:
Am 07.01.2014 20:52, schrieb Joe Landman:
Hi folks:
I am trying to match a spec we've been
Hi,
I have a pfSense box with multiple WAN connections (one on TW and one on
Comcast)
I appear to have got MultiWAN working for outbound traffic, in that:
I can ping/traceroute from either interface and the traffic routes out and
comes back.
But inbound traffic only appears to work if it comes into
I've been asked if pfSense has multiple routing tables. Specifically, there
is kernel option in FreeBSD:
options ROUTETABLES=2
Which enables you to setup a second routing table for a second interface.
Does pfSense use multiple ROUTETABLES? If not, why not and does the
existing policy based
Hi,
I've got a pfSense router with a WAN connection that has 4 interfaces:
WAN - A 200 mbs connection. This is on a /20 subnet and the other side is
the default route.
LAN - This is a static routed /24 network from the company providing the
200 mbs WAN connection
COMCAST - This is a static
I have a pfSense 2.0.3 box with 5 interfaces, two of which are on
motherboard ethernet controllers using the NVIDIA nForce4 CK804 MCP9
Networking Adapter chipset.
These two connections connect to the upstream IP (WAN) and to the old IP
space for the local network (LAN).
I've been seeing the
As I see it, there are two things that can happen here
1) NSA breaks into pfSense without knowledge of the staff = The only
solution is source code and binary review. This is not an option for people
like Thinker Rix or other non coders. The mostly spot for this to happen is
upstream from the
Who would you trust more than ESF? Why, specifically, would you trust
another group of people to be more trustworthy? I admit to have a USA bias,
but for the issue in question, I don't there being a much better choice.
The UK has less freedoms in this matter. But then this is turning into a
case of
). But that is me, maybe you
prefer to decide to move first and then figure out where you are going
after you have left (rather than planning where you are going before you
leave).
Walter
On Fri, Oct 11, 2013 at 12:11 PM, Thinker Rix thinke...@rocketmail.com wrote:
On 2013-10-11 21:20, Walter Parker wrote
. It is probably no exaggeration to
state that this 20th century version of the Trojan horse is quite likely
the greatest sting in modern history.
On Fri, Oct 11, 2013 at 12:49 PM, Adrian Zaugg a...@ente.limmat.ch wrote:
On 10/11/13 8:20 PM, Walter Parker wrote:
Unless, of course, you are willing
So, if I have an ALIX that I would like to upgrade, how much would I have
to increase /tmp and /var by to have the upgrade run to completion without
filling the partitions?
Walter
On Fri, Oct 11, 2013 at 2:25 PM, Jim Pingle li...@pingle.org wrote:
On 10/11/2013 4:58 PM, Jens Kühnel wrote:
The big problem with asking the question Has the NSA required you to add a
back door? is that no small company that wants to stay in business can or
will say yes (If they do, no one will trust/use the product unless forced
themselves). The company will agree/be forced to say no. How does one tell
About that made in the USA thing, the NSA has deals with overseas companies
as well...
Plus, the GCHQ and several other foreign spy agencies have done similar
things, so if you start asking, you discover that the major governments
are trying to do this and have succeeded more often than we would
To answer your question about throwing the first stone. Your question reads
a bit like the Are you a criminal/commie? questions. Many people would
object to the question at the start because it implies that the people
being asked the question has done something wrong. Watching the reactions
to
Walter,
On 2013-10-09 21:53, Walter Parker wrote:
To answer your question about throwing the first stone. Your question
reads a bit like the Are you a criminal/commie? questions. Many people
would object to the question at the start because it implies that the
people being asked the question has
I'd suggest installing pfSense at a home location for benefits that pfSense
provides. The ability for you to see what is going on on your network is
much greater than with any of the consumer routers.
If you get a little Netgate SBC, you can have a pfSense router with the
same size and power