Re: [pfSense] best ipsec cipher for aes-ni on sg-8860

2017-12-09 Thread Adam Thompson
I had found an older thread saying that the "XCBC" hashes were OK, since they were effectively "free" as long as you used one of the AES-GCM ciphers. Same thread (can't find it now, sorry) also indicated that the GCM mode ciphers were more, uh, completely??/rapidly?? accelerated than CBC. Can't v

Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Adam Thompson
Well, that explains why the rest isn't working. Fix DNS and your problems will (hopefully) go away. -Adam On December 4, 2017 2:41:25 PM CST, Pete Boyd wrote: >On 04/12/2017 20:39, Adam Thompson wrote: >> Do you have functional DNS from the CLI? > >No, I can't ping

Re: [pfSense] 2.3.5 to 2.4.2 on SG-2440 failed accessing repository

2017-12-04 Thread Adam Thompson
The "no address record" error is interesting... Do you have functional DNS from the CLI? -Adam On December 4, 2017 2:29:09 PM CST, Pete Boyd wrote: >On 04/12/2017 20:11, Steve Yates wrote: >> If you ssh to the device and pick the option to update from its >console menu, does it update there? >

Re: [pfSense] Using LAGG interfaces with CARP to allow future router replacements

2017-11-28 Thread Adam Thompson
Yes, there's downtime to set up LAGs. So this won't help avoid all downtime. Since the SG-2440 just went EOL, I would expect the SG-4860 will also go EOL soon, perhaps next quarter (Q1’18). There is a small performance hit. It's not large - certainly not large enough that I ever cared to measur

Re: [pfSense] 2.4 Bricked my APU4 Netgate

2017-11-25 Thread Adam Thompson
If you're going to even consider blaming widely-used software for hardware problems, then absolutely, yes, please do this, if only to stop the accusations. If you don't reboot regularly, now's a good time to change that policy, too. We aren't running NetWare 3.1 any more. No reboots = no patche

Re: [pfSense] problems with lagg interfaces?

2017-10-17 Thread Adam Thompson
No, you misunderstood the last response. You have not provided enough information yet to determine what the problem is. Three things have been suggested: 1. It *might* be a bug *similar* to one someone else encountered using different hardware (which does not even exist on your firewall), 2. You

Re: [pfSense] pfSense virtualisation

2017-10-10 Thread Adam Thompson
The only thing I would caution against is having your only gateway to the Internet running on a single host or cluster - this makes troubleshooting VERY difficult when the host or cluster fails. Been there, done that. So I have one H/W gateway running the internet pipe, then all the internal fi

Re: [pfSense] pfsense 2.4rc wirespeed?

2017-09-03 Thread Adam Thompson
The speedtest server code is not optimized for high upload speed measurement. When running speedtest from a machine on the same subnet, in the same rack in the same data center as the speedtest server (I worked for an ISP) you will still get funny results. Or even two VMs running on the same h

Re: [pfSense] IPsec NAT/BINAT not working

2017-08-24 Thread Adam Thompson
I always thought that this behaviour was because of the way IPSec is bolted on to the network stack in FreeBSD 9, that IPsec literally took over the packet before it could get NAT'd. Certainly, I was recently surprised to discover that IPSec VPN tunnels take precedence over local connected inter

Re: [pfSense] Internal Certificate and Internal Network.

2017-08-17 Thread Adam Thompson
Error messages. Log files. Configuration data. Network topology. Route tables. We have nothing to work with yet. -Adam (Yes, I know I'm being hypocritical here because I've done the same thing. Thank you for not reminding me...) On August 17, 2017 10:51:43 AM CDT, Kleber Carvalho wrote: >He

[pfSense] IPSec to overlapping subnet - unexpected behaviour

2017-08-11 Thread Adam Thompson
Any ideas how I install an IPSec tunnel to a remote subnet that overlaps with a local subnet while not completely killing the local subnet? This isn’t _quite_ as insane as it sounds at first glance: The SPD (i.e. Phase 2) selectors on my side are from a single /32 IPv4 address on the LAN tha

Re: [pfSense] pfSense 2.4 with ZFS, will it solve corrupt systems

2017-08-05 Thread Adam Thompson
True, but it's also a journaling filesystem (effectively, even if that's not quite the curvy technical term for it) so is far less prone to random corruption on hard (unexpected) shutdowns / reboots. Best of both worlds is to use ZFS boot off mirrored disks, but that also increases cost and only

Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
act, my main guest WiFi network runs > *only* IPv6. > Most of my guests only care about Gmail and YouTube, and those have > been > IPv6 enabled for ages. It's an experiment to see how many visitors can > get away with not noticing that they have no IPv4 connectivity. > > Mosh

Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
So? Neither do I. I don't have native IPv6 at the office either. But both are fully IPv6-connected. That's what Hurricane Electric tunnels are for. (And SIXXS, formerly, but they've decided that IPv6 penetration has reached a point where they're not needed anymore. Hahahaha...) http://www.

Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
Sadly, yes. Partly due to providers like OVH who don't "get" prefix delegation. Also, how else do you multi-home without running BGP? (Keeping in mind that the overwhelming majority of networks around the world have no access to BGP.) That's one of the specific use cases for Network Prefix Tra

[pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
(If you work for Netgate – would a paid support subscription include helping me diagnose the problem here, and get this working? I’m not 100% clear if this is in scope or not.) I’ve encountered an – apparently – unusual problem when trying to enable 1:1 NAT for IPv6. I’m also having a simi

Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Adam Thompson
; services listening on x.x.x.1, x.x.x.2, x.x.x.3 etc, works like a charm. > > JC > > -Original Message- > From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Adam > Thompson > Sent: August-01-17 12:57 PM > To: list@lists.pfsense.org > Subject: [pfS

Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Adam Thompson
I can't speak to their other platforms, but the Private Cloud offering is based on VMware, and does not permit the use of MAC addresses other than the one assigned to the VM. So CARP immediately fails there. Amusingly (not), there's even a special plug-in in the VMware client that is supposed to

[pfSense] IPv6 problem at OVH

2017-08-01 Thread Adam Thompson
Wondering how anyone else manages (or would manage) this scenario: * Private Cloud at OVH. (Runs VMware, which isn't terribly relevant AFAICT.) * OVH provides a single VLAN that is connected directly to their router * ALL public IP addresses are terminated on that VLAN (i.e. bound directly to

Re: [pfSense] pfsense twitter account making rude comments.

2017-02-23 Thread Adam Thompson
Not just default - many MUAs (gmail, outlook, virtually every web-based service) don't correctly handle or in some cases even _permit_ the traditional method at all. Much like IRC and two spaces after a period, in-line or appended replies are now historical relics, broadly replaced by things that c

Re: [pfSense] SG-1000 and VPN

2017-01-25 Thread Adam Thompson
Jim, Asking you to speculate here... Assuming someone *is* working on drivers for the chip's crypto capabilities, when that finally happens, do you have any notion of how much faster IPsec will get? Are we talking 2x or 100x? -Adam On January 25, 2017 7:45:49 PM CST, Jim Thompson wrote: >Stev

[pfSense] IGMP querier?

2016-05-06 Thread Adam Thompson
In pfSense 2.3, how do I cause the firewall to generate IGMPv2 or v3 Query packets? I know there's an IGMP proxy feature, but that's kind of useless without a querier. I don't actually need the firewall to do multicast routing, I just need a querier so snooping works on one of my subnets. Thank

Re: [pfSense] USB3 to ethernet adaptor

2016-05-02 Thread Adam Thompson
On 16-05-02 06:20 AM, Rafael Aquino wrote: De: "Frans Meulenbroeks" Has anyone experience using USB3 to ethernet adapters ? I need an extra interface but my HW (Intel NUC) does not have room for another card). Anything recommendable? Best regards, Frans. Hi there, I've tried once a USB Multi-

[pfSense] DNS secondary server on 2.3?

2016-04-28 Thread Adam Thompson
OK, I'm lost... In v2.3, what service, and/or where in the GUI, should I go to make pfSense act as a slave (authoritative) DNS server? On a related note, in Services / DNS Resolver / General Settings, what does "DNS Query Forwarding" do? There's no description, so I assume if it's *not* set, u

[pfSense] IKEv2 with LDAP or RADIUS?

2015-10-27 Thread Adam Thompson
I just watched the last hangout that jimp did on Remote Access VPNs, and I'm wondering: is there no way to do user authentication against a back-end LDAP or RADIUS server when using IKEv2-EAP-MSCHAP2? Thanks, -Adam ___ pfSense mailing list https://list

Re: [pfSense] Access Point Recommendations?

2015-08-23 Thread Adam Thompson
Oh, god, not again... Search the list archives from about a month ago. The consensus was, roughly, that the Ubiquiti UniFi products were pretty good but had some quirks. As I recall, everything else discussed was either: -insanely expensive, or -crap (or both), or -only works well for one or two

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Adam Thompson
I'm 95% sure the answer is "wait for the developers to fix those issues" and/or "become a developer and fix those issues" :-). Configuration of lighttpd is controlled by the pfSense management framework, so once you discover the correct invocation, you could locally modify the PHP file that ge

Re: [pfSense] Access Point Recommendations?

2015-07-24 Thread Adam Thompson
On 07/24/2015 01:09 AM, Dave Warren wrote: On 2015-07-23 21:24, Adam Thompson wrote: On 2015-07-23 10:46 AM, Karl Fife wrote: Your point about having a one-off solution is a great one. Installing a single UniFi AP would be unnecessarily complex. The TP-Link TL-WA801nd is a BGN-only device

Re: [pfSense] Access Point Recommendations?

2015-07-23 Thread Adam Thompson
recommendation at all, but stay away from EnGenius devices. OK hardware & good price, but (e.g.) my AP comes with an open DNS resolver that can't be disabled, and they don't seem to think it's a problem at all... -- -Adam Thompson athom...@athompso.net +1 (204) 291-7950 - cell +1 (

Re: [pfSense] SG-4860 vs. support pricing question

2015-07-21 Thread Adam Thompson
On 07/21/2015 09:37 AM, Jim Pingle wrote: On 07/20/2015 07:09 PM, Adam Thompson wrote: But I do have one issue/question/comment about the pricing of that bundle: there are still only 2 support incidents bundled. It seems that if I bought two 4860s and tie-wrapped them to my own shelf, I’d

[pfSense] SG-4860 vs. support pricing question

2015-07-20 Thread Adam Thompson
I had to buy a new shelf) but would get 4 support incidents included with my purchase. Also, the price for a 2-incident support pack is $399, but I can buy a SG-2220 for only $299 and get the same # of support incidents. Have I missed something? Is this intentional? -- -Adam Thompson

Re: [pfSense] Multiple IPsec Mobile phase1s?

2015-07-20 Thread Adam Thompson
I figured out part of the answer to my own question: Manually navigate to "https://pfsense/vpn_ipsec_phase1.php?mobile=true" to create Mobile IPsec phase 1 entries. No idea what that breaks, yet. -- -Adam Thompson athom...@athompso.net From: Adam Thompson Sent: Monday, July

[pfSense] Multiple IPsec Mobile phase1s?

2015-07-20 Thread Adam Thompson
clients without clicking that button. Help… -- -Adam Thompson athom...@athompso.net

Re: [pfSense] odd issue with pfsense and juniper

2015-07-10 Thread Adam Thompson
My first instinct is to look at PVST+ interoperability issues because of the multi-vendor network, but we need a LOT more detail on the network topology to even make intelligent guesses. You've essentially said "I've got this car, with four Goodyear tires, and my trailer makes a funny noise. FY

Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
See my comment on another email, but I discovered that works fine if you import each cert in the chain and then select the intermediate signing cert as the CA. -Adam On June 17, 2015 10:43:20 AM CDT, Steve Yates wrote: >Ermal Luçi wrote on Wed, Jun 17 2015 at 10:22 am: > >> On Wed, Jun 17, 2015

Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
The "issue" with OpenVPN is merely that I have to prime each client system with both software and configuration file(s), which isn't always possible or feasible in my environment. -Adam On June 17, 2015 10:22:04 AM CDT, "Ermal Luçi" wrote: >On Wed, Jun 17, 2015 at 4:40 PM, Steve Yates wrote:

Re: [pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
Whoops, that wasn't aimed at me in the first place. Nonetheless, I have a pretty good example of why OpenVPN "requires" a self-signed cert in CB's answer to issue #4756. -Adam On June 17, 2015 10:41:28 AM CDT, Adam Thompson wrote: >The "issue" with OpenVPN is

[pfSense] IKEv2 agile VPN from Win7/Win8 to pfSense 2.2.2

2015-06-17 Thread Adam Thompson
the requirements. Are there any tricks that aren't obvious? Thanks, -Adam Thompson athom...@athompso.net

Re: [pfSense] Single IP - DMZ a single port

2015-06-06 Thread Adam Thompson
...this is what you wind up with normally, until/unless you create a rule explicitly allowing the DMZ host to talk to the LAN, so yes, it's definitely possible. -Adam On June 6, 2015 8:18:35 AM CDT, "Marc R. Meshurle Jr." wrote: >Here's a question - I have a single IP with my ISP and want to t

Re: [pfSense] reverse proxy situation

2015-05-31 Thread Adam Thompson
oxy or a user proxy. I'm >confused >after reading your mail a few times. > >Brgds, Espen >On 31 May 2015 15:35, "Espen Johansen" wrote: > >> Exclude varnish, it's primarily made for frontend LB proxy. >> >> On Sun, 31 May 2015, 15:32, Adam Thompson wrote:

Re: [pfSense] reverse proxy situation

2015-05-31 Thread Adam Thompson
't easily done with haproxy. >I could be wrong but if you're looking for SSL offloading (I ensure all >traffic goes over SSL) varnish and squid would be out of the >picture. Travis Hansen >travisghan...@yahoo.com > > >On Saturday, May 30, 2015 8:25 PM, Adam Thompson

[pfSense] Snort FATAL error

2015-05-30 Thread Adam Thompson
bug? -- -Adam Thompson athom...@athompso.net +1 (204) 291-7950 - cell +1 (204) 489-6515 - fax

[pfSense] reverse proxy situation

2015-05-30 Thread Adam Thompson
P mapping), is there any compelling reason to use one over another on pfSense 2.2 today? FWIW, this firewall is relatively underpowered (PowerEdge 1750, dual 2.4GHz P4-era Xeons). -- -Adam Thompson athom...@athompso.net +1 (204) 291-7950 - cell +1 (204) 489-6515 - fax

Re: [pfSense] pfSense Hardware Sizing Captive Portal Usage

2015-05-27 Thread Adam Thompson
More or less: if you can run pfSense at all, you won't run out of memory for state tables. Captive portal does consume additional memory, but not large amounts. For several hundred users behind a captive portal, I would err on the side of caution and use a system with at least 2GB of RAM, prefera

Re: [pfSense] Weird issue not sure if it's PFSense or not

2015-05-26 Thread Adam Thompson
This could be the Android IPv6 problem, if the amazon devices are using v5.0 or newer base software. -Adam On May 26, 2015 12:28:51 PM CDT, Mamun Ahmed wrote: >Hi everyone, > >I am at a loss as to why this has recently started happening? My setup >is as follows: > >BT infinity broadband vdsl r

Re: [pfSense] NPt not working at all - no idea why

2015-05-20 Thread Adam Thompson
Doh. Of course, I saw the problem about two ohnoseconds after posting... I picked the WAN interface, not the *tunnel* interface. Works fine now... *blush* -Adam On 05/20/2015 08:09 AM, Adam Thompson wrote: I've got a site that uses ULA IPv6 addresses (fd60:7f9c:65d8::/48), and a r

[pfSense] NPt not working at all - no idea why

2015-05-20 Thread Adam Thompson
I've got a site that uses ULA IPv6 addresses (fd60:7f9c:65d8::/48), and a routed subnet courtesy of HE ( 2001:470:1f11:103d::/64). Unsurprisingly, that's routed to this site over an HE tunnel on gif0. IPv6 from pfSense itself appears to work just fine; I can successfully communicate from pfSe

Re: [pfSense] ipsec and routing

2015-04-24 Thread Adam Thompson
It's not a routing issue, it's a bug/mis-feature in FreeBSD's IPSec stack. See https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN for more info. -Adam On 04/24/2015 09:37 AM, Gregory K Shenaut wrote:

[pfSense] updating & testing packages?

2015-04-18 Thread Adam Thompson
pull request on the github project? -- -Adam Thompson athom...@athompso.net

Re: [pfSense] sun qfe status?

2015-04-18 Thread Adam Thompson
On 2015-04-13 05:32 PM, Volker Kuhlmann wrote: On Sun 12 Apr 2015 09:22:32 NZST +1200, Adam Thompson wrote: I recall seeing reports of problems with Sun 'qfe' (quad-port hme) interfaces on this list previously; does anyone know what the current status is? Do they work properly in

[pfSense] pf(4) relative performance: opinions?

2015-04-11 Thread Adam Thompson
n adequate stress test :-/. Comparison data? *Educated* guesses? Thoughts? Although it's pointless to ask, please try to keep baseless fanboi-type opinions to yourselves. I'm already a fan of pfSense, and I've explained above why I couldn't use it

[pfSense] sun qfe status?

2015-04-11 Thread Adam Thompson
I recall seeing reports of problems with Sun 'qfe' (quad-port hme) interfaces on this list previously; does anyone know what the current status is? Do they work properly in 2.2.1 i386? Thanks, -Adam -- -Adam Thompson athom...@at

[pfSense] NTP failure in 2.2.1?

2015-04-08 Thread Adam Thompson
- surprise - a timeout. Yet NTP from *behind* the firewall works fine. Anyone else seeing this problem? Any ideas? -Adam Thompson athom...@athompso.net

Re: [pfSense] pfSense as GUI and stripped OS for dedicated Cacheing name server

2015-03-31 Thread Adam Thompson
On 03/31/2015 02:35 PM, Jim Thompson wrote: We have plans in this area, but they’re not ‘pfDNS’. The pedant in me insists that should be "dnsSense", not "pfDNS". Or even "bindSense" or "unboundSense", or... etc. I'd rather you guys focused on improving the routing capabilities, personally. (

Re: [pfSense] Assign IP Address with /32 Mask on WAN Interface

2015-03-30 Thread Adam Thompson
Sadly, I know several xDSL providers who offer a default gateway not in the client's subnet. (LOL: my phone auto-corrected "subnet" to "fuckety". No kidding.) Linux and Windows and MacOS can deal with this level of brain-deadness, *BSD cannot. However, the good news is that if your network is

Re: [pfSense] GRE between 2 pfsense boxes

2015-03-30 Thread Adam Thompson
Performance and flexibility. OpenVPN is good at getting unicast IP traffic from A to B, but it's difficult to, say, run OSPF over it. It also needs ridiculous amounts of CPU time to encrypt, especially painful in situations that don't need encryption. So, yeah, there are a LOT of use cases wher

Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-02 Thread Adam Thompson
So if you don't wind up using them for CARP, use them for something else. Get a smaller subnet from your provider and give back the original subnet. If you have multiple subnets, the provider-facing one should not be used for published services; in fact those addresses don't even have to be publ

Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-02 Thread Adam Thompson
Steve, Unless you want to impose significant limitations on yourself, you will need a total of 3 IPs for every CARP interface. I've run systems with single-IP CARP, and unless you have absolutely no choice, it's not worth the headache. The unanswered question is how your provider will do routing,

Re: [pfSense] serial port sadness

2015-02-27 Thread Adam Thompson
Jim, do you read User Friendly? The arc about putting Sid in the Home for Obsolete Programmers, in particular? ;-) But, yeah, having spent my early career in narrowband (serial of all shapes and sizes and speeds) it's a nightmare of incompatible connectors and protocols. USB is freaking awesom

Re: [pfSense] polling pfsense status for a combined dashboard

2015-01-27 Thread Adam Thompson
thing I can find that covers it is this: https://doc.pfsense.org/index.php/Remote_Config_Backup -- -Adam Thompson athom...@athompso.net

Re: [pfSense] polling pfsense status for a combined dashboard

2015-01-27 Thread Adam Thompson
SNMP support exists, although not everything is available that way. Otherwise the doc wiki has a page on authenticating automated web requests - RTFM. -Adam On January 27, 2015 10:55:00 AM CST, Wolf Noble wrote: >I'm sure this has been asked, but I've not found anything in the few >minutes I po

Re: [pfSense] hi every body

2015-01-27 Thread Adam Thompson
pfSense can do that, 600 users is OK. Up to 1gbps is OK on almost any server-grade hardware. VPN is built in. IDS/IPS requires installation and configuration of the Snort add-on package. Firewall is built in. Monitoring and logging are built in, but may or may not meet your needs. pfSense can

[pfSense] VFA VPN throughput?

2015-01-20 Thread Adam Thompson
Jim/other: Do you have any guidelines for sizing VPN throughput when using the pfSense Certified VFA ? -- -Adam Thompson athom...@athompso.net

Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Adam Thompson
hich don't appear to have made it into the FreeBSD port yet. I run a pair of BGP routers using CARP to an upstream peer who only wants to configure a single IP address and a single session. Works OK in practice under OpenBSD, not sure how well the pfSense package (FreeBSD port) handles

Re: [pfSense] 4 Byte ASN

2015-01-08 Thread Adam Thompson
OpenBGPd works quite well with CARP interfaces, actually... My primary commercial IPv4 transit uses exactly that. But that functionality might need a newer version of OpenBGPd than we have right now... The package is getting a little long in the tooth. -Adam On January 8, 2015 9:23:10 AM CST, Se

[pfSense] BGP in 2.2

2014-12-12 Thread Adam Thompson
0 days, we were moving away from OpenBGPD to (IIRC) quagga/zebra... but OpenBGPD is the only BGP implementation I'm seeing now. What happened there? Third, is there still no way to run BGP and OSPF on the same system?? -- -Adam Thompson a

Re: [pfSense] Gold hangout - what time?

2014-11-25 Thread Adam Thompson
On 14-11-25 10:14 AM, Espen Johansen wrote: https://blog.pfsense.org On 25 Nov 2014 17:11, "Adam Thompson" wrote the following: I'm looking, but I can't find anywhere what *time* the Gold hangout is going to be (or was...) today

[pfSense] Gold hangout - what time?

2014-11-25 Thread Adam Thompson
I'm looking, but I can't find anywhere what *time* the Gold hangout is going to be (or was...) today. Anyone know? -- -Adam Thompson athom...@athompso.net Cell: +1 204 291-7950 Fax: +1 204 489-6515

Re: [pfSense] terrible performance on NFS & CIFS

2014-11-07 Thread Adam Thompson
of the world). For now, I've simply moved the server semi-permanently; this was an unusual and temporary configuration to begin with. -- -Adam Thompson athom...@athompso.net

Re: [pfSense] terrible performance on NFS & CIFS

2014-11-06 Thread Adam Thompson
's a hassle probably not worth the >effort in >> terms of gains. Some people do it as a means to increase iSCSI >traffic >> performance but others say the throughput gain is dubious at best. I >would >> make sure some doofus didn't enable jumbo frames on your N

Re: [pfSense] terrible performance on NFS & CIFS

2014-11-06 Thread Adam Thompson
>make sure some doofus didn't enable jumbo frames on your NFS server and >if >so then turn it off and check the MTU setting in the network stack on >the >NFS server as well. > >I may not know what the hell i'm talking about though so someone else >can >feel fre

Re: [pfSense] Disconnected

2014-11-06 Thread Adam Thompson
Been there, done that. My firewalls now run on hardware :-). The other possibility is to run redundant firewalls in *different* ESX clusters so that a failure in one doesn't take you completely offline. -Adam On November 6, 2014 10:44:06 AM CST, Brian Caouette wrote: >Problem is I can't even ru

[pfSense] terrible performance on NFS & CIFS

2014-11-05 Thread Adam Thompson
know there's an option to disable pf scrub, but that's only supposed to affect NFSv3 (AFAIK), and this also affects NFSv4-over-TCP and CIFS. -- -Adam Thompson athom...@athompso.net

Re: [pfSense] pfsense h/w

2014-10-24 Thread Adam Thompson
use UBNT's competitor, MikroTik, as a good example of how to build decent products the wrong way, but Brocade was my target here. You're a paragon of open-source stewardship in comparison! -- -Adam Thompson athom...@athompso.net

Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson
shitstorm. I like getting paid for my work, too! (Or wonder in silence what it must be like to work in the same place as Jim Thompson.) Can't be any worse than my last corporate job. In fact, would probably be *much* better... I don't hav

Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson
tionship between Netgate, ESF, and pfSense is. Even I'm a little bit vague on the finer points. -- -Adam Thompson athom...@athompso.net

Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson
our, but the "secret sauce" is knowing precisely where to direct that labour to maximize the value to his paying customers. The rest of us get enough value from the software as it is. -- -Adam Thompson athom...@athompso.net

Re: [pfSense] pfsense h/w

2014-10-23 Thread Adam Thompson
One nit: yes, I can sell something called "pfSense", as that's the freely-downloadable software under a (IIRC) BSD license. I can't sell something called "NetGate". I can't produce a derivative work and call it pfSense. (This is a gray area, admittedly.) But, at least here, I'm quite sure I can

Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread Adam Thompson
+1 for HP ProCurve, except for the stuff they inherited from 3Com... I've also had reasonably good luck with Netgear and D-Link managed switches. The Cisco SMB stuff seems OK hardware-wise, but the software is questionable. Note that all three of these options come with lifetime, free, firmware upd

Re: [pfSense] Adding Ethernetports

2014-09-19 Thread Adam Thompson
There's also the unofficial VMware ESXi white-box HCL, but it hasn't really been updated since v4.x. Agreed that if this is anything more than a test system, stick with the HCL and a support contract. Been there, done that, have the scars to prove it ... -Adam On September 19, 2014 12:18:31 PM

Re: [pfSense] Adding Ethernetports

2014-09-19 Thread Adam Thompson
You don't have a pfSense problem at all, you have a VMware problem. Suggest you visit any one of hundreds of VMware support forums or lists to find out how to manage virtual networks. There are also a lot of old threads on the pfSense forum discussing this. -Adam On September 19, 2014 11:28:28 A

Re: [pfSense] Returned mail: Data format error

2014-09-08 Thread Adam Thompson
Yes, but not often. -Adam On September 8, 2014 7:45:10 AM CDT, Bob Gustafson wrote: >Is anyone else on this list getting bounce notices? > >On 09/08/2014 01:50 AM, Bounced mail wrote: >> The message was not delivered due to the following reason: >> >> Your message was not delivered because the de

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Adam Thompson
that will allow this without 2 interfaces. Most require 2 >> physical, but some will allow for 2 or more vlans. Again, do not do >it. >> >> On 16 Aug 2014 22:13, "Adam Thompson" wrote the following: >> >> On 1

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Adam Thompson
effectively eliminating 99% of the security a firewall gives you. (And, yes, it is possible to directly attack private IP addresses on most ISPs.) If you're determined to deploy this model, you'll have to run a bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and c

Re: [pfSense] Change WAN interface address to new subnet

2014-08-07 Thread Adam Thompson
etime. If you can cause the new firewall to proactively overwrite each local host's ARP cache (e.g. by pinging each host from the firewall) then you can probably get that down quite a bit. -- -Adam Thompson athom...@athompso.net

Re: [pfSense] Change WAN interface address to new subnet

2014-08-06 Thread Adam Thompson
-- -Adam Thompson athom...@athompso.net Cell: +1 204 291-7950 Fax: +1 204 489-6515

Re: [pfSense] How can this be done?

2014-07-31 Thread Adam Thompson
lic WiFi network, especially through some sort of login web page (like you do at public hotspots) then connecting a firewall to it is probably not going to work well, if at all... -- -Adam Thompson athom...@athompso.net

Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Adam Thompson
Stefan: just ignore the message. It's there because ZFS is in the pfSense kernel, even though it isn't used today. If you don't mount any ZFS file systems, and you don't tweak any of the values, all it does is use up a bit of memory. -Adam On July 30, 2014 4:40:04 PM CDT, Stefan Baur wrote: >

Re: [pfSense] ZFS warning message on local console during boot

2014-07-30 Thread Adam Thompson
Faster caching when using squid and/or some of the other packages? But, yes, it would be a bit silly, regardless. -Adam On July 30, 2014 9:43:01 AM CDT, Vick Khera wrote: >On Wed, Jul 30, 2014 at 9:50 AM, Paul Mather >wrote: >> Personally, I think ZFS on i386 has become a losing proposition as

Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson
's almost certainly going to be a Default-Deny rule, which means you're missing a firewall rule somewhere. Do you have a rule allowing all protocols from OPT1 to LAN? -- -Adam Thompson athom...@athompso.net

Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson
If you run (from memory, here!) "clog -f /var/log/filter.log" while the packet is arriving, you should see what rule is blocking it. You may want to set up a capture in your terminal emulator, as there will likely be a lot of unrelated output and it'll scroll off-screen quickly. -Adam On July 17

Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson
Not really possible. If tcpdump can't show you the packet, then the problem is occurring before pfSense... i.e. in the WAN optimizer. On July 17, 2014 12:01:12 PM CDT, NetSys Pro wrote: >Adam, >Thanks for your reply.First of all, as I said before, I had already >posted the same question on the

Re: [pfSense] Disable antispoofing on an interface

2014-07-17 Thread Adam Thompson
How do you know pfSense is dropping the packet? Does it show up in a packet capture on OPT1? -Adam On July 17, 2014 5:12:07 AM CDT, NetSys Pro wrote: >Hello Adam,Anything else I could try? >Thanks > >Subject: Re: [pfSense] Disable antispoofing on an interface >From: athom...@athompso.net >Date:

Re: [pfSense] Disable antispoofing on an interface

2014-07-14 Thread Adam Thompson
I suspect you need to be looking not for anti-spoofing but for anti-bogon rules. Can't remember what pfSense calls it offhand. -Adam On July 14, 2014 6:19:22 PM CDT, NetSys Pro wrote: >Hello everyone, > >First of all, please note that I have already posted the question below > >on the pfSense fo

Re: [pfSense] Squidguard Issues

2014-06-06 Thread Adam Thompson
On 2014-06-06 08:38, Brian Caouette wrote: > For the past few days I was experiencing issues where squidguard did not always work. Finally this morning I stumbled into the problem. It turns out that if you enable the save bandwidth feature in chrome you can access all the adult sites. If you shu

Re: [pfSense] vmware

2014-05-28 Thread Adam Thompson
On May 28, 2014 10:33:59 AM CDT, Brian Caouette wrote: >4.1 appears to be the newest this hardware can use. > >On 5/28/2014 11:19 AM, Ryan Coleman wrote: >> 4.1? >> >> in /5.x/ you can assign VLANs to NICs and then different NICs to VMs. > >> I don't know about 4.1. >> >> On May 28, 2014, at 10:11

Re: [pfSense] Pix Replacement?

2014-05-24 Thread Adam Thompson
tially including pre-built hardware), talk to Netgate or ESF; both hang out here (in fact, the two entities are closely related). -- -Adam Thompson athom...@athompso.net Cell: +1 204 291-7950 Fax: +1 204 489-6515

Re: [pfSense] pfsense performance

2014-05-21 Thread Adam Thompson
e probably won't make all that much difference at the scales you're talking about, but I admit I've never tried transparent mode at >1Gbps. -- -Adam Thompson athom...@athompso.net

Re: [pfSense] My son is able to bypass my captivate portal

2014-05-11 Thread Adam Thompson
On May 11, 2014 1:37:01 PM CDT, Mehma Sarja wrote: >My Samsung Chromebook bypasses my router/OpenDNS because it has its >own >DNS entries. > >Yudhvir > > > >> Basically it takes a DNS call the first time and goes elsewhere. then >it >> corrects itself. If he's got a different DNS set up then eith

Re: [pfSense] ICMPv6 filtering recommendations with pfSense?

2014-05-08 Thread Adam Thompson
On May 8, 2014 12:05:34 PM CDT, Brian Candler wrote: >On 08/05/2014 11:51, Olivier Mascia wrote: >> On the WAN interface, I’m currently allowing full ICMPv6 in, albeit >only from Global Unicast and Multicast addresses. >> That is: only from 2000::/3 and ff00::/8. >I don't think you'll see any pack
