Re: [pfSense] Force CA certificate installation as trusted root CA on WiFi clients

2018-01-30 Thread Chris Bagnall

On 30/1/18 5:22 pm, Izaac wrote:

Q: How can I automatically undermine the basis of the SSL PKI by forcing my
CA (which, by design, generates certificates for arbitrary sites and
thereby man-in-the-middles all communications) onto third parties that
happen to be traversing my network?
A: You can not -- at least not legally or ethically.


This is a good - and often overlooked - point. Ask yourself why you are 
trying to do this.


You are undermining the basis of secure communications, and opening up 
your users to considerable risks whenever they access online banking, or 
indeed any other service that expects a secure connection to transfer 
sensitive data.


Is it really worth it just to block a few undesirable websites?

Assuming you're in a corporate environment, might not a simple 
'IT/Internet Policy' addendum to employees' contracts cover this far 
more effectively?


Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Problem with Chrome - HTTP transparent proxy with SSL filtering

2017-11-04 Thread Chris Bagnall

On 4/11/17 11:41 pm, Jon Gerdes wrote:

We all need to have a deep think about what https *really* *really*
means.
* The aim of SSL/TLS is to ensure confidentiality from one point to
another
If I put up a website and I want to guarantee that the connection
between my website and the end user is secure then I would not be happy
if I found out that someone was breaking that link.  Using splice is an
attempt to break that link.
Have a deep think about what you are trying to do - whatever it is.


What Jon says is absolutely spot on. Remember, we (collectively, as 
network designers) are building networks that are going to be used by 
real people; we can't exist in a vacuum.


Think *very* carefully about what you are trying to achieve by breaking 
into HTTPS connections, why you think that is a good idea, and (most 
importantly) the risks involved.


Think about how your users are going to feel when they find out you're 
doing this - if you've not already told them.


Check very carefully whether you are opening yourself up to additional 
legal liability (depending on jurisdiction) - take proper legal advice 
if necessary. If you are breaking into your users' online banking 
sessions, for example, and one of them is compromised because something 
was inadvertently leaked by your proxy, you might find yourself in a 
whole world of legal unpleasantness.


Kind regards,

Chris
--
C.M. Bagnall, Director, Minotaur IT Limited
For full contact details please visit www.minotaur.it
This email is made from 100% recycled electrons


Re: [pfSense] HTTP/HTTPS filtering with Pfsense+Squid+Squidguard for cell phones

2017-10-11 Thread Chris Bagnall
On 11 Oct 2017, at 21:05, Adam Cage  wrote:
> Dear Chris, I need the Squid proxy to filter traffic working with
> Squidguard. The guest cell phones will be authenticated to my WiFi, and
> after that they can go to HTTP/HTTPS web sites with zero configuration
> because I can't tell my guests to setup a CA certificate, a proxy IP and
> port in their phone's browsers or whatever at all. So I need a transparent
> proxy.

What you’re asking isn’t possible without installing a certificate on the 
client device(s) - and with good reason: you’re effectively performing a 
man-in-the-middle attack; something SSL/TLS was designed to prevent.

In order to proxy SSL traffic, you need to effectively decrypt it at the proxy, 
then re-encrypt it using a new private key. Obviously you can’t re-encrypt it 
using the original key, because you don’t have access to the private key, hence 
the need for your own certificate installed on the client device.

So you have two choices: either install the certificate on the client, or 
accept that you aren’t going to be able to do more than the most basic 
filtering on HTTPS traffic - that is to say, by IP address or FQDN.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons


Re: [pfSense] Old pfSense versions

2016-07-31 Thread Chris Bagnall
On 1 Aug 2016, at 02:24, Larry Rosenman  wrote:
> earlier this week:
> On 07/13/2016 05:06 AM, Herwig Unterrichter wrote:
> I am having troubles finding a certain older pfsense release, in particular
> 2.2.4, the memstick amd64 image.
> Is there some kind of archive server where I can get access to all previous
> releases?
> https://atxfiles.pfsense.org/mirror/downloads/old/

Superb, thank you! Not sure why that post didn’t come up when I searched the 
(list) archives :-)

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons


[pfSense] Old pfSense versions

2016-07-31 Thread Chris Bagnall
Greetings list,

Until fairly recently, there used to be a comprehensive set of old 
versions/builds available at:

http://files.pfsense.org/mirror/downloads/old/

However, that url is now returning 404. Has the archive been moved?

I ask because 2.0.3 is the last version that runs reliably (i.e. doesn’t run 
out of RAM) on the older ALIX boards with 128MB, and I need to do a CF card 
replacement on one tomorrow...

Thanks in advance!

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons


Re: [pfSense] Removing obsolete packages

2016-07-27 Thread Chris Bagnall

On 27/7/16 2:46 pm, Jim Pingle wrote:

At the moment there is no automated way to do that, but you can edit
them out of your config.xml. Either by editing in-place using "viconfig"
if you're daring, familiar with vi, and don't mind the potential for
danger. Or the safer route is to download a backup, edit them out, and
then restore the backup.


Thanks Jim, I thought that'd probably be the case, but thought I'd best 
check in case there was a cunning plan I wasn't aware of :-)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


[pfSense] Removing obsolete packages

2016-07-26 Thread Chris Bagnall

Greetings list,

Is there a procedure for removing obsolete packages from installs?

Many moons ago, I upgraded a production install from 2.2.x to 2.3. The 
install in question had apcupsd on it to control, unsurprisingly, an APC 
UPS, but I believe apcupsd ceased to be maintained, and that 
functionality is now done through nut. Not a problem per se, I just 
installed nut, and the UPS is indeed being happily managed, but I still 
see references to apcupsd in the menus and service status.


I'm well aware this is my own silly fault: I failed to follow the usual 
advice about removing packages before performing an update, then 
re-installing them afterwards. :-)


It would, however, be rather nice to remove the obsolete references.

Suggestions gratefully appreciated.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] USB3 to ethernet adaptor

2016-05-03 Thread Chris Bagnall
I’m a little late to the discussion, but herewith my two penneth...

> Echoing what others have said, most of the USB network cards I have used
> have not been so reliable.

Broadly speaking, I’d concur with that sentiment. I have had moderate success 
with this one:

https://www.amazon.co.uk/gp/product/B00484IEJS

It’s only USB2, but, if my memory serves correctly, that’s a good thing, 
because the USB3 version definitely didn’t work under pfSense (admittedly some 
time ago - around 2.1 time - so things may have changed since).

I suspect any other USB ethernet device based on the same ASIX controller will 
likely work similarly…

> As far as cheap managed switches go

I’ll throw in a recommendation here for one of the cheap-ish HP ‘web managed’ 
switches - something like the 1810-8G if you want all gigabit ports, or if you 
don’t need more than 100Mb on your WAN interfaces, the older 1700-8 is also a 
good option. I’ve used both in scenarios where I’ve needed to connect more than 
2 WANs to a PCEngines ALIX or APU.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons


Re: [pfSense] Help with provider assigning multiple IP addresses over PPPoE

2015-11-15 Thread Chris Bagnall
On 14 Nov 2015, at 20:19, C. R. Oldham  wrote:
> My ISP provides access over PPPoE and has given me 2 static IPs via the
> following configuration (public IPs sanitized)
> Usable IP addresses:xxx.yyy.149.218
> Gateway address:xxx.yyy.149.217
> Subnet mask:255.255.255.252

> I cannot figure out how to make pfSense expose the xxx.yyy.149.218 address
> to the public Internet.  I don't have any trouble adding NAT rules that
> forward the .217 through to my internal network.  Can someone give me a
> clue?

It’s quite a common setup - I get something very similar at home (albeit with a 
/29). pfSense has already been assigned the .217 address via PPP, as it should. 
The ‘easiest’ way of getting use out of the other address is to go to Virtual 
IPs and add it there, with type Proxy ARP.

You’ll then be able to use it on the 1:1 NAT page to assign it to a specific 
internal RFC1918 address if you want, or you can just use it as another 
external IP choice when defining standard NAT rules.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] Multi-Wan Setup, High Availability and Traffic Segmentation

2015-11-13 Thread Chris Bagnall
On 13 Nov 2015, at 15:09, David White  wrote:
> I have a unique scenario:
> The higher ups require a multi-wan high availability setup, but assuming
> both ISPs are working, some traffic is required to use 1 ISP and some
> traffic is required to use the other.
> I've read in some pfSense docs on how I can setup a high availability,
> multi-wan setup, but those docs say nothing about segmenting the traffic.
> My idea is to setup 2 VLANS, and route 1 VLAN out of 1 gateway and 1 VLAN
> out the other, but configure them so that if 1 ISP or the other ISP goes
> down, both VLANS will go out whichever ISP is working.
> Is this possible?

Yes, it’s far from unique - most of our pfSense deployments are like this. The 
joys of rural locations where one internet connection is neither fast nor 
reliable enough.

In a nutshell, you’ll define two gateway groups, something like this:

WAN1Preferred
 - Tier 1: WAN1 Gateway
 - Tier 2: WAN2 Gateway

WAN2Preferred
 - Tier 1: WAN2 Gateway
 - Tier 2: WAN1 Gateway

Then on your VLAN rules pages, change the default (allow all outbound) rule to 
use the appropriate gateway group.

In most of our deployments we segment traffic by type rather than VLAN though, 
usually to force latency-critical traffic (like SIP) away from ‘bulk’ traffic 
(like web browsing).

> Founder & CEO

Yet there are still ‘higher ups’? :-)

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-08 Thread Chris Bagnall

On 8/9/15 1:04 pm, Vick Khera wrote:

You'd have to ask Dyn if they can make host names within your own domain
dynamic.


I believe they can. I have dyn.mydomain.com delegated to Dyn for 
precisely this purpose (but mydomain.com is managed outside dyn). I can 
then create client1.dyn.mydomain.com, client2, etc. etc. for those 
clients which don't have a static IP (or don't take internet from my 
$dayjob).



Personally, I set up my own personal domain (which I self-host in BIND9) to
work with the RFC 2136 client within pfSense. It involved having a
sub-domain to hold the dynamic parts for easier management.


This sounds like an even better idea. When I investigated it a couple of 
years ago, the config to get RFC2136 working with PowerDNS (which I use 
as authoritative NS) looked scary and complicated, and not something I 
wanted to attempt on a production system.


Would you be willing to share your RFC2136/bind9 config?

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] pfSense 2.2.4, Services: Dynamic DNS client

2015-09-07 Thread Chris Bagnall

On 8/9/15 2:24 am, Ryan Coleman wrote:

How do you get this to function with Dyn.com (formerly DynDNS.com 
)? I have the paid domain and I’ve gotten CenturyLink DSL 
modems to negotiate the IP without issue before but I cannot seem to figure out the 
configuration for pfSense.


I've just logged into one of our clients' pfSense boxes that's doing 
precisely this (albeit with Virgin Media cable here in the UK, but the 
dyn.com setup should be similar).


Service type: DynDNS (dynamic)
Interface to monitor: WAN (or change in multi-wan environment)
Hostname: FQDN you've set up on dyn.com
Username / Password: your dyn.com login

That's about it.

Kind regards,

Chris
--
This email is made from 100% recycled electrons

Re: [pfSense] Got an alert after updating to 2.2.4

2015-07-30 Thread Chris Bagnall

On 30/7/15 11:34 pm, Rainer Duffner wrote:

php: rc.bootup: New alert found: pfSense requires at least 128 MB of RAM. 
Expect unusual performance. This platform is not supported.
So, is the Alix deprecated?


I suspect it's more a warning about only 128MB RAM. From my experience 
(several dozen 128MB Alix units in the wild), 'interesting' things do 
indeed happen with 128MB RAM or less.


I prefer to leave those units with only 128MB on 2.0.3.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Access Point Recommendations?

2015-07-17 Thread Chris Bagnall
On 17 Jul 2015, at 15:50, Jim Spaloss jspal...@gmail.com wrote:
 Ubiquiti Unifi.

+1 would recommend - with caveats.

The AC model is… flaky - or at least, it was when I tried it at the end of 
2014. Only about 50% of client devices would connect at a time - seemingly 
random - restart the AP and some different ones would connect. Performance was 
great for those that were connected, but I’d be hesitant about installing it at 
a paying customer’s premises.

As Todd says, the basic UAP is 24v passive PoE, not 48v 802.11af. There is, 
however, an adapter for around £12 that converts 802.11af into 24v passive PoE, 
which works well. You don’t need to use the provided AC adapter unless you want 
to.

The UAP Pro is excellent. Standard PoE from any 802.11af switch, good coverage, 
decent performance, and no problems with dozens of devices connected to it.

If you don’t need 5Ghz and you aren’t bothered about the non-standard PoE, then 
the UAP is cheap-as-chips (around £50 at last check). Otherwise go with the UAP 
Pro.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


[pfSense] WebGUI IPv6 Gateways bug?

2015-07-03 Thread Chris Bagnall

Greetings list,

Wondering if someone who's using v6 with a static gateway address (i.e. 
not dynamically assigned by DHCP6/SLAAC) would mind checking something 
for me:

  - go to System - Gateways
  - edit an IPv6 gateway
  - change something trivial (even just the description)
  - hit save

Do you get an error message like this:

	The gateway address a:b:c:d::1 does not lie within one of the chosen 
interface's subnets.


Obviously I've checked the interface configuration, and the range 
a:b:c:d::/64 is indeed defined for the interface in question.


Updating the IPv6 gateway by editing the config xml file and 'restoring' 
it works fine, so it looks like a WebGUI validation issue rather than 
anything service affecting.


Just curious if anyone else has seen this.

(pfSense devs, if there's any additional info I can provide to help, 
please let me know)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


[pfSense] Improving OpenVPN performance

2015-07-01 Thread Chris Bagnall

Greetings list,

I'm trying to improve OpenVPN performance on a site-to-site link I have 
between 2 pfSense boxes.


  - upstream at each site is provided by a VDSL connection delivering 
~18Mbps

  - both pfSenses are PCEngines APU w/ 4GB RAM

I am currently only getting around 7Mbps each way via the OpenVPN 
tunnel, measured by running iperf back and forth between Linux servers 
at each end behind the pfSense.


I've tried the following:
  - switch between BSD cryptodev and no hardware crypto acceleration
  - disable / enable compression
  - disable encryption entirely

In each case, tunnel throughput is between 7 and 7.5Mbps.

Can anyone suggest what might be limiting it, or what (if any) OpenVPN 
parameters I should try playing with?


Thanks in advance.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Improving OpenVPN performance

2015-07-01 Thread Chris Bagnall

On 1/7/15 3:37 pm, Seth Mos wrote:

You mean 18Mbps downstream? Not upstream?


No, I mean 18Mbps upstream. Downstream is way higher - around 75Mbps at 
each site.


On 1/7/15 3:40 pm, Jon Gerdes wrote:

If your ~18Mbps is a real measured figure then consider:  UDP vs TCP,
MTU, TUN vs TAP.  You don't mention what you are using already.


Apologies, knew I'd manage to miss something out... OpenVPN currently 
running:

  - UDP
  - tun
  - I have not manually specified an MTU in OpenVPN settings

pfSense is using an MTU of 1492 on the WAN (since they're PPPoE), though 
the VDSL modems at each site do support 1508 'baby jumbos' - not sure if 
pfSense does, though. The only comments I can find on that topic are on 
the forum dated 2-3 years ago.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-29 Thread Chris Bagnall

On 29/6/15 4:41 pm, Ryan Coleman wrote:

I don’t know why I cannot access ANY of it from my other network, though… I 
have to be outside the building to see it.


System - Advanced - NAT Reflection perhaps?

Might be worth playing with some of the options in there...

(but personally, I'd just set a local DNS override so 
www.test.d3photo.com resolves to the server's internal LAN IP)


Kind regards,

Chris
--
This email is made from 100% recycled electrons

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Chris Bagnall
On 28 Jun 2015, at 02:38, Ryan Coleman ryan.cole...@cwis.biz wrote:
 which is the preferred mind you because it would give me all three additional 
 IPs (gateway, network address and broadcast) as addressable…

No it won’t. Your network is 18.25.125.16/29. You still have to follow the 
normal rules about gateway, network and broadcast - you can’t get around that. 
If you need more than the 5 usable addresses, you need to ask your service 
provider to give you a /28. This is not a pfSense limitation.

So in the example I gave, I used .17 for pfSense’s OPT1 interface. This gives 
you .18 - .22 inclusive for your stuff. .23 is the broadcast.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons

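
The address arithmetic behind three of the threads above (the /30 handed out over PPPoE, the "gateway does not lie within one of the chosen interface's subnets" WebGUI check, and the /29 where only .18 to .22 are usable) can be worked through with Python's standard ipaddress module. This is an added example, not code from any of the posts or from pfSense; the 203.0.113.216/30 block stands in for the sanitised ISP addresses, and a:b:c:d::/64 is the placeholder prefix from the WebGUI report.

```python
import ipaddress


def usable_hosts(block, gateway):
    """Addresses in `block` that a host may actually take.

    `block` may be CIDR ("18.25.125.16/29") or address/netmask form
    ("203.0.113.216/255.255.255.252", the way an ISP letter usually states it).
    The network address, broadcast address and the gateway are excluded; if the
    gateway is not inside the block, the details you were given are inconsistent.
    """
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} does not lie within {net}")
    # hosts() already omits the network and broadcast addresses
    return [str(a) for a in net.hosts() if a != gw]


def classify(block, gateway, candidate):
    """Say why a given address can or cannot be used for a 1:1 NAT / virtual IP."""
    net = ipaddress.ip_network(block, strict=True)
    cand = ipaddress.ip_address(candidate)
    if cand not in net:
        return "outside block"
    if cand == net.network_address:
        return "network address"
    if cand == net.broadcast_address:
        return "broadcast"
    if cand == ipaddress.ip_address(gateway):
        return "gateway"
    return "usable"


def gateway_in_interface_subnets(gateway, interface_addresses):
    """The validation a gateway edit form should perform: does the gateway sit
    inside the subnet of at least one address configured on the interface?

    `interface_addresses` are given as they appear on an interface page
    ("a:b:c:d::2/64"), so strict=False derives the subnet from each one.
    An address-family mismatch (v4 gateway, v6 subnet) simply fails the test.
    """
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_network(addr, strict=False)
               for addr in interface_addresses)


if __name__ == "__main__":
    # Constructed inputs: the /29 from the thread, a TEST-NET-3 stand-in for the
    # sanitised PPPoE /30, and the placeholder v6 prefix from the WebGUI report.
    print(usable_hosts("18.25.125.16/29", "18.25.125.17"))
    print(usable_hosts("203.0.113.216/255.255.255.252", "203.0.113.217"))
    for cand in ("18.25.125.16", "18.25.125.17", "18.25.125.20", "18.25.125.23"):
        print(cand, classify("18.25.125.16/29", "18.25.125.17", cand))
    print(gateway_in_interface_subnets("a:b:c:d::1",
                                       ["192.168.1.1/24", "a:b:c:d::2/64"]))
```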

Re: [pfSense] Using on Fiber

2015-06-05 Thread Chris Bagnall

On 5/6/15 3:37 pm, Ryan Coleman wrote:

And those of you with VMware experience… if I run the virtual firewall I would 
need to have at least a VMware Essentials license to come close to the 
throughput, right? Since the IOps are capped at something like 10MB/sec in the 
free version.


I can't comment on the Netgate hardware, having never used it, but 
regarding virtualisation, have you considered KVM instead of VMware 
(especially if the latter is limited to 10Mbps)? I've had BSD VMs 
running under KVM achieving fairly close to gig throughput in the past...


Kind regards,

Chris
--
This email is made from 100% recycled electrons

Re: [pfSense] Bundling multiple OVPN client connection into one fat pipe...

2015-04-01 Thread Chris Bagnall

On 30/3/15 6:58 pm, WebDawg wrote:

I have done this, there is overhead involved, and bonding tap connections.
I tried this with very latent and slow connections, and I did not have good
luck with it


I've tried this on even relatively fast (80/20 FTTC) connections, and 
performance is still a far cry from the combined total of the 
connections involved. Based on my limited testing it was very much a 
case of diminishing returns: adding a second connection to the mix 
increased overall throughput by around 40%, but adding a third 
connection to that mix only increased things by about 10%.


I had similar experiences using PPP bonding, and using Mikrotik's own 
EoIP tunnels, so pfSense isn't the limiting factor. As I understand it, 
the problem is usually packets arriving out of order at the far end 
leading to retransmissions of the apparently 'missing' packets.


In my experience, a mix of load balancing and policy-based routing 
nearly always works better than link aggregation on variable-speed WAN 
connections.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] blocking torrents and web based https proxies

2015-03-27 Thread Chris Bagnall

On 27/3/15 3:56 am, WebDawg wrote:

May I ask why you would like to block it all?


+1. It looks like the OP is looking for a technical solution to a 
social/political problem. I can understand it if your users are primary 
school children, but surely once your users are university age, you 
really shouldn't need to be filtering them at all...


If you are doing it from a bandwidth conservation exercise, then you may 
find more success in using the traffic shaper to 'down-prioritise' 
traffic on the non-standard (i.e. 25, 80, 443, 110, 143, etc.) ports.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Pretend to be google's DNS

2015-03-05 Thread Chris Bagnall

On 5/3/15 7:02 pm, Vick Khera wrote:

It seems like you should figure out why your client VPN software is broken,
and fix that.


This. Out of interest, is there a particular reason why you need to use 
Google's public DNS at all - especially now that pfSense 2.2 has a 
'proper' DNS resolver (rather than just a cache).



My personal solution was to just make the internal hostnames resolve
globally. I mean, who really cares if anyone knows that my workstation IP
address is 192.168.7.80?


But that doesn't always work, especially if (for example) 
mail.yourdomain.com resolves to 192.168.10.20 locally, but 1.2.3.4 
externally :-)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] serial port sadness

2015-02-23 Thread Chris Bagnall

On 24/2/15 12:08 am, Jeremy Bennett wrote:

I've got a USB to serial adapter (which has worked in the past), a Windows
7 computer and Teraterm, but whenever I connect everything up I just get
the cursor blinking at me.


Agree with others that the most likely culprit here is the USB to serial 
adapter itself. Having said that, I've never had a Prolific one fail, 
and I've a chain of a dozen shops using them extensively (their point of 
sale supplier uses serial connections to open the cash drawers).



Set the port to 9600, N, 1 as instructions indicate (usb to serial usually
is showing up on COM7).


It's worth adding that the ALIX boards use - IIRC - 38400 on their BIOS 
and only bounce to 9600 when pfSense takes over from the BIOS. Though 
even with a speed mismatch, you'd still expect to see junk characters 
appearing, not just a cursor.



What else can I try?


The ones that come to mind, given you've already tried a different 
adapter are (not in any particular order):


a) different terminal program: on Windows I use PuTTY (which will talk 
serial quite happily); on a Mac I use ZTerm; on Linux I use screen 
(someone's already posted the syntax for that I see)


b) different drivers for the adapter - IIRC there's a Prolific open 
driver project that might be worth a look.


c) different (i.e. non-Windows) OS.

d) try the USB/serial adapter and cable on another serial device and see 
if it works with that - many managed switches have serial ports, for 
example.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Dual Port NIC ports

2015-02-21 Thread Chris Bagnall

On 21/2/15 11:33 pm, Tiernan OToole wrote:

biggest disadvantage I can think is if you lose one card, you lose booth ports


+1. If you have multiple physical cards at your disposal you might as 
well use ports on different cards - at least that way if something dies 
it'll be easy to diagnose whether it was the whole box or just one NIC.


As Tiernan says, assuming both cards are connected to suitably fast PCIe 
or PCIX interfaces, it's not going to make much difference to 
performance one way or t'other.


(personally I'd avoid the Marvell ports if I could - I had very poor 
performance with Marvell chipsets a few years back)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Bulk Editing settings on the PFSense dashboard

2015-02-21 Thread Chris Bagnall

On 21/2/15 10:54 pm, Tiernan OToole wrote:

Meh…. Sounds like a bit of a pain… is there no command line options?


The pfSense config file is pretty standard XML, so you could always 
knock something together in your scripting language of choice to batch 
add the config sections you need.


I've done it in the past in a few lines of PHP when adding a large range 
of NAT rules for a client (one port to each machine, but 50+ machines on 
their LAN).


Kind regards,

Chris
--
This email is made from 100% recycled electrons
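
Chris describes batch-adding NAT rules to config.xml with a few lines of PHP; the following is an added Python equivalent, not his script and not part of pfSense. The `<rule>` element names (source, destination/network, destination/port, protocol, target, local-port, interface, descr) are my recollection of the pfSense 2.x port-forward layout and are an assumption: compare the output with a backup taken from your own box before restoring it, as Jim's safer route suggests.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for a config.xml backup (not a real pfSense file).
SAMPLE_CONFIG = """<pfsense>
  <version>11.9</version>
  <nat>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>443</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.10.5</target>
      <local-port>443</local-port>
      <interface>wan</interface>
      <descr>Existing web server</descr>
    </rule>
  </nat>
</pfsense>
"""


def add_port_forwards(xml_text, hosts, base_port, local_port=22,
                      iface="wan", proto="tcp"):
    """Add one port-forward per host: external base_port+i -> host:local_port.

    An external port already used by a rule on the same interface is skipped
    rather than silently duplicated. Target addresses are validated before they
    are written. Returns (new_xml_text, number_of_rules_added).

    Caveat: this writes only the NAT entry. The matching firewall pass rule
    (what the GUI's "Filter rule association" creates) is not generated here,
    so traffic will not flow until that exists too.
    """
    root = ET.fromstring(xml_text)
    nat = root.find("nat")
    if nat is None:
        nat = ET.SubElement(root, "nat")
    used = {(r.findtext("interface"), r.findtext("destination/port"))
            for r in nat.findall("rule")}
    added = 0
    for i, host in enumerate(hosts):
        ipaddress.ip_address(host)  # raises ValueError on a malformed target
        ext_port = str(base_port + i)
        if (iface, ext_port) in used:
            continue
        rule = ET.SubElement(nat, "rule")
        ET.SubElement(ET.SubElement(rule, "source"), "any")
        dest = ET.SubElement(rule, "destination")
        ET.SubElement(dest, "network").text = "wanip"
        ET.SubElement(dest, "port").text = ext_port
        ET.SubElement(rule, "protocol").text = proto
        ET.SubElement(rule, "target").text = host
        ET.SubElement(rule, "local-port").text = str(local_port)
        ET.SubElement(rule, "interface").text = iface
        ET.SubElement(rule, "descr").text = (
            f"Generated: {proto}/{ext_port} -> {host}:{local_port}")
        used.add((iface, ext_port))
        added += 1
    return ET.tostring(root, encoding="unicode"), added


def forwarded_ports(xml_text, iface="wan"):
    """External ports with a port-forward on `iface`, sorted; handy for review."""
    root = ET.fromstring(xml_text)
    return sorted(int(r.findtext("destination/port"))
                  for r in root.findall("nat/rule")
                  if r.findtext("interface") == iface
                  and r.findtext("destination/port"))


if __name__ == "__main__":
    # Constructed LAN hosts; external 2201, 2202, 2203 -> each host's port 22.
    lan_hosts = ["192.168.10.11", "192.168.10.12", "192.168.10.13"]
    new_xml, count = add_port_forwards(SAMPLE_CONFIG, lan_hosts, 2201)
    print(f"added {count} rules; forwards now on {forwarded_ports(new_xml)}")
```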


[pfSense] OpenVPN on Multi WANs (v1.2)

2015-02-14 Thread Chris Bagnall

Greetings list,

I have a scenario where I need to make pfsense's OpenVPN server 
available on both WANs in a multi-WAN environment.


Read the Wiki I hear you cry: 
https://doc.pfsense.org/index.php/Multi-WAN_OpenVPN :-)


Alas, it's not quite that easy - the site in question's pfSense unit is 
running 1.2.3. The box itself is an old ALIX board with only 128MB RAM 
and a small compact flash card. It's not going to run 2.x. The site is 
also a round trip of almost 1200 miles from me, so until the unit really 
dies (or until the building's owner goes out there to do some work 
themselves), upgrading the unit to 2.x capable hardware isn't really 
practical.


Can anyone cast their mind back to the pre-2.x world and remind me how 
(if indeed it's possible) to run OpenVPN on the second WAN interface?


Thanks in advance.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Multi-WAN port forwarding

2015-02-12 Thread Chris Bagnall
On 12 Feb 2015, at 20:33, Tiernan OToole tier...@tiernanotoole.ie wrote:
 The steps I took were:
 Firewall/NAT, Add, interface = WAN1, proto TCP, src addr and port are both *, 
 dest = 5060, nat IP (internal ip of the voip box), nat ports 5060
 Did this for each WAN connection and again for other ports… but the VoIP 
 firewall the ports aint open… What am I doing wrong?
 It works on port 80! Why not SIP?!

What did you select for “Filter Rule Association” ?
If I recall correctly, selecting ‘pass’ won’t work in a multi-WAN environment; 
you need to let it create a linked filter rule.

(as an aside, unless you specifically want SIP calls from the internet at 
large, you might want to lock down your incoming SIP rules to only allow 
connections from your SIP supplier - there are just too many SIP attacks out 
there these days to leave it open to the world unless you really need to)

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] Installation question

2015-01-09 Thread Chris Bagnall
On 10 Jan 2015, at 03:09, k_o_l k_...@hotmail.com wrote:
 I’ve installed a second hard drive in my firewall the primary is running 
 2.1.5 and the secondary 2.2RC. How do I setup the firewall to allow my to 
 choose between the two at boot?

This is normally a function of the BIOS. If you go into the BIOS setup menu, 
you should find an option called ‘boot order’ or similar. Modify that to select 
your drive of preference to boot from.

Some more modern BIOSes have a function key you can hit on startup to bring up 
a boot menu (often F10) that’ll allow you to select a boot disk on the fly, 
rather than having to go into the full menu system each time you want to make a 
change.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] Enforcing policy routing gateway

2015-01-09 Thread Chris Bagnall
On 10 Jan 2015, at 03:30, Tim Eggleston tim.li...@eggleston.ca wrote:
 I use policy routing (Gateway under Advanced Features) to send traffic from 
 certain hosts down a VPN which is originated on the pfsense machine. This 
 works great.
 However I noticed today that when the VPN fails, the traffic falls back to 
 the default gateway. In my scenario, this is not desirable; the traffic has 
 to go down the VPN or not at all.

You may find that your ‘via VPN’ rule is being bypassed when it sees the VPN’s 
gateway as being offline. AFAIK this is expected behaviour.

Check the setting of System - Advanced - Miscellaneous - Skip rules when 
gateway is down.

From the description:
“By default, when a rule has a specific gateway set, and this gateway is down, 
rule is created and traffic is sent to default gateway. This option overrides 
that behavior and the rule is not created when gateway is down.”

Toggling this might achieve what you’re after.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] More ports

2014-12-13 Thread Chris Bagnall

On 14/12/14 2:09 am, Stefan Baur wrote:

Plus the app broadcasts the admin password for the switch in plaintext
on the entire network. So in-place reconfiguring is a really bad idea.


Oh dear gods, how on earth did that one get through QA? :-)

Kind regards,

Chris
--
This email is made from 100% recycled electrons
___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-10 Thread Chris Bagnall

On 10/12/14 6:36 am, Chris L wrote:

That’s actually your fault for using 10/8, not Comcast's.
Even if they were to use something like 10.58.223.0/24 they’d still conflict 
with your 10/8.


There are so many different brands and models of consumer router on the 
market these days in the 10/8 and 192.168/16 range that we've pretty 
much given up on them for all new installs, instead dropping things into 
the other RFC1918 range: 172.16/12 (we usually use variants on 
172.20.x/24 where x is reasonably random).


I don't think we've seen more than 1 or 2 consumer routers that default 
to anything in the 172.16/12 range - yet.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Client-Side 1:1 NAT for IP address conflicts w/ VPN

2014-12-10 Thread Chris Bagnall

On 10/12/14 3:30 pm, Giles Coochey wrote:

http://tools.ietf.org/html/rfc6598


Unfortunately, there are people who stick their networks (erroneously) 
on 100.64/10 as well - including at least one government department in 
the UK - who shall remain nameless for the avoidance of ridicule :-)


I suppose it's marginally less 'bad' than the many large networks that 
squat on what was in the past bogon space, but that's now in active 
service as IPv4 addresses become ever scarcer resources.


On 10/12/14 3:13 pm, Karl Fife wrote:

Ultimately, it's a crap shoot, and the solution is to use IPV6 and 6:4
NAT for legacy.


If only someone could have foreseen that IPv4 would run out sooner or 
later... oh wait, we did, didn't we, about a decade ago. :-)


(as an aside, is anyone using 6:4 in more than a dev/lab environment and 
managed to *not* encounter brokenness yet? Last time I tried running v6 
only at home, tayga and DNS64 worked okay for general web usage, but 
Steam seemed to break completely)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Aliases are auto-deleted

2014-12-09 Thread Chris Bagnall

On 9/12/14 12:24 pm, Volker Kuhlmann wrote:

I found the problem. My ISP changed the WAN gateway to be mostly
non-responsive to pings. But only mostly, so pfsense plays yoyo with it.


Funny you should mention that. I've seen similar on a few of our pfSense 
deployments of late, with several different ISPs. So it might be a 
'thing' ISPs are doing these days - perhaps an overzealous rate limiter 
in one of the usual suspects' LNS products? I generally get around it by 
using one of their DNS servers as a monitoring target (except when those 
also block ping - grrr).


(nearly all our pfSense deployments are multi-WAN, so disabling gateway 
monitoring isn't a solution here, alas)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Revisiting PCIe LTE/4G modems

2014-10-28 Thread Chris Bagnall
 So I'm hoping to get a possible alternative solution made that would employ 
 APU1 boards and adding a wifi and an LTE/4G device (I see from my board here 
 in front of me there's a SIM slot below the SDXC slot)…
 What success have the users here had with PCIe LTE/4G radios in their 
 devices? I'm looking, preferably, for something that is Verizon compatible as 
 that is our carrier here.

Would also be interested if anyone has any thoughts/suggestions on this (though 
I’d be looking for something UK-network-compatible :-) )

Ryan, if it’s any help, I’ve used Huawei USB modem dongles in the USB ports in 
the ALIX boards connected to an external antenna in the past without issue - I 
see no reason why that shouldn’t work with the APU as well. Though I agree an 
internal solution would be considerably more elegant.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris Bagnall
 I'm suffering in my efforts to install 2.1.5 onto my box, so can I change the 
 box?
 A proven hardware platform, available in the UK with at least 6 physical 
 network ports, I can probably justify buying. 
 Suggestions anyone?

We’ve used these:
http://linitx.com/product/fx5624-intel-celeronm-600mhz-6-nic-firewallrouter-platform-2xgigalan-4x10100/12508

and these:
http://linitx.com/product/fx5625-intel-atom-18ghz-8-nic-firewallrouter-platform-8-intel-gigalan/13468

Pretty frequently with pfSense and not had any problems.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons



Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris Bagnall
 I'm trying to use a http://www.mini-itx.com/store/~FX5624 which I think is 
 the same box as your first link, if you can install onto here easily and 
 frequently then it must be me doing something wrong, aaagh

Certainly looks like the same unit. Are you trying to install onto a CF card 
(those units have a CF slot) or are you trying to do a full install onto an SSD 
or HDD?

Most of ours are done using the embedded install using a CF card, as follows:
 - download 32-bit embedded image *with* VGA console
 - use dd on a Linux or Mac system to write it to a suitable CF card (instructions on pfSense wiki)
 - insert CF card and boot box
 - configure interfaces from command line in the usual manner

In the several dozen we’ve deployed, I don’t think any of them have been more 
complicated than that. Of the two failures we’ve had in several years, both 
have been down to a dodgy CF card, not the unit itself.

Hope that helps.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons



Re: [pfSense] pfsense h/w

2014-10-23 Thread Chris Bagnall
 I thought there was a very large restriction in packages using CF compared to 
 HDD, is that not the case (I'm coming from 1.2.3 so this might have changed)

That may well be true - I must confess I’m of the school of thought that a 
firewall/router should do firewalling and routing, and not a lot else, so my 
experience with packages is at best limited :-)

 I did try a CF card, that started to boot but immediately hung


I’ve had that on occasion - nearly always down to an incorrectly (or 
incompletely) written CF card. I don’t know what OS environment you’re used to 
using day-to-day, but in my experience I could never persuade the Windows 
physdiskwrite utility to work reliably on Win7. If you’re not using a *nix 
machine to write your CF card, I’d strongly suggest doing so if you can.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons



Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Chris Bagnall

On 9/10/14 12:05 pm, Mikey van der Worp wrote:

Today I have come to you with the question on how to block users from spamming 
with smtp/25, behind NAT and the IP of pfSense (NAT). We do not wish/want to 
block the entire SMTP traffic in the private range to the world, because there are 
important clients behind the pfSense, who actually behave normally. We thought 
about forcing all the SMTP traffic to be redirected through the pfSense machine, so 
it can be scanned/blocked (even when the user decides not to do this and wants to 
use their own SMTP server).


I'd have to caution *against* doing the above. Many people have their 
mail clients set to use TLS for outbound mail (quite sensibly), and that 
will invariably break if you try to intercept traffic to port 25 and run 
it through your own filtering mail server.


It's the bane of my life when we have clients staying in hotels that do 
this :-)


Worth adding from a user privacy perspective, it's pretty bad manners to 
intercept outbound mail traffic, especially if your users aren't 
explicitly consenting to this being done.


If you want to prevent outbound spam from your users, I'd suggest 
setting up an SMTP smarthost that sends mail on behalf of your users 
(I'm sure there are probably pfSense packages for this, but I'd do it on 
another server, personally), educate your users about using this 
upstream SMTP server, give them time to change mail settings etc., then 
block port 25 outbound and specifically open it for clients that need 
(legitimately) to use it.


The important thing is explaining to users what you're doing, why you're 
doing it, and how they can 'opt out' of it if they want/need to.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Issue with SMTP - Spam behind NAT

2014-10-09 Thread Chris Bagnall

On 9/10/14 12:21 pm, Rizul khanna wrote:

Hello, please let me know the process for unsubscribing from all the
mailing lists of pfsense.


Follow the link at the bottom of every list email.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] bogon networks

2014-09-28 Thread Chris Bagnall
On 28 Sep 2014, at 12:19, Andrew Mitchell andrew.k.mitch...@att.net wrote:
 My apologies. 192.40.140.0/23

I'm not sure what pfSense uses as its Bogons source, but my reference has 
usually been:
http://www.team-cymru.org/Services/Bogons/http.html

Your IP block isn't in there, from what I can see...

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons
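The check described in the post, as an added example (not from the post or from pfSense itself): a prefix is compared for overlap against a bogon list in the one-prefix-per-line format the Team Cymru page serves. The list embedded here is a constructed excerpt, not a live download, and it also covers the 100.64/10 and 172.16/12 ranges discussed earlier in this archive.

```python
import ipaddress

# Constructed excerpt in the one-prefix-per-line style of the Team Cymru HTTP
# bogon list. A real list is longer and changes over time; fetch it fresh.
BOGON_LIST_TEXT = """\
# constructed sample, not a live download
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
224.0.0.0/4
240.0.0.0/4
"""


def parse_bogons(text):
    """Return the networks in a bogon list, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def bogon_overlaps(prefix, bogons):
    """Return the bogon entries that overlap the prefix (empty list means clean).

    Any overlap matters: a firewall that blocks bogon networks drops traffic
    from every address in the matching entry, so even a partial overlap
    breaks reachability for part of the prefix being checked.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return [b for b in bogons if b.version == net.version and b.overlaps(net)]


def check_prefix(prefix, bogon_text=BOGON_LIST_TEXT):
    """Summarise whether a prefix would be caught by the given bogon list."""
    hits = bogon_overlaps(prefix, parse_bogons(bogon_text))
    return {"prefix": prefix, "is_bogon": bool(hits),
            "matches": [str(h) for h in hits]}


if __name__ == "__main__":
    # The block from the thread, plus two ranges discussed earlier in the archive.
    for p in ("192.40.140.0/23", "100.64.5.0/24", "172.20.5.0/24"):
        print(check_prefix(p))
```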



Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall

On 26/9/14 11:43 am, Hannes Werner wrote:

I wonder what the reason is for not getting
https://redmine.pfsense.org/issues/1629 fixed?
Many gave up waiting for this, but it seems there must be a proper
reason for it. May I ask what the problem is not being able to use
pfSense with Asterisk?


Worth mentioning here that many of us are using Asterisk behind pfSense 
without any issue at all.


The triggers for this issue seem to be, specifically:
 - PPPoE WAN interface
 - dynamic WAN IP
 - SIP service provider

We (one of my $dayjobs is a VoIP service provider) have dozens of 
clients using Asterisk with PPPoE WAN without any problem, but they're 
all using static WAN IPs provided by the ISP(s) in question.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall

On 26/9/14 12:06 pm, Giles Coochey wrote:

I can think of many reasons, why running a service such as Asterisk, on
an IP address that you have a temporary lease for (thus only have a
passing relationship with, before it is passed to someone else), would
be pretty bad practice.


I think Giles has put it far better than I did :-)

In short, Asterisk is temperamental with dynamic IPs _in general_, it's 
not necessarily specific to pfSense (though I appreciate this bug report 
relates specifically to pfSense).


I've seen the same symptoms with Asterisk servers behind Draytek 
routers, for example - as with pfSense, it's usually solved with a state 
table reset.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] States Issue with Asterisk behind pfSense

2014-09-26 Thread Chris Bagnall

On 26/9/14 12:42 pm, Hannes Werner wrote:

are you saying that people with dynamic IP shouldn't use pfSense
behind an Asterisk service?


Firstly - it's not my place to say anything of the sort - I have no 
connection to the pfSense team (apart from as a satisfied user). I 
suspect one of the pfSense devs will reply to this thread at an 
appropriate time.


The point I was trying to make is that this is not exclusively a pfSense 
problem. Asterisk (and SIP in general) is far from perfect when behind a 
frequently changing dynamic IP.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Https blocking

2014-09-24 Thread Chris Bagnall

On 24/9/14 6:21 pm, A Mohan Rao wrote:

If you really are an expert then please resolve my problem. I have done all the
things but still people can access blocked websites in pfSense.


Sites like Facebook have thousands of servers across the world, split 
across numerous netblocks and content delivery networks. You never will 
be able to completely block them, at least not without spending hundreds 
of man-hours keeping up to date with IP lists, DNS names, etc.


Then you have to consider the easy availability of proxies designed 
specifically to allow people to access blocked sites.


And even assuming you are able to block them, many sites share their CDN 
infrastructure (Akamai, Limelight Networks, to name just two big ones), 
so you have to consider the dangers of overblocking: inadvertently 
preventing your users from accessing necessary sites that happen to use 
the same CDN.


There just isn't a panacea in this.

You are trying to find a technical solution to a social/political problem.

If your management doesn't understand that getting you to spend hours 
upon hours playing 'whack-a-mole' blocking each social networking 
netblock isn't productive use of your time, then perhaps asking them to 
provide a whitelist of sites that employees *can* access, then simply 
blocking anything not on that list might be a more sensible way of going 
about this.


On a personal note, I'd add that if your management are so determined to 
prevent people having a few moments to keep up with their 
friends/personal life, I'd have to question whether I really wanted to 
work for them...


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread Chris Bagnall

On 23/9/14 6:46 pm, RB wrote:

I'd suggest at least a managed switch that can do LACP.


This.

Given how small the price difference often is between unmanaged and 
semi-managed (aka 'smart') switches these days, it just doesn't make 
sense to buy unmanaged any more. You never know when things like VLANs, 
LLDP and LACP might just come in handy, and even if you never use them, 
a managed switch will also allow you to do other interesting things like 
graph per-port (and sometimes per-port-VLAN) usage, which can be useful 
for detecting misbehaving network hardware elsewhere.



I've had decent results with the Linksys/Cisco SMB switches and the ZyXel
GS1900 range.


One of our clients uses the Zyxel switches to good effect. Their 24 port 
PoE versions are certainly competitively priced.


I tend to use HP where possible. At the lower cost end of the market, 
something like the 1810-24G (web managed) is a good bet, or move up to 
the 2510/2520 if you need more management functionality and/or a CLI. 
I've avoided the 1910 range; AIUI they're basically rebadged 3Com units 
after the HP/3Com buyout.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] OT: Good network switch for 10 machines?

2014-09-23 Thread Chris Bagnall

On 23/9/14 7:44 pm, Espen Johansen wrote:

A netgear pro switch


Be careful which model you get. Some of the newer/cheaper ones that have 
been sold as 'managed' recently don't have a web interface. They have 
some horrible management application that uses Adobe Air, only works on 
Windows, only communicates with switches on the same broadcast domain 
(so useless for any sort of routed environment) and is generally rubbish.


If you get one of the older FS72x/75x models, I think you're okay - it's 
the newer J ones that seem to have this 'feature'.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] [SOT] apu1c4/apu1d4 stability

2014-09-22 Thread Chris Bagnall

On 22/9/14 5:10 pm, mayak wrote:

In an earlier thread, I recounted issues that I had with the apu1c4 unit
silently dying -- this was the only thread that I saw here, so I assume
that I just got a bad unit.


I cannot give you a sample of 20 - they're too new for that - but I can 
say of the dozen or so we've used thus far we've had no failures reported.


They do run noticeably warmer to the touch than the previous ALIX 
boards, and as others have posted here, it's important to attach the 
heat spreader correctly and ensure it has good contact with the chassis.


So if your install environment is particularly warm, or particularly 
poorly ventilated, then you might want to consider an alternative. All 
of ours are installed in reasonably well-ventilated 19" cabs.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] No logout in 2.1.5 i386

2014-09-19 Thread Chris Bagnall

On 19/9/14 4:41 pm, Ryan Coleman wrote:

Also what browser is that?


Looks like Firefox to me...


Disabled your add-ons (I see there are a few of them - could be an issue)?


This is definitely worth a try.

As an aside, one of the first things I do with a fresh pfSense install 
is to revert back to the 'traditional' skin with the menu fully expanded 
in a column on the left. I find it works much better with tabbed 
browsing (ability to work down the list and open each page in a new tab, 
especially with old/slow hardware like ALIX boards where page 
transitions can be time consuming).


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] VIP,MAC Arp

2014-09-18 Thread Chris Bagnall

On 18/9/14 8:13 pm, Nick Upson wrote:

We have a new /27 range to go with this new installation and here is the
problem, external ping/connectivity to the new IPs doesn't work except one,
the .225 address; it seems the firebrick requires ARP in order to route
them. I have setup several different Virtual IPs (tried different types,
individually and as a range) and they don't work, the firebrick ARP table
only contains the .255 with a MAC address, the rest don't have one and so
are not used (I'm told).


In my experience (and one of our clients had a similar setup a couple of 
years back before they got FTTC), you want a Proxy ARP entry on your 
pfSense VIP page for the whole IP range, so assuming the subnet you've 
been given is a.b.c.224/27, just create a corresponding VIP rule.


Here's one of mine for a much smaller range:
a.b.c.176/29   ADSL2   proxy arp

(note the choice of interface - make sure you choose the interface to 
which you've connected the Firebrick)


As an idle curiosity - is this an AAISP connection you're using? If so, 
their IRC channel is usually populated with some pretty clueful folks, 
some of whom run pfSense, so it might also be worth asking on there.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] questions about carp/xmlrpc

2014-09-09 Thread Chris Bagnall
On 9 Sep 2014, at 14:01, Albert Dengg alb...@fsfe.org wrote:
 the second question is also related to virtual ip's:
 is there a way to configure a failover for the second wan interface,
 if there is only one ip assigned to me by the isp?

My understanding (and this isn’t limited to pfSense - I’ve seen the same thing 
using linux-ha, heartbeat, CARP, etc.) is that you need a minimum of 3 (usable) 
IPs to achieve what you’re looking for, so in effect you’ll need your service 
provider to offer you a /29 range (assuming their gateway is assigned one of 
those IPs).

I suppose you could fake it by running NAT on whatever equipment your ISP 
provides, but then you’ll end up with a double NAT situation, and that’s 
horrible :-)

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons



Re: [pfSense] questions about carp/xmlrpc

2014-09-09 Thread Chris Bagnall
On 9 Sep 2014, at 14:46, Albert Dengg alb...@fsfe.org wrote:
 that however still leaves with the problem of the interface mixups
 for my internal networks, where the sync tries to assign the
 virtual ip's to the wrong interfaces….

Is your hardware (and interface names) identical across both your primary and 
secondary members?

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons



Re: [pfSense] Triple WAN

2014-09-08 Thread Chris Bagnall
On 8 Sep 2014, at 18:07, Joe Laffey j...@laffey.tv wrote:
 Anyone using Load Balancing for a triple WAN setup? Does this work OK in pfSense? 
 What about older 1.2.3 systems?

I have a triple WAN setup at home, which worked fine in 2.0 and likewise now in 
2.1. There are limitations in 1.2.3 that complicate things slightly - inability 
to choose which gateway a DNS server uses is the big one, especially if your 
WANs come from different service providers with DNS locked down to only allow 
access from their IP ranges.

I also have several quad WAN setups in managed office buildings where short 
tenancy agreements prevent the occupants from signing up to 3 year fibre leased 
line contracts.

As a general rule, you’re (in my experience) better off not doing simple round 
robin load balancing. RR is done on a connection basis, so it’s still possible 
for one client machine to saturate all 3 WANs, thus reducing quality of service 
for other users. This is especially problematic if you have clients you don’t 
control (i.e. where you don’t have administrative veto over the crap they 
install on them) - it’s quite easy for someone to install a P2P app, or simply 
have malware that tries to propagate itself by creating lots of outbound 
connections.

I tend to work on the principle of sending your ‘I care about latency’ traffic 
down one connection: SIP, mail, SSH and various streaming protocols are the 
ones I normally separate - you may have others to consider. I then create a 
gateway group for the other two connections in a standard round robin load 
balance.

If you can easily separate your clients out on the LAN side, you can go a step 
further: in one of the offices we supply, floor 1 is balanced across WANs 1 and 
3; floor 2 is balanced across WANs 2 and 4.

These methods are all to prevent one single client saturating the connectivity 
into a building. You’ll have to do some experimentation to find out what works 
best in your environment.

One final word of advice: send HTTPS connections down a single WAN. Many 
‘secure’ sites will expire sessions if connections come from different IPs and 
your clients will get upset very quickly if they’re having to re-login to 
online services every few minutes.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons



Re: [pfSense] Difference between APU4 and APU1C4

2014-07-27 Thread Chris Bagnall

On 27/7/14 7:06 pm, Matthias May wrote:

With Intel cards on the same board you can get up to 650 Mbit/s, but I
expect it to be lower with additional rules.


Have you tried it with Intel cards (I assume you're talking mPCIe 
cards?) - and if so, what chassis did you use?


The ability to install Intel NICs on these boards would make them very 
compelling indeed - especially as there are more than a few scenarios 
where 3 NICs just aren't enough.



The strength of this board isn't, that it performs very fast, but that
it performs reasonably well without taking too much power.


I'd add it's much faster than the ALIX boards it replaces, for 
virtually no increase in cost. That in itself is a pretty substantial 
benefit.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Chris Bagnall

On 22/7/14 11:17 pm, Nickolai Leschov wrote:

I didn't notice this page. So it looks like it's some kind of thermal paste that
allows for adequate thermal conductivity between the CPU/south bridge and
the aluminum heat spreader, but the heat spreader is in dry contact with
the case?


The one I've just installed here in my home office has 'sticky' thermal 
pads on both sides of the aluminium heat spreader, and sticks to both 
the chips and the base of the chassis.


It gets warm in use, but not uncomfortably hot. Ambient temperature is 
about 22C at this time of year.



Now, how is the board held in place, inside the enclosure? Is it held in
place by 'screws and hex nuts'?


4 screws in the corners which go into binding posts on the chassis, not 
particularly dissimilar from most PC motherboards into cases.



What is the thing in the second-to-last picture near the thumb of the
presenter's right hand: is it the SIM card tray? Is it accessible from
outside, after the installation?


There is a SIM card tray, and like the SD card slot, no, it's not 
accessible externally after installation.


(as a matter of curiosity, does pfSense support this SIM card slot for 
anything 'interesting'? - one presumes it would need to be used in 
conjunction with a miniPCIe radio card of some persuasion)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Chris Bagnall

On 23/7/14 2:10 am, Jim Thompson wrote:

Very little of this thread is related to pfSense.
Please stay on topic.


Respectfully, I disagree.

Given the APU is - as the de facto successor to the ALIX - likely to be 
a piece of hardware used in a lot of new pfSense installs, discussion 
about its merits and drawbacks (in a pfSense context) strikes me as 
being *entirely* on topic.


Certainly if heat dissipation is going to be a concern with this unit in 
long-term deployments, and given the 24/7/365 nature of firewalls, 
that's very relevant to pfSense and something for which we as a 
community need to be finding solutions.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Difference between APU4 and APU1C4

2014-07-22 Thread Chris Bagnall

On 23/7/14 4:11 am, Ryan Coleman wrote:

I may have fired off the message in a fit of frustration but you made it a 
public statement - if you wanted to be the “mom” and handle it you should have 
sent it privately instead of publicly.


I can't work out if the above is directed at me or Jim.

(I certainly don't have any intention of being anyone's mum)

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] 802.11ac Mini PCI Express adapter for pfSense

2014-07-21 Thread Chris Bagnall

On 21/7/14 4:27 pm, Kevin Tollison wrote:

I have used internal cards in the past and they typically work well. We have
found that an external AP gives a lot more flexibility to an install.


+1 for external APs. Your environments may be different, but during 
installs we often find the best place for the pfSense box is in a comms 
cupboard or 19" wiring cabinet. Obviously those aren't always the best 
environments for effective wireless signals (especially those little 9U 
wiring cabinets - metal sides are a killer for signal strength).



I have used the ESR1750 AC router and get some pretty amazing throughput.


I've not used the EnGenius kit, but I'll throw in a suggestion for the 
Ubiquiti UniFi 802.11ac AP. Initial results seem fairly promising.


Having said that, you should be aware that you'll only get anything 
approaching 'ac' speeds with a really wide channel bandwidth. Most of 
the environments I've been involved with have so much wifi 'noise' from 
surrounding users that trying to find anything like 20MHz of clear channel 
space is a real challenge.


So unless you really *need* 11ac speeds and know you're in a fairly 
'quiet' wireless area, you might be better off with several smaller and 
cheaper 11n units rather than a single 11ac unit.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Squid Problem and DNS?

2014-07-16 Thread Chris Bagnall

On 16/7/14 3:25 pm, Brian Caouette wrote:

#1. Initial page lookups are really slow. When I enter a website it will
pause for 6-8 seconds then the page is instantly there. I have Googles
DNS set in general and currently have stock DNS Forwarder active. It's
set to use system defaults.


As a test, have you tried using your ISP's caching DNS servers instead, 
and does it make any difference?



#2. Squid is active and working but hit rate has been zero. It's been
running a week now. Prior install I would average a really poor .5 -2%.
I'm not sure what to do. I'm on Google over load now trying to find the
answers and so far my config seems to be in line with general
recommendations.


A great many websites these days rely on dynamic content and send 
cache-control headers to prevent proxies like Squid from caching things. 
You can play with Squid's settings to ignore some cache-control headers, 
but obviously there are risks of delivering your clients out of date 
content by doing that.


Kind regards,

Chris
--
This email is made from 100% recycled electrons

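The zero hit rate Brian describes is mostly down to the headers modern sites send. The following is an added example (mine, not code from the thread or from Squid) that applies the response-side storage rules of RFC 7234 a shared cache such as Squid must honour and says, per response, whether a later request could ever be a cache hit. The sample responses in it are constructed for illustration and the six verdict codes are my own labels. Squid's refresh_pattern options that override or ignore those headers are what turn the 'private', 'revalidate' and 'stale' cases into hits, which is exactly where out-of-date content comes from.

```python
"""Why a Squid cache in front of modern sites can show a hit rate near zero.

Added example: RFC 7234 response-side storage rules as a shared cache sees
them. The sample responses at the bottom are constructed, not captured.
"""
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Turn 'private, max-age=0, no-cache' into {'private': None, 'max-age': '0', 'no-cache': None}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def freshness_lifetime(headers, cc):
    """Seconds a shared cache may reuse the response without asking the origin.

    Returns None when the origin gave no explicit lifetime; a proxy then falls
    back to heuristics (Squid: refresh_pattern). s-maxage outranks max-age for
    shared caches, and both outrank Expires. 'headers' keys must be lower-case.
    """
    for directive in ("s-maxage", "max-age"):
        value = cc.get(directive)
        if value is not None and value.isdigit():
            return int(value)
    if "expires" in headers and "date" in headers:
        try:
            delta = parsedate_to_datetime(headers["expires"]) - parsedate_to_datetime(headers["date"])
            return max(int(delta.total_seconds()), 0)
        except (TypeError, ValueError):
            return 0  # an unparsable Expires counts as "already expired" (RFC 7234 5.3)
    return None


def shared_cache_verdict(headers):
    """Return (code, explanation) for one response as seen by a shared cache.

    code: 'no-store' | 'private' | 'revalidate' | 'stale' | 'fresh' | 'heuristic'.
    Only 'fresh' and 'heuristic' can become hits without a round trip to the
    origin; the others are why the hit counter stays near zero.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store", "origin forbids storing the response at all"
    if "private" in cc:
        return "private", "only the user's browser may store it; a shared proxy must not"
    if "no-cache" in cc:
        return "revalidate", "storable, but every reuse needs a round trip to the origin"
    lifetime = freshness_lifetime(h, cc)
    if lifetime is None:
        return "heuristic", "no explicit lifetime; refresh_pattern (or an override) decides"
    if lifetime == 0:
        return "stale", "expired on arrival; served only after revalidation"
    return "fresh", "may be served from cache for %d seconds" % lifetime


# Constructed response headers, in the style of what a proxy would log.
SAMPLE_RESPONSES = {
    "social-network feed": {
        "Cache-Control": "private, no-cache, no-store, must-revalidate",
    },
    "search results page": {
        "Cache-Control": "private, max-age=0",
        "Date": "Wed, 16 Jul 2014 14:25:00 GMT",
        "Expires": "Wed, 16 Jul 2014 14:25:00 GMT",
    },
    "windows update .cab": {
        "Cache-Control": "public, max-age=2592000",
        "Last-Modified": "Tue, 08 Jul 2014 17:00:00 GMT",
    },
    "static image, no Cache-Control": {
        "Last-Modified": "Tue, 01 Jul 2014 09:00:00 GMT",
    },
    "api call, Expires == Date": {
        "Date": "Wed, 16 Jul 2014 14:25:00 GMT",
        "Expires": "Wed, 16 Jul 2014 14:25:00 GMT",
        "ETag": '"v7"',
    },
}


def hit_candidates(responses):
    """Names of the responses a shared cache could later serve as a hit."""
    return sorted(name for name, hdrs in responses.items()
                  if shared_cache_verdict(hdrs)[0] in ("fresh", "heuristic"))


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        code, why = shared_cache_verdict(hdrs)
        print("%-32s %-10s %s" % (name, code, why))
    print("possible hits:", hit_candidates(SAMPLE_RESPONSES))
```

Run it and only the update file and the header-less image come out as possible hits; everything dynamic is refused before freshness is even considered, which is the pattern behind a week of near-zero hit rate.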

[pfSense] Squid in a Multi-WAN environment

2014-07-10 Thread Chris Bagnall

Greetings list,

I'm trying to persuade the Squid 3 package to use a load balancing 
gateway group, unfortunately without much success.


I'm afraid my google-fu is failing me:
 - this link from the official docs seems to relate to 1.2:
https://doc.pfsense.org/index.php/Troubleshoot_Outbound_Load_Balancing_Issues
 - I've picked out the floating rules advice from this forum post:
https://forum.pfsense.org/index.php/topic,60977.0.html
(but again, that's 2.0)

Has anyone had any joy in getting Squid to use a gateway group in 2.1.x, 
and if so, would you mind sharing how you went about it?


Thanks in advance.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Squid3 with https filtering

2014-06-17 Thread Chris Bagnall

On 17/6/14 10:32 am, A Mohan Rao wrote:

Actually I need to block HTTPS sites like HTTPS Facebook or HTTPS YouTube
etc. with a transparent proxy.


So in order to block Facebook and Youtube, you're going to put all your 
users at risk of SSL MITM attacks on every secure website they visit?


You would be better off - I'd have thought - simply blocking the 
relevant DNS entries and/or IP ranges used by those websites you wish to 
block. DNS is probably better - and there are lists out there of 
Facebook DNS names, since blocking by IP range might knock out the whole 
CDN, which may be used by other sites as well.


Kind regards,

Chris
--
This email is made from 100% recycled electrons

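Chris's suggestion of blocking by DNS name, as an added example (mine, not the thread's or pfSense's code): the pfSense DNS Forwarder runs dnsmasq, so a block list becomes one dnsmasq address=/domain/ip line per domain. The block builds those lines, shows the whole-label matching rule they apply (www.facebook.com is caught, notfacebook.com is not), and runs a pass over constructed dnsmasq query-log lines to see what would have been sinkholed. The domain list, sinkhole address and log lines are illustrative values I chose. A resolver-side block only holds for clients that actually use this resolver.

```python
"""Block a site by name at the resolver rather than by breaking TLS.

Added example: dnsmasq 'address=' overrides for a block list, the matching
rule they apply, and a check of constructed query-log lines against them.
"""

BLOCKED_DOMAINS = ["facebook.com", "fbcdn.net", "youtube.com"]  # assumed list


def normalise(name):
    """Lower-case and drop the trailing dot so 'WWW.Facebook.COM.' compares cleanly."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname, blocked=BLOCKED_DOMAINS):
    """True when qname is a blocked domain or lies beneath one.

    Matching on whole labels is the important detail: 'm.facebook.com' and
    'facebook.com' match 'facebook.com', 'notfacebook.com' does not. This is
    also how dnsmasq applies an address=/facebook.com/ entry.
    """
    q = normalise(qname)
    for domain in blocked:
        d = normalise(domain)
        if q == d or q.endswith("." + d):
            return True
    return False


def dnsmasq_overrides(blocked=BLOCKED_DOMAINS, sinkhole="0.0.0.0"):
    """One dnsmasq 'address=/<domain>/<ip>' line per blocked domain.

    dnsmasq answers every name under <domain> with <ip>, so the client never
    learns the real address and no certificate or TLS session is touched.
    """
    return ["address=/%s/%s" % (normalise(d), sinkhole) for d in blocked]


def blocked_queries(log_lines, blocked=BLOCKED_DOMAINS):
    """Return (client, name) for each query in dnsmasq 'log-queries' style
    lines that the block list would have sinkholed.

    Expected shape (constructed here): '... query[A] www.facebook.com from 10.10.0.122'
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or not parts[-4].startswith("query[") or parts[-2] != "from":
            continue
        name, client = parts[-3], parts[-1]
        if is_blocked(name, blocked):
            hits.append((client, name))
    return hits


# Constructed log lines in dnsmasq's query-log format; addresses are made up.
SAMPLE_QUERY_LOG = [
    "Mar 20 19:22:01 dnsmasq[1234]: query[A] www.facebook.com from 10.10.0.122",
    "Mar 20 19:22:02 dnsmasq[1234]: query[A] notfacebook.com from 10.10.0.122",
    "Mar 20 19:22:05 dnsmasq[1234]: query[AAAA] m.youtube.com from 10.10.0.121",
    "Mar 20 19:22:07 dnsmasq[1234]: query[A] www.example.org from 10.10.0.121",
    "Mar 20 19:22:09 dnsmasq[1234]: reply www.example.org is 192.0.2.10",
]


if __name__ == "__main__":
    print("\n".join(dnsmasq_overrides()))
    for client, name in blocked_queries(SAMPLE_QUERY_LOG):
        print("sinkholed %s for %s" % (name, client))
```

The generated lines go into the forwarder's custom options; nothing about the client's TLS trust store changes, which is the whole point of doing it this way rather than with a MITM proxy.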

Re: [pfSense] Migrating from /32 + /29 to just /29

2014-06-12 Thread Chris Bagnall

On 12/6/14 11:06 pm, Jon Gerdes wrote:

As far as I can tell, the only downside is I lose another address to act
as the gateway.
Can anyone spot any flaws with this method or is it a general practice?


Certainly assigning the first IP in a /29 to the PPPoE client is fairly 
standard practice in the UK (which I see you are). My $dayjob is an ISP 
and assigning the first IP to the PPPo{A|E} client is our normal config 
for anything from a /30 down to a /27.



I put the second address from the /29 onto an interface and the
remaining four onto my externally facing systems.


I believe (though haven't tried it in anger with the post-2.0 pfSense 
versions - I recall doing it years ago with a 1.2.x version) you can use 
an OPT interface for your WAN (instead of the default WAN interface), 
then bridge LAN and OPT1, thus only 'losing' one of your IPs to the 
firewall rather than two.



PS My real motivation for this is to avoid having to go back to split
horizon DNS again which would mean resurrecting BIND and a complicated
views setup - the horror!


As an aside, the inbuilt DNS forwarder works quite well for this 
scenario - leave your BIND configuration pointing to the public IPs, but 
use pfSense's dnsmasq to 'override' those lookups from the local 
network, replacing with their RFC1918 IPs as required.


(it's nice to be able to use a true /29 range if you can, but with RIPE 
IPv4 allocations as tight as they are these days, hang onto yours for 
dear life :-) )


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Monitoring

2014-06-03 Thread Chris Bagnall

On 3/6/14 7:21 pm, Brian Caouette wrote:

I just installed the NRPE package to pfSense. How is it used? Is there
a docs page to make this work with pf?


The first thing you'll need is a working install of Nagios somewhere - 
do you already have that in hand?


As an aside, another option to consider is just using SNMP alerts into 
your monitoring system of choice (I use Cacti, but you could use any of 
the usual suspects: OpenNMS, Zabbix, Nagios and no doubt countless others).


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Setup advice

2014-05-28 Thread Chris Bagnall

Brian Caouette wrote:

How much space should be allocated for pfsense and squid?


In the office here I have 30GB allocated for squid to use as a cache. In 
this case where the chaps in the workshop are often downloading things 
like Windows Updates, software packages, etc., the size was chosen to 
(try to) ensure things like those were picked up in the cache. I've also 
changed the squid caching algo so it'll prefer fewer large items to lots 
of little ones.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Poweredge 2850

2014-05-20 Thread Chris Bagnall
I concur with Ryan's readings with the 2950s - we use them as KVM host machines 
in a datacentre environment and they average around 250W under moderate load. 
That's with 4x SSDs in each.

Also worth mentioning that pfSense will barely use a gig of disk space; the 6x 
73GB SAS units specced by the OP will be largely unused.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons



Re: [pfSense] Poweredge 2850

2014-05-20 Thread Chris Bagnall
On 20 May 2014, at 18:45, Brian Caouette bri...@dlois.com wrote:
 What software is available to do virtual machines?

We use KVM.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons



Re: [pfSense] Poweredge 2850

2014-05-20 Thread Chris Bagnall
On 20 May 2014, at 21:37, Harlan Stenn har...@everett.org wrote:
 Where are you that you get electricity for .05/kWh?  Here in Oregon we
 have pretty great rates, and I think we're paying .10-.12/kWh.

I don't know where the OP hails from, but here in the UK (Scotland, 
specifically, at the moment), it's 0.16 GBP/kWh. At current exchange rate, I 
think that's around 0.25 USD.

I suppose if you had a PV array in your garden to power it, and you were using 
the 2850 to heat your home as well, it might be quite economical :-)

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons



Re: [pfSense] Intel Pro/1000 PT Quad Port PCI-e Gigabit Ethernet

2014-05-09 Thread Chris Bagnall
On 9 May 2014, at 23:25, Dave Warren da...@hireahit.com wrote:
 I'm looking on eBay as well, it's worth the gamble vs buying new.

Not pfSense-specific, but I've used quite a few from eBay (both dual and quad 
port cards) in generic FreeBSD installs and not had a problem with them.

As others have said, they're so cheap (by comparison to new prices) on eBay 
that it's a gamble worth taking.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons



Re: [pfSense] Upgrading Alix 2d13

2014-04-29 Thread Chris Bagnall

On 29/4/14 7:40 pm, Vick Khera wrote:

I've now upgraded 3 separate ALIX boards to 2.1.2 (one from 2.1.0, the
other two from 2.0.1) with zero failures.
Perhaps try upgrade from the console menu. Just make sure that the
upgrade URL is configured correctly for the i386 version of pfsense.


Also worth checking they're the new(er) ones with 256MB RAM - the older 
128MB ones do sometimes struggle to upgrade - though it's normally 
fairly obvious from the logs, you'll see things like 'x process killed'.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Upgrading Alix 2d13

2014-04-29 Thread Chris Bagnall

On 30/4/14 12:31 am, Ryan Coleman wrote:

4GB CF cards are pretty cheap these days - I would just buy one in the store 
($20) or online ($10 or so) and image that, pop it in the firewall and import 
your config.


Agreed, if the devices are suitably close to you. A bit more of a 
problem if they're several hundred miles away from you :-)


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] HP DL160 for pfSense in a datacenter

2014-04-23 Thread Chris Bagnall

On 23/4/14 4:46 pm, Vick Khera wrote:

I reconfigured them to use geom mirror instead, and everything has
been much better since. The FreeBSD kernel does a fine job managing
the mirror all by itself.


We have some DL160s with the same B110i controller running as Linux KVM 
host machines, and like you, told the controller to treat the disks as 
basic drives and use the OS to manage the mirror (in our case using 
mdraid, but the principle is the same).


Agree that these pseudo-raid cards are not worth the time of day.

Incidentally, we also did some testing with some Dell PE2950s a while 
back (with 'proper' battery-backed hardware RAID controllers), and still 
ended up with considerably better performance by telling the controllers 
to treat the disks as just disks, then using mdraid in the OS. Also has 
the advantage that in the event of hardware failure, you can move the 
drives to any other system and still access the data - something that's 
not always an option if you're relying on a proprietary RAID layout.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] pfSense Book (Buechler / Pingle)

2014-04-13 Thread Chris Bagnall

On 13/4/14 4:25 pm, Adam Thompson wrote:

As to the liberated comment, let us know when you've figured out how
to make a completely open eReader that doesn't sell for $1000.


Nexus 7 + fbreader (freely available)?
Opens all the usual suspects (epub, mobi, pdf, etc.)

If you don't mind one of the 1st gen Nexus 7s, you can probably pick one 
up for sub-£100.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] successor to ALIX is here

2014-04-02 Thread Chris Bagnall

On 2/4/14 9:17 pm, Thinker Rix wrote:

Unfortunately again only 3 NICs... and Realteks with bad performance.
I would love to see such a board one day with at least 4-8 NICs.


On that subject, we've recently been experimenting with these:
http://linitx.com/product/jetway-jbc373-intel-atom-d525-barebone-system-quad-gigabit-lan/13700

Initial results seem promising, they've got a CF slot, and they're not a 
great deal more expensive than the ALIX units were.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] RDP port forward based on destination name.

2014-03-28 Thread Chris Bagnall

On 28/3/14 4:03 pm, Walter Parker wrote:

I'd love it if there was a simple solution, but I don't see one that would be
compatible with today's internet. Much of the original design of the
internet was for a 1 to 1 mapping of IP addresses, rather than a 1 to many
mapping (which is why there is usually a lack of a disambiguation field in
the protocol).


IPv6 :-)

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] RDP port forward based on destination name.

2014-03-27 Thread Chris Bagnall

On 27/3/14 8:17 pm, Walter Parker wrote:

That's what I would recommend. The VPN can serve as a second gateway to
protect the RDP from the outside world, so you could pitch this solution as
higher security method of network access.


This.

There seem to be lots of dictionary attacks against RDP servers these 
days, to the extent that even a server with strong passwords can still 
end up DOSing a connection because of the bandwidth required to reject 
the login attempts.


As an aside, does anyone know of something similar to fail2ban or 
denyhosts for Windows machines? :-)


Kind regards,

Chris
--
This email is made from 100% recycled electrons

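On the fail2ban-for-Windows question: here is the core of what fail2ban does, as an added example in Python (mine; not an existing Windows tool and not code from the thread). It keeps a sliding window of failed logons per source address, bans a source once it reaches a threshold inside the window, and lets bans lapse. The events are constructed; on a real host they would come from Security-log event 4625 ("An account failed to log on"), which carries the source network address, and the ban decisions would be pushed into the Windows Firewall. Those two integrations, and the thresholds, are assumptions of the example.

```python
"""A fail2ban-style brute-force detector for RDP logon failures.

Added example: sliding-window counting of failures per source with expiring
bans, run over constructed events. Feeding it real event 4625 records and
applying the bans in the Windows Firewall are left as assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # ban once this many failures ...
WINDOW = timedelta(minutes=10)   # ... land inside this window
BAN_FOR = timedelta(hours=1)

# Constructed sample: (timestamp, source address, account tried). Addresses are
# from the documentation ranges; the names are typical dictionary-attack guesses.
SAMPLE_EVENTS = [
    ("2014-03-27 20:00:01", "203.0.113.7", "administrator"),
    ("2014-03-27 20:00:03", "203.0.113.7", "admin"),
    ("2014-03-27 20:00:05", "198.51.100.20", "alice"),   # one typo from a real user
    ("2014-03-27 20:00:06", "203.0.113.7", "root"),
    ("2014-03-27 20:00:08", "203.0.113.7", "guest"),
    ("2014-03-27 20:00:11", "203.0.113.7", "test"),      # fifth failure in 10 s: ban
    ("2014-03-27 20:00:13", "203.0.113.7", "user"),      # already banned, ignored
    ("2014-03-27 20:05:00", "192.0.2.99", "bob"),
    ("2014-03-27 20:12:00", "192.0.2.99", "bob"),
    ("2014-03-27 20:19:00", "192.0.2.99", "bob"),
    ("2014-03-27 20:26:00", "192.0.2.99", "bob"),
    ("2014-03-27 20:30:00", "198.51.100.20", "alice"),
    ("2014-03-27 20:33:00", "192.0.2.99", "bob"),        # five failures, but spread over 28 min
]


def parse_stamp(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


class BruteForceDetector:
    """Sliding-window counter of failures per source, with expiring bans."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, ban_for=BAN_FOR):
        self.max_failures = max_failures
        self.window = window
        self.ban_for = ban_for
        self.recent = defaultdict(deque)   # source -> timestamps still inside the window
        self.banned_until = {}             # source -> when the ban lapses

    def observe(self, when, source):
        """Record one failed logon; return True when this failure triggers a ban."""
        if source in self.banned_until and when < self.banned_until[source]:
            return False                   # still banned; the firewall should be dropping it
        window = self.recent[source]
        window.append(when)
        while window and when - window[0] > self.window:
            window.popleft()               # forget failures older than the window
        if len(window) >= self.max_failures:
            self.banned_until[source] = when + self.ban_for
            window.clear()
            return True
        return False

    def active_bans(self, now):
        """Sources whose ban is still in force at 'now'."""
        return sorted(s for s, until in self.banned_until.items() if now < until)


def process(events):
    """Feed events (in time order) through a fresh detector.

    Returns ([(source, stamp_of_the_failure_that_triggered_the_ban), ...], detector).
    """
    detector = BruteForceDetector()
    bans = []
    for stamp, source, _account in events:
        if detector.observe(parse_stamp(stamp), source):
            bans.append((source, stamp))
    return bans, detector


if __name__ == "__main__":
    bans, detector = process(SAMPLE_EVENTS)
    for source, stamp in bans:
        print("ban %s at %s" % (source, stamp))
    print("still banned at 20:30:", detector.active_bans(parse_stamp("2014-03-27 20:30:00")))
```

The window matters as much as the threshold: the slow guesser at 192.0.2.99 never has more than two failures inside ten minutes and is not banned, which is the trade-off fail2ban's findtime/maxretry pair expresses too.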

Re: [pfSense] Android apps block

2014-03-24 Thread Chris Bagnall

On 24 Mar 2014, at 19:19, A Mohan Rao mohanra...@gmail.com wrote:
 I need to block WhatsApp, Facebook etc. Android apps for pfSense users.

Given that you seem to want to block everything under the sun (though I still 
don't understand why), how about doing it the other way round? Why not decide 
what you *do* want your users to be allowed to do, permit that, then deny 
everything else?

I can understand blocking things to keep bandwidth requirements down when you 
have a limited amount to go around, as Ryan's trying to do, but I can't see why 
you'd block something like Whatsapp, which seems to be (admittedly, I don't use 
it, so I could be mistaken) a text chat tool - its bandwidth usage is going to 
be negligible.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons



Re: [pfSense] Proxy filter

2014-03-21 Thread Chris Bagnall

On 20/3/14 8:42 pm, Rafael Akchurin wrote:

Maybe this will be of some help - 
http://sichent.wordpress.com/2014/02/22/filtering-https-traffic-with-squid-on-pfsense-2-1/


That approach does require that your users 'trust' the proxy and allow 
the necessary certificates.


It's all well and good if you're in a corporate or domestic setting 
where you have control over the clients in question, but it's not really 
an option if you're providing services to the general public.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Proxy filter

2014-03-20 Thread Chris Bagnall

On 20/3/14 7:14 pm, A Mohan Rao wrote:

I'm using Squid, SquidGuard and LightSquid for live reporting of the websites
users access, but pfSense does not read or show FTP server access logs.
I also tried, as a pfSense firewall client, going to other FTP sites and
downloading files, but the proxy filter tab does not show logs for my IP.
Please guide me on where I can watch FTP access logs.


I might be misunderstanding the issue here, but Squid is an HTTP proxy - 
it's not going to do anything to filter or proxy FTP traffic at all.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Proxy filter

2014-03-20 Thread Chris Bagnall

On 20/3/14 7:19 pm, A Mohan Rao wrote:

OK, thanks, but if I need to, how do I maintain FTP traffic logs?


Not really relevant to the question, I appreciate, but I can't think of 
a good reason why you'd want to do that, unless of course you're running 
the FTP server, in which case your FTP server should have that ability 
in its settings.


You might be able to do something using a span port on a switch and some 
clever logging rules, but that's outside my scope. Perhaps there's 
another pfSense package that'll do what you want?


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Proxy filter

2014-03-20 Thread Chris Bagnall

On 20/3/14 7:22 pm, A Mohan Rao wrote:

Also, I have been struggling to block HTTPS social networking sites like Facebook
etc. for the last 1 to 1.5 years. I used to block that domain through the DNS
Forwarder, but when a user uses OpenDNS it still works. Any idea would be very
helpful for me.


You might find it easier to block OpenDNS than blocking the site itself. 
If you were to add a LAN rule that blocks traffic on destination port 53 
to anything apart from the pfSense interface IP, you'll probably be able 
to block most external DNS services. That won't, of course, prevent 
users from tunnelling their traffic through VPN services and the like.


Though as I said in my earlier email, I'm not sure I understand why you 
want to block things so forcefully. User education (e.g. explaining to 
colleagues why it's inappropriate to access Facebook during work hours) 
nearly always works better than technical blocks.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Gateway Group / Failover WAN setup question

2014-03-11 Thread Chris Bagnall

On 11/3/14 6:48 pm, Justin Edmands wrote:

The current rules all read * for the Gateway. Do all of my current LAN,
OpenVPN, and IPSec rules need to be altered to include the Gateway as the
new Failover1 rule?


Those that rely on the WANs, yes. Rules to allow traffic to pass between 
your VPNs and LANs do not need the gateway to be changed. It's worth 
noting that incoming rules (i.e. WAN rules) should not have their 
gateway changed either.



Do I need to clone each and every rule to have:
rule 1 of 2 say WAN_FailoverGroup1
  -and-
rule 2 of 2 say WAN_FailoverGroup2


No - you don't want two copies of each rule. Assuming you've two 
connections: WAN1 and WAN2, you'd define a single gateway group - let's 
call it 'Failover1to2' for example. WAN1 would be Tier 1 and WAN2 would 
be Tier 2. You would then modify each outbound traffic rule to use 
'Failover1to2' as the gateway.


If both connections are similar speed/performance, you might want to do 
a little policy-based routing. You could define a second gateway group 
'Failover2to1' which reverses the tiers. This might be useful for 
traffic you want to keep off your 'main' WAN connection (I use this to 
send SIP and SSH traffic over the second WAN here, so that performance 
doesn't suffer when the primary connection is heavily loaded).


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Blocking based on MAC

2014-03-01 Thread Chris Bagnall

On 1/3/14 2:37 am, Ryan Coleman wrote:

I just checked google and the “best” solution from a few versions ago is to 
reserve the MAC IP to something out of range.
I’d like to find a “simple” way to do that for my customer. Is there a better 
way to block a MAC?


At the risk of thinking outside the box for a moment, isn't this 
something that might better be accomplished at the switch level using 
802.1x MAC authentication?


Blocking a MAC in pfSense will only prevent it from routing - it won't 
block it from the LAN, nor will it prevent a savvy user manually 
configuring a static IP on the device in question.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


[pfSense] Overzealous Multi-WAN state flushing

2014-02-17 Thread Chris Bagnall

Greetings list,

A few days ago I finally found time to upgrade my ageing pfSense 2.1-RC0 
at home to 2.1 final. Since that upgrade I've noticed that pfSense 
doesn't seem to be handling state killing on failed gateways very well.


A bit of background: I live in a rural location with poor broadband 
speeds, so I have 3 incoming ADSL connections which I feed into pfSense 
- WAN, WAN2 and WAN3. I then perform policy-based routing so that 
HTTP/HTTPS traffic goes out via WAN, SIP, mail and SSH out via WAN3, and 
everything else via WAN2. Of these 3 connections, WAN and WAN3 are 
pretty reliable, but WAN2 is much less so - an average of 2-3 
disconnections a day (less than 30 secs each time, but a disconnection 
nonetheless - I suspect it's an older copper pair than the other 2).


Shortly after upgrading to 2.1-release I noticed SSH terminal sessions 
would routinely drop every few hours. Checking the gateway logs, WAN3 
remains up throughout but WAN2 shows a disconnect at the time the SSH 
session drops. I've verified (by looking at connections on the remote 
box) that SSH is indeed using WAN3 as it should.


It looks like pfSense successfully detects the disconnect on WAN2, then 
basically flushes the whole state table (dropping the SSH sessions), 
rather than just flushing states involving WAN2.


I can work around the issue by ticking 'State Killing on Gateway 
Failure' on the Advanced page, but from my reading of the description, 
this will effectively prevent failover of any existing states if their 
gateway genuinely goes down.


I have checked the XML config from my 2.1-RC0 backup and this option 
definitely isn't enabled there, so I have to wonder if something's 
changed under the hood between -RC0 and -release.


Has anyone else encountered a similar issue? Suggestions gratefully 
appreciated.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Unbound

2014-02-15 Thread Chris Bagnall

On 15/2/14 6:22 pm, Brian Caouette wrote:

I've been trying to use unbound with poor results. Currently it resolves
very very slowly. About 4 times longer than the default DNS forwarder.
Once the site is found and loaded however browsing the site is
incredibly fast. Curious what might be the cause of the slow down on
initial lookup and how I might correct it?


OOI, what does Unbound offer you that the default DNS forwarder doesn't?

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Firewall Aliases: DNS resolving of domains broken

2014-02-14 Thread Chris Bagnall

On 14/2/14 3:37 pm, Thinker Rix wrote:

I had entered some domain names there in the past, which always
worked flawlessly.
Recently I changed ISP and since then the domain names are not resolved
anymore to IPs, so that the traffic using those aliases gets blocked by
the firewall.
When resolving the IPs manually via the pfSense logs, it works fine. But
for some reason pfSense can not resolve the domain names inside the
aliases anymore.
Has anybody got an idea what the fault could be?


Are you manually specifying the ISP resolvers in your config, and is it 
possible they're still set to the old ISP's config? Probably a question 
for the devs: is it possible that lookups for aliases use what's on the 
general config page rather than anything overridden by PPP/DHCP?


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Firewall Aliases: DNS resolving of domains broken

2014-02-14 Thread Chris Bagnall

On 14/2/14 4:48 pm, Thinker Rix wrote:

Any ideas what could be the problem?


Have you tried entering the DNS servers your ISP supplies via PPP or 
DHCP (look on the Status - Interfaces page, they should be listed on 
there) manually on the General settings page, then disabling DNS via 
PPP/DHCP?


You might need to restart to force the URLs to be looked up again...

Would be interesting to see what effect that has on things.

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Setting PPPoE MTU

2014-01-29 Thread Chris Bagnall

On 29/1/14 10:57 am, Brian Candler wrote:

My uplink is using PPPoE into a DSL router in bridged mode. The
connectivity is fine, but the MTU is 1492 and I would like to bump this
up to 1500 (assuming the router will take ethernet frames which are 1508
bytes).


I looked at this about a year ago when we started getting clients with 
FTTC connections here in the UK (which are basically VDSL), and at the 
time it looked like RFC4638 support (baby jumbos) wasn't supported in 
pfSense.


I've just done a quick search for 'pfSense RFC4638' and found this 
thread from May last year:

https://forum.pfsense.org/index.php?topic=61876.0

which seems to indicate that the underlying BSD support is now there. 
Whether that means 2.1 supports RFC4638 is something perhaps one of the 
devs can answer?


As an aside, I wonder if it might be possible to 'bodge' it by 
increasing MTU for the parent interface. So, looking at one of of my 
pfSense's, for example, the PPPoE interface is on vr2, so I'd create a 
new interface (after creating the PPPoE interface on WAN) called 
'WANModem', and given that interface an MTU of 1508. Then go back to the 
PPPoE WAN page and increase the MTU there to 1500.


Creating a 'WANModem' or similar interface also allows you access to the 
web interface on your DSL modem, which can be useful for checking line 
sync speeds and the like, which might otherwise not be visible to a 
PPPoE connection.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


[pfSense] Squid version for pfSense 2.1

2014-01-28 Thread Chris Bagnall

Greetings list,

I've recently been working on a project in which Squid would be beneficial.

So I thought a good starting point would be to try installing one of the 
pfSense Squid packages on my home pfSense, play around with the config, 
etc. before setting it up for the project in question. I note, however, 
that there are 3 separate Squid packages: squid, squid3 and squid3-dev, 
all of which say 'platform: 2.0'.


Which one is recommended for use with 2.1? I am not interested in using 
Squid in a filtering capacity (and certainly not wanting to go down the 
SquidGuard route) - I'm purely interested in Squid as a cache to improve 
(perceived) performance on low-speed links. I do not want to intercept 
SSL traffic.


Thanks in advance!

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Squid version for pfSense 2.1

2014-01-28 Thread Chris Bagnall

On 28/1/14 4:41 pm, Brian Caouette wrote:

I'm running the 3.x over here with no problems. I haven't really noticed
much of a performance gain however. I've been reading up on tweaking the
settings but so far our hit rate has only been 1-2%.


Thanks - I'll give that a try.

In this context, it's basically a method of caching things like Windows 
/ Apple updates for an IT company, especially when there are 4 or 5 
engineers all working on clients' machines simultaneously. Little point 
in downloading the same update for each machine over a ~2Mbps ADSL 
connection :-)



As for as SquidGuard I highly recommend it. The content filtering has
been unstoppable in our home. I challenged the kids to break it and so
far they've been stopped dead on all their typical porn sites. LOL


I'm far from convinced that censoring content is ever the answer, but 
that's an argument for another thread (and ultimately, your house, your 
rules :-) ).


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] MultiWAN with SSH

2013-12-13 Thread Chris Bagnall

On 13/12/13 5:48 am, Walter Parker wrote:

What do I need to do to get the firewall to use the COMCASTGW for responses
to packets sent to the COMCAST interface?


Unless you're using advanced outbound NAT, this should happen automatically.

You said:

I have a rule on the Comcast interface the allows all traffic , with the
destination of Comcast net and the Gateway set to COMCASTGW.


That's probably your problem. I am assuming your comcast net is 
configured as a WAN. Here's an example from my WAN2 rules at home:


  Proto: IPv4 TCP  Source: *  Port: *  Destination: WAN2 address  Port: 222  Gateway: *  Queue: none  Description: SSH - pfSense

(this is my rule to allow SSH on WAN2 to pfSense's IP)
You'll note 'gateway' is * - not WAN2GW.

As an aside, if you want to easily create incoming rules in a multi-WAN 
scenario, it's often worth creating an interface group called 'WANs' or 
similar, then creating your incoming rules in there - saves duplicating 
them across multiple interfaces, especially if you have 3 or more 
interfaces.



Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] MultiWAN with SSH

2013-12-13 Thread Chris Bagnall

On 13/12/13 1:12 pm, Jim Pingle wrote:

* Don't use interface groups or multi-interface floating rules for WAN rules


I stand corrected. You learn something new every day :-)

As an aside, is there any way to 'fix' this? On a system with 4 or 5 
WANs, the ability to define inbound rules that apply to every WAN 
interface would be extremely useful and save a great deal of duplication.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Traffic Graph: Not reflecting reality?

2013-11-07 Thread Chris Bagnall

We recently relocated and are waiting to get our primary connection
installed, so in the mean time we're on a 3Mb/0.75Mb DSL line. However,
pfSense often shows 6Mb/s coming out of the LAN during a download.

Same problem here.


I am not seeing incorrect traffic graphs in 2.1, and I am using VLANs 
(LAN has its own NIC, but 3 WANs run in VLANs off a single NIC).


I haven't noticed problems with traffic graphs on any of our clients' 
systems either (some of whom are running everything through a single 
port to a managed switch).


For those seeing incorrect stats, has anyone tried slurping the data 
into Cacti or similar via SNMP, and does that also show incorrect figures?


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall

On 6/11/13 7:11 am, Thinker Rix wrote:

Unfortunately the motherboards I plan to buy support only the
above-mentioned CPUs.
- Pentium
- 4th generation core i3
- Xeon E3-1200 v3


If your board supports a Core i3, it is *very* unlikely that it won't 
also support the i5 of the same generation (i.e. socket 1155, Sandy/Ivy 
Bridge cores) - given that i3 - i5 - i7 is an easy performance 
differentiator for system integrators, who will likely be using the same 
board across their range.


Out of interest, any reason you're not looking at the newer Haswell core 
chips (i.e. socket 1150) - from what I've read their power consumption 
is a fair bit lower than previous Sandy/Ivy Bridge cores?


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-11-06 Thread Chris Bagnall

On 6/11/13 12:30 pm, Eugen Leitl wrote:

Anyone running pfSense on a HP Microserver G8?


I have - in the past - had it running on a G5 and a G6 if that's any help.

One of our clients is using it on a G7.

lspci on both mine show:
Broadcom Corporation NetXtreme BCM5723 Gigabit Ethernet PCIe (rev 10)

Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Question on FW log entries

2013-11-03 Thread Chris Bagnall

On 3/11/13 3:27 pm, Peder Rovelstad wrote:

Just a quick question for anyone who cares to reply, something I can't
figure out.  I have the default LAN - Any rule active on the LAN
interface, but I often see block entries such as those attached, in this
case from my kid's iPad to Google.   Other times I see blocks from internal
hosts to servers like Akamai, for example.  If the Any rule is active, why
would I see blocks?  Thanks for reading.


I too would be interested in this. It does seem to be specifically 
traffic going towards Google, and not general HTTP/HTTPS traffic to 
Google search - it seems to be specifically sync services and the like - 
in my case the source is nearly always either my Nexus 4 or Nexus 7.


Here's a snippet of my logs from the last few minutes:
Nov 3 15:31:36  LAN  Default deny rule IPv4 (@3)  10.10.0.122:42880  173.194.66.103:443  TCP:FPA
Nov 3 15:31:35  LAN  Default deny rule IPv4 (@3)  10.10.0.121:52018  173.194.66.106:443  TCP:FPA
Nov 3 15:31:21  LAN  Default deny rule IPv4 (@3)  10.10.0.122:54125  173.194.41.71:443  TCP:FPA


(N7 is on .121, N4 is on .122)

If it's relevant, Google sync, app store, etc. seems to work fine with 
both devices in question.


Kind regards,

Chris
--
This email is made from 100% recycled electrons
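As an added example (not from the thread or from pfSense itself), here is a small triage script for block entries like the ones quoted above. It assumes the tab-separated layout the 2.1 firewall log view uses (timestamp, interface, rule, source, destination, proto:flags); the sample lines are constructed, and the fourth line with a 198.51.100.9 destination is made up for contrast. The rule it applies is the usual one for this symptom: a TCP block whose flags carry no SYN (FPA, FA, RA and so on) cannot be a refused new connection, since only a SYN can open a state under a "LAN -> any" pass rule, so such entries normally mean the packet turned up after the connection's state had already closed or expired. A block with SYN set is a genuinely refused connection and is the kind worth investigating.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the pfSense 2.1 firewall log view
# quoted in the thread. The last line (198.51.100.9, a documentation address)
# is made up to show a refused new connection alongside the stray-packet blocks.
SAMPLE_LOG = """\
Nov 3 15:31:36\t LAN\tDefault deny rule IPv4 (@3)\t10.10.0.122:42880\t173.194.66.103:443\tTCP:FPA
Nov 3 15:31:35\t LAN\tDefault deny rule IPv4 (@3)\t 10.10.0.121:52018\t 173.194.66.106:443\tTCP:FPA
Nov 3 15:31:21\t LAN\tDefault deny rule IPv4 (@3)\t 10.10.0.122:54125\t 173.194.41.71:443\tTCP:FPA
Nov 3 15:30:02\t LAN\tDefault deny rule IPv4 (@3)\t 10.10.0.50:44211\t 198.51.100.9:22\tTCP:S
"""

# Fields are separated by tabs, sometimes with a stray space, so \s+ is used.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<rule>.+?\(@\d+\))\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    entry["flags"] = entry["flags"] or ""
    return entry


def classify(entry):
    """Triage one blocked packet.

    'new-connection': TCP with SYN set and ACK clear, i.e. a connection attempt
        the ruleset actually refused. Worth a look.
    'out-of-state': TCP without SYN (FIN/PSH/ACK, RST, ...). Such a packet cannot
        create a state, so with a pass-any LAN rule it is almost always a late
        packet for a connection whose state was already closed or timed out.
    'non-tcp': anything else; no flag-based inference is possible.
    """
    if entry["proto"] != "TCP":
        return "non-tcp"
    flags = set(entry["flags"])
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"


def summarize(log_text):
    """Count blocked packets per triage class and per (source host, class)."""
    by_class = Counter()
    by_src = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not firewall log entries
        verdict = classify(entry)
        by_class[verdict] += 1
        by_src[(entry["src"], verdict)] += 1
    return by_class, by_src


if __name__ == "__main__":
    classes, per_src = summarize(SAMPLE_LOG)
    print(dict(classes))
    for (src, verdict), n in sorted(per_src.items()):
        print(f"{src:<16} {verdict:<15} {n}")
```

Run against a copy of the log view pasted into a file, the per-source table makes it obvious whether a host is generating real refused connections or only the out-of-state tail of closed sessions; on the constructed sample, the three quoted entries all fall into the second group and only the made-up port 22 attempt is a real block.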


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall

On 24/10/13 5:30 pm, Thinker Rix wrote:

I want to have:
- full Gigabit wire speed between the DMZ and the LAN zone (i.e. 2x
Gigabit at max)


Would have thought you'd be fine here.


- full 450Mbps between the WLAN and pfsense


Even with 450Mbps *radios* I'd be amazed if you get more than ~80Mbps 
out of your WLAN. Not a pfSense limitation, just a reality of WLAN 
claimed radio speeds. I generally expect to see ~55-65Mbps out of 2x2 
radios, so ~80Mbps out of 3x3 is probably realistic.


Unless you're in a really isolated area, using an 80MHz channel (which 
is what you'd need for 450Mbps radio speed) will slaughter spectrum 
availability for your neighbours. Short of really needing that speed, 
try to stick with 20MHz channels where possible. And if you're in a very 
congested WiFi area, you may even get better speeds out of 20MHz (much 
easier to find one free 20MHz channel than a free 80MHz channel).



- maximal VPN speed without speed break due to hardware limitations,
i.e. as near to wire speed as possible


Depends on your choice of crypto algorithm and whether you can do it in 
hardware.



1. Would the Core2Duo CPU be sufficient for my requirements or should I
choose the 2,4 GHz Quad-core, the 2,89 GHz-Quad-core or maybe even a
more powerful CPU or totally different setup?


When I was deploying a Quagga-based BGP setup in a datacentre a couple 
of years ago, the general consensus was that cores are more important 
than raw clock speed - so 4x2.4GHz is better than 2x3.4GHz - at least 
when using multiple interfaces. This was, however, with Linux hosts. One 
of the nice things about those Intel server cards is the ability to lock 
NIC affinity to CPUs/cores, so you can effectively task a core to one or 
more NIC ports.


Hopefully others will chime in as to whether the same is true with 
FreeBSD - I seem to recall there were SMP/multi-core efficiency issues 
with earlier FreeBSD versions - hopefully those have been ironed out by now.



2. Is there any other bottle neck that will prevent my performance
requirements?


Bonding is not a guarantee of doubled speeds. In my experience, bonding 
2 gigabit NICs will generally yield around 1.2-1.4Gbps raw throughput. 
You are very unlikely to get 2Gbps. Bonding is more about redundancy 
(failover) than throughput at this level. If you really need 1Gbps, 
you're going to have to consider 10GE kit.



3. When bonding the NICs, I was planning to use a port on each of the
PCIe cards so to have a little bit of redundancy should an expansion
card fail. Will there be significant performance losses due to this
spread over 2 expansion cards, so that it would be much better to bond
two NICs that live on the same expansion card and forget about the
additional redundancy?


No, I agree that bonding 2 ports on separate cards is the best option.

You're already thinking redundancy with the multiple NIC considerations, 
but in my experience, NICs don't really fail that often - at least not 
compared to fans, power supplies and other PC components. Consider 
whether a 2x pfSense cluster in CARP might be more to your needs if 
redundancy/failover is a critical requirement.


Looking at your hardware again, you've specced 12 NICs, but from what I 
can see from your config, you only need 8 (2 VDSL ports, 2 bonded ports 
for LAN, 2 bonded ports for DMZ, (assuming) 2 bonded ports for WLAN).



4x on-board Realtek 8111C Gigabit NICs


Personally I'd spec a board that has Intel or Broadcom NICs - the 
Realtek ones are just rubbish by comparison. There is no shortage of 
boards with 2 Intel NICs on them these days. Look at some of the 
Intel-manufactured boards rather than third parties - they nearly always 
have Intel NICs. A few years back I used lots of DG965RY boards (Intel 
NIC, onboard video, so ideal for server environments).



PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA
disks RAID5


Given pfSense uses 1GB space, why? A little SSD on the chipset's native 
SATA controller should be fine (see above, use CARP for redundancy).


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall

On 25/10/13 12:02 am, Thinker Rix wrote:

Ok, I see. Does this change with a router that has a Gigabit-NIC to
connect with pfSense, or isn't that the bottle neck?


I've never encountered even a 100Mbps NIC being a wireless bottleneck at 
2.4GHz. The limitation is effective throughput through the wireless 
radios. Granted, you can get well over 100Mbps using licensed 
frequencies, but in the unlicensed 2.4 and 5GHz spectrum you are 
unlikely to get 100Mbps (you might just manage it in a rural area with 
no other nearby spectrum users).



I will use a 802.11n router with 3 antennas that is able to operate
simultaneously in the 2,4 GHz and 5 GHz band, so it advertises up to
900Mbps (i.e. 450 Mbps in the 2,4 + 450 Mbps in the 5 GHz band) - I do
not know if it is able to use 80 MHz channels, but I read at wikipedia
that this is only available for the new 802.11ac generation and not for
the 11n that I own. Is that correct?


I suppose theoretically with 3 radios in the 2.4GHz spectrum and 3 in 
the 5GHz spectrum (so 6 radios total) you could potentially push higher 
speeds (possibly ~160Mbps total across both spectra).



Could I tweak an 11n to use 80 MHz channels, e.g. by using an
alternative firmware on the router such as dd-wrt?


I think with 3 radios, you could potentially use 60MHz across 3 
channels, though you will need to be very careful (especially at 5GHz) 
to make sure the frequencies you're using are legal - the 5GHz spectrum 
is complicated - bands A, B and C have different regulations and 
allowable power levels.



Ok, but which of the 3 CPUs that I have at my disposal would you choose
so to meet my requirements?


Well, if you've all 3 at your disposal and nothing else to do with them, 
then go with the fastest (2.93GHz quad core). It is, however, probably 
overkill (not that that's always a bad thing).



is FTP via dual WAN possible in the mean
time or is there still the restriction of using only one uplink


You should be able to use both, though assuming your 2 VDSLs have 
separate external IPs, you'll need to perform something like DNS load 
balancing on the A/ records to ensure external connections are 
spread amongst both connections.



So my question is: Ok, 2x Gigabit != 2 Gigabit. But do you think that it
will yet help to contribute to my objective to add a second channel to a
bond so that there will be 2x Gigabit = 1 Gigabit for the user
transferring bulk traffic plus additional 0,2-0,4 Gigabit for additional
VoIP, browsing, etc., or is it senseless to do that this way?


QoS often falls down because the speed of the connection you want to 
perform QoS over fluctuates (often *DSL WAN links). On a link where you 
can guarantee the speed will be constant, this probably isn't an issue. 
I'd probably perform QoS at the switch level (up-priority your VoIP 
VLAN, for example): this takes load away from pfSense and gives the 
switch something to do.


Taking a step back for a moment, it looks like your biggest limitation 
is going to be your upstream WAN bandwidth long before your LAN/DMZ 
bandwidth becomes an issue.



PCIe 3ware 9650SE RAID Controller with 2 SATA disks RAID0 or 3 SATA
disks RAID5

Is pfSense immune against sudden power losses, system crashes, media
surface failures, e.g. because it has read-only file systems or
something similar, so that adding RAID, parity, BBU, etc. is never
needed?


No, disk failure is a risk in any system.

However, I am pointing out that there's little point in spending large 
sums on redundant disks, NICs, etc. when you're relying on a consumer 
desktop motherboard as a single point of failure. Much better to spec 2 
lower cost systems and run them in CARP (or even warm spare, if you 
aren't comfortable with CARP yet).



As I have a RAID controller and
disks on stock I could use them without any cost


If they're going to cost you nothing, then I'd go with a pair in RAID1 
(not RAID0). RAID5 is pointless in this context: P(array failure) with 3 
disks in RAID5 is no better than a pair in RAID1.


Kind regards,

Chris
--
This email is made from 100% recycled electrons
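As an added worked calculation (not part of the thread), the RAID1 versus RAID5 comparison in the reply above can be made concrete. Assume, for illustration, that each disk fails independently with the same probability $p$ over the period of interest. A two-disk RAID1 mirror is lost only when both disks fail; a three-disk RAID5 array is lost when any two or more of the three fail:

$$P_{\text{RAID1, 2 disks}} = p^{2}$$

$$P_{\text{RAID5, 3 disks}} = \binom{3}{2}\,p^{2}(1-p) + p^{3} = 3p^{2} - 2p^{3}$$

$$\frac{P_{\text{RAID5, 3 disks}}}{P_{\text{RAID1, 2 disks}}} = 3 - 2p \approx 3 \qquad (p \ll 1)$$

So under the independence assumption a three-disk RAID5 is roughly three times as likely to lose the array as a mirrored pair, which is why the extra disk buys capacity (two disks' worth instead of one) rather than resilience, and capacity is irrelevant for an install this small.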


Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-24 Thread Chris Bagnall

On 24/10/13 7:31 pm, Adam Thompson wrote:

If I upgraded to a better-quality unit, or switched to licensed
spectrum, I could probably eliminate the variability and increase speed
simultaneously.


Indeed, we have Ubiquiti kit running point to point links in the 5GHz 
unlicensed spectrum (band C) over around 18km which deliver ~65Mbps 
throughput. I think our distance record is just shy of 68km.



Within the Ubiquity line, the AirFiber apparently would get me to
~99.99% reliability at ~600Mbps, or ~99.9% reliability at ~1Gbps. Still
using unlicensed spectrum, using the built-in directional antennas.


Do check the 24GHz spectrum rules carefully in your jurisdiction - 
certainly here in the UK the 24GHz unlicensed spectrum is limited, and 
only allows fairly low power without a licence.



I do not have personal
experience with Alvarion, but I can unreservedly recommend Dragonwave.


I'd add Motorola Orthogon kit to that list, based on some offshore 
experience with it a few years ago.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] naive suggestion: conform to US laws

2013-10-11 Thread Chris Bagnall

On 11/10/13 2:37 pm, Seth Mos wrote:

And which country would that be? I mean the British MI4? tapped the
Belgian telecom network for over a year to listen in to the EU politicians...


Who is this MI4 of whom you speak? :-)

In very broad terms, UK to USA equivalents would be as follows:

GCHQ = NSA
MI5 = FBI (though the FBI has a much wider remit)
SIS (sometimes erroneously referred to as MI6) = CIA

On 11/10/13 2:37 pm, Seth Mos wrote:

In .NL all large ISPs have a mandatory wiretap in place that stores
datetime stamped headers of the internet traffic for discovery purposes
from the authorities. The best part of this, it is paid for by the
customers, since the ISP needs to pay for the system and storage.


There have been attempts to do similar in the UK, but ISPA (our industry 
body) has fought pretty hard against it. It seems to have died for now, 
but I've no doubt that future governments (or home secretaries) will try 
and resurrect it at every possible opportunity.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?

2013-10-10 Thread Chris Bagnall
I've deliberately stayed out of the political discussion, but I'm interested in 
this more technical discussion…

On 10 Oct 2013, at 14:50, Giles Coochey gi...@coochey.net wrote:
 2. Cipher Selection - we're not all cryptanalysts, so statements like 'trust 
 the math' don't always mean much to us. Given the reports in the media, what 
 is considered a safe cypher? I recently switched from AES-256 to 
 Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group 5, 
 and I reduced my SA lifetimes from 28800 to 1800. Could that be considered 
 overkill?

I believe there were discussions about 18 months ago to the effect that a 
weakness (cryptanalysis rather than brute force) had been discovered in SHA1, 
so going up to SHA512 can't be a bad thing.

You might want to look at RIPEMD160 (and derivatives) as well - very different 
development model from SHA derivatives, which you may or may not find more 
comforting.

What made you change from AES to Blowfish, and is there any evidence to suggest 
that Blowfish is more 'secure' than AES?

It's worth mentioning here that AES acceleration is well supported in hardware 
(even low-power platforms like the ALIX embedded boards have AES acceleration), 
whereas Blowfish will likely be done entirely in software.

 3. pfSense - In general do you consider pfsense secure??

pfSense is, essentially, a very well put together collection of other packages. 
The question isn't so much whether pfSense itself is 'secure', but whether 
those other packages which make up the security portions of pfSense (pf, 
OpenVPN, even FreeBSD itself) are themselves secure. Those are probably 
questions better aimed at the developers of those packages.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons


