Confessions of a pfSense Newbie ...

If one makes a local version of a system configuration file, e.g. loader.conf -> loader.conf.local, is the original file loaded first and then the code in the local version, or just the local version?

Ole

loader.conf.local will take precedence over loader.conf, and will preserve changes across upgrades...
 
Not sure - but what was interesting - after I added those two lines, the nmbclusters line was added by pfSense (or FreeBSD perhaps?) - which does make a difference for the Intel driver...

Code:
$ less /boot/loader.conf.local
kern.cam.boot_delay=10000
kern.ipc.nmbclusters="1000000"
legal.intel_ipw.license_ack=1
legal.intel_iwi.license_ack=1
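To make the precedence answer above concrete, here is an added example (not code from the thread, pfSense or FreeBSD) that emulates how the boot loader reads its config files. It assumes the documented default order in /boot/defaults/loader.conf, where loader_conf_files lists loader.conf before loader.conf.local: both files are read, and a later assignment to the same variable wins, which is why a setting in loader.conf.local survives an upgrade that rewrites loader.conf. The two files it builds contain constructed sample values.

```shell
# Added example, not from the thread: emulate how the FreeBSD boot loader
# merges its config files. Assumption: loader_conf_files reads loader.conf
# first and loader.conf.local second, so both are loaded and a later
# assignment to the same variable overrides the earlier one.

# Print the effective variables after reading the given files in load order.
effective_loader_vars() {
  awk -F= '
    /^[[:space:]]*#/ { next }                     # skip comment lines
    /^[[:space:]]*$/ { next }                     # skip blank lines
    {
      key = $1
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      val = substr($0, index($0, "=") + 1)        # keep any "=" inside the value
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      gsub(/^"|"$/, "", val)                      # loader.conf values may be quoted
      if (!(key in seen)) order[++n] = key        # remember first-seen order
      seen[key] = val                             # later files override earlier ones
    }
    END { for (i = 1; i <= n; i++) printf "%s=%s\n", order[i], seen[order[i]] }
  ' "$@"
}

# Look up one effective variable by name, e.g. kern.ipc.nmbclusters.
effective_loader_var() {
  name=$1; shift
  effective_loader_vars "$@" | awk -F= -v k="$name" '$1 == k { print substr($0, length(k) + 2) }'
}

# Demo with two constructed files (sample values, not a real system's config).
demo_loader_precedence() {
  d=$(mktemp -d)
  printf '%s\n' 'autoboot_delay="3"' 'kern.ipc.nmbclusters="262144"' > "$d/loader.conf"
  printf '%s\n' '# local overrides survive pfSense upgrades' \
                'kern.ipc.nmbclusters="1000000"' 'kern.cam.boot_delay=10000' > "$d/loader.conf.local"
  effective_loader_var kern.ipc.nmbclusters "$d/loader.conf" "$d/loader.conf.local"
  rm -rf "$d"
}

demo_loader_precedence   # prints 1000000: the .local value wins, autoboot_delay stays set
```

Run it against the real files with `effective_loader_vars /boot/loader.conf /boot/loader.conf.local` to see exactly which value the loader will end up with when both files set the same tunable.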

Thanks for the tip. Both routers are running perfectly... particularly now at the business side with fibre.
 
I can't speak for the software, but the hardware is not worth anywhere close to $349USD on this 'kit'.

Actually, if one looks at the build quality and capabilities - it's pretty much the same price as building out a MicroATX box with the same processor and ethernet NICs...

Comparing the J1900 to the C2358 is like comparing a Core i7 to a Xeon - combine that with AES-NI and the Intel i350 series 4-port ethernet interface - it's a different animal - purpose-built for communications and networking...

So, yes, you might see this as a "kit", but it's a fairly powerful device with the right setup - and one is not locked into pfSense, it'll pretty much run any of the x86 oriented distros out there.

Netgate doesn't have huge production runs compared to consumer Router/AP's, so yes, the development cost is priced into the box...

I'm sure you'd have a different perspective if it had an Asus logo on the box, and ran AsusWRT...

Anyways, it's all good - different people have different needs, and I respect/appreciate your perspective...
 
The vnstat package on pf 2.3.2 is pretty handy if tracking against carrier caps...

I'm nothing if not consistent :D

[Attachments: two screenshots dated 2016-12-03]
 
> I can't speak for the software, but the hardware is not worth anywhere close to $349USD on this 'kit'.

For some it might... check the numbers...

OpenVPN fans might appreciate this - numbers well beyond normal BHR's...

Code:
openssl speed -evp aes-128-cbc
Doing aes-128-cbc for 3s on 16 size blocks: 723082 aes-128-cbc's in 0.36s
Doing aes-128-cbc for 3s on 64 size blocks: 690868 aes-128-cbc's in 0.41s
Doing aes-128-cbc for 3s on 256 size blocks: 595815 aes-128-cbc's in 0.30s
Doing aes-128-cbc for 3s on 1024 size blocks: 387478 aes-128-cbc's in 0.22s
Doing aes-128-cbc for 3s on 8192 size blocks: 89002 aes-128-cbc's in 0.02s
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      32192.87k   106784.73k   513780.68k  1813839.87k 31108453.72k

openssl speed -evp sha256
Doing sha256 for 3s on 16 size blocks: 1740235 sha256's in 2.99s
Doing sha256 for 3s on 64 size blocks: 1098165 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 515939 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 165326 sha256's in 2.99s
Doing sha256 for 3s on 8192 size blocks: 22534 sha256's in 3.00s
OpenSSL 1.0.1s-freebsd  1 Mar 2016
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256            9305.49k    23427.52k    44026.79k    56578.61k    61532.84k
 
According to Jim Salter, "pfSense is pretty... tweaky. I've actually been hammering at it on various hardware off and on for a couple of months now, and it's frustratingly inconsistent." He rated OpenWrt to be superior to it, DD-Wrt, & curated vendor builds. "I would recommend OpenWRT to anybody looking for high raw throughput numbers."

ref: https://arstechnica.com/gadgets/201...build-faces-better-tests-tougher-competition/
 
> According to Jim Salter, "pfSense is pretty... tweaky. I've actually been hammering at it on various hardware off and on for a couple of months now, and it's frustratingly inconsistent." He rated OpenWrt to be superior to it, DD-Wrt, & curated vendor builds. "I would recommend OpenWRT to anybody looking for high raw throughput numbers."

That's Jim's opinion, and that's ok...

He's working with a QOTOM J1900 box, and that's not going to be useful moving forward as it does not support AES-NI.

He makes a good point about being "tweaky" - pfSense is not the first choice for someone whose job description doesn't have networking at the top - but with tuning, it's a very good platform. I use it, I recommend it, but with the caveats that pfSense eats babies, and there are a lot of ways to shoot oneself in the foot.

Should note that Netgate did fund much of the ARMv7 development for FreeBSD, and that's a big deal.

OpenWRT - I have nothing but great things to say about OpenWRT - it's more approachable to the person whose job title does not include networking, and they've done a great job at supporting many architectures and SoC vendors.
 
I wish they had released the book back when I was playing with pfSense. I gave up on pfSense since I don't think it works best with a layer 3 switch. The pfSense folks really want pfSense to control everything and not allow the layer 3 switch to take over for local routing, VLANs and DHCP with a division of duties.

I never did try OpenWRT. It will be on my list if I ever venture back into a PC based router.

Jim's Homebrew looks very interesting and I would like to try it sometime if I can make it work without DHCP on the LAN side but with it on the WAN side. His little tutorial seems to skip the WAN side DHCP. I wonder what else it skips. I would also need routing for all my LAN based networks on my layer 3 switch. I have no idea how to integrate ACLs to work with iptables, which I need. The other thing I would need is static DNS entries with some kind of DNS cache. Now that I think of all this, it is probably beyond my skill set. I am not sure Jim's tutorial includes lots of these features. A stripped down router with less code would make it faster in a test, to my way of thinking. I do like his testing; it hits home with weaknesses in small routers.
 
The other day I read a little bit more of the story of OPNsense breaking from pfSense. Personally I would give OPNsense a try if I venture into xxSense.

Linux is fantastic and I'm familiar with it. For a router, especially in a SOHO environment, the kernel provides most of the networking functionality. There, Linux is getting very exciting with new network features. So I would likely stay with a Linux router.
 
> The other day I read a little bit more of the story of OPNsense breaking from pfSense. Personally I would give OPNsense a try if I venture into xxSense.
>
> Linux is fantastic and I'm familiar with it. For a router, especially in a SOHO environment, the kernel provides most of the networking functionality. There, Linux is getting very exciting with new network features. So I would likely stay with a Linux router.

I looked into OPNsense as well. However, on my pfSense box, I heavily rely on the pfBlockerNG package for ad blocking and to create my IPv4 lists for selective routing. Last time I looked, there was no equivalent package in OPNsense.
 
> I looked into OPNsense as well. However, on my pfSense box, I heavily rely on the pfBlockerNG package for ad blocking and to create my IPv4 lists for selective routing. Last time I looked, there was no equivalent package in OPNsense.

If it's not there, build it yourself and release it to the community. I had the impression you're attempting to start a little enterprise of some sort :)

A long while back someone on the pfSense forum asked the maintainer of pfBlockerNG to add support for pixelserv-tls. First she asserted pixelserv-tls is a MITM attack. Then she assured her audience that "under her watch she won't allow blah to happen".

I wasn't aware of the discussion until months or years later, when I bumped into it while doing a Google search.

Seriously though, pfSense uses Unbound for DNS. Unbound is a very bad choice for adblock, but pfBlockerNG has to use it. So it's wise to move away from it.
 
> I wish they had released the book back when I was playing with pfSense. I gave up on pfSense since I don't think it works best with a layer 3 switch. The pfSense folks really want pfSense to control everything and not allow the layer 3 switch to take over for local routing, VLANs and DHCP with a division of duties.

pfSense works great as a GW - and it does offer the VLAN support.

In my instance - I moved all the VLAN's over to a Layer 3 switch - DHCP was kept on pfSense, and there, it's pretty flexible.
 
> If it's not there, build it yourself and release it to the community. I had the impression you're attempting to start a little enterprise of some sort :)
>
> A long while back someone on the pfSense forum asked the maintainer of pfBlockerNG to add support for pixelserv-tls. First she asserted pixelserv-tls is a MITM attack. Then she assured her audience that "under her watch she won't allow blah to happen".
>
> I wasn't aware of the discussion until months or years later, when I bumped into it while doing a Google search.
>
> Seriously though, pfSense uses Unbound for DNS. Unbound is a very bad choice for adblock, but pfBlockerNG has to use it. So it's wise to move away from it.

Unbound is fine as a DNS... but you don't have to use it - dnsmasq is there if one doesn't want unbound.

All the GW/DNS based AdBlocker tech is essentially MITM, and pixelserv-tls can be considered suspect to some, just like pfBlockerNG and others (Pi-hole for example) - don't get me wrong, I understand the intents there... but that's a rat hole outside of this thread.
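The Unbound-versus-dnsmasq point in the last few posts comes down to what a DNS-based blocker actually writes into the resolver, so here is an added example (not pfBlockerNG's, pfSense's or the thread's own code) that turns one plain domain list into equivalent Unbound and dnsmasq configuration. It assumes 0.0.0.0 as the sinkhole address, which is the value a pixelserv-style setup would replace with the LAN IP of the pixel server; the feed it processes is a constructed sample with deliberate duplicates, padding and comments, and the SINKHOLE, normalize_blocklist and blocklist_to_* names are this example's own.

```shell
# Added example, not pfBlockerNG's or the thread's code: turn a plain domain
# blocklist into resolver config for Unbound (pfSense's default resolver) and
# for dnsmasq (the alternative mentioned above). Assumption: 0.0.0.0 is the
# sinkhole; a pixelserv-style setup would set SINKHOLE to the pixel server's
# LAN address instead so blocked hosts return an empty pixel.
SINKHOLE="${SINKHOLE:-0.0.0.0}"

# Constructed sample feed: the comments, padding and duplicates are deliberate.
SAMPLE_BLOCKLIST='# example feed, not a real list
ads.example
  Tracker.example.net   # inline comment
ads.example

tracker.example.net'

# stdin: raw feed -> stdout: one lower-cased, de-duplicated domain per line
normalize_blocklist() {
  awk '{ sub(/#.*/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, ""); if ($0 != "") print tolower($0) }' | sort -u
}

# Unbound: a "redirect" local-zone answers the name and every subdomain with our A record.
blocklist_to_unbound() {
  normalize_blocklist | awk -v ip="$SINKHOLE" '{
    printf "local-zone: \"%s.\" redirect\n", $0
    printf "local-data: \"%s. A %s\"\n", $0, ip
  }'
}

# dnsmasq: address=/domain/ip likewise covers the domain and all of its subdomains.
blocklist_to_dnsmasq() {
  normalize_blocklist | awk -v ip="$SINKHOLE" '{ printf "address=/%s/%s\n", $0, ip }'
}

printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_to_unbound
printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_to_dnsmasq
```

Whichever resolver you feed, the result is the same kind of answer rewriting the thread is arguing about: the resolver returns an address of your choosing instead of the real one, so it is worth checking the generated file (and the size of the feed) before reloading the resolver.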
 
> Unbound is fine as a DNS... but you don't have to use it - dnsmasq is there if one doesn't want unbound.

Unbound is great as a DNS resolver. I'm using it myself. But it's a very bad choice for adblock. Most pfSense users use the default, which is Unbound. I haven't checked pfBlockerNG in detail, but I doubt that it supports dnsmasq.

> All the GW/DNS based AdBlocker tech is essentially MITM, and pixelserv-tls can be considered suspect to some, just like pfBlockerNG and others (Pi-hole for example) - don't get me wrong, I understand the intents there... but that's a rat hole outside of this thread.

You don't get the punch line. The maintainers of pfBlockerNG / Pi-hole use a DNS resolver for adblocking, which is MITM by their own definition (as well as by your definition, in some sense). On the other hand, they accuse a little helper such as pixelserv-tls of being MITM. That could only mean one thing... they don't get what MITM is, or they selectively choose to be blind.
 
> You don't get the punch line. The maintainers of pfBlockerNG / Pi-hole use a DNS resolver for adblocking, which is MITM by their own definition (as well as by your definition, in some sense). On the other hand, they accuse a little helper such as pixelserv-tls of being MITM. That could only mean one thing... they don't get what MITM is, or they selectively choose to be blind.

Oh, I totally get it - like I said - all these GW based items are MITM - some are on a slippery slope, but it is what it is. Yes, ads are a problem, not just from an annoyance perspective, but also a security view...
 
> pfSense works great as a GW - and it does offer the VLAN support.
>
> In my instance - I moved all the VLAN's over to a Layer 3 switch - DHCP was kept on pfSense, and there, it's pretty flexible.

Which switch are you using? Your DHCP statement makes no sense to me; it says to me your layer 3 switch is running as layer 2, which means you are not running a layer 3 switch, so calling it that is confusing to readers. It is not called a layer 3 switch if you don't run it that way.

Without the VLAN definitions on pfSense, how are you using pfSense for DHCP? When you run your switch as layer 3, the network VLANs are only defined on the switch, and pfSense will not be aware of or care about the network VLANs on the switch, other than having a static route statement pointing to the layer 3 switch so packets can be forwarded. You could also use a routing protocol, but I doubt your network gear is that sophisticated. And routing protocols don't work that well on pfSense, from my reading.
 