Amazon still offers a $0.00/hour tier for t2.micro for a year.
There is now a $0.01/hour t2.~~micro~~nano instance for pfSense on AWS. That's $7.20/mo for VPN where you control both ends.
(We'd have done $0.00/hour, but we weren't (then) at the right partner level. We've cleared that hurdle, and paid the fees, but it hasn't wound through the AWS maze as yet.)
I use Private Internet Access (PIA) with my pfsense setup to encrypt all my traffic on all devices in my network. PIA is not expensive and the speeds are good. There are a few guides online about how to set up PIA in pfsense. They are pretty straightforward if you find a good one.
The only problem with PIA is that Netflix and Hulu block you. What you can do to get around this is have certain IPs on your network go through the WAN instead of the VPN interface you will create. I do this for my Apple TV and PS4 for example.
> when you talk about pfSense you're really talking about the UI atop freeBSD.
Many people have this opinion, all of them are wrong. There are actually a lot of patches to FreeBSD base and some of the packages, in addition to the GUI. The "GUI" is also the configuration layer (the same PHP runs both).
In answer to OP: yes, there has been a fair amount of attention on the PHP GUI in the last year. You can see where people have reported bugs, we've fixed them, and made new releases.
This worked for me in pfSense without throwing any errors:
Done.
I got one of these and it NATs traffic at 360 mbps (my line speed) with about 2-3% CPU usage with Snort + pfBlockerNG. OpenVPN also runs at line speed of 360 mbps at 15% CPU usage. I feel like the i7-7200U would handle gigabit speeds.
https://www.amazon.com/Qotom-Q555G6-S05-Qotom-Industrial-Barebone-Computer/dp/B07KM7YY4Y/
You really don't want your router doing wireless, it is preferable to have a dedicated Access Point (AP) doing wireless. Unfortunately what people think of "routers" now are actually three devices in one, they are a router, switch (multiple lan ethernet ports), and access point (wireless). Personally I feel the combo devices do a bad job at all three of those which is why I prefer to have dedicated devices for each piece. If you plan on using an existing router and just want wireless I would suggest the unifi ac lite access point.
https://www.amazon.com/Ubiquiti-Unifi-Ap-AC-Lite-UAPACLITEUS/dp/B015PR20GY
If you need a router as well then I would use the access point and pfsense for your router. You could use a wired nic like this in an existing computer.
Pfsense does support wireless cards but trust me you don't want to go down that road for many reasons. Any time that topic comes up most users on this subreddit suggest against it myself included. I have tried building wireless into my pfsense build before and quickly abandoned it.
Microsoft legal department will have something to say about that.
They are advertising installed cracked software on their mini PC's as well.
> System: Free Operating System: Default installed our activated OEM cracked version(not genuine, works good)Windows English for free,
You mean the PTR Records shown?
What is PTR?
https://www.cloudflare.com/learning/dns/dns-records/dns-ptr-record/
"DNS PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name to the IP address. A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name."
An IP of: 45.80.90.125 will have a PTR of 125.90.80.45.in-addr.arpa (the reverse of the previous IP with a in-addr.arpa appended at the end)
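The octet reversal described above, as an added Go example that is not part of the original thread: it builds the reverse name for an address and parses a reverse name (as seen in resolver logs) back to the address, and goes beyond the comment's IPv4 case by also handling IPv6 (nibbles reversed under ip6.arpa). Function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ReverseName builds the name a PTR lookup queries for ip: the IPv4 octets
// reversed under in-addr.arpa, or the 32 IPv6 nibbles reversed under ip6.arpa.
func ReverseName(ipStr string) (string, error) {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %q", ipStr)
	}
	if v4 := ip.To4(); v4 != nil {
		return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0]), nil
	}
	labels := make([]string, 0, 32)
	for i := 15; i >= 0; i-- { // least significant nibble of the last byte comes first
		labels = append(labels, fmt.Sprintf("%x.%x", ip[i]&0x0f, ip[i]>>4))
	}
	return strings.Join(labels, ".") + ".ip6.arpa", nil
}

// ForwardIP parses a PTR query name (as it appears in resolver logs) back into
// the address it refers to, rejecting anything that is not a well-formed reverse name.
func ForwardIP(name string) (net.IP, error) {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	switch {
	case strings.HasSuffix(name, ".in-addr.arpa"):
		labels := strings.Split(strings.TrimSuffix(name, ".in-addr.arpa"), ".")
		if len(labels) != 4 {
			return nil, errors.New("in-addr.arpa name must have exactly 4 octets")
		}
		ip := make(net.IP, 4)
		for i, l := range labels {
			octet, err := strconv.ParseUint(l, 10, 8)
			if err != nil {
				return nil, fmt.Errorf("bad octet %q: %w", l, err)
			}
			ip[3-i] = byte(octet) // labels run from last octet to first
		}
		return ip, nil
	case strings.HasSuffix(name, ".ip6.arpa"):
		labels := strings.Split(strings.TrimSuffix(name, ".ip6.arpa"), ".")
		if len(labels) != 32 {
			return nil, errors.New("ip6.arpa name must have exactly 32 nibbles")
		}
		ip := make(net.IP, 16)
		for i, l := range labels {
			nib, err := strconv.ParseUint(l, 16, 8)
			if err != nil || len(l) != 1 {
				return nil, fmt.Errorf("bad nibble %q", l)
			}
			if i%2 == 0 { // even labels are low nibbles, odd ones high nibbles
				ip[15-i/2] |= byte(nib)
			} else {
				ip[15-i/2] |= byte(nib) << 4
			}
		}
		return ip, nil
	}
	return nil, fmt.Errorf("%q is not a reverse lookup name", name)
}

func main() {
	name, _ := ReverseName("45.80.90.125")
	ip, _ := ForwardIP(name)
	fmt.Println(name, "->", ip)
}
```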
Nothing is compromised on your system. PTR, DNSSEC, RRSIG and others are all part and parcel of the current DNS protocol. It is behaving exactly as it should be.
I'm not entirely sure what your end goal is, but have you considered using logstash? It's pretty much made for storing logs and uses elasticsearch as its datastore, so easy to query entries and such.
https://www.elastic.co/products/logstash
There is a guide to setting it up with pfsense here (and also an interface for visualising the logs):
https://elijahpaul.co.uk/monitoring-pfsense-2-1-logs-using-elk-logstash-kibana-elasticsearch/
I'd suggest Android users take a look at "OpenVPN for Android" by Arne Schwabe. It is open source, and gets patches frequently.
Link: https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en
The unifi ac-lite is $81 on amazon so out of your budget but it's just barely enough to cover my small ass apt.. your house is smaller than this?
The NordVPN client will automatically become the default outbound gateway once enabled. To change this behavior edit the NordVPN client setting under VPN>OpenVPN>Clients> - ENABLE 'Don't pull routes' [Bars the server from adding routes to the client's routing table]
Everyone's telling you to upgrade, so I'll chip in a little more detail as to why. The AMD Duron CPU was released 14 years ago as a competitor to the then-popular Pentium III and was one of the lowest power options in the category of CPUs that included the AMD Athlon, Intel Pentium III and Intel Celeron. It is a single-core, 32-bit CPU with clock speeds ranging from 600MHz in the earliest edition to 1.8GHz in the latest edition. Its Front-Side Bus clocked in at 100MHz or 133MHz.
In short, this thing isn't just "old", it's practically "ancient" in terms of the number of hardware generations that have occurred since its prime. And even in its prime, it was the bargain-basement option.
Just about anything you can find on ebay or craigslist these days will be better than what you've got right now. If you can afford to spend a few hundred dollars and don't mind assembling it yourself, you could build a nice Xeon-based system (such as with an E3-1225v3 CPU) with an Intel Pro NIC for $600-$800.
Just for kicks, I tried to find some benchmarks for you. This was a little tricky, since Passmark was in its infancy when this CPU was released. http://www.cpubenchmark.net/pt7_cpu_list.php shows only a couple of entries for the Duron -- the basic "AMD Duron" entry shows a passmark score of 268. By comparison, the Intel Xeon E3-1225v3 has a Passmark score of almost 7,000 and the best CPUs on the market today have Passmark scores approaching 14,000.
I'm impressed that you've gotten this machine to limp along to this point, but it's well overdue for retirement.
Your connection is not the only limiting factor. A lot of places have traffic shaping so even if you could theoretically hit 250 mbps down you'll never go beyond what they are limiting you to.
Generally speaking the best benchmarks are Steam downloads (huge CDN and basically unthrottled), YouTube's built in "Connection Speed" under Stats for Nerds (stream something like a 4K 60 FPS video), Fast.com, and Speedtest.net. Fast is mostly useful for Netflix and Speedtest is known to be inflated. Torrenting like you tried is also great but can provide mixed results with little use outside of other torrent downloads.
No. The minimum hardware requirements are just 1 GB of disk (not 1 TB, just 1 GB). Almost any type of disk is fine if you're just using it as a firewall/router replacement, since there's very little disk I/O after startup. Even a thumb drive can work, but they're usually not terribly reliable for long term.
If you look at the prebuilt hardware that pfSense sells, it's all with eMMC flash drives or SSD drives, but that's for reliability, not speed.
However there are optional packages that will create a lot of disk I/O and use a lot of disk space - squid, for example. If you're planning on installing them, then you need more space, and need to pay attention to disk performance.
You can install pfSense on a small, slow disk, and then also add a large, fast disk for squid (or other packages) if you like.
You might also sling the gold membership for those that want to support the project, but don't necessarily need to buy hardware (or have hardware lying around and feel the appliances are "too expensive") or are non-commercial entities.
$100 a year, for me, is much better spent than drinking and tinkling out Charbucks. Y'all probably have a much better profit margin on that than the hardware, too, right?
Private Internet Access I think allows that and it's fantastic.
I recently switched to NordVPN; while it's good, I wish I had stuck with PIA. They're both high quality though in my opinion.
I assume your threat model is just the ability to bypass MPAA/Netflix Geo-Restrictions?
Correct. We're aiming for early September with no fixed release date, in case there are unexpected events or security updates. You can give it a try right now, install 2.4.4 development snapshot. We could use the help with testing.
Set one as Tier 1 and the other as Tier 2. Both same Tier is for bonded connections and unless Mullvad has an option to bond over tunnels (unlikely due to invariable determination of bandwidth), it may cause asymmetric routing style issues.
With this, Tier 1 stays dominant and Tier 2 kicks in when Tier 1 falls. Tier 1 will take over when back. You can then policy route as needed.
Check out the Shuttle XPC Slim DS68U. Mine has been rock solid, the Skylake Celeron 3855U is about the same total performance as J1900 but almost double single-threaded performance, so great for VPN. The physical box is super industrial too.
So, first use case:
You can use PfSense to run a VPN server. This allows you to connect to your home network when out and about and makes you appear as if you are still on your home LAN. Handy for logging into servers and such like that you have at home without having to expose their ports to the internet. So this is entirely free as it's yourself that's running the server.
Second use case:
You can buy access to a VPN server hosted elsewhere from companies like PIA, Nord etc. You can then run a client on your PfSense that can route certain, or all devices on your network via this VPN server. The main use for this is privacy, your ISP can no longer see what you are doing as the traffic is encrypted before it leaves your home.
Personally I run both. I use my home VPN server to allow me to connect in to my home network to access my servers. I also run an OpenVPN client which connects to NordVPN, I have PfSense set up to route 3 or 4 devices via this VPN because I don't want my ISP to know what these devices are doing.
The Reddit Enhancement Suite extension provides that functionality.
Mod toolbox is another useful extension (for moderators).
They're must-have extensions if you value your sanity. :P
I don't think the roots support TLS atm... so these external Resolvers are still querying without TLS to fill requests from the roots themselves.
Some good reading:
https://www.cloudflare.com/learning/dns/glossary/dns-root-server/
https://blog.surf.nl/en/protect-your-privacy-with-dns-over-tls/
YMMV and keep in mind that these services only use a few DNSBL feeds where there are almost a hundred different free and subscription feeds available.
Everything is a trade-off and nothing is going to give you 100% privacy.. just trying to make people aware instead of just listening to the sales pitches of these services. You can choose speed over security or over privacy but not what I would recommend. You will find over time that DNS Will get more hardened.
So I use grafana and influx within a container, I have them built through docker-compose
Here is what the compose file looks like:

```
grafana:
  image: grafana/grafana
  container_name: grafana
  ports:
    - 3000:3000
  restart: unless-stopped

influxdb:
  image: influxdb
  container_name: influxdb
  volumes:
    - ./influxdb:/var/lib/influxdb
  ports:
    - 8086:8086
  restart: unless-stopped
```
I am using this dashboard: https://grafana.com/grafana/dashboards/10095
Install the telegraf package, then input the basics I did.
Check enable
TeleGraf Output: InfluxDB
InfluxDB Server: <synology nas ip:8086>
InfluxDB Database: pfsense
InfluxDB Username: root
InfluxDB Password: <whateveryousetyourpassword>
This should get you 99% of the way there, when you use the dashboard above it just asks for your WAN interface on setup and the rest just is setup.
In portainer you can add the compose info under stacks
as just a single copy/pasta I believe, I do not use portainer much anymore but that should work. If not just build out each part with the corresponding pieces in a portainer image build like you normally do.
I'm surprised by this statement:
> The newest offspring, OPNsense (https://opnsense.org), aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can.
Is that just him being nice to the newest entrant in the fray? I would have expected him to recommend PFSense if anything. Given the reputation of the project and such.
I run an ELK stack fed by softflowd on pfsense (netflow input to logstash) to track per-device bandwidth usage. Logstash has InfluxDB output. You should be able to do something with that.
Blocking a /8 subnet removes a whole swath of people/companies/services that have nothing to do with Whatsapp.
Use a site like DNSdumpster.com to lookup all the subdomains for whatsapp.com and whatsapp.net and then surgically block only those IP's.
Or just look at the source, Whatsapp provides a current list of their service IP's at: https://www.whatsapp.com/cidr.txt
Keep in mind that if the app whatsapp can't connect via wifi, it will connect over the cell service, so I'm not sure what you hope to accomplish with a network/wifi block.
Don't forget the OEM versions of the Intel Pro 1000: (<$40) https://www.amazon.com/HP-NC364T-Gigabit-Server-Adptr/dp/B000P0NX3G/ref=sr_1_3?keywords=quad+port+nic&qid=1557054316&s=gateway&sr=8-3
You can definitely find them cheaper at times even on Amazon. One caveat, as always with older gear, is power consumption. IIRC these use somewhere in the mid teens as far as wattage goes. Modern cards are single digits.
You could also give NordVPN a try if you're still considering more options. It has p2p servers and works pretty well for me, they have a tutorial on how to set it up too
According to that support article you provided, it leaves the IPv4 Tunnel settings blank. So in theory, it should be getting an IPv4 address from NordVPN's DHCP server in the private virtual IP pool. You can also see a screenshot at the bottom where it shows the client statistics that it has your local IP and a virtual IP.
To answer your questions, no you should not need to mess with any DHCP settings. And no, you will not need to turn off DHCP server. As long as you get an IP from OPT1, then you should be good and that is of course if you follow the article step-by-step. Follow the guide, test it, check the connection log file under Status -> System Logs -> OpenVPN.
Good luck!
Best Regards, k0rbiz.
I don't have any suggestions, but i've been having issues with PIA accessing normal websites for the last several months. Websites like , Craigslist, and several others have been seemingly blocking the IPs of the west coast that I utilize and it's been driving me crazy! I've since switched to NordVPN and haven't seen any issues since doing so.
I can't give you a solid number, as I don't have that same CPU. An atom 330 (1.6ghz) in testing would push traffic at 330mbs. That's simple iperf traffic with 5 rules (not complex.) It was literally desktop -> atom running pfsense -> server. It was maxing the CPU.
Take it with a grain of salt but this page shows the turion to be substantially faster than the 330.
Not sure how much overhead esxi 5.5 adds.
Edit: VPN usage will crater your throughput. Just a heads up.
telegraf and chronograf with influx db
https://www.influxdata.com/time-series-platform/chronograf/
The client is in the packages already
> I'm looking for the most simple and direct solution to help "grandma/your parents/your teenage daughter" navigate the internet safely.
Why not set them up with OpenDNS Personal? That's going to be much simpler.
If driver support is in 11.2, try our latest 2.4.4 snapshots.
https://www.pfsense.org/snapshots/
I know it says 11.1 but that's an error, we'll update it ASAP. pfSense development snapshots version 2.4.4 are based on FreeBSD 11.2-RC since June 1st. https://twitter.com/pfsense/status/1002558800900034560
The announce list was recently deprecated in favor of a "newsletter" (different delivery mechanism other than mailman), but all others are maintained. You can sign up for the newsletter here: https://www.pfsense.org/download/
I don't understand why this question keeps coming up without people finding Netgate gear. It's literally on the very front page of https://www.pfsense.org. Or in the section at the top titled Products. Or on the side bar of this very subreddit. I just don't get how people can "search and not immediately see anything".
They are the primary supporters/owners of pfSense, the product you buy from them is high quality and guaranteed to support the newest versions of pfSense.
I'm going to add to this, and hopefully not discourage.. You absolutely should be running a firewall on the only port you are given in a leased office. You said yourself that you think it is on its own separate VLAN, but you don't know for sure. And, even if it was, who is managing that VLAN? You could easily find out if there is other traffic that can be reached through that port which in turn would tell you whether or not other people could access what is connected in your office but that may be beyond what you are comfortable with; Wireshark.
From a security oriented standpoint it shouldn't matter whether you are on a VLAN or not. You should have absolute control of everything that is connected to your network internally. By placing pfSense as the first device on your only port you're drawing a line in the sand; everything behind pfSense is in your complete control. the only issue then becomes how to secure your data between the internet and pfSense. This is where an externally hosted VPN, such as PIA, could be used. That would allow for the encryption of ALL data that goes over your proverbial line which would prevent eavesdropping from the other offices / ports / system administrators in your building.
Congrats on your business venture!! Without trying to come across as a total douche nozzle, stick to offering services you have a firm grasp on to your customers. In other words, you may want to delay offering networking services until you are comfortable with all aspects related to a network you provide; think of the liability...
OK, based on the way you're describing it now, let me clarify if I'm understanding it correctly. You have a NordVPN client setup in your pfsense but you don't want your work laptop traffic to be routed through the NordVPN at all and essentially skipped through?
If that's the case, then yes, this can be pretty easily done, just create a LAN firewall rule and use an alias for your work laptop without a gateway that is before the firewall rule that sends everything else out the NordVPN traffic. This is actually exactly how I have my own pfsense as I selectively want only certain traffic going over my NordVPN, so I add and remove hosts from the firewall alias as necessary.
I use NordVPN through PfSense and it's quite easy. The only extra things I would add is to create a manual Outbound NAT rule for your DMZ traffic and then a firewall rule to force the gateway. These ensure that the traffic does not fall back to your primary connection if the VPN fails.
Auth issues are usually due to not importing the Nord Cert CA correctly or the TLS key.
Here's what I do differently in OpenVPN configuration:
Next up, create the VPN interface under "Interfaces -> Assignments". It'll show up as "ovpn# (description)" in the list. Once created, make sure you open its settings and Enable the interface. Make sure to also untick "Block private networks/loopback" if ticked.
For your outbound NAT, add a new rule (at the top) with the following settings:
Finally, to ensure your DMZ traffic goes out the VPN interface, you need to create a firewall rule on the DMZ interface to force the use of the VPN gateway. It'll be something like this:
As for HAProxy, I feel like that's starting to massively complicate things? You may just need to enable the NAT Reflection Proxy mode (System -> Advanced -> Firewall & NAT). If you do, you'll probably need another firewall rule to complement the above ones, matching your DMZ source traffic and setting the gateway to your WAN interface (to match your external DNS IP/Name).
you drop web ui connection because you don’t have a LAN. Which is the only place the web ui works by default. Your NordVPN connection can’t be your LAN.
You need:
WAN
LAN
OVPNC1- NordVPN
Watch:
Ignore the vpn configuration itself. Watch the way it’s setup within pfsense and apply it to your setup.
Also starting out with pfsense isn’t easy. You shouldn’t use a VM for starting. You shouldn’t use 1 NIC. You’re adding extra complications for yourself.
Use 2 NIC. One WAN, one LAN
Have you looked through this guide: ?
Replace AirVPN with your VPN provider. This guide assumes you also have a switch that is capable of managing VLANs. Add every device you want connected to VPN on a separate VLAN.
If you don't have a vlan capable switch you can get a cheap tp-link one for $30 on amazon: ;qid=1496901694&sr=8-2&keywords=tp+link+smart+switch
I have a quad port NIC on my pfsense box and it only has two physical connections: WAN and LAN. WAN is connected to my ISP and LAN is connected to my vlan capable switch. pfsense manages all the routing.
Also the guide talks about mitigating dnsleaks so follow the instructions very carefully.
Quite simple:
VPN->OpenVPN->Wizards (choose Local user access).
and install openvpn client export package
Install this client for Android https://play.google.com/store/apps/details?id=de.blinkt.openvpn
Go to OpenVPN->Client Export and export config for user created at step 1 (Inline Configurations, I prefer "Others" option)
Import downloaded config file in Android app and run it.
If you're fronted by CloudFlare you should create an alias with CloudFlare's IP ranges and change your port forwarding rule to NAT traffic only for those ranges. Then you can be assured any traffic coming in on those ports is valid traffic, already cleared by CloudFlare. All other traffic is discarded.
To take it further, next steps would be looking into authenticated origin pulls and a programmable reverse proxy for all sorts of ACL power.
The slides from the video are available here:
https://www.slideshare.net/NetgateUSA/pfsense-244-short-topic-miscellany-pfsense-hangout-august-2018
He goes through them at a pretty good pace in the video, but having the slides may be useful for people too.
I would consider getting pfSense Gold. You get access to a well maintained book as well as a large archive of videos - each 1-2 hours on a specific topic.
https://www.pfsense.org/our-services/gold-membership.html
You also get auto-config backups which are handy.
You're getting both hardware/software support AND warranty by buying with Netgate. If something should go wrong, they offer 24/7 support. Plus, you're supporting the pfSense community at the same time. Also, the SG-1000 comes with 1 year of pfSense gold. Benefits listed here: https://www.pfsense.org/our-services/gold-membership.html
I'll piggy back a question here, does only the SG-1000 come with gold, or do the other appliances?
For those without gold, you could set up a cron job on a Linux server that runs the following (after adding your SSH key to the router):

```
scp <user>@<router>:/cf/conf/config.xml /path/to/folder/"$(date +%Y-%m-%d-%H:%M:%S)"-router.domain.com-config.xml
```
I've also adapted the PowerShell example and utilized WinSCP to pull backups from Windows too:
https://winscp.net/eng/docs/script_download_most_recent_file
Then, I backup the directory to NextCloud.
Use this: http://www.observium.org/
It also monitors linux, windows, qnap, synology, hp, cisco, D-Link, HP, juniper and many more. Installation is as simple as setting up an Ubuntu LTS server and running a few apt-get commands. Then you jump into the WebUI and add the device -- just add the hostname, port number and SNMP string and off you go.
The only thing missing is e-mail alerting on fault condition. But for this I personally use nagios. I spent a long time trying to find 1 tool that does everything well but it doesn't exist. You always have to compromise and I wasn't willing to.
I've tried ELK, graphite etc. It's stupidly hard to set up.
Someone already said, both realtek and USB ethernet are troublesome in PfSense.
I must say; I was the kind of kid that forced triangles through the square holes. So I took a look at your system and noticed M.2 slots in your system. I Googled a tiny bit and found this adapter.
One review states it works great with pfsense.
I am not sure if it would work in this system, since HP devices can be very finicky about what expansion cards you put in them. But who knows? It would give you at least 2x Gigabit if it works.
This one is the same thing but without the memory and ssd, and also sold by the manufacturer instead of a middle man:
Buy and add your own memory/msata and it will be cheaper. I bought one about a week ago and got it setup just a few days ago. It's awesome. Read some of the reviews on amazon.
Edit: correct link added.
try rebooting in case you have enabled don't pull routes for first time
I switched to AirVPN. One of the nice features is they have DNS aliases that point to groups of servers and IPs are added/removed as servers go up/down. Worst case is you reconnect back to the same address and you'll connect to another working server.
I'm set to an alias that points to all US servers, they have area, country, region and world groups.
As a bonus, all of their servers support port forwarding and you get to statically assign up to 20 ports to you, so (say) vpn-ip:45182 will always point to you no matter where you connect.
A safe start is instead block every outbound port except for what is allowed (or simply create an alias with allowed ports and only manually add that alias for outbound NAT).
Force DNS either locally or to a specific external resolver and also use Suricata to filter out by traffic signatures.
Simply blocking ports isn't enough due to many services now running on alternative ports eg, Private Internet Access on 443 and 53 also.
I travel with NordVPN on my phone, my tablet and my laptop. I don't need more devices to pack mule around and have to tinker with when I'm on the road. No clue what hauling extra junk vs a software VPN app brings to the table except maybe a free workout from carrying that stuff around.
I use NordVPN too and had to add a patch to pfSense to get it to work with >1 ovpn client to Nord.
The reason for this is that the client always gets assigned an IP in the 10.8.8.x /24 subnet, so they all overlap and policy based routing doesn't work.
My patch overrides the auto-assigned mask and makes them all /32s so they can route properly. LMK if you need this.
I had planned to release a PR that adds the fields necessary to do this all via the GUI but I just got a little too busy. You can still apply it easily with System Patches though.
I'm under the impression that you want to check "Do not create rules when gateway is down" under Advanced -> Miscellaneous -> Gateway Monitoring -> Skip rules when gateway is down. This way if you have other blocking rules to prevent LAN1 from going out of WAN2, they are respected and routing is allowed to fail.
I use this setting to ensure that specific Private Internet Access clients are explicitly only able to go out of the OpenVPN client on pfSense. If that's down, I don't want them having access on the regular WAN routes. There are additional blocking rules for these clients in my firewall rules.
Not that I'm aware of. Service Watchdog will restart services that you tell it to but when a VPN client disconnects, the service is usually still running.
I have this set up and my NordVPN client disconnected because (I'm assuming) the server I was connected to was blown away or perpetually down.
In addition to what the others posted, new routers will come with the newest features (802.11ac and 802.11ad) which you will not easily find with a cheap PCIe card. A router will usually also provide more power to the antennas, providing a better connection. For example, here's a somewhat common wireless router (RT-AC68U) used as an AP by /r/homelab people: https://slickdeals.net/f/11788767-t-mobile-wi-fi-cellspot-router-60-free-shipping?src=rcm_category_h
Used as-is or with new firmware, you get a $100 router for $60. It comes with 802.11ac 3x3 (as opposed to the 802.11n 2x2 in the one you mentioned), can get combined data rates of up to 1900Mbps (whereas yours gets up to 600Mbps), comes with beamforming to help extend usable range, and you won't have any potential driver issues causing problems. So it's not that you can't use built-in cards. It's just that having a separate access point generally works better and is more effective.
For 2.4.5-*: https://protonvpn.com/support/pfsense-vpn-setup/
For 2.5.*: https://protonvpn.com/support/pfsense-2-5-x-vpn-setup/
Then of course it depends if you use VLAN or just separate the items with a different subnet. But follow that one and use your own ovpn configuration to it.
> But isn't it merely a cipher-variation of AES?
It's a mode, like AES-CBC is a mode.
> What i'm asking is whether it needs specialized hardware in order to use this type of cipher.
No, but it can be accelerated, like AES-CBC. The differences are 1) it can be accelerated more and 2) you get authentication "for free" out of AES-GCM, where you need to add an HMAC (such as SHA1 or SHA256) when using AES-CBC (or another ESP transform). This is where the larger speed (throughput) gain comes from.
Both the C2558 (used in the SG4860) and FX-6300 support AES-NI instructions.
> The Atom processor used in the SG-4960s
The what?
> is inferior in terms of performance
compared to what, exactly? A FX-6300 is a 95W TDP 3.5GHz 6 core (well, 3 really) part, so if it's not faster, you're just burning money.
Here is one independent benchmark: http://www.cpubenchmark.net/cpu.php?cpu=AMD+FX-6300+Six-Core
http://www.cpubenchmark.net/cpu.php?cpu=Intel+Atom+C2558+%40+2.40GHz&id=2557
pay attention to the 'single thread' ratings (1410 for the FX-6300, 551 for the C2558)
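To make the "authentication for free" point above concrete, here is an added Go example (not from the original thread or from pfSense) using only the standard library: AES-GCM needs one key and one pass and rejects a modified packet on its own, while AES-CBC needs a second key and a second HMAC-SHA256 pass (encrypt-then-MAC) to do the same. The keys are constructed demo values and the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Constructed demo keys; real ESP keys come out of the IKE exchange, never constants.
var encKey, macKey = bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM: one key, one pass; the output is nonce || ciphertext || 16-byte tag.
func SealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenGCM fails on any modified byte: the authentication is part of the mode.
func OpenGCM(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// SealCBC: CBC only hides content, so a second key and pass (HMAC-SHA256, encrypt-then-MAC) are bolted on.
func SealCBC(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize) // random IV goes first
	if _, err := io.ReadFull(rand.Reader, body); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding, 1..16 bytes
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, body).CryptBlocks(ct, padded)
	body = append(body, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil // IV || ciphertext || 32-byte HMAC
}

// OpenCBC checks the HMAC first; without it a tampered packet decrypts to silently corrupted plaintext.
func OpenCBC(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("HMAC mismatch: message was modified")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// TamperDetected flips one byte in the middle of msg and reports whether open rejects it.
func TamperDetected(msg []byte, open func([]byte) ([]byte, error)) bool {
	bad := append([]byte(nil), msg...)
	bad[len(bad)/2] ^= 0x01
	_, err := open(bad)
	return err != nil
}
```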
Read this: https://www.cloudflare.com/learning/network-layer/what-is-a-subnet/
I'm using 10.0.0.0 with a /8 subnet. Complete overkill and beyond anything I'll ever need but it runs. That's for my LAN only. VLANS have different smaller subnets.
Mostly just https://pi-hole.net/pages-to-test-ad-blocking-performance/
But I also have a look at google search ads too which are being blocked. I search for hotels and at the top all the ad links will be blocked. Don't really want this but it means it is working
Also I check a few porn sites because they are always ad heavy and probably on the more malicious side
I get close to the theoretical max with my sg-3100, so I can at least tell you it's possible to get near 1Gbps through the device. Make sure your WAN/LAN are both linked up at Full Duplex and consider running the Speedtest-Cli on your box itself.
Also for the hell of it try a different ethernet cable between your modem and the SG-3100 and to your computer.
I was running 2.2.3 and it happened. I was told to upgrade so I'm now running 2.3.4 and it's still happening.
I opened my system.log and it's full from this one event. It seems to be continually looping, and saying that the WAN IP changed:

> /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 173.49.250.153 -> 173.49.250.153 - Restarting packages.

But you can see it hasn't.
Here's a log of it: https://hastebin.com/qigihoxita.sql
I have an intel atom d525 SOC with 2gb ram and 2 on board realtek nic's and an 8gb ssd. It's a pretty basic setup but it's worked fine until the recent upgrade and new ONT box.
I can't really replicate by plugging a pc in, since it's completely random (and usually during the day when I'm not home, only have rdp access). When I'm home and awake, it pretty much has no issues.
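As an added example (not the poster's code or pfSense's), here is a small Go parser that pulls the rc.newwanip notices out of system.log and flags the ones where the old and new address are identical, which is exactly the pattern in the quoted line. The sample log is constructed: the syslog prefix and hostname are assumptions, and the addresses are from TEST-NET-2 instead of the poster's real WAN IP.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example. The syslog prefix and hostname
// are assumptions; the message body mirrors the line quoted in the post.
const sampleLog = `Jun  3 10:12:01 fw php-fpm[345]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 198.51.100.20 -> 198.51.100.20 - Restarting packages.
Jun  3 10:12:02 fw php-fpm[345]: /rc.newwanip: Creating rrd update script
Jun  3 10:12:09 fw php-fpm[345]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 198.51.100.20 -> 198.51.100.20 - Restarting packages.
Jun  3 10:12:17 fw php-fpm[345]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 198.51.100.20 -> 198.51.100.21 - Restarting packages.
Jun  3 10:12:25 fw php-fpm[345]: /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 198.51.100.21 -> 198.51.100.21 - Restarting packages.`

var ipChangeRe = regexp.MustCompile(
	`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*/rc\.newwanip: .*detected an IP change or dynamic WAN reconnection - (\S+) -> (\S+) -`)

// Event is one rc.newwanip "IP change" notice. Spurious means old == new:
// packages were restarted although the address did not actually change.
type Event struct {
	Time, Old, New string
	Spurious       bool
}

// ParseEvents extracts the IP-change notices from raw system.log text.
func ParseEvents(log string) []Event {
	var events []Event
	for _, line := range strings.Split(log, "\n") {
		m := ipChangeRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		events = append(events, Event{Time: m[1], Old: m[2], New: m[3], Spurious: m[2] == m[3]})
	}
	return events
}

// Summary of the notices: a high Spurious count with a long consecutive run is
// the signature of the restart loop described in the post.
type Summary struct {
	Total, Real, Spurious, LongestSpuriousRun int
}

func Summarize(events []Event) Summary {
	var s Summary
	run := 0
	for _, e := range events {
		s.Total++
		if e.Spurious {
			s.Spurious++
			run++
			if run > s.LongestSpuriousRun {
				s.LongestSpuriousRun = run
			}
		} else {
			s.Real++
			run = 0
		}
	}
	return s
}

func main() {
	s := Summarize(ParseEvents(sampleLog))
	fmt.Printf("%d IP-change notices: %d real, %d spurious (longest spurious run %d)\n",
		s.Total, s.Real, s.Spurious, s.LongestSpuriousRun)
	if s.LongestSpuriousRun >= 2 {
		fmt.Println("rc.newwanip restart loop suspected: old and new WAN IP are identical")
	}
}
```

Feed it the real system.log (for example over the SSH access the poster has) and a large Spurious count with Real at zero narrows the problem to whatever is re-triggering rc.newwanip (DHCP renewals from the new ONT, link flaps on the Realtek NIC) rather than to an actual address change; the timestamps also give the loop period, which is worth comparing with the WAN DHCP lease time.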
Back in 2000 I was running a wireless bridge with two old Toshiba laptops. That was very reliable. It never went down for about three years because of the built-in UPS ;) I guess it depends on how much the fan is running. Those are usually the first things to give up, so maybe run it with the lid open and in a cool place and I don't see why it should die prematurely.
I usually have a noname USB-3.0->LAN adapter in my backpack, that uses an ASIX AX88179 chipset according to dmesg. I'm getting about 350Mbit/s with iperf on a USB3.0 port, about 180MBit/s in both directions when measuring using -d. That doesn't differ much for a USB2.0 port. It should be supported by the axge driver under FreeBSD.
Re-IP address one of the networks. There's not really an easy way around it, this is a limitation of the technology.
You can try to do some overcomplicated hacky shit using NAT translation but it seems like a recipe for trouble: http://serverfault.com/questions/548888/connecting-to-a-remote-server-through-a-vpn-when-the-local-network-subnet-addres
I was using Observium as well but then came across http://www.librenms.org which is a true open source fork of Observium that has more features at $0 cost. Allows you to setup alerts and supports plugins.
I'm curious about the technical reason as well. I have the same result as OP and per /u/sishgupta disabling DNSSEC in DNS Resolver corrects this. Another cloudflare test page for ESNI also has the same issue confirming "Secure DNS." Interestingly, the DNSSEC check appears to work though.
My guess is not a bug, but a technical limitation.
Very useful tips, mrpink57! I now have Grafana and Influxdb running in docker. I am able to use this dashboard as a starting point for my pfsense. I'll keep piling on different systems now that I have a working Grafana instance. Thank you all!
For non pfsense stuff if you go here and choose your OS details: https://certbot.eff.org/instructions
Then click the Wildcard tab, it'll show the instructions for DNS challenge.
For pfsense I think you just need the acme package if it's anything like opnsense, then it's just filling out some settings and it'll take care of the rest.
It definitely doesn't. It uses port 80 to verify the domain. I have HAproxy setup for it to forward port 80 to various subdomains specifically for certbot. https://certbot.eff.org/faq#can-i-issue-a-certificate-if-my-webserver-doesn-t-listen-on-port-80
DNSCrypt should help you; it uses port 443
https://www.linkedin.com/pulse/quic-look-dns-james-montgomery
https://www.opendns.com/about/innovations/dnscrypt/
You may have to run a vm to convert DNS to dnscrypt as it may not be doable directly in pfsense.
Use PFSENSE for the DNS. Have it forward to OpenDNS - see here: https://www.opendns.com/setupguide/?url=familyshield
Forcing safesearch:
Until a recent MS update you could simple add a CNAME for google.com and point it to forcesafesearch.google.com ... this was tidy. MS fucked this up though.
You can still use the IP address - but you must ensure you add country specific domains - eg:
216.239.38.120 www.google.com www.google.co.uk www.google.ca
216.239.38.120 www.google.fr www.google.it www.google.es www.google.nl
216.239.38.120 is the IP of forcesafesearch.google.com which is ronseal
OpenDNS has methods for Bing too
Use PFBlockerNG for the rest, I guess, if you need to. Or just add dummy zones for facebook etc to point somewhere useful.
To bypass DNS blocks - have the teacher use a different DNS server.
DNS is only 33% solution, but couple it with a decent terms of use agreement and you should be set at with minimal expertise or fuss
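An added example (mine, not the poster's) in Go that renders the Google SafeSearch override above in two layouts: the hosts-file style shown in the post, and Unbound local-data records for the custom options box of pfSense's DNS Resolver (assumption: the Resolver is in use rather than the Forwarder). The domain list is the one from the post, the observed-answers map is constructed, and Unenforced is the check for the bypass case the post mentions (a client using a different DNS server).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ForceSafeSearchIP is the address the post gives for forcesafesearch.google.com.
const ForceSafeSearchIP = "216.239.38.120"

// googleHosts are the country domains listed in the post. Assumption: this
// list only covers the example; add the locales your users actually hit.
var googleHosts = []string{
	"www.google.com", "www.google.co.uk", "www.google.ca",
	"www.google.fr", "www.google.it", "www.google.es", "www.google.nl",
}

// HostsFileLines renders the mapping in the hosts-file layout the post uses,
// at most perLine names per line.
func HostsFileLines(hosts []string, ip string, perLine int) []string {
	var out []string
	for i := 0; i < len(hosts); i += perLine {
		end := i + perLine
		if end > len(hosts) {
			end = len(hosts)
		}
		out = append(out, ip+" "+strings.Join(hosts[i:end], " "))
	}
	return out
}

// UnboundLocalData renders the same mapping as Unbound local-data records,
// the syntax pfSense's DNS Resolver (Unbound) accepts in its custom options.
func UnboundLocalData(hosts []string, ip string) []string {
	out := make([]string, 0, len(hosts))
	for _, h := range hosts {
		out = append(out, fmt.Sprintf(`local-data: "%s. A %s"`, strings.TrimSuffix(h, "."), ip))
	}
	return out
}

// Unenforced takes answers observed from client resolvers (name -> addresses)
// and returns the names that did not resolve to the override: those clients
// are bypassing the block (hard-coded DNS, DoH, etc.) and need port 53 redirected.
func Unenforced(observed map[string][]string, ip string) []string {
	var bad []string
	for name, addrs := range observed {
		enforced := len(addrs) > 0
		for _, a := range addrs {
			if a != ip {
				enforced = false
			}
		}
		if !enforced {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for _, l := range HostsFileLines(googleHosts, ForceSafeSearchIP, 3) {
		fmt.Println(l)
	}
	for _, l := range UnboundLocalData(googleHosts, ForceSafeSearchIP) {
		fmt.Println(l)
	}
	// Constructed observations: one client answered correctly, one is bypassing.
	observed := map[string][]string{
		"www.google.com":   {ForceSafeSearchIP},
		"www.google.co.uk": {"203.0.113.5"},
	}
	fmt.Println("unenforced:", Unenforced(observed, ForceSafeSearchIP))
}
```

Two checks worth running after applying the records: query each name with dig from a client on the LAN and confirm the A answer is 216.239.38.120, and query AAAA as well, because an override that only answers A leaves an IPv6-capable client free to reach Google's real v6 address unless the resolver returns nothing for the other types. The Unenforced list is what a redirect of outbound port 53 to the firewall (and a block on DoH/DoT ports) is meant to empty.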
FWIW, there's a whole page on the pfSense site dedicated to hardware requirements, with a table graduated by connection speed. Cross-referencing your needs with the last table on the page shows you'll need a 2.0+ GHz multicore CPU with server class hardware and PCI-e NICs.
In the download options on https://www.pfsense.org/download/ there's a serial console option. I've never used it but I assume it's for installing the machines that don't have VGA ports or are inaccessible. I assume it follows the regular installer and just sends the data out the serial port. With that said I assume that it draws screens with ASCII characters but the text will be embedded in there as ASCII text. You might have a better experience letting it draw the screen and then having your screenreader read the text rather than having your screen reader echo each character as it is sent to your terminal emulator (PuTTY?)
Have you used the pfSense interface in a web browser before? I worked with many different screen readers and I'm afraid the way the web interface is constructed it would be very difficult to run with a screen reader. While you can SSH to pfSense, there is very limited functionality unless you're editing the raw configuration files, which is no fun.
I do know in the system settings you can choose alternate web interface settings. I would encourage you to explore those and see if any of them are more screenreader friendly.
PS. if you attempt a serial console install you will need a null modem cable or null modem adapter to connect the two devices together.
I haven’t seen them since the re-design of the logo. I heard that they come with appliances, but I heard that like 6 months ago. Idk if that’s still the case or not.
If you intend to get them printed, you probably want to be extra careful - that’s one of their big things per this document.
As I read it, keep any logos away from customer stuff; toss it on your laptop or something instead
To support gigabit OpenVPN traffic you will need a modern quad-core Intel CPU that supports AES-NI. A generation or two old i7 or i5 will likely provide the best value. I just checked eBay and found some i5 6500 and 6600k CPUs for $180.
The Athlon XP system you have will fall to its knees with OpenVPN at those speeds and/or if you enable a few packages such as Snort or Suricata. For example I use Suricata with a 100Mbps connection and the dual core 1.7GHz Atom CPU I use pegs to 100%. I had to actually back off on the rulesets I use to ensure I don't throttle the internet connection.
The other consideration is the network adapters. You will want dedicated Intel NICs because they have better driver support in BSD and have hardware off-loading to improve throughput.
Here is the official pfsense guidance on hardware. https://www.pfsense.org/hardware/#requirements
Did you look at this page? I have been in the process of pointing all the internal links I can towards that.
There were 2167 lines added and 1951 lines removed to the book in the last 30 days. (We have been focusing on getting 2.3 out during this time though)
You also get access to the archive/library of past hangouts: https://www.pfsense.org/videos/
>Finally the gold subscription isn't easy to add to my wish list for a gift. All of these factors just make it so hard to gift pfSense knowledge.
Unfortunately there isn't a gift card mechanism in place. For now the person would have to sign up and give you the creds....or just give you $99 gift card for Gold.
>NICs based on Intel chipsets tend to be the best performing and most reliable when used with pfSense software. By comparison Realtek chipsets perform quite poorly. We therefore strongly recommend purchasing Intel cards, or systems with built-in Intel NICs up to 1Gbps. Above 1Gbps, other factors, and other NIC vendors dominate performance.
If you want to push any serious amount of traffic through the VPN (50+ Mb/sec) you might want to look at an i3 for the AES-NI crypto acceleration. I would recommend at least 4 GB of RAM for Snort, though this can be controlled with proper selection and tuning of your rules. Quality NICs are also of great importance to ensure that interrupts and processing get pipelined efficiently for maximum throughput. The pfSense Hardware Guide has some sizing considerations and suggestions that are worth reviewing.
I am about to attempt this as well, I want to put private internet access on the router instead of having to do it on the desktop. The following link was what I was going to try.
While WireGuard sounds interesting, maybe even great, Netgate is probably going to require a lot more vetting before it's integrated. I don't think WireGuard has been audited yet. Just look at their "Work in Progress" statement. Could be real good though...
The Steven Black unified list: https://github.com/StevenBlack/hosts/
"This repository consolidates several reputable hosts files, and merges them into a unified hosts file with duplicates removed."
Only one I've ever needed.
Yea, all is doable with some amounts of experimentation and tweaks.
hmm, my development boxes (both CE and Plus) have active Mullvad tunnels. I've never seen them just stop handshaking and require a reboot. I find it interesting that restarting the service doesn't resolve it, but rebooting pfSense does.
The next time you find your tunnel in this state, try clearing your state table prior to restarting the service.
Mullvad for the win. Couldn’t be easier to get configs for and set up. The one limitation is that you’re only allowed 5 keys maximum so if you like to do gateway groups for failover, and have a few other devices that you want to have set up for access, you’ll hit that limit fairly quickly. At ~$5 a month, it’s easy enough to just get another account.
As you've noticed, the Netgate documentation is currently not up to date with the more recent developments in the new WireGuard package.
Have you seen the developer's Youtube video on setting up Mullvad VPN?
NordVPN works on 2.50 and 2.51. I rolled back to 2.50 due to the routing issue on 2.51 but Nord' is not affected by this.
Issue in the OP looks like a DNS problem so that's where I'd start looking.
Unfortunately, the Kasa plugs don't discover like UPnP or mDNS; they use a simple broadcast mechanism. There is an Android app that can control these across broadcast domains with just their IP called AnyMote - if you want to observe energy use etc. you can use either OpenHAB or HomeAssistant to also control and monitor them.
This. I also have Mullvad and I have 2 clients on failover. I had a couple issues with a couple Mullvad servers being erratic and dropping packets so this helped a bunch. I believe Lawrence Systems has a pretty helpful vid on Youtube on setting up dual wan failovers.
Nord isn't worth it, IMO. Their service is always 80% off!!! and it was mediocre when I had it. In fact, I think I still have a sub with them because I bought so many years as it was dead cheap. I don't even have the credentials anymore because they were that lackluster.
I don't have the bandwidth you have, but my AES-NI enabled device saturates my 300Mbps with ProtonVPN.
Are they talking about this https://www.amazon.com/pfSense-SG-2440-pfSense%C2%AE-Security-Appliance/dp/B00JR6X0ZK/ref=sr_1_1?s=electronics&ie=UTF8&qid=1473801108&sr=1-1&keywords=SG2440 then I feel sorry for you having them as a client.
If they were my client, I would let them know that the hardware is not the same as this https://store.pfsense.org/SG-2440/ and that blindly buying from any seller on Amazon is ill advised (caveat emptor).
I purchased this a couple of months ago: https://www.amazon.com/gp/product/B017SLX05A/
I put Pfsense on it and couldn't be happier.
There are a few variations of the Qotom appliances on Amazon so you can look around and find one right for you. I wanted one with 4 LAN and 8GB RAM which is why I went for this one. Some of them come with WiFi onboard, which I didn't need.
That's my recommendation - I'm a happy camper with this little device.
For me pfsense is everything I wanted edgerouter to be. The thing I like best about it is the vpn functionality. I was never able to get edgerouter working quite right. I bought this box from amazon and it works great. https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Intel/dp/B01KLEI1MI/ref=sr_1_13?ie=UTF8&qid=1497621924&sr=8-13&keywords=pfsense
I recently switched from SonicWall to OPNsense. I'm running VPN and some intrusion detection on a little Protectli box. It's worked very well. The link is for the one I'm using, but there are barebones ones available as well.
Specs: Intel Quad Core Atom E3845, 64 bit, 1.9GHz, 2MB L2 Cache, AES-NI hardware support 4x Intel Gigabit Ethernet NIC ports 4GB DDR3L RAM, 32GB mSATA SSD 1x USB 2.0, 1x USB 3.0, 1x RJ-45 COM, 1x VGA Solid State, Fanless Silent Operation, Compatible with many Open Source Software distributions
Yes, I believe you would set them up just like you would set up a WAN gateway group for load balancing and fail-over. I have considered doing this same thing with my pfSense router and NordVPN.
I have 2 IOT lans. Neither can access my trusted LANs.
The first is for my security cameras that I can access from my trusted LAN, but they can’t reach back. They are allowed 10mb in/out, 53 blocked and redirected to a dedicated PiHole running on a Pi 3B for that LAN. They are shunted out of a ProtonVPN connection to my local state, but 200 miles away from my actual location.
The second is for all the other non-trusted stuff - Nest, Simplisafe, Alexa, Amazon TV, smart TV, smart plugs, garage opener, etc. They are allowed 5mb in/out, another dedicated Pi 3B running PiHole on that LAN as well, 53 and most ports blocked. 53 redirected to their PiHole. They are also shunted out of a ProtonVPN connection to a state 1500 miles away from my actual location. Amazon TV’s Prime video sometimes complains that it’s on a VPN, so I shunt it out of a private OpenVPN to my business’ Internet across town.
By using this combination of port blocking, port redirection, location and IP address obscurity, the IOT devices can leak/relay whatever they can sneak through the firewall to their masters but it won't help them with their data gathering too much.