IDS/IPS / Re: Suricata Really Annoying, Blocking Everything
« on: March 19, 2018, 05:12:22 pm »
Thanks for your help, Raffi. I just blocked all countries with the exception of the few I need. I will read that Taming the Beast blueprint too. Step by step I'm improving the security. Sorry to others if newbies like me rehash the same thing over again, but we have to start somewhere and the forum is a good spot. I'm already seeing RU, CN, HU trying to access my WAN port. Crazy stuff. Nuts.

IDS/IPS / Re: Suricata Really Annoying, Blocking Everything
« on: March 19, 2018, 02:07:23 pm »
Raffi, thanks mate. I figured it out. I needed to register for the Snort VRT rules and put in the registration Oinkmaster code before I could view those policy tabs; otherwise they're not available.

Thanks for the screenshot, because it helped. I'm going to start with Connectivity as the other gentleman suggested. It is set now and I see some dropped/blocked IPs in the block list. I'm backing up the config file as I go along so as not to ruin it going forward.

One more thing: should we be using the emerging rules or the snort_ rules, OR BOTH? Those are two separate options when looking under WAN Categories. I am attaching a screenshot.

I would think one should switch to the snort_ rules from emerging, but I see you're still using the emerging rules?

Also, are you running the pfBlockerNG DNSBL service to complement it? I'm only running it in Chrome. I want to block Russia and Ukraine as those were showing up as hackers. I wonder if I should do this through the IDS or pfBlocker. I would think the IDS would be the better choice.

IDS/IPS / Snort 3.0 package. How to install it in pfsense?
« on: March 19, 2018, 01:58:35 am »
Hello guys. How can one install the Snort 3.0 package in pfSense, as it is available for pfSense on the Snort website?

It's not available in the package repository, so I'm thinking it's either a manual install somehow or it can't be done for the time being.

BTW, I'm new to IDS. Should I go with Snort or Suricata? I'm also on OpenVPN with AES-128-GCM, so I'm not sure how HARD I should go on the IDS side and what to do on the VPN (OPT1) interface.

IDS/IPS / Re: Taming the beasts... aka suricata blueprint
« on: March 19, 2018, 12:55:15 am »
Thank you for this great guide. A question, though: if one is on OpenVPN, how does that change this configuration? Would the VPN provider's interface be treated as WAN, or would one just set the same rules on the VPN interface?

How is the security affected by using OpenVPN, as related to this topic?

IDS/IPS / Re: Suricata Really Annoying, Blocking Everything
« on: March 18, 2018, 04:35:12 pm »
BTW guys, I'm now on VPN with AES-128-GCM encrypted traffic. Are these rules still necessary even when using VPN encryption, and therefore on the VPN interface?

So far I set @raffi's rules with blocking enabled on the WAN interface only, no LAN and no VPN interface at all. Any advice?

I tried the LAN and VPN interfaces and Suricata dropped my VPN connection, lol. Granted, I'm just getting familiar with IDS, so for now I disabled blocking and am listening only on the LAN and OPT1 interfaces.

I recently had my PayPal, Amazon and eBay accounts hacked, hence me setting up a pfSense firewall and VPN encryption. Then my Coinmama account got hacked as well.

This was really annoying and was done with malice. It showed Russian names on the PayPal charge, but I'm pretty sure the NSA did this. I'm also not sure wtf they want from me. I'm just some unimportant dude.

IDS/IPS / Re: Suricata Really Annoying, Blocking Everything
« on: March 18, 2018, 04:19:01 pm »
I had similar issues when I first started using the IPS. As others stated, don't enable all categories. mind12's list seems like a good starting point for a dropsid.config file. I could be wrong, but I thought the categories in the dropsid file had to be separated with commas. I found a similar list which I copied from these forums. Also, under the WAN Categories I have the Snort IPS Policy Selection set to Balanced with the IPS Policy Mode set to Policy. Based on my understanding, doing this will set certain Snort rules to drop automatically, so the Snort rules don't have to be specified in a dropsid file if you go that route.

All of the above statements by @Raffi are correct. The best starting point for a complete newbie to an IDS/IPS is to use the Snort rules and set the CATEGORIES tab to "IPS Policy Connectivity" and the Policy Mode to "Policy". This will set up a good starter rule set with expert-recommended rules set to DROP and some others set to just ALERT. Later, if you want to, you can up the Policy to "Balanced" to get a bit more security, but with the possibility of a few false positives now and then.

Bill, guys, under the WAN interface's WAN Categories and/or WAN Rules I don't see any option to set Categories to IPS Policy Connectivity. Am I looking in the wrong tab?

OpenVPN / Re: OpenVPN speed vs hardware
« on: March 12, 2018, 01:04:51 am »
Crypto-Dev by itself also did nothing. I only got it to work when both were turned on.

That's interesting. I now only have Crypto Dev on both sides and it boosts 20%, so I can get 120Mbps on the N3150 and the median is about 115-117Mbps, but when I switch to only AES-NI it goes down by 20% to the baseline, which is about 100Mbps, which is what you see in the screenshot above. I tried every possible combination and that's what I'm getting. At least I'm happy Cryptodev is working and boosting a bit, 20%.

Maybe if AES-NI worked it would boost much more. I dunno what the expectation of hardware-based acceleration should be. I just reported what my testing yielded. I am happy with pfSense, but it seems the AES-NI module is not working and it looks like Crypto Dev is the FreeBSD solution to it, for now maybe. Maybe in 2.5 this will change when they focus on it. I can't wait if so.

I am, however, disappointed I purchased the N3150. I didn't do enough research then. The fact is that I owned an Asus 87U also purchased for encryption. It is now exclusively an AP. I guess, as they say, you learn from your own mistakes. I've learned. Thanks for posting your results. :)

OpenVPN / Re: OpenVPN speed vs hardware
« on: March 12, 2018, 12:49:32 am »
How much did your speed improve after those settings?

I have an N3150 and you're getting the same speed with hardware as people tested, so it makes me think it's the tweaks that make the speed increase. Thoughts?

Here is the big question: does your 7350K have AES-NI and is it enabled? Is this a PC with a PSU or a NUC?

It doesn't matter actually; I'm just trying to prove to myself that AES-NI doesn't work currently and it's all about CPU cycles. PERIOD.

If it doesn't have it, it proves the CPU did it by itself. If you have it and it's enabled, it still shows AES-NI does nothing, as double the CPU cycles did this job. This is sad.

AES-NI does work in pfSense. It is just really buggy. I have it turned on for the server but not for the individual VPNs and, for some reason, that is what makes it work. If I turn it on for the VPNs themselves then it stops working. Also, you have to have AES-NI and Crypto Dev both turned on for it to work at all (if I remember correctly).

I run pfSense on a quad-core Atom E3950 1.6GHz (burst to 2.0GHz), 2MB L2 cache, AES-NI, 8GB DDR3L RAM and a 64GB mSATA SSD.
I have a FIOS 150/150 internet plan, and I max out my connection using OpenVPN + AES-128-CBC on PIA VPN. CPU usage is around 20% during speed tests.

OpenVPN is a single-threaded process. The peak OpenVPN could ever take on a quad core is 25%. You can go slightly higher when you add pfSense processes being run on other cores.

Based on what you said, cryptodev is doing the boost, not AES-NI. Enable AES-NI in the OpenVPN client only and under the advanced networking settings and you will see it makes ZERO difference. When you do that for Crypto Dev on the client and in the advanced settings without AES-NI, it boosts 10%, so Crypto Dev works but AES-NI DOES NOT. I use it as a client, so I have no use for it as a server unless somehow I can set up multiple instances of connections to my VPN provider. I asked a question about how to set that up, but so far no answer on how to do this.
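One way to test the claim that AES-NI "does nothing", as an added example that is not from the thread: time OpenSSL's own AES-128-GCM with the instruction available and with it masked off through OPENSSL_ia32cap. If the gap here is large while the OpenVPN figure stays flat, the limit is OpenVPN's single-threaded per-packet work, not the cipher. Assumes an x86 OpenSSL 1.1 or newer (for `-seconds` and the ia32cap mask); the function names are mine.

```shell
#!/bin/sh
# Added example: compare raw AES-128-GCM throughput in OpenSSL with AES-NI
# usable and with it masked off, independent of OpenVPN's packet path.

# Convert an `openssl speed` figure such as "125000.00k" (thousands of
# bytes per second) into whole Mbit/s.
k_to_mbps() {
  awk -v v="$1" 'BEGIN { sub(/k$/, "", v); printf "%d\n", v * 8 / 1000 }'
}

# Run `openssl speed` for one EVP cipher and return the 16 KiB-block
# figure in Mbit/s. With $2 = "off", OPENSSL_ia32cap masks CPUID bit 57
# (AES-NI) and bit 33 (PCLMULQDQ), forcing OpenSSL onto its software
# AES and GHASH code. Row names differ in case between OpenSSL versions,
# so the match is case-insensitive.
aes_gcm_mbps() {
  cipher="$1"; mode="$2"
  if [ "$mode" = "off" ]; then
    raw=$(OPENSSL_ia32cap="~0x200000200000000" \
          openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null |
          awk -v c="$cipher" 'tolower($1) == tolower(c) { print $NF }')
  else
    raw=$(openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null |
          awk -v c="$cipher" 'tolower($1) == tolower(c) { print $NF }')
  fi
  [ -n "$raw" ] || { echo "no speed result for $cipher" >&2; return 1; }
  k_to_mbps "$raw"
}

# Stand-alone run; skipped quietly where openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  on=$(aes_gcm_mbps aes-128-gcm on)
  off=$(aes_gcm_mbps aes-128-gcm off)
  echo "AES-128-GCM, AES-NI on : ${on} Mbit/s"
  echo "AES-128-GCM, AES-NI off: ${off} Mbit/s"
fi
```

A ratio of several times between the two rows means the CPU and OpenSSL are using AES-NI; a VPN that then tops out at the same 120Mbps either way is CPU-bound elsewhere.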

Feedback / Re: Tapatalk
« on: March 11, 2018, 05:23:55 pm »
Any update on the Tapatalk addition? Can't find this forum in search.

Thanks, bud, for the feedback. Question: how does one establish multiple connections on VPN? I believe the VPN provider will only allow one connection per username, so I'm fuzzy on how this could be set up. I'm sure they wouldn't like that at all. Sorry, I'm still a newbie to this.

BTW, yes, I agree. I have decided upon an i5, as Celeron sucks and so does Atom, looking at the single-thread rating on the cpubenchmark website. The i7 has a very incremental gain over the i5, but it costs $100 more, so it's not worth it.

i3 performance is too diminished and closer to Celeron, so I passed on that one as well. What I did was look up the single-thread performance of all those processors on cpubenchmark; as OpenVPN is a single-thread operation, I chose the best one for the money, which turned out to be the i5. I passed on AMD as well, as I saw a few threads with issues with AMD and AES-NI instructions. I don't wanna deal with that, although I have an AMD APU in my PC and I love it. I've never had an issue with it, but for a firewall I would stick with Intel. My thought on Intel was and still is that it is a very overpriced CPU. AMD kicks ass for the money.

There is an interesting CPU for a firewall, the i5-6200U, with the same performance as the i7-4500U, but no one makes this yet with dual NICs.

However, I found an i5 that is slightly worse than that one, but only slightly. I wish there was a way to make OpenVPN multi-threaded; then performance would really shine. It seems like I should be able to get 300Mbps on OpenVPN with an i5. My ISP internet connection is 180Mbps, so as long as I can get that it would suffice, but since I'm again spending a few hundred bucks I would like to future-proof it a bit and would like more. In a few years this box will again be obsolete, as the internet connection will probably double, and in circles we go. LOL. I laugh at those people that say use a Pentium 4 for your pfSense router and it will rock. Haha. NOT with OpenVPN it won't. It sounds like the best option would be to build a 4.0GHz AMD APU monster. I wouldn't mind that. That would probably process 600Mbps over OpenVPN. Some of the AMDs are low power consumption. Maybe that's another option for future-proofing a bit in mini-ITX form. Thoughts?

There has yet to be built a box that is sufficient for pfSense over OpenVPN. I'm thirsty for bandwidth. lol

Value vs performance

Single Thread performance for OpenVPN performance

Guys, I think I found a good solution for OpenVPN throughput. Check it out and let me know if anyone tested any of those CPUs. I'm targeting 300Mbps or more on OpenVPN. For $300 I would like to future-proof it a bit, as I got burned with the Zotac N3510 box that can't do more than 120Mbps on OpenVPN. I am also attaching the original 2-year-old throughput thread for reference.

The ones that look interesting are the CAPA500 & CAPA312 with N3350, with the CAPA500 obviously slaying it. I can't find the pricing for it, though. Let me know if anyone tested some of those processors' throughput.
I have attached a few other sources that seem interesting. If anyone has any other hardware suggestions, please post some links. Thank you.

Hardware / Re: Asus N3050I-C for OpenVPN (100MBIT WAN)
« on: March 08, 2018, 04:19:45 pm »
What settings are you using?

AES-NI will be accelerating almost every setting to some extent. To test its effects accurately you will need to enable/disable it in the BIOS, though.

The Turbo mode is shown as 1601MHz vs 1600MHz for non-turbo.

Steve, thanks for the feedback. AES-NI is enabled, as you can clearly see in the screenshot of pfSense that it says it's active, so yes, it's active in the BIOS and should work. Turbo I enabled last night in the BIOS, but that will never take effect, as one would have to max out the CPU to 100% for turbo to kick in. My CPU maxes out at 50% in pfSense during encryption testing, so it will never get there. But to your point, it shows in pfSense as 1601, so turbo is enabled as well. Look.

I have chosen FreeBSD hardware acceleration in both the VPN client and under Networking in the advanced options, which boosted my throughput by 10Mbps, but I max out at 120Mbps now. It won't do more. It's all about CPU cycles from what I see. I commented on this more here. Let me know your thoughts if you want. I think the CPU clock rate needs to be 3GHz for an ideal setup. Those AMD APU A10 7800K are 4.0GHz and are cheap enough, but how to choose a motherboard with 2 NICs, ideally Intel ones, in mini-ITX form? I have 2 1Gb Realtek ones and have no problem at all with them in pfSense, like some suggest they do. They do their job.

This thread is also right on the money, but it's 2 years old now, so not ideal hardware anymore. That last Celeron is cheap, but I can't seem to find a NUC or motherboard in ITX form for it. I think the ideal would be an AMD A10 APU: low power and high clock rate, but I'm not sure about a mini-ITX motherboard with 2 NICs and what case, etc. Then again, that AMD doesn't have AES-NI, so when pfSense 2.5 comes out it will become obsolete without those instructions. So scratch AMD without AES-NI too. This is a quest.

OpenVPN / Re: OpenVPN speed vs hardware
« on: March 08, 2018, 03:39:58 pm »
Let's see the screenshot. I was able to improve my speed last night by enabling FreeBSD hardware acceleration in the OpenVPN client and in the advanced options under Networking instead of AES-NI, so now I get 115-120Mbps, which is better, with 50% CPU usage. So I gained 10Mbps, but that's where the rubber meets the road. No more. The AES-NI doesn't work, or it works so slightly that one cannot notice its effect.

Based on what I see, CPU cycles do 95% of the work and AES-NI is useless. If I had learned that here on the forum I would have chosen a different solution with more CPU power, as I need at minimum 200Mbps and the ideal would be 300Mbps, so probably a newer processor with a 2.5GHz-3GHz clock rate. I think this thread below is right as far as Mbps goes, as I matched the N3150 performance in real testing on OpenVPN.

If anyone has any suggestions on newer mobile processors with lower power consumption, please let me know. I see this thread is 2 years old already. I found a NUC on AliExpress with a 4500 i7 CPU, but it's $300 with shipping. Not bad, but too much for a 2-year-old processor that is somewhat old already. I should have done this in the first place. Ideally I would like to have a NUC that can max out a 1Gbps connection on OpenVPN, but that's a pipe dream, I think, at this point. It would have to be some 4.5GHz monster with 100-watt power consumption. So FreeBSD hardware acceleration works, AES-NI doesn't, and it assists like 5-10%. Nothing significant. Those speeds in that thread below are right on the money, I think.

I'm learning a lot by tweaking here and there in pfSense. Now when I'm looking at a consumer router I think it's a toy. I converted my Asus 87U into an access point and LAN switch. That thing maxed out at 45Mbps with a 1.0GHz processor. One can again see the correlation with CPU cycles here, and it being an ARM processor doesn't help either. It seems a newer CPU with a lower clock would do better than an older CPU with the same clock rate. I would also NOT do ARM with AES-NI. I think it won't do well. Look at the performance of Atoms and Celerons. I would expect similar performance out of ARM. I think the CPU needs to be power-PC grade, and it seems the i7, i5 and some newer AMD APUs fit the bill. AMD APU A10s are cheap and clock rates are 4GHz, so that would be ideal, but then what motherboard? How to get 2 NICs? All this is an obstacle.

Hardware / Re: Asus N3050I-C for OpenVPN (100MBIT WAN)
« on: March 08, 2018, 02:37:23 am »
I just signed up with a VPN and did my own testing and compared to this guy here. AES-NI does not work at all. It offers ZERO assist. Not one Mbps.

I've proven it here. I have doubled my CPU power over my Asus 87U and it doubled my speed, but look at this other guy's results.

OpenVPN / Re: VPN client setup advise
« on: March 08, 2018, 01:20:45 am »
I bought a 4x NIC AES-NI mini PC with pfSense to replace my home router.
The main reason I want to replace my home router is to set up an OpenVPN client (ExpressVPN). Is it possible to select the IPs which will be using the VPN tunnel? Or is it only possible to exclude the ones not using the VPN tunnel?

ExpressVPN will leak your DNS. You cannot set up pfSense with their DNS servers. I inquired with them. You will have to point to a 3rd-party open DNS server, which will cause you to leak DNS.

