
Messages - pfBasic

Feedback / Re: thank button missing?
« on: August 19, 2017, 06:49:55 pm »
I've tried to thank jimp specifically many times and run into the same issue!

Hardware / Re: New Build
« on: August 19, 2017, 05:52:50 pm »
there are definitely fringe cases where server hardware would be desirable in a home - but they are for sure fringe cases.

That Denverton Atom really doesn't offer much over a modern SoC Celeron/Pentium for most home users looking in that market segment (low power fanless SoC).
But it does cost a lot more (over 4 times as much for quad NIC setups).

In your case, you needed some specific features it has - that most people definitely don't need at home.

though if you can afford it and the server hardware has features you want then imho you should go server.

Many people on here have this general opinion on hardware selection - and it is valid in the professional sector. Unfortunately it often gets spread into the home sector where it has no place.

I would rephrase that for home use:
though if you can afford it and the server hardware has features you want absolutely must have and cannot get in the commercial market imho you should go server.

For the 99% server hardware offers little to nothing they will actually use (or often even notice), yet it costs dramatically more.

Hardware / Re: New Build
« on: August 19, 2017, 02:49:57 pm »
For that kind of IDS/IPS you'll have no problems at all performance wise.

I will, however keep using the VPN -- client and server, plus pfBlocker or similar parental controls, firewall and HAVP.

It will push triple your current bandwidth over OpenVPN, significantly more over ipsec. HAVP can have some pretty noticeable performance impacts on your network even if it isn't taxing your CPU. I tried it out with my old i5-2400 setup and could tell a difference whether it was on or off even though the CPU wasn't even kind of working hard. It also just isn't very useful - but use it if you want it!

DO NOT waste your money on ECC RAM for a home network - just totally no reason at all for that crap. If you are running a business, sure throw it in there so you can tell your boss you did - it still won't matter for a small network.

There are no additional requirements to use ZFS. There is also nothing about ZFS that makes it need ECC RAM any more than other FS. The FreeNAS extremists make ZFS essentially sound like a huge liability the way they chant the ECC mantra  ::), even the creator of ZFS has debunked that myth.  I currently have it installed in raidz2 on 4 cheap flash drives with no issues for months, but I wouldn't use flash drives unless you have plenty of RAM for a RAM Disk (my system came with 8GB that I don't need). You can check out the link in my signature if you're interested in a ZFS install.

Regarding server/ECC hardware: it's not really a requirement but rather something that you should probably always do,

I'm pretty sure this statement was directed towards a FreeNAS setup? Because previously you stated the opposite.

server/ECC is neither required nor recommended for home use pfSense if you like your money.

Hardware / Re: New Build
« on: August 19, 2017, 01:36:28 am »
Anytime! It's a great part, I recommend it often. It's great for sub 100Mbps + significant package usage & also for gigabit with light package usage.

It's cheap, no moving parts and takes standard PCIe quad Gb NICs.

I use one for an HTPC (Apollo Lake has HEVC decoding) and it runs High Bitrate 4K 10bit HEVC with no issues. I personally tested it using Suricata with a moderate ruleset and piping all traffic over OpenVPN AES-128 + pfBlockerNG and it maxed out at ~65Mbps with no tweaking, IDS/IPS was the limiting factor. ~300Mbps is the peak with just OpenVPN, no IDS/IPS.

For your described use case it will serve you well for years.

If you don't already have a PSU it's best paired with a picoPSU -
If you do already have one use that.

It will take the SO-DIMM RAM you already have. You will probably run into issues using IDS/IPS on 1GB RAM unless you are using very light rulesets (which is honestly probably best for home use - IDS/IPS is honestly total overkill for home networks).

Hardware / Re: New setup - will this setup work
« on: August 19, 2017, 01:21:48 am »
nice! Be careful with those girls, Fly safe!

Hardware / Re: New setup - will this setup work
« on: August 18, 2017, 11:32:30 pm »
No worries man, are you a pilot or is it just a username?

Hardware / Re: Pfsense Hardware for a Newbie
« on: August 18, 2017, 07:44:30 pm »
I don't anticipate any of those components failing anytime soon. Nothing moves or gets particularly hot. If you have to replace anything it will probably be from a bad component that will fail in the first few months and that's a crapshoot.

Just keep a thumbdrive loaded with the installer of the same basic version (i.e., 2.4.x, 2.3.x) of pfSense that you use and keep your config.xml's saved somewhere and you should be fine for many many years to come.

Old desktop workstations often work for well over a decade and they have moving parts, deal with on/off cycles, etc. Your box will likely last at least that long and probably longer.
The first thing to go will probably be capacitors, and you could even replace those for a few bucks and keep marching on if you wanted.

Firewalling / Re: Block Steam traffic on schedule? possible?
« on: August 18, 2017, 07:35:18 pm »
See my PM, bottom line - blocking Steam on a box isn't a really great way to stop your teen from playing video games, saying "no" is probably better... but it can be done.

the UDP session will not clear on the scheduled PASS rule above my block rule.

Reset the states - cron will do this on a schedule if you tell it to.

If your scheduled rule starts passing @ 11:30AM every day then:

    31 11 * * * root pfctl -F state

Now all those blocked states are reset right after you start allowing them again. If the inverse problem arises (passed sessions during hours of blocking) then just write another cron job to flush the states right after you stop passing traffic.
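
The two cron jobs described in the post above (one flush right after the rule starts passing, one right after it stops), as an added example that is not part of the original post. The function names `flush_line` and `schedule_lines` and the 21:00 stop time are assumptions for illustration; note that `pfctl -F state` clears the whole state table, so every open connection through the firewall is reset at those times, not only the scheduled ones.

```shell
#!/bin/sh
# Added example (not from the original post): build system-crontab lines that
# flush pf states one minute after each boundary of a daily scheduled rule.

# flush_line HH:MM -> prints a crontab line that fires one minute later.
# Handles the minute roll-over (xx:59) and the midnight roll-over (23:59).
flush_line() {
    case "$1" in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) echo "bad time: $1" >&2; return 1 ;;
    esac
    h=${1%%:*}
    m=${1##*:}
    # Strip one leading zero so $(( )) does not read 08/09 as octal.
    h=${h#0}
    m=${m#0}
    if [ "$h" -gt 23 ]; then
        echo "bad hour: $1" >&2
        return 1
    fi
    m=$((m + 1))
    if [ "$m" -eq 60 ]; then
        m=0
        h=$(( (h + 1) % 24 ))
    fi
    # Same format as the post's line: minute hour dom month dow user command.
    printf '%d %d * * * root pfctl -F state\n' "$m" "$h"
}

# schedule_lines START STOP -> one flush line per schedule boundary.
schedule_lines() {
    flush_line "$1" && flush_line "$2"
}

# Constructed sample: pass rule active 11:30 to 21:00 every day.
schedule_lines 11:30 21:00
```
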

Hardware / Re: New setup - will this setup work
« on: August 18, 2017, 06:45:09 pm »
if this is the hardware you already own then yes it will do the job.

if you are considering purchasing this hardware to do the job you described then don't.

it's way overkill and terribly inefficient, not to mention will cost you too much money.

Build a system based around a J3355B - it's $55 for the SoC (motherboard + CPU), has a slot for your dual NIC card - however, if the switches you have support VLAN's and you're comfortable using them then you can meet your needs with a single NIC. Up to you.
It is also totally fanless - paired with a cheap SSD & picoPSU you will have a system with no moving parts for very cheap = low power usage, no sound & high reliability.

That's a very low power system that is pfSense 2.5 compatible and will easily exceed your needs.
$135 + case if you don't already have one.
Correction, you already have a HDD so $111 + case.

Hardware / Re: New Build
« on: August 18, 2017, 06:29:02 pm »

Hardware / Re: First pfsense build - 400/40 Mbps cable connection
« on: August 18, 2017, 06:27:36 pm »

Firewalling / Re: Block Steam traffic on schedule? possible?
« on: August 18, 2017, 04:39:17 pm »
What you want to do in this situation is - stop paying for "professional counseling" to get your kid to stop playing video games all the time.

Then you want to sell the kid's Xbox/PS4/Wii/Alienware/GameBoy/etc. that you probably bought for him in the first place on Craigslist.

Next you're going to take all that money you recouped/saved and buy this book
Alternatively, you can just send all that money to my PayPal account in return for my "professional counsel"  ;D.

Finally, (most important step) you're going to want to inform your child about the "outdoors" and "non-virtual reality", additionally there are "friends" one can make IRL instead of on IRC. As a side note - maybe provide a pair of sunnies, the sun is bright.

Now if you don't have the time or inclination for all that "raising your child" hassle, you can just block the ports on this webpage which is incidentally a top google hit for "block steam download".


Hardware / Re: 1gb+ CPU requirement?
« on: August 15, 2017, 02:00:34 am »
How much $ are you looking to spend?

Exactly which packages will you be using and how?

Any constraints on hardware? (i.e., socket type of board you're using, parts you want to reuse, etc.)

How are you receiving gigabit; fiber, ethernet?

What kind of traffic are you thinking those <150 clients will be putting through? Will they all be gasping for as much bandwidth as they can suck down simultaneously throughout the network or just web based traffic throughout the day?

Provide as much painful detail as possible in the clearest format possible to get a detailed answer for your use case.

The answer to your question could range from a Pentium to an i5 or even more in some scenarios.

Hardware / Re: PSU
« on: August 14, 2017, 03:33:54 pm »
This is basically the ideal application picoPSU is designed for.

Hardware / Re: PSU
« on: August 14, 2017, 03:32:48 pm »
Yeah check out the link, the Pico PSU works for 110/240 at the wall and the connector is ATX.

Your system won't get even close to 60W.

You'll run at probably sub 20W even at high usage on that system.

PSU calculators are usually meant for gaming computers with a bunch of high end components that get really hot and draw a lot of power while spinning up a whole bunch of large high speed fans at the same time.

Your system has 0 moving parts to include no fans with a picoPSU.

I use that picoPSU on my J3355B HTPC with ssd and I forget the exact power usage from the wall but it's sub 20W. I don't think the usage changes by even 1W between idle and load playing 4k HEVC content.
