Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - arduino

Pages: [1] 2 3 4 5 ... 7
1
General Questions / Security: FQDN alias vs IP alias
« on: December 23, 2015, 05:56:30 pm »
Wondering if FQDN alias provides a higher level of security than IP.

I am using pfSense to query AD for FQDNs for my alias records. I had previously been using IP, but believe this to be a more secure approach.

Am I correct?

2
General Questions / Re: Not Getting any IP from DHCP servers
« on: December 21, 2015, 01:49:37 pm »
How are you checking the MAC address?

Did you perhaps enable MAC spoofing in the interface options?

Your ISP appears to only accept DHCP requests from verified MAC addresses, am I wrong?

3
General Questions / Re: spam filter on pfsense + pfblobkerng
« on: December 20, 2015, 09:10:47 pm »
This is not a primary spam solution, but it does help.

One thing I do that seems to word very well is:

Install pfBlocker and block everything outside the commercially valuable countries (US and Canada for our company)

Put your mail server inbound rule below these pfBlocker rules.

Create a second MX record and install SpamD

Point the MX record to your pfSense box.

This way, mail outside the commercially valuable countries is subject to SpamD rules.

4
L2TP/IPSec VPN is tricky.

1.) Stop using PPTP, please!
2.) Try forwarding AH (protocol 50)

I found that depending on the setup, L2TP takes awhile to start working. Every time I setup a new pfSense box (dozens of times) I have to try a couple of times, wait a few hours, try again... it does eventually work.

I use it now and have been using it for over a year on, as I've said, dozens of pfSense installs.


5
NAT / Re: Nat reflection difference
« on: December 14, 2015, 02:44:34 pm »
^ Split DNS +1

6
General Questions / Re: Running PFSense on my Mac Mini through VirtualBox
« on: December 14, 2015, 02:38:29 pm »
Try and disable TCP Checksum yet? Not sure if that will help but it helped me when using VirtIO.

What are you using for a NAS? FreeNAS perhaps?

7
Packages / Postfix retry rejected emails
« on: December 14, 2015, 12:03:31 pm »
Our company uses pfSense Postfix package as an MSExchange gateway.

Every so often we get a 550 rejected error. I can't remember the last time we were on a blacklist, but it still seems to happen with a couple domains regardless. I've tried sending variations of the emails (removing signatures, images, links etc etc) but still rejected.

Typically, I will just manually switch over the mail server outbound NAT to a different static IP address as a temporary fix but am wondering if it would be possible to do something like this automatically?


8
Hardware / Re: This OK for home network?
« on: December 04, 2015, 10:31:30 pm »
Quote
This is for my home network getting a full 1000 through, and would also like to run a few programs like snort, VPNs and python for sshuttle (great at getting around the GFW when i'm in china)
If you are able to spend more money then your choice ( 690.00) and you might be having luck
to get your hands on this board or complete PC you would be get a strong platform that is capable
to handle 1 GBit/s on the WAN Port and Snort proper together.

Board:
Jetway NF9HG-2930
US $199.95
大約 HK$ 1,549.63

Complete box:
4 Intel GB LAN Ports
US $289.95
大約 HK$ 2,247.13
5 Intel GB LAN Ports
US $319.95
大約 HK$ 2,479.64

- 4 Core Intel Celeron @2,16GHz
- 2 miniPCIe & SIM slot (mSATA, Modem, WiFi)
- 4 or 5 Intel GB LAN Ports
- max. 8 GB RAM

Strong enough to serve you many years with ease, maybe with Squid + SquidGuard & Sarg on top.
Jetway Mainboard JNF9HB-2930 board for ~254 or 1.770 Renminbi (2.100 HK$) have a look at
eBay Hong Kong or elsewhere in Hong Kong.

You sure a N2930 is going to nat a 1Gbit WAN?

9
Hardware / Re: This OK for home network?
« on: December 04, 2015, 03:21:28 am »
Highly doubt the D510 is going to be able to handle 1Gbit/s. WAN only utilizes 1CPU and the single thread performance of this CPU is low.

EDIT:

Looking through the forum, it seems you'll be lucky to get even half the speed you're looking for. Most benchmarks are in the 200Mbit-400Mbit range.

10
Hardware / Re: Mellanox ConnectX-2 VLAN
« on: December 03, 2015, 09:18:58 pm »
Nope, it happens on any VLAN ID.

I never did figure this out either. I remember reading something about changing a few lines of code, but it required I setup another BSD machine to compile and I didn't have the time.

I am about to see if I can find the post now.

11
General Questions / Re: Debian + Shorewall vs pfSense
« on: December 01, 2015, 09:29:55 pm »
Yes I meant gigabit, sorry.

I've done tests with both being baseline installs (no extra rules, besides allowing iperf and other testing software)

Tried six different single/dual and quad port Intel nic's. I've also tried Supermicro, Tyan and Intel server boards but nothing changes, anything above 600Mb/s shows very high CPU.

My G3220 shows 0.4% CPU usage @ 1.4Gb/s and pfSense on the same hardware is 100%. Even pfSense with a 6 core HT E5-2620 can't keep up with the dual core G3220 on my Debian system.

The tests have been done and the consensus I get is I have done something wrong, but this does seem strange.

12
General Questions / Debian + Shorewall vs pfSense
« on: December 01, 2015, 08:36:23 pm »
I know I am likely missing something, but I am wondering why pfSense routing speed is low compared to a my Debian system?

I've tried several different hardware setups and the Debian system always performs better. I am able to route 10GB on my Pentium G3220 Debian system regardless of size of rule set, yet pfSense on the same hardware can't go beyond 1.4GB/s.


13
General Questions / Re: Unlimited certificates for the price of one?
« on: November 24, 2015, 12:16:52 am »
Interesting...

Well, I can assure you that the limit for regenerated certificates is not < 19.

14
General Questions / Unlimited certificates for the price of one?
« on: November 23, 2015, 11:54:00 pm »
I use Namecheap for our company SSL certificates. We have several SAN and wildcard certificates in production right now.

I notice after I have received my completed request, I have the option to reissue my certificates.

This is all fine and well, but what I find interesting is that they do not enforce the original requested name be the same.

An example,

Having only paid for a single ($99) wildcard certificate, I am able to generate wildcard certificates for *.mydomain.com, *.subdomain.mydomain.com and even *.differentdomain.com..so on and so forth.

I am also able to register SAN certificates with completely different SAN entry names (the common name must be the same).

I have been doing this for quite a long time, no one has said anything and they have always worked. Nothing has ever been revoked (besides the expiring certificate, of course) and I have otherwise never had an issue.

Does anyone know if this is the normal way things are done? I have only used cheap vendors for SSL certificates and haven't had the opportunity to view other mechanisms for requests.

15
General Questions / Re: Question regarding features
« on: November 20, 2015, 05:06:10 pm »
Squid would be the easiest way to implement something like this. It should be straight forward.

You'll probably want the Sarg package as well.

Pages: [1] 2 3 4 5 ... 7