
Messages - bimmerdriver

IDS/IPS / Re: Snort OpenAppID RULES Detectors fail to download
« on: February 05, 2018, 07:44:45 pm »
The system that is having the MD5 errors is running version 2.4.2. The system that is working properly is running the latest 2.4.3 snapshot. Is it possible a difference between the respective snort packages is the reason for the difference?

There was an update to the Snort GUI a month or two back that updated the URL used for downloading the OpenAppID rules package.  Perhaps your older version is trying the older URL?

The current Snort GUI package version is

I updated the package and the problem is fixed. Thank you very much.

IDS/IPS / Re: Snort OpenAppID RULES Detectors fail to download
« on: February 04, 2018, 04:40:36 pm »
The system that is having the MD5 errors is running version 2.4.2. The system that is working properly is running the latest 2.4.3 snapshot. Is it possible a difference between the respective snort packages is the reason for the difference?

IDS/IPS / Re: Snort OpenAppID RULES Detectors fail to download
« on: February 04, 2018, 11:59:16 am »
Further to the previous post, in one of my systems, OpenAppID RULES Detectors updated on its own this morning. The other system is still stuck at December 8th, 2017, reporting the same MD5 error as above. Is there a fix for this?

IDS/IPS / Re: Snort OpenAppID RULES Detectors fail to download
« on: February 03, 2018, 11:01:35 pm »
I have two pfsense systems with this rule set installed. On one of the systems, the rules are fine. I can force update and they update properly. On the other system, which is connected to the same edge router, the date of the rule set is december 8th, 2017 and it will not update. I've tried force update a few times and it made no difference. Any suggestions?

IPv6 / Re: DHCP6 will not pull IPv6 address on WAN Interface
« on: January 31, 2018, 07:17:55 pm »
Do you know what settings your ISP requires? The edge router may not even provide an IP address for the WAN. You must request a prefix size that is supported. The edge router may only support one size. It may require you to only request a prefix, not a prefix and an address. If your router isn't asking for a supported configuration, nothing will be delegated.

If you have a windows hyper-v server that you can run pfsense on, you should do that rather than use a desktop. I'm using a hyper-v server with multiple guests and it has been a stable configuration. I have two pfsense guests. One is for my physical LAN and one is completely virtual.

General Questions / Re: Intel CPUs Massive Security Flaw issue
« on: January 06, 2018, 05:06:53 pm »
AMD's performance is so far behind that even 30% slower, Intel is still faster, and I suspect they have their own issues.

From what I have read, AMD's latest Threadripper CPUs are giving Intel a run for their money, and they're cheaper. As for issues, unless you have something concrete then you can't really make that claim. I've seen others saying the same thing on other tech forums, that this Intel bug is bad but AMD might maybe perhaps possibly have something as bad or worse. It's pure FUD.

Sorry to disagree

Threadripper does nearly half the work per clock cycle of an Intel, plus they run much hotter and are less power efficient.
Work per clock cycle is an irrelevant measurement unless you are comparing similar architectures and even then, while it may be interesting, it still doesn't really matter. The relative performance of AMD vs. Intel depends on the workload. (This applies to Ryzen vs. Core as well as Epyc vs. Xeon.)

Anandtech rated the ThreadRipper as the best overall workstation processor, taking both price and performance into account. Here is a reference:

General Discussion / Re: Smartphone poll: which OS and brand?
« on: December 23, 2017, 10:58:07 am »
I'm on new(er) hardware and the latest version of ios and android, so time for an update. (Sorry it's long, but I feel like ranting.) My phones are a new iphone 7 running 11.2.1 (company phone) and a nexus 5x running 8.1 (personal phone, hand me down from my son who bought a oneplus 5).

tldr; Neither the ios nor the android communities should be blowing their horns about their inherent superiority. Both ios and android have pros and cons. Both apple and google have f*cked over their customers on multiple occasions.

Like the iphone 5s, the iphone 7 is a solidly built phone and it feels nice in your hand. At one point, apple was the only company offering a "premium" handset, but they no longer have this advantage. Samsung has caught up and has arguably surpassed apple. (The latest galaxy phones are beautiful. I really miss my previous company galaxy s7.) OnePlus and others have as well. I give apple major credit for pushing ios out quickly even to older phones. Even my iphone 5s had the same version of ios. However, apple deserves a Christmas stocking full of dog sh*t for their latest f*ck up, which is purposely slowing down older phones. F*ck you very much for this, apple. This is exactly the kind of trick that turns so many people away from apple.

I honestly don't know what people think is so great about ios. It does what it does well, but it's rigid and inflexible. It's annoying that I can't configure the layout of the screens in a manner that suits me. ios widgets are a joke compared to android widgets. I also dislike the one-button approach. It doesn't work any better for ios than it does for mac os. Android and windows both benefit from having multiple buttons. I also immensely dislike being forced to use itunes for moving things to and from the phone. Why can't I use USB rather than being forced to install this bloated piece of crap on my pc?

Apple's latest version of the iphone is pretty nice, but it's shockingly expensive for what you get. Also, apple is historically very late to the party with innovations such as minimal bezel, wireless charging, water protection, large displays and long battery life. If Steve Jobs was alive, the iphone would probably still be the size of the 5s. IMO, this is a direct result of the arrogance of apple, deciding what we need and when we should be allowed to have it.

Despite my 5X being a much older phone with less memory and a slow processor, I enjoy using it much more than the iphone. I don't need to keep it, but I don't want to give it up and be stuck on ios. android has come a long way, as have android apps. There was a time when the google play store had far fewer apps, but that hasn't been the case for a long time. I suppose there are apps that are only available on ios, but I haven't encountered anything that affects me personally. Also, there are many things you can do if you root your phone and use apps such as Xposed. As I said, I think android's approach of using three buttons is superior and android is much more open and configurable.

What I don't like about android is the cluster f*ck of fragmentation. Google has done an inexcusably terrible job of working with the OEMs to keep android up to date. Treble is too little, too late. Google is touting it as the solution, but they aren't even using it themselves, except on pixel. It will be years before devices with treble are the majority. The 5X does not support treble. They stopped updating the nexus 5 years ago. Google deserves a truckload of coal on their front lawn for christmas for this.

Google also has done a terrible job of providing hardware support to their nexus owners. The nexus 5 has a defective power button, for which google provided no compensation. The nexus 5x and 6p both have a boot loop problem for which google has done a terrible job of providing support. If you bought a nexus 5x from google Canada, LG Canada refuses to support it because it's an "american" phone. Google deserves the same christmas stocking filled with dog sh*t for this.

The other nice thing about android is that there are multiple options for phones and there are some nice ones, such as the galaxy line, oneplus, lg, etc.

In summary, neither the ios nor the android communities should be blowing their horns about their inherent superiority. Both ios and android have pros and cons. Both apple and google have f*cked over their customers on multiple occasions.

Note, if I offended anyone with my language, sorry, but I find it offensive when megacorporations screw over their customers. If you spend hundreds (and now over a thousand in some cases) for a phone, you rightfully should expect better than this.

General Discussion / Merry Christmas and Happy New Year
« on: December 23, 2017, 10:07:49 am »
Since Christmas is just around the corner, I wanted to wish everyone a safe and enjoyable festive season and a great new year. In particular, best wishes and many thanks for the pfsense developers and those who contribute to pfsense in other ways such as testing and supporting this forum.

All the best, everyone.

Why not try checkpointing the vm, then shut it down and try adding another cpu. If it doesn't work, go back to the checkpoint. You do not need to do anything with integration services.

IPv6 / Re: Split up IPv6 /36 using VLAN
« on: November 26, 2017, 04:36:42 pm »
Everyone here understands powers of two. Just because you think you can squander addresses does not mean you should, particularly when it would take no additional effort to not squander them. As was said, there are no reasons to allocate a /36 when a /56 is far in excess of what most people could ever use.

IPv6 / Re:
« on: November 26, 2017, 12:13:40 pm »
Just to provide an update on this. I did try reporting it to OVH. Their support organization did not reply to my emails so I phoned them. Hard as it is to believe, they told me to try reporting it to their abuse website. They said there might be better response. I did get a response, but as is plain to see, they still have not fixed the problem. I guess the lesson here is if you are looking for a company to host your website, don't use OVH. Their network is broken and their service sucks.

I guess the other lesson is to not bother using, because they apparently don't care about it working enough to select a hosting provider that provides a network that supports ipv6. They also don't reply to email. On the other hand, reliably works and the maintainer even responds to email.

IPv6 / Re: Split up IPv6 /36 using VLAN
« on: November 26, 2017, 11:02:26 am »
Well put Derelict.. Which was the point I was trying to make myself ;)

It's not about the number of addresses in that space, it's the number of prefixes that can be used under it. I just do not see handing a specific site/user a /36 -- makes zero sense. Then take into account they do not even know how to subnet it ;)  And points to typo even more.
My point was not about 64 bits on an individual network, it was about squandering networks. This is the money quote.

IPv6 / Re: Split up IPv6 /36 using VLAN
« on: November 26, 2017, 01:08:49 am »
I don't see anyone giving out a /36 to one site. I take it typo or misunderstanding from a /56. Why would you give such a large network to a site? /48 is the typical site space... ARIN or any RIR would give you as an ISP in your initial space a /32... Why would said ISP give out a 16th of their /32 space to 1 site? Doesn't allow for that many sites. Sure you can get more space, but it doesn't make a lot of sense to give out such big chunks.

So I could give out 65K /48s or 16 /36s ;)  Which do you think you should give out?

Didn't Comcast get a /9, which was a HUGE freaking allocation... Doesn't allow for a lot of customers if you give away such large chunks of your space, even if you had a /9.

While I agree, sure, let's give everyone on the planet a /36... There for sure is plenty to go around, but that is how we ran into trouble with ipv4 - lack of management of the space. A /48 allows for a HUGE network!! 65k /64s; there would be zero reason for a /36 to one site. You might give that to a region of your global network if you had say a /32 to work with.
IMO, it's just stupid giving out a /36 to any single organization. Even a /56 is overkill for end-users. Sure, there are 64 bits of networks, but pissing it away in such massive chunks at this early stage in its adoption is short-sighted.
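As an added worked example (not code from this thread or from pfSense), the prefix arithmetic the posters are arguing about, using Python's standard ipaddress module: how many /48 sites fit in a /36, how many /64 networks fit in a /48, and how a site prefix is carved into one /64 per VLAN. The prefixes and VLAN IDs below are constructed sample input from the 2001:db8::/32 documentation range, and the helper names are this example's own. It also covers a caveat the thread only implies: if you use the VLAN ID itself as the subnet ID, a /56 only has 8 subnet-ID bits, so VLAN IDs above 255 have to be assigned sequentially instead.

```python
import ipaddress


def count_subprefixes(parent, child_len):
    """Number of /child_len networks that fit inside `parent`.

    count_subprefixes("2001:db8::/36", 48) -> 4096 sites
    count_subprefixes("2001:db8::/48", 64) -> 65536 networks
    """
    net = ipaddress.ip_network(parent, strict=True)
    if child_len < net.prefixlen or child_len > net.max_prefixlen:
        raise ValueError(f"/{child_len} is not a sub-prefix length of {net}")
    return 2 ** (child_len - net.prefixlen)


def vlan_prefix(site_prefix, subnet_id):
    """Return the /64 whose subnet-ID field (the bits between the site prefix
    and bit 64) equals `subnet_id`.

    vlan_prefix("2001:db8:abcd::/48", 10) -> 2001:db8:abcd:a::/64
    """
    site = ipaddress.ip_network(site_prefix, strict=True)
    sla_bits = 64 - site.prefixlen          # subnet-ID bits available
    if sla_bits <= 0:
        raise ValueError(f"{site} is not shorter than /64; nothing to split")
    if not 0 <= subnet_id < 2 ** sla_bits:
        raise ValueError(
            f"subnet ID {subnet_id} does not fit in the {sla_bits} "
            f"subnet-ID bits of {site} (max {2 ** sla_bits - 1})")
    base = int(site.network_address)        # host and subnet bits are zero
    return ipaddress.ip_network((base + (subnet_id << 64), 64))


def plan_vlans(site_prefix, vlan_ids, by_id=True):
    """Map each VLAN ID to a /64 under `site_prefix`.

    by_id=True  uses the VLAN ID as the subnet ID (readable: VLAN 10 lives in
                ...:a::/64) but needs enough subnet-ID bits for the largest ID.
    by_id=False numbers the /64s sequentially, which always fits as long as
                there are fewer VLANs than 2**sla_bits.
    """
    plan = {}
    for index, vid in enumerate(vlan_ids):
        plan[vid] = vlan_prefix(site_prefix, vid if by_id else index)
    return plan


if __name__ == "__main__":
    # Constructed sample input: documentation prefixes and a few VLAN IDs.
    print("/48 sites in a /36:", count_subprefixes("2001:db8::/36", 48))
    print("/64s in a /48:     ", count_subprefixes("2001:db8::/48", 64))
    print("/64s in a /56:     ", count_subprefixes("2001:db8:abcd:ef00::/56", 64))

    vlans = [10, 20, 300]
    for vid, net in plan_vlans("2001:db8:abcd::/48", vlans).items():
        print(f"/48 site, VLAN {vid:>4} by ID -> {net}")

    # A /56 has only 8 subnet-ID bits, so VLAN 300 cannot be used as the ID ...
    try:
        plan_vlans("2001:db8:abcd:ef00::/56", vlans)
    except ValueError as exc:
        print("by-ID plan fails on /56:", exc)
    # ... but sequential numbering still works.
    for vid, net in plan_vlans("2001:db8:abcd:ef00::/56", vlans, by_id=False).items():
        print(f"/56 site, VLAN {vid:>4} sequential -> {net}")
```

The subnet-ID shift (`subnet_id << 64`) works because `ipaddress` hands back the network address with all bits below the prefix length cleared, so adding the ID into bits 64..(127-prefixlen) of the 128-bit integer lands it exactly in the field pfSense's "Prefix Delegation ID"/sla-id setting fills.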

Installation and Upgrades / Re: Hyper-V help
« on: November 22, 2017, 09:17:40 pm »

The pc is running Windows Server 2016, sorry I should have mentioned that before. It also meets all the hardware requirements needed for pfsense apart from the dual nics, which is why I've ordered another nic today :)
Okay, that's another matter. I'll explain how I have my system set up and you can see if that makes sense for you.

My system has 3 nics: wan, lan and other. The wan and lan nics are externally connected to the bridged port on the modem and a physical ethernet switch, respectively. Internally, they are connected to virtual switches. The lan switch is set to allow the management operating system to share the lan nic. The wan nic is also set to enable source mirroring so I can connect a virtual pc to the switch running wireshark.

With this configuration, I can have multiple pfsenses connected to the wan switch and I can even have a completely virtual lan and virtual clients. I can also have physical clients on the physical lan switch. I've been using this configuration for several years and it works well.

The "other" nic is connected to a lan port on the modem so I can access the modem GUI from the hyper-v server. (I bumped up the routing metric on this interface so no traffic will exit.)

Feel free to ask more questions if you have any.

Thanks for the info, so from what you've said the wan and lan nics can go to the ethernet ports on my router and I can still let the router handle dhcp and the wan connection? Or do I need to have a physical switch as well in order to do this? Obviously I'll have the wan and lan nics connected to the virtual switches running in hyper-v as well. The new nic is arriving tomorrow so hopefully I'll be able to access the web configurator again at least, which is what I'm struggling to do at the moment even with the existing nic I have, which is set up with pfsense too  :-\
I attached a picture. Maybe it helps. The AP, along with pcs and other devices are on the lan switch.
