
Messages - kpa

NAT / Re: Address pools for NAT: What happens when the pool runs out
« on: December 13, 2017, 08:16:57 am »
The standard outbound NAT in pfSense is not a 1:1 mapping; multiple LAN clients will be using the same external address, rotated in round-robin fashion if multiple external addresses are available. There is no such thing as a pool running out of addresses.

The default logging is only there for you to take note of the amount of noise there is among regular TCP/IP traffic and then turn it off and write your own rules for more precise logging. PfSense is slightly different compared to other firewall distributions that by default hide that noise to put the user's mind at ease.

Installation and Upgrades / Re: Pfsense 2.4.2
« on: December 11, 2017, 10:02:29 am »
It should be on by default but you can check yourself after installation.

Depending on the filesystem used:

UFS - run this on the command prompt:

    tunefs -p /dev/ufsid/<identifier>

Where <identifier> is the UFSID for the root filesystem; you can get that from /etc/fstab, from the line that has "/" as the mountpoint (second column).

ZFS - run this:

    sysctl vfs.zfs.trim.enabled

If it reports a value of 1 then your system is using TRIM.
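The two checks above, scripted as an added example (this is not kpa's code): one helper pulls the root device out of /etc/fstab text so it can be handed to tunefs -p, a second reads the "trim: (-t)" line from tunefs -p output, and a third interprets the vfs.zfs.trim.enabled sysctl. The fstab, tunefs and sysctl outputs below are constructed samples; the UFSID is a made-up value.

```shell
#!/bin/sh
# Return the device mounted on "/" from fstab text ($1). Comment lines and
# blank lines are skipped; the mountpoint is the second column.
root_device_from_fstab() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 2 && $2 == "/" { print $1; exit }'
}

# Report "enabled"/"disabled" from `tunefs -p <device>` output ($1).
# tunefs prints one "tunefs: <feature>: (<flag>) <state>" line per feature.
ufs_trim_state() {
    printf '%s\n' "$1" | awk '/trim: \(-t\)/ { print $NF; found = 1 }
        END { if (!found) print "unknown" }'
}

# Report "enabled"/"disabled" from `sysctl vfs.zfs.trim.enabled` output ($1).
zfs_trim_state() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "vfs.zfs.trim.enabled" {
            print ($2 == 1 ? "enabled" : "disabled"); found = 1 }
        END { if (!found) print "unknown" }'
}

# Constructed sample data standing in for the live command output.
SAMPLE_FSTAB='# Device                       Mountpoint  FStype  Options  Dump  Pass#
/dev/ufsid/5a2f1c3d9e8b7a65    /           ufs     rw       1     1
/dev/ada0p3                    none        swap    sw       0     0'

SAMPLE_TUNEFS='tunefs: soft updates: (-n)                                 enabled
tunefs: soft update journaling: (-j)                       enabled
tunefs: trim: (-t)                                         enabled'

SAMPLE_SYSCTL='vfs.zfs.trim.enabled: 1'

# On a real pfSense box you would feed the helpers live output instead, e.g.:
#   ufs_trim_state "$(tunefs -p "$(root_device_from_fstab "$(cat /etc/fstab)")")"
#   zfs_trim_state "$(sysctl vfs.zfs.trim.enabled)"
echo "root device: $(root_device_from_fstab "$SAMPLE_FSTAB")"
echo "UFS TRIM:    $(ufs_trim_state "$SAMPLE_TUNEFS")"
echo "ZFS TRIM:    $(zfs_trim_state "$SAMPLE_SYSCTL")"
```

Which of the two checks applies depends on the filesystem the installer put on the disk; only one of them will return a meaningful answer on a given system.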

PfSense was never intended to be used like a switch and most likely you'll never see the kind of features you see in managed switches in it, such as PVID; those belong squarely to managed switches. Separation of concerns.

Do note that traffic originating from the pfSense system itself will always use the default gateway. It's not possible to redirect locally originating traffic to a specific WAN connection or to a gateway group in pfSense/FreeBSD.

Hardware / Re: software RAID1 for OS, necessary?
« on: December 04, 2017, 08:40:24 pm »
Do not use the provided BIOS RAID configurator or any of the provided utilities for it. Instead use a ZFS mirror as suggested; ZFS does poorly if it doesn't have direct access to the disks used. In fact a configuration where ZFS is used on top of a software pseudo-RAID defeats most of the advantages ZFS offers.

Installation and Upgrades / Re: Why isn't there a nanoBSD for 2.4.1/2.4.2?
« on: November 30, 2017, 10:39:29 am »
NanoBSD has outlived its usefulness and it was becoming a maintenance hurdle for the development team. Smaller SSDs are cheap and reliable enough now to be used in place of the old style flash media, and there are other solutions like eMMC flash where NanoBSD is not needed for reliability.

Just use the full version on your SSD, pfSense will turn on TRIM automatically and on top of that if you don't fill the disk completely you'll never run into problems with write cycles on your SSD.

Hardware / Re: PF Sense 2.4 with Asrock J3455-ITX
« on: November 30, 2017, 07:36:39 am »
You can leave the entry in /boot/loader.conf.local, the update/upgrade procedure won't touch the file in any way.

DHCP and DNS / Re: pfSense not using right DNS servers
« on: November 30, 2017, 07:15:10 am »
You might as well drop the secondary forwarder and use only to avoid a situation where is not responding and the forwarder (unbound in forwarding mode) then tries the insecure secondary. There is absolutely no requirement to have two forwarders configured; one is just fine.

NAT / Re: quick NAT question
« on: November 24, 2017, 08:06:30 am »
PfSense by default doesn't know what the upstream end of the tunnel is doing with regards to routing. There is no routing protocol in existence (well, at least with VPN solutions) that would tell pfSense that the upstream is actually forwarding traffic for your LAN network back over the VPN link to have two-way routing between the ends of the VPN tunnel. Such routing scenarios are always set up explicitly in coordination with both parties.

Installation and Upgrades / Re: CF FS ?
« on: November 22, 2017, 07:59:33 am »
It's normal that you don't see the card anymore in Windows after writing the pfSense install image on it. MS Windows has no clue about the BSD partitioning scheme or the UFS filesystem used.

Firewalling / Re: Host alias with same ip in firewall rules
« on: November 17, 2017, 09:13:48 am »
For HTTP(S) you usually use a reverse proxy for such redirection, for other protocols such proxies may not be available. The key is that the proxy can identify the destination based on the application payload (in case of HTTP the destination FQDN in the HTTP headers) and decide which destination address the traffic should be sent to.

What the hell do you need a separate ZIL device *) for on a firewall system? It makes sense on a very busy file server, but a firewall system is mostly just idling on the disk I/O side.

*) The ZIL log is "ZFS intent log", used only for guaranteeing integrity and atomicity of synchronous writes on ZFS in case the system crashes.

Installation and Upgrades / Re: No ZFS pool located error - intermittent
« on: November 10, 2017, 06:45:57 am »
Boot from the install media and drop to a shell when offered the option, then do:

    dmesg | grep aac

The controller should be supported by the aac(4) driver, but if there are driver initialization problems you'll only see them in the dmesg output.

Installation and Upgrades / Re: No ZFS pool located error - intermittent
« on: November 09, 2017, 07:39:42 am »
If you have a real hardware RAID card and you must define some sort of array in order for the OS (FreeBSD) to see the disk(s), you can define the array(s) as single-disk RAID0 array(s). The best option is of course a disk controller (be it RAID or not) that just does the basic I/O and offers the raw disks to the operating system as they are.
