2.4 Development Snapshots / Re: OpenVPN 2.4 AES-NI speed
« on: April 08, 2017, 06:50:31 am »
OpenVPN 2.4 adds support for the AES-GCM algorithm, which takes full advantage of the AES-NI hardware acceleration without also requiring the CPU to compute the hash for authentication. Up until OpenVPN 2.4, the only way to use that algorithm with pfSense was IPsec, I believe. That lets you use your CPU for other functions rather than supporting the VPN connection. (Yeah, technically it's all built into the processor, so it's really doing everything anyway, but AES-NI with AES-GCM doesn't affect CPU cycles available for other tasks.)

2.4 Development Snapshots / Re: ZFS on SG-2440
« on: April 07, 2017, 11:59:06 am »
I didn't keep the console output from my attempt... so at the moment, no I can't post it. I'm not wanting to go through reinstalling twice just to get it and then get back online at the moment, so maybe later when I'm feeling experimental again I'll post it, if someone else hasn't already.

There may not be an actual issue with the software here, but since 2.4 is the only version with ZFS, I figured I'd post here rather than the pfSense Hardware forum for now.

Packages / Re: ACME - Google Domains Support
« on: April 06, 2017, 09:26:31 pm »
Google supports Dynamic DNS via a DynDNS standard for doing so, but unfortunately there's no way to specify TXT records with that. I don't believe Google has an API that developers can utilize for allowing outside management of DNS records, aside from those A records (not even AAAA records) that are set up for Dynamic DNS.

2.4 Development Snapshots / ZFS on SG-2440
« on: April 06, 2017, 09:21:24 pm »
So I'm the daring type who took my SG-2440 and put 2.4 on it as soon as I got it home. But I wasn't able to install with ZFS. When I tried, the installer completed, rebooted, I removed my USB drive, and ZFS failed to mount.

My thought is that when my USB drive was connected, it was da0 and the built-in storage was da1, but when I removed my USB drive, the device identifiers changed, so the config no longer reflected the correct location. Unfortunately, I wasn't even able to get it to pick up when I tried pointing it to zfs:zroot/da0 (I think that's the format I used, based on what was presented) and the specific partitions as well, so I don't know what was going on.

Any thoughts on how best to install ZFS on a 2440? I'd rather not try things until there's a known good process in place. For the moment I'm just running with UFS instead. I'm fortunate that power where I live is extremely stable, even in the worst of severe thunderstorms and icy winter weather... though I still have a UPS connected anyway.

Traffic Monitoring / Re: Problem with Status_Traffic_Totals Package
« on: April 04, 2017, 09:24:12 pm »
I have the same issue as drinny... March showed up as February... April is showing up as April. It was a clean install in the middle of March, so I don't have the actual month of February to compare to.

Official pfSense Hardware / Re: SG-2440 Sound/Speaker
« on: March 27, 2017, 09:29:12 am »
Looks like a locking power plug would be a good indicator.
Well that's a big fat nope... so they're not shipping Rev 2 2440s yet. :(

Packages / Re: ACME nsupdate supported DNS providers
« on: March 24, 2017, 08:51:53 pm »
There might be some paid DNS providers out there that do RFC2136 but I'm not aware of any specifically.
Dyn does... but it's not the easiest thing in the world to get working. At least it wasn't when I last tried it (which was before I started using pfSense, which might have been part of the problem).

Packages / Re: Automating ACME Letsencrypt
« on: March 24, 2017, 08:49:28 pm »
Is domain ownership validation performed on every renewal, or only on the initial issuance?
I'm pretty sure it's on every renewal, to make sure that if the domain were sold/traded, you can't still renew a certificate for that domain as the previous owner of it.

Official pfSense Hardware / Re: SG-2440 Sound/Speaker
« on: March 24, 2017, 12:53:38 pm »
How will one be able to tell if they have a "rev 2" 2440? Aside from hearing beeping noises, that is. It would figure that I would read this after just placing an order late last week. Somehow I missed this thread when it was first created.

2.4 Development Snapshots / DHCPv6 leases not updating in webgui
« on: March 19, 2017, 08:50:59 pm »
So I run DHCPv6 on my main LAN, and many of my devices connected to this network are using DHCPv6 to obtain IPv6 addresses (Android gets sent to the Guest network, where only SLAAC is used). Anyway, I noticed today that when I went to look at my DHCPv6 leases, it only showed two addresses... one is static, the other is my network printer. But when I go look at the /var/dhcpd/var/db/dhcpd6.leases file, I see many other leases there (iPhone, iPad, Apple TV, and a couple other Windows computers).

Any thoughts on why they might not be showing up in the webgui, or how to get it so that they show up?

IDS/IPS / Re: Cant enable some rulesets in Snort IDS/IPS
« on: March 18, 2017, 08:49:38 pm »
If you're using one of the pre-defined IPS Policy settings (Connectivity, Balanced or Security), then the Snort rules are automatically selected. If you also add OpenAppID and ET rules, then you can select those rules, as they are not part of the pre-defined Snort IPS policies.

Here's a post from the Snort blog about how rules are put into each of the pre-defined policies. CVSS score, time, and certain policy groups play a factor in those pre-defined policies.

General Questions / Re: How to get the cpu temp?
« on: March 14, 2017, 03:33:37 pm »
If you have just about any modern Intel or AMD CPU, you can select the appropriate setting in the System > Advanced > Miscellaneous setting for Thermal Sensors. That will usually give you one sensor per core.

And yes, the setting does say "Intel Core CPU" (which I'm pretty sure usually refers to the i3, i5, i7)... but it will work just fine with most of the modern Atom CPUs as well.

IPv6 / Re: Tracked IPv6 LAN goes down when WAN goes down
« on: March 10, 2017, 08:56:15 pm »
This is probably off topic, but I've often wondered why IPv6 on the LAN goes down when the WAN goes down. Is there a reason why the LAN can't stay operational while the WAN is down? (I mean a reason other than because it's doing what it's designed to do.)

Is your LAN tracking your WAN for its prefix to use? If so, that's why. :) LAN relies on WAN for IPv6 settings. WAN goes down, LAN loses its IPv6 configuration.

Upgrading is possible if you want to keep using UFS. But if you want to change to ZFS, your only option will be to start from scratch. Pretty sure I have that right.

General Questions / Re: Changing Resolution on VGA Console
« on: March 08, 2017, 01:57:42 pm »
Version 2.4, which supports booting via UEFI, supports much higher resolution displays and shows a lot more text on the screen (at least when booting through UEFI). If you want to run the beta now, you can, but it is a beta, so use on critical systems is not recommended.

