Subcategories

  • Discussions and feedback related to this forum

    612 Topics
    3k Posts
    stephenw10S
    Yeah I usually nuke the content entirely these days just to make it cleaner but I think only admin can do that. I can at least clean that up.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    29 Topics
    117 Posts
    w0wW
    @sef1414 Name it "run.sh", copy it to pf and chmod it according to the documentation: https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after the logger command.
  • Intels AES-NI instructions

    25
    0 Votes
    25 Posts
    5k Views
    H
    @reggie14: @Harvy66: The most concerning exploit I can think of is the RNG. Almost any changes to AES-NI will cause the system to stop working and will be easily detectable as storage and network instantly break. But changes to the RNG do not cause catastrophic failure. Agreed. To make matters worse, poor RNGs are extremely difficult to detect. And in crypto protocols there are lots of opportunities for the attacker to reconstruct the state of your RNG if it has a major weakness. @Harvy66: Most any back door related to AES-NI will probably require physical access at some point. AES-NI could save the last N keys in non-volatile on-chip storage or at a certain memory location in DRAM. Storing unexpected data in DRAM could very likely result in data corruption unless the location was reserved, but the CPU does not reserve memory; it would have to be in concert with another device that is also back-doored. Maybe I'm not following you, but AES-NI doesn't do what you think it does. As I said in my previous post, AES-NI is just an accelerator. If you want to steal a key, you certainly don't need physical access. The keys are just sitting in memory, so you just need to memory-scrape it (or, in some cases, read it from disk). Even if someone wanted to put a backdoor in AES-NI, I'm not even sure what they'd do that wouldn't be better accomplished with some other form of malware. (And those other methods would work perfectly fine against any software crypto library.) @Harvy66: Any hardware-based remote backdoor would require several devices to work together to accomplish this feat. Doing this transparently in a way that doesn't cause an OS to crash would be quite hard, since not all OSs work the same and they change over time. Well, that depends on what you mean by a hardware-based backdoor. Purely hardware? Sure, that looks needlessly complicated. But if that includes tampering with low-level firmware, either in the BIOS or in the firmware of any of the numerous devices in your computer with direct memory access, then that doesn't look that hard. It seems like an awful lot of work for a highly targeted attack, though. For both the AES-NI and "hardware" backdoors, what I was going after is that it would be hard to create a remote backdoor that was integrated into the hardware and not software. Creating any old remote backdoor wouldn't be hard, but creating an undetectable backdoor that does not crash the system would be quite difficult if it was built directly into the CPU or network silicon. I assume the easiest place would be in the drivers, assuming they're binary blobs.
  • Bandwidth shopping help

    6
    0 Votes
    6 Posts
    1k Views
    G
    Windstream is my DSL provider; don't know if they offer a third-party ISP option.
  • Mini Haswell

    1
    0 Votes
    1 Posts
    816 Views
    No one has replied
  • R.I.P. m0n0wall

    6
    0 Votes
    6 Posts
    2k Views
    stephenw10S
    Yep, sad times. I remember running m0n0wall on an old P100 many years ago. That was my first BSD experience. Steve
  • So, when are we going to have a REAL hangout?

    35
    0 Votes
    35 Posts
    6k Views
    ?
    +1  Land of my peeps… 8)
  • Setting up IP numbers on a network.

    18
    0 Votes
    18 Posts
    5k Views
    P
    Just for fun, there are 2^64 IPv6 addresses in a /64 IPv6 subnet - that is: 18,446,744,073,709,551,616 There are 3,153,600 seconds in a year. Let's say your nmap can scan 1,000,000 (1 million) addresses per second, just to be ambitious. So it will take 18,446,744,073,709 seconds, which is 5,849,424 years. Hmmm - I don't think I want to wait that long just to find the IPv6 address of my lost device.
  • PfSense Gold membership will offer meetups??

    5
    0 Votes
    5 Posts
    1k Views
    jimpJ
    ha! Many of us are already married. We always accept a free $beverage though.  :D The Gold Member "meetups" are the monthly Hangouts we have that are generally like a mini training session or us showing off a particular feature or methodology. Eventually we'll run out of topics though! We want to have some of them be Q&A sessions as well but the fear is that people will treat them as "fix my firewall" sessions and not a Q&A to benefit everyone. It may work if we have everyone submit some brief questions beforehand so we can have plenty of choices and time to research.
  • PFSense reboot intermittently

    5
    0 Votes
    5 Posts
    1k Views
    Y
    Every other VM is running absolutely fine apart from the pfSense one. The install is clean and the version is 2.2. Actual system build is 2.2-RELEASE (amd64) built on Thu Jan 22 14:03:54 CST 2015, FreeBSD 10.1-RELEASE-p4. BTW it reboots again. :'(
  • Pfsense v2 book print?

    4
    0 Votes
    4 Posts
    1k Views
    KOMK
    Most of the concepts still apply. There will be GUI changes and some other stuff like Unbound, but I would think 85% is the same.
  • Stephenw10 got hit by lightning and is now 1337

    7
    0 Votes
    7 Posts
    1k Views
    M
    If one deserves it, it is you  ;D ;D ;D (congrats with even more work  :P ;D 8) )
  • I just saw this on G+

    4
    0 Votes
    4 Posts
    1k Views
    marcellocM
    May take longer than 2.3… ::)
  • Help with possible security issue

    4
    0 Votes
    4 Posts
    2k Views
    D
    I'd really drop any forwarding. Unbound + DNSSEC. There's also this 0x20 draft - patch for pfSense available here until 2.2.1 is out.
  • Switching issue

    5
    0 Votes
    5 Posts
    1k Views
    M
    Naah, I solved it… Had to select management vlan to 5 and also pass VLAN1 between devices.
  • New Internet speeds coming down the pipe - pun

    27
    0 Votes
    27 Posts
    5k Views
    S
    Use Google fiber and the state watches you everywhere :D
  • Thank you pfSense peoples! re: seamless host resolving in firewall log

    2
    0 Votes
    2 Posts
    856 Views
    H
    It's the little things that make the difference.
  • So, is Google using pfSense?

    1
    0 Votes
    1 Posts
    817 Views
    No one has replied
  • Alternative to DMS Radius Manager

    1
    0 Votes
    1 Posts
    912 Views
    No one has replied
  • Help requested on interesting networking challenge (vpn, nat, etc).

    5
    0 Votes
    5 Posts
    1k Views
    T
    @kejianshi: The ideal solution would be to use something like a hardware wireless client that also has several ethernet adapters that you can plug your cameras into. Why are you wireless only? Are you double NATed? (sorry - pic didn't load at first) Looks like your VPN server is in the wrong place to make this happen unless it's a bridged network? The VPN server is at my local site. So, I guess technically a site-to-site setup would work, but it would require another pfSense box on hand and in the same cabinet. Then I would need a small private LAN for the Windows PC and the camera recorder. I am single NAT'ed by the 4G <-> Wifi unit, which is my only access to the outside world (internet). To solve the "no wifi on the video box" problem, I can share the wifi internet on my Windows PC, which then becomes double NAT'd. I don't think that is a problem if I could VPN client out of that NAT system into my local pfSense server, as it would tunnel through both NATs I assume. I am trying to achieve this without additional hardware; the best I have come up with is a Raspberry Pi in bridge mode, but with a VPN client connection included that "dials home" to the home office. This, plus VPN connection: https://rbnrpi.wordpress.com/project-list/wifi-to-ethernet-adapter-for-an-ethernet-ready-tv/
  • Adblocking ~ Adblock Plus

    11
    0 Votes
    11 Posts
    25k Views
    S
    @Mr.: BB has pfBlockerNG 1.0 ready, and it awaits code review by the admins. pfBlockerNG 2.0 (which BB is working on) is planned to have adblocking support. Wooow, sounds awesome. I can't wait to test pfBlockerNG :-p Thanks to all for your replies. Regards
  • Question on automatic updates

    3
    0 Votes
    3 Posts
    1k Views
    F
    I understand. Thank you.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.