@SteveITS said in Feedback request on home network design:

@disi1 said in Feedback request on home network design:

if I enable QoS for VLAN30, it is also applied on the WAN interface for all traffic?

re: inspecting encrypted traffic, the PC would need to trust a cert on the proxy which decrypts the traffic. So, could be an issue for phones or other devices. I know the Bitdefender GravityZone we use for clients can do that on the PC by adding its own cert to Windows and then it intercepts traffic on the PC.

I did register a domain and issued a valid certificate (Let's encrypt) to all internal services, including the firewall (wildcard which I know I have to manually renew every three months). To be clean and potentially use the Squid proxy*.

Before I changed our network over, I did experiment with squid on the exact hardware, using the old setup as the uplink and it produced a lot of overhead on the firewall.

The good news:
Since I use pfSense for all networking and isolated the VLAN30, there were no issues. Before I had extreme lags when I used ZScaler and Pulse VPN for work. It seems the network runs overall smoother. This is without any Traffic Shaping or QoS,

Only today I switched the ISP router to Modem Mode.

p.s. if anyone else wants to split WLAN into VLAN using Mobility Express, it took me some time to figure this out (where 10.10.10.3 is the wlc management interface, but the management vlan needs to stay 0 or the APs cannot join).
switch port access vlan 10 -> IP for the AP
switchport trunk allowed vlan 10,20,30 -> for the wlc interface and the WLANs
switchport trunk native vlan 10 -> needs to be the same as the APs vlan (10)

interface GigabitEthernet1/0/16 description VLAN20_POE switchport access vlan 10 switchport trunk allowed vlan 10,20,30 switchport trunk native vlan 10 switchport mode trunk power inline port poe-ha

Don't forget the ip helper to point to the DHCP for each vlan on the switch.

For Squid transparent proxy you do need a CA, not only a valid certificate. I thought process was wrong. But it doesn't hurt to have a valid certificates in the network.

Thanks for the 'thumbs up' > signature now made a 10 year jump: pfSense 2.2 to 2.7.2, does not sound like 10 years though 🤔

@johnpoz It’s because my Netgate firewall works too well, and they don’t like it. Unbelievable, yeah, I was like what is going on with that my mouse? It’s dancing all over and that config I see on the proxy coming down gestures from Microsoft Azure like I am on a domain. I’m not even on a corporate domain, it’s a private system. Weird, someone doesn’t like my firewall. Works really well, I am glad I finally caught it, while I was working on my AA in cyber security it would do the dancing mouse like clockwork at 4:30 every day when I was doing class, drove me crazy, it would act like the track pad broke. reset would fix it. New laptop same thing same time. It was like crazing making, gas lighting. I wonder if it was a "can, you catch me thing" for the cyber security classes. Again, Microsoft pushes it from Azure.... that's weird. Maybe because I login to a school account for the outlook program that is part of it. Still if I look at the json file it lists a blacklist with google earth, none of it makes sense. Mouse Gestures do not need any remote configurations.

https://answers.microsoft.com/en-us/windows/forum/all/what-is-httpsedge-consumer-staticazureedgenetmouse/615baaf0-a6c2-4adb-b27b-c34d60a6bb42

@keyser pfsense is upstream and has no switch ports..

pfsense -- sg300-28 --- sg300-10 -- nvr

The sg300-10 port connected to the poe port on the back of the nvr to put a leg into that L2 was the one going up down.. The actual nvr lan port was fine. But there was no possible way for there to be any sort of loop that is for sure. The sg300-10 was the one logging the up/down.

Yeah the poe didn't dawn on me for a bit.. And I tried turning off auto neg, turning off green ethernet, etc. etc.. tried all kinds of settings.

Is it poe related - no I am not 100% sure on that.. But I know if your going to connect another switch to poe port of an upstream switch, if possible should make sure poe is disabled on that port, etc. But with the nvr there is no way to do anything like that..

What I can say is no longer seeing any packet loss at all - which before there was some, that would go together with a up/down of the port even if very short 2 seconds, etc.. And there are no log entries for up down on that port connected to the nvr poe port with the little mini between the sg300-10 and the NVR poe port.. And the mini is being powered by the poe coming off the nvr port.

edit: so before I was seeing some minor packet loss

Packets: Sent = 386, Received = 383, Lost = 3 (0% loss)

Now after I put the mini between I don't see any

Packets: Sent = 1524, Received = 1524, Lost = 0 (0% loss)

@Gertjan said in No PayPal at Checkout:

@NollipfSense

As a company that sells devices or services on the Internet, paypal is just a choice.
Like accepting a credit card.
Be ware that the selling party looses a percentage, and it isn't just "1 %".
Furthermore, when a product is sold, the buyer can go to paypal.com and 'contest' Example : because he wanted a router that could handle 1000+ LAN devices, and he discovered that the "1100" can't handle it. Accepting paypal means you have to hire some one to handle paypal transactions.
Money you receive, as a seller, from a paypal transaction, doesn't go to your bank account,, it goes to your paypal account. You want the money on your bank ? Ok, you have to pay for that as well.
Etc.

But anyway as a BIG company (#1 in SOHO firewalls solutions, honorable, etc, etc see the ADs), Netgate MUST ACCEPT THE MOST USABLE PAYMENT METHODS that work with fiats money like PayPal, Moneybookers, etc…
BUT NOT THE CRYPTO

Be aware : I love paypal, as a consumer. I never used them as a seller, and I'm telling this 'as heard' (and reading their usage conditions).

As a BIG HiTech company - this PayPal fees (and all for its support and processing) must be YOUR EXPENDITURES. No doubts.

P.S.
From my business experience, 2 full-time stuff’s persons with ZenDesk able to processing with a stable quality about 200-300 transactions: this mean all aspects from just monitoring to resolving issues by mailing, phone calling, money return, etc…
I hope, Netgate company have sufficient funds on 2 full-time persons, even hiring them from rich places like NYDC, California, or Switzerland:)

@stephenw10 said in Anker Solix 800 Plus as UPS:

UPS but the switch over time is not great

It works great in UPS mode and switch over is very quick

Did the Anker run as continuously from battery in UPS mode?

in UPS mode, all conected devices uses the mains power (bypasses anker) . The battery kicks in (in UPS mode) when power is cut off seamlessly (I did test this by disconnecting the power and my modem and netgate 2100 worked fine)

Anker switch over is documented by 20 seconds and it works very good. I was dissappointed to return the unit because of some other fault - The app started flooding messages as low temp while my basement is constant 66 degrees F. Maybe I will wait for couple of years before buying another one.
I would welcome anybody else who have tried such a thing and please mention the make and model numbers you have.

FYI, I have solix anker 800 (not the plus) as my garage door opener UPS and so far (2 weeks) it is working good.

@JonathanLee

uptime between 200 and 250 days, depending on the Netgate release cycle ;)
Accident free over more than 14 years, well ok two fails, both hardware...

Better late than never.........

I had a similar issue and noticed that you didn't have a number '1' after -c (presuming that you only wanted it to ping once): -c 1

Maybe that would work.

Cheers.