@rcoleman-netgate While I do agree that ZFS is the superior storage filesystem because of the many many features, I would like to argue it’s use for “small home installs”. In my book it has no use in home installs unless you max out the possible disk count from the very start.

THE most painfull thing is the fact you cannot expand ZFS pools with one disk at a time like with both software and hardware RAID if the filesystem on top supports it (which almost all filesystems does).
So small home NAS builds should only be using ZFS if ALL disk slots are filled from the beginning. Expanding is not possible unless you add a whole new vdev. And unless that consists of the same drive count, performance will suffer greatly because data is not migrated/leveled across vdevs.

So use ZFS with care in home builds. You need to know in advance what capacity you need and what performance you need. Expanding into more capacity and speed is VERY painfull for most small installs (involves whiping the intire layout and starting over).
But if your do know your capacity and speed needs and can buy it up front…. Then ZFS is top dog because of the massive amount of features it provides.

Thank you for the answers! It turned out to be unrelated to pfsense issue, which is now resolved.

Is that even available for ARM? Even if it is ARM is not like x86, you would need an image specifically for that platform or at least for something very close to it. I doubt it is possible but I'd check those things first.

Steve

@nollipfsense said in This 12yrs Old Boy:

https://twitter.com/CNET/status/1582763509623836673

I watched 22 seconds of this.
it's not a hack of the your WAP password.

It's decrypting the traffic after getting in. Which is usually due to poor SSID deployment, using weak passwords, etc.

I was asked last year (and still haven't completed) by a higher up here at Netgate to write a blog post about securing your home WiFi and why firmware updates are important for all devices... I should get back to that.

The issue here is manufacturers are building sub-par, poorly secured devices and selling them to consumers as a solution. Weak encryption is just that – weak.

I've been doing WiFi design for more than a decade and these are the things I design against.

@mcdvoiceo1 You will need to determine what you want to "secure" your IP address means and what you want to do with it.

If you don't open anything on the firewall to the outside then you only have to worry about things inside talking to the internet. Snort or Suricata might be the best options for you.

If you want to make it appear you are coming from somewhere that you are not then a VPN would be a good bet. Nord specifically? Probably not. The most popular things are rarely the best. They might be "good enough", however.

Basically what is your level of concern exactly?

Ideally you want to setup a separate subnet (a transport network) between them that isn't used anywhere else. Doing that avoids any asymmetric routing issues that might otherwise hit.

So, yes, you could use a VLAN between them with nothing else on it if you have a physical link already in place. Or just a separate link if you're adding it.

Otherwise there's nothing special required in pfSense, it just sees the Fortinet as a host and routes it's traffic. It becomes more complex if you want, say, the pfSense LAN clients to be able to reach the Forinet LAN clients. Easily doable if you have a transport subnet to roue across.

Steve

@stephenw10 said in pfSense -> OpenVPN Ubuntu site-to-site throubleshooting help:

It should be: 10.0.1.0 255.255.255.0

Of course :-)))

Sorry about that, I have really fast fingers =]]

Not your fault, it wasn't hidden when you moved it. That was all on me. 😉

@viragomann , thanks!

I would expect that i5 to do it. At least the routing and filtering part. And probably the VPN given the right VPN type and traffic conditions. 'Line rate' Suricata may be more of an issue but it will probably do it as long as you don't just load every ruleset!
You have it gathering dust on a shelf so try it and see.

Steve

Ah, that's good to know. I'll have to test that in the new setup in 2.7 without netgraph.

Steve

This device has been sold.