Subcategories

  • Discussions and feedback related to this forum

    607 Topics
    3k Posts
    johnpozJ
    @microserfs and what IP was that - clearly your current IPv6 address is not block that I show you connected with.. And the only other IPv4 I see you using is not blocked.. You would have to let me know what IP you were coming from that was blocked.. Send it to me via PM if you don't want to make it public.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0wW
    @sef1414 Name it "run.sh", copy to pf and chmod according to the documentation https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after logger command.
  • Stay sharp

    1
    1 Votes
    1 Posts
    160 Views
    No one has replied
  • Packet Flow Data 24.03 in comparison to softflowd

    netflow
    6
    3 Votes
    6 Posts
    383 Views
    keyserK
    @mcury said in Packet Flow Data 24.03 in comparison to softflowd: But I can't speak badly about SoftflowD because for a long time, it was the only option and served me pretty well. So thanks for the developer and everyone involved in that project. Neither can I, worked great for me these years. One note though, there might be an issue when pfflow is only based on expiring States. That could mean keepalive sessions are never logged as flows
  • blocking doh - speedtest ios app from Ookla

    4
    0 Votes
    4 Posts
    613 Views
    S
    @johnpoz said in blocking doh - speedtest ios app from Ookla: You should use the freaking dns provided I've posted before, but the Dish (satellite) video on demand uses DoH even though the Dish DVR on which it's running uses DNS. Took me a bit to figure out why it wasn't working. I have a "network utility" type app on my phone and it also uses public DNS instead of my DNS, for its DNS test.
  • Juniper Application Acceleration

    Moved
    1
    0 Votes
    1 Posts
    149 Views
    No one has replied
  • Friend Computer

    friend computer friend computer the agency
    3
    1 Votes
    3 Posts
    325 Views
    chpalmerC
    @stephenw10 Looks like a duck.. quacks like a duck.. ;)
  • Data collection using clamp sensor and send data using planet icg 2420

    Moved
    1
    0 Votes
    1 Posts
    120 Views
    No one has replied
  • 0 Votes
    30 Posts
    3k Views
    M
    Alan DeKok speaking about XZ back door: Chief Executive Officer of networkradius.com https://lists.freeradius.org/pipermail/freeradius-users/2024-April/104263.html
  • CARP, two WANs, only one public IP in each WAN

    9
    0 Votes
    9 Posts
    1k Views
    M
    thanks everyone for the replies, this will be my first HA setup with pfsense =)
  • Strange "warning" in dmesg

    7
    0 Votes
    7 Posts
    935 Views
    fireodoF
    @Dobby_ said in Strange "warning" in dmesg: Mail them directly, often they offer to clients new bioses that are not shown in their "mainstream" offer. Thanks!
  • Recommend NAS raid 1

    18
    0 Votes
    18 Posts
    2k Views
    Dobby_D
    Synology is pretty stable and really well professional usage, QNAP lets you pimp and tune or pain add more other hardware on top as I see it, but a small old use HP server is also a budget solution. I have used an old HP Proliant mini cube with an Intel Xeon-E 1231 and 16 GB RAM / 16 TB (4 SSDs) together with Openmediavault. Base model for ~200 € plus 30 € CPU and 50 € RAM and it was running for a really long time together with dual 10 GBe cards for ~40 €! So if money will be point, it could also nice and long running. But now I am looking on a MacBookPro and QNAP offers some NAS boxes with thunderbolt 4 and two PCIe slots and on top such many things to tune it will be then less or more my next option. 2 x M.2 NVMe´s for caching 8 x HDD/SSD´s (2 x RAID5 or one RAID50) Dual 10GBe Network adapter with 2 x NVMe`s (for caching) USB Port for Google coral (QMagie App) USB Port for an external RDX drive for backups Up to 16/32 GB RAM 4/8 Core CPU for running much Apps services (Mailserver, S/FTP, Webserver, Mediaserver, LDAP/RADIUS server, Backup for Mac) At Speicher.de you may find out how much RAM in real you could add to your NAS. Often it was said 4 or 8 GB RAM only and in real you could add 16 to 32 GB RAM. Perhaps good to know for running much services for the entire LAN on the NAS.
  • How secure are the packages

    31
    0 Votes
    31 Posts
    2k Views
    Dobby_D
    @bmeeks For sure you will be right with it, it is a long line of points where "bad code" will be able to enter in the entire process and/or product. But in real life, from the point of a customer or plain user it is more or less how fast they react and they handle those things as I see it. The OpenSource is offering the Source Code free to watch over, the closed Source is from the vendor and more hidden for sure this alone makes a difference for many people, but trust you must both of them (or not). If you maintain all by your self, let us say Netgate is hires 20 plugin maintainer and all comes from their own hand now, at the FreeBSD site and on top of all at the found site (Snort, Suricata, Squid....) will be also anymore points were bad code can be running in. @michmo But fine that it is able to do (discuss) and got not suppressed, even cool to see or hear how others will be thinking on those things and which points they are bringing in. @JonathanLee It is not really long ago, but in 2024 we all can say it is since a longer period able to build for a SMB company a network fully based on OpenSource Software. And for sure the code is open to watch over, but if the code writer gets a family at one day, or must work elsewhere more it is also more a risk that the entire project goes down at one day. With FreeBSD or Linux, LibreOffice, OpenOffice, Univention server, Zarafa, OpenWRT, ClearOS and pfSense you were not pressed anymore to run closed software at all and build a network for your company, but also have a look on m0n0wall or ZeroShell and others they were at one day gone. And then? You start again what is serving me and my needs at the best and who I am trusting now.
  • Outgoing connections monitoring software?

    4
    0 Votes
    4 Posts
    628 Views
    stephenw10S
    @houseofdreams said in Outgoing connections monitoring software?: I found the software that was making the connections, nothing fishy, the software package for the NZXT lighting in my PC. I'm assuming that's sarcasm.
  • OS installation

    6
    0 Votes
    6 Posts
    807 Views
    stephenw10S
    Flattened Device Tree. It's a file that describes the hardware devices and locations that an OS uses.
  • Hardware antivirus

    5
    0 Votes
    5 Posts
    637 Views
    bmeeksB
    The only way to peer into encrypted traffic (which is darn near 100% of web and email traffic these days) is to use a MITM (man-in-the-middle) proxy certificate system. That means installing trusted certificates for your proxy on all clients (PCs, laptops, and phones) that you wish to monitor. The MITM intercepts and terminates a client's outbound connection to some website, decrypts the traffic, then the proxy establishes its own connection on behalf of that client to the original website. Traffic returned is re-encrypted using the proxy's certificate and sent back to the original client. For this to work without browsers throwing security errors, the proxy's certificate presented to the clients must be trusted and verifiable by the clients. And the clients must be configured to send all outbound requests to the proxy. Doing this on a home system is very difficult and basically not really worth the effort to implement and maintain. There are "for sale" commercial systems that are cloud-based and handle the MITM interception for you. But again, this requires a customized configuration on each client. It's not something that just happens by magic by purchasing some service. And attempting to virus scan encrypted traffic is a complete waste of effort. How would you scan encrypted traffic for a virus? After all, the data bits are scrambled up to appear as random data specifically so that nobody other than the final receiving client who has the decryption key can unscramble and read them. So, say you put a hardware virus scanner on your WAN, how is it going to make sense of encrypted traffic? That's why antivirus solutions work best at the traffic endpoints. Only there can they see unencrypted traffic by hooking into the client OS at a point after where the browser or other application has already decrypted the traffic and it is again cleartext.
  • pfSense with OpenWRT Guest logon with VLAN

    84
    0 Votes
    84 Posts
    24k Views
    R
    @stephenw10 said in pfSense with OpenWRT Guest logon with VLAN: Yes wireless clients will be isolated from each other if that is set on the access point. They would not be isolated from wired devices on the VLAN that AP is bridged to. What exactly are you wanting to isolate? I was just finally responding to Nikos... but I do Client Isolation on my WAP clients on my IOT VLAN... and all my wired IP Cameras are on that VLAN as well. I just have rules to isolate the wired stuff in pfSense itself. Linksys e8450 looks like nice device. Yeah, I got some back channel info that one of the OpenWRT Devs is now coding for MediaTek and that some of the Linksys/Belkin stuff was going to get "extra" attention. They do seem to have potential but there is a UBI memory hack from DangoWRT that works... but is suddenly causing devices to die.... almost like they've had a Covid shot too many. Anyway... long story short, I'm having an issue getting the DSA build you and I worked on configured under Openwrt 23.05.3. Either I forgot the process, or it isn't going to work... I've even tried editing in the info in the tar backup Network file. I'll figure it out or I'll send you an e8450/rt3200 JP... yes, I'm hearing you in my head... unify, unify, unify. But I really need 4 ethernet ports on two of my remote WAPs with backhaul.
  • Why your firewall will kill you

    7
    0 Votes
    7 Posts
    897 Views
    ingridguerci94I
    UAC was supposed to protect against that. But people kept complaining about annoying prompts so Windows made the default security level for newer OSes "medium" which doesn't ask about built-in programs running with Admin privileges. Instead they now use safe screen stuff that looks a program trying to run on up on the internet to determine if it should display an additional prompt. Basically just turn UAC to high first thing on a new PC and never have an issue like the one displayed.
  • Any Home Assistant Users? TTS with SSL question

    1
    0 Votes
    1 Posts
    149 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.