@jjb said in ATT Uverse RG Bypass (0.2 BTC):
@aus I've been patiently waiting for this... Congrats and thank you!! Want to tackle this very soon on 2.4.4 (11.2 BSD). Hopefully the pfSense pros integrate a bypass function easily operated with a checkbox and MAC cloning. Thanks again for your work...
Thanks! And yes. I want to give this a shot too. I don't expect any problems. Worst case, I think I just need to recompile the ng_etf.ko kernel module from FreeBSD 11.2. Might give this a shot this weekend. I'll add any changes to Github if needed. Or if you beat me to it, submit a PR!
EDIT: No issues updating to 2.4.4!
@danieljay23 said in ATT Uverse RG Bypass (0.2 BTC):
Thanks. I got this implemented last night. So far on my Supermicro C2558 box I have only been able to hit mid 600Mbps using this method, out of the gig I get. Have not looked yet at adding my static IP. When I do a speed test I do see the CPU go from 1-2% up to 26% and never go above that. Am I correct in thinking that this is due to the process running on only a single core?
How are you running your speed test? If you run speedtest-cli (which is just Python) directly on your pfSense box, you get CPU-bound pretty quickly.
I've been testing with the speedtest.net desktop application. For pfSense, I'm running a Dell R210 II / E3-1220 on a symmetric gigabit link. I get ~940 Mbps down on a few speedtest.net servers. I have a hard time breaking 800 Mbps on my upload though, but I don't think that's due to my R210 II. I get the exact same results when testing with just my residential gateway + PC (no bypass or passthrough). iperf3 gives similar results.
I should also note that there's no running process with this method. I'm no expert on FreeBSD internals, but I believe this is entirely in kernel space, so you'll see an uptick in CPU interrupts, but not significantly enough to impact performance. At least on decent hardware. Which in my opinion, makes netgraph the better solution over some of these EAPOL userland proxies that I've seen.
@webdawg said in Dpinger multiple targets - aka gwmond $2,500:
I admin a pretty decent size network and I have yet to test this plugin. Does this replace what is installed? Is it additional functionality? Can I roll back? I have a box I would like to try it on.
It also seems that luckman212 has not replied. I am going to try and secure some funds from my company to donate to this, how do I donate?
The big question I have now is: Is this compatible w/ 2.4.3_1 or the latest and greatest, and how do we get this rolled into official pfSense packages?
Does this replace what is installed, is it easy to remove?
Take a deep breath. IPsec can be frustrating, but it's not that hard. Typically, the people you are working with will provide you with the parameters: their IP, a pre-shared key, the P1 algorithm, hash, etc. You add a new phase one under VPN/IPsec and plug the info in. The phase 2 consists of the network on your side (typically your LAN) and their side that are reachable via the tunnel. Do a best-effort configuration, then get the IT person from the other company on the phone to go over the settings if it doesn't come up. That way you will learn something instead of paying someone to do it for you.
How many hours of work... Seems like quite a few to me... So unless you get lucky and someone writes it up for their own use and shares it, you have to provide enough incentive for someone to do all the work.
$100 at best covers an hour's worth of work - this is clearly more than 1 hour to implement, etc.
I would second the option to just virtualize many firewalls. I have a cloud solution for clients running on VMware and I have my internet pipes VLAN'd on the network so I can just spool up a pfSense per client.
The downside, you would need much more than an E3. I almost went the "super-firewall" route using a server with dual E5-2630v4 and 64GB of RAM with 8x 240GB SSDs in a RAID 10. But then decided to just use smaller virtual firewalls on my main ESXi servers.
A managed switch, even if it is just a "smart" switch that can handle VLANs, on the internet side as what I call a "dirty switch". VLAN your internet pipes, let's say VLAN150 and VLAN151. Then I would route that to dual servers, single E5-2620v4 with at least 16GB of RAM or a dual E5-2620v4 with 32 GB minimum. Then load ESXi and set up 6 total firewalls with 50 VLANs each.
You can use something like pfmonitor to manage all of those virtual firewalls.
You could conceivably even have 300 virtual firewalls; I would have more powerful servers. Maybe a stack of 3 dual-proc servers running full vMotion and such, like ESX Essentials Plus.
Or at that point, just do straight up L3 routing with a dedicated external IP per ethernet port dorm. Then let the kids put their own firewalls and wireless networks in. Sure it causes congestion, but if it works in high-rises in NYC. Heck I live in a suburban neighborhood with 53 other houses on my street and I can clearly see a dozen or more wireless networks.
Nice! Well, thank you for the update. I think it'll be a handy addition to pfSense. Getting alerts that your stuff is hot is just as important as getting alerts that your stuff is crashing.
My patch only adds the option for changing the unit of measurement displayed. Adding alerting is beyond the scope of what a firewall is supposed to do; that's what network monitoring systems are for!
You can edit config.xml via the shell using the command viconfig. I just tried toggling the setting on my system and did a diff between on and off.
Before checking the option:
After checking the option:
Hope that helps you.
I've done a little of my own work in getting more flexibility into the DHCPD configuration of pfsense. I've only gone as far as allowing static mappings on ipalias subnets in my submission, but have some code which also allows for creation of ipalias subnet ranges. The reason I haven't released that bit is because of how complicated it gets to validate the new ranges within the existing codebase without a big refactor. Please have a look and let me know what you think.
This is my pull request to RELENG_2_3_4 with the changes:
Thank you marcelloc.
My e2guardian package showed a squidguard dependency and installed a squidguard package... even though I don't see it in the Services or Firewall menus.
Transparent proxy is what I want. I will Internet search how to set it up. Do you have any pointers or references on doing this with e2guardian & squid?
Yes hired someone and he created a script. Worked like a charm! Only deployed to one location so far. Then SSD failure! Have to re-engage engineer but I can forward his info to you.
Would be great if this could be officially supported!
I have a similar problem in AWS: the destination syslog server is behind an ELB (Elastic Load Balancer) and this one is only able to balance TCP.
Does "Use the syslog-ng package" mean:
configure input - udp
send unfiltered to - tcp destination
Inside pfsense send from Interface "localhost" to 127.0.0.1
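A syslog-ng configuration that does what the three points above describe (UDP input on loopback, unfiltered forwarding to a TCP destination), as an added example that is not from the original post. The listening port, the ELB hostname and the TCP port are assumed placeholders; with the pfSense syslog-ng package the same source, destination and log objects would be entered through the package's object settings rather than as a raw file.

```conf
# Constructed example: pfSense remote logging is pointed at 127.0.0.1:5140
# (assumed port) over UDP; syslog-ng relays everything over TCP, which the
# ELB can balance. The @version line required by the installed package is
# omitted here because it depends on the package version.

# Receive the firewall's own syslog on loopback only, so nothing from the
# network can inject log lines into this relay.
source s_pfsense_udp {
    network(ip("127.0.0.1") port(5140) transport("udp"));
};

# Forward to the ELB DNS name (placeholder) on TCP port 514 (assumed).
destination d_elb_tcp {
    network("syslog-elb.example.internal" port(514) transport("tcp"));
};

# No filter in between: every received message is relayed unchanged.
log {
    source(s_pfsense_udp);
    destination(d_elb_tcp);
};
```

Because the destination is TCP, a short ELB outage is absorbed by syslog-ng's output buffer instead of being silently dropped as it would be with UDP.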
By definition if anyone else compiles it, the result cannot be called "pfSense" or distributed as such, it is no longer "pfSense" unless it comes from us. The name could be changed, so long as the references are changed along with any logos/graphics/etc, but again: It cannot be "pfSense".
If someone else compiles it or changes the distribution, you cannot trust it. Anything could have been inserted in there without being disclosed, so you have no idea if the result is secure.
Seek a different solution that isn't fundamentally flawed.
The e2g in the FreeBSD ports is not the latest version but is good enough. They fixed the https filtering in two ways. You can filter using ssl bump or with mitm.
Personally I prefer mitm because it is easier to use, but ssl bump works nicely.
Thanks a lot for your reply. I'd also want to do MITM if possible; I do have a captive portal on my network and all users are told to install the CA certificate, so most errors should be avoided. Since E2 Guardian is now getting a few updates, looking at their website... I will give it a shot for sure.
Not at all. I got some help here https://forum.pfsense.org/index.php?topic=120370.0, but it still wasn't working for me. It ended up being just an old floating rule that I was playing with a while ago and forgot to disable/delete. It wasn't doing anything until I tried to do policy-based routing, and it by design shut down the policy-based routing. I hadn't realized I still had that rule enabled, so I just deleted it and all is well.
So in short, policy-based routing; that link should tell you what you need to know to get your setup working!