That way I won't have to fight the streaming services blocking Hurricane Electric space. Really that's the biggest reason I disabled the HE tunnel.
I've been using he.net for years now; it works .... well.
Two major downsides, as you stated: Netflix saw my IPv6 (geolocated in Paris) as some kind of VPN type of access. So I could access Netflix, but as soon as I pressed Play, an obscure error message showed: "Do not use a VPN".
This changed a couple of weeks ago: no more issues.
But iCloud works fine now, since ... a couple of weeks ago.
Anyway, 'NoAAAA' exists as a Python extension for unbound to block listed AAAA domains, which helped. The same NoAAAA, as it is a special kind of DNSBL, is now integrated in pfBlockerNG. So if some site has IPv6 difficulties, it can be excluded from DNS.
Btw: I love this cdc.org DNSSEC graph .... how on earth can admin people actually let such a situation persist? Resolvers that do DNSSEC checking will, as they should, fail on DNSSEC-enabled sites with broken DNSSEC. I presume a site such as "cdc" is rather important these days.
Using he.net is actually slowing down my overall network performance, as close to 3k accounts are using the he.net POP in Paris. This can't be good for performance, as IPv6 traffic is preferred over IPv4.
@Operations: sorry for going way off topic. If you have questions: ask ;)
A great device to add to your tool belt, if you care at all about what devices draw, is a Kill A Watt meter..
Or a smart plug with power reading.. So you can plug a device in and see what it actually draws.. Say leave it on the plug for 24 hours min.. And try to at least use it a bit like you think you normally would..
Cost of electricity can vary quite a bit.. But at the national average of like 12 cents per kWh.. A 100W load will cost you 100 Bucks a year. Not counting delivery cost of the electricity as well, and taxes on that etc.. so it's going to be 100+ a year to run something that sucks 100W if left on 24/7/365
I have gotten pretty into how much something draws, even before I went solar.. So I'm the blue line - guess when I went solar ;)
I always used to be above even my non-efficient neighbors (all the networking/computer toys) ;) The part I like the most is where I am under the 0... This is where I produced more than I used.. Which is the goal..
On a Windows laptop you can indeed just use file explorer (smb) to connect to other Windows hosts and view their file shares.
You may need to enter the remote IPs directly. If you are passing a DNS search domain to clients and pfSense as a DNS server, they may be able to resolve LAN-side hostnames if pfSense is the DHCP server there.
The hosts you are connecting to need to allow smb connections from the OpenVPN tunnel subnet of course.
Anything you can do from the Android phone locally on WIFI should also work over OpenVPN.
I don't know what you are trying there. I'm not sure I've ever tried to access smb fileshares on a phone. There may well be an app for that.
@gertjan Agreed. However, an email outage is not as tragic as it once would have been. I, and I suspect many others, don't see email as critical communications. It's the use of an email address as identity that is troubling. I regularly go days or weeks without sending an email. I do use email addresses multiple times every day to log on to various services. 2FA is a band-aid at best, security theater most of the time.
now shows the Speed and Duplex for this card. (It didn't for the other one.) It was set to auto, which wasn't working. Setting it to 1000baseT Full made it magically work.
I would guess if the driver doesn't support speed changes it doesn't show. I poked around and on an SG-3100 the LAN doesn't have a speed dropdown...it's a switch so that is meaningless there (the WAN does).
If the port was supposed to autodetect at 1000/full and changing it to 1000/full improved things, I would be looking at the connection...is the patch cable cat 6, etc. IOW that implies autodetect sets to something the hardware can't handle. Autodetect will detect the fastest speed and if the cable is insufficient there will be lots of errors.
Well it's weird because it DOES autodetect speed. But the internet doesn't work. When I hard-set it to what it autodetects it as, it works.
There's nothing in between pfSense and the modem to troubleshoot. It's literally a 6 foot cat7 cable between the two. I tried two cables. Same results. I'm using the same cables for all my wired stuff and everything LAN-wise is good.
If I hook up a PC direct to the modem I get 900+ download speed. pfSense, still around 500. No packet loss or anything. It's like a hard limit somewhere. I'll check the BIOS, maybe there's an update that might help... I dunno.
I'll grab a $35 Intel PCIe NIC off Amazon and see if that helps, I guess.
Alternatively, instead of allowing only DNS to "LAN Address", just allow all ports; then from the Kindle tablet you can also open the Sense UI or do NTP instead of only DNS. And if you ever play with HAProxy, that works too. :)
The problem with that is that the Kindle doesn't only need to access the NextCloud server, but also other "servers" and "services" which (currently) all sit in the LAN segment. That would mean I'd have to create a rule for each service. Since this whole configuration only has to last until the end of this year at most, this quick-and-dirty solution suits me fine. Once we are in the new house, everything will be rebuilt properly anyway and all servers moved into a DMZ.
As already mentioned several times above: if the Kindle and 'all the other devices in the same LAN' ultimately hang off a switch in front of or behind the pfSense, then the pfSense doesn't see that (on its LAN) and you don't need separate firewall rules for it either. That's pointless. The devices talk to each other directly via the switch.
The firewall rules for the Kindle are only there:
to use the pfSense's DNS, DHCP and NTP
to block all remaining traffic to the pfSense and outside the LAN (including all internet traffic)
@JKnott ok sorry.
Noob more in regard to IPv6 itself. I'm not a networking guy; I have a fair understanding of IPv4, but not so much of IPv6. And to that I must say: still a noob, and looking to learn.
About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but it's out in the clear now I guess. I may have missed mentioning it was a datacenter; I just said "provider". My bad, and I'm sorry for the confusion.
I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All VMs get their connectivity through pfSense and are not host-bound.
@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:
You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.
It's like people (or me in this case) are stupid and can't interpret what we're told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall into such categories. Maybe you could have phrased it better. Anyway, please note I said it seemed; I am sure that's not what you meant, yet I felt the remark was due. I have been working with IT and customers for 14 years and I never made such a remark to anyone, despite how dumb I may think they are sometimes.
Anyway I don't want to derail the topic to this, was just a comment.
I'm still insisting with the DC so they give me a bigger prefix.
Possibly it is, as JeGr said, a daughter of the daughter of the nephew of the cousin of the brother-in-law of the NSA or GVU.
Then you're handing them your head, delivered free of charge.
I use the DNS servers I get from my provider.
Google already knows what I searched for and when; they don't also need to archive every single DNS query of mine.
Although it might be practical if I could search that fully indexed, should I have forgotten to set a bookmark again.
Or if I can't find the right one anymore among all the tabs.
Just ask yourself why someone would push all your traffic through a monster AES device for 3-5€ a month without then having an interest in it.
In the age of Big Data?
Who might also be located abroad and subject to the law of state xyz?
I'd rather trust my provider, who has to comply with the GDPR.
I'm still unsure if it's related to the Virtual IP or not (I don't believe it is), but I have been running into an issue when I try to join a second K8S control-plane node to the cluster. It runs through its join process and then seems to lose a connection and ends up killing the cluster. You can see a post I made about it here on ServerFault if you want. Assuming the issue is not VIP related, then I would say this Netgate forum thread is closed. Thank you everyone again for your help in this matter!
I am past this issue; everything is almost fine after I added that specific link-local address the ISP sent me. My only problem is that the interface clients don't communicate with each other (for the time being, ping). The internet communicates with them, from anywhere, and they communicate with the internet, but not with each other. I mean clients from one interface with clients from another interface. Clients within the same subnet talk to each other just fine.
The very first thing I tried is adding an allow from any to any firewall rule on IPv6 for both interfaces, all protocols, first rule from top to bottom, but nothing..
@elmnts Yes, I'll certainly re-install when the next version appears, or soon after, probably on a day when I'm at home by myself, and I've got a few hours to do some testing without danger of upsetting my partner's television viewing or internet use!
As I said, it isn't really urgent because I'm not running an environment where there is a particularly high risk of a user going somewhere they shouldn't or being hijacked, but it is nice to know the protection is there, particularly when life gets back to normal and we have visits from the younger family members who are all over social media!
I've looked into Docker, it's not bad indeed!
On a single VM I was able to put several "proxy" containers to hit those in the DMZ.
I still have to do the same for the DMZ. From what I've read, pfSense under Docker doesn't work very well..
Thanks anyway.