USB to Ethernet Adapter NOT working
-
So, I just picked up a Belkin F4U047BT, I plugged it in and rebooted the machine, and everything works.
OMG so excited.
-
Nice! :)
That's really the problem with USB ethernet adapters, with FreeBSD at least. One adapter gives endless trouble but looks like it should work. Another just works first time. There's no way to know in advance what an adapter might do. Manufacturers change chipset or firmware versions frequently and don't label anything.
Don't think you're out of the woods yet though. Give it a few days/gigabytes to crash. ::)
How much traffic are you putting through it that you can't put the WAN on a VLAN but can use USB?
Steve
-
Just wondering - How much did that USB NIC cost you?
-
I'm not exactly sure how much traffic will be on it. Like I said earlier, my boss says do this, and I do it.
It cost $30 at BestBuy. I know that they are cheaper online, but it's something I needed ASAP.
-
Tell your boss USB ethernet adapters suck. If you want to be a multi-tenant ISP, be one. If not, don't.
-
Derelict is right. USB Ethernet adapters suck. Even when you get them to "work" they still suck. USB solution isn't cost effective.
Even after you have gotten this up and running, it still would be best to scrap it and make a proper pfsense than to use this one.
If you lived in a hut somewhere on the Serengeti Desert and only made $100ish a month, then I'd say it's ok because it's all you can manage.
A cheap old computer with a free PCI port + a Gigabit NIC to put in it cost about what you paid for the NIC.
It doesn't even matter if you get a USB solution functioning, it's rarely if ever the right way to go.
-
I see USBs command some negativity, but I've yet to establish anything substantive and up to date regarding them.
Of the pfsense threads I read, most appear to be relevant to USB1 and the introduction of USB2, namely the USB2 doesn't provide the 480Mbps speeds, but with USB3 and continued development since USB2 was introduced, I'm not seeing any new complaints as various chips on the motherboards as well as usb nic have improved.
I've managed to find just one bug related to the USB/Ethernet I use (ax88772), which consisted of a script which constantly enabled/disabled the usb adapter until it eventually stopped responding, but eventually this came down to a fault elsewhere in the network with a different manufacturer's card nic, in effect the USB nic was the recipient of someone else's bug.
That type of bug/situation is quite common in software development & hardware support, usually down to standards not being adhered to properly, which means in some instances some hw configs will just never work and/or some sw / hw configs will never work.
I'm just trying to be as informed as possible about the hw I'm already using as my mileage has been good since pfsense v2.1, sure I had problems with pfsense 1.2 and usb adaptors but that was freebsd8 (iirc) which is some time ago in terms of development.
So what are the problems which are supposed to affect usb nics?
TIA.
-
The biggest bug that all the USB NICs have is that they are not Intel PCIe NICs (-:
I'd say that Intel PCIe NICs are the best and USB is the worst.
USB is what you use when you have no other choice and are out of money, in which case, I'd say its better than nothing.
In your case, I'd recommend using your 1 built in NIC and a cheap VLAN switch.
-
OP must already have a VLAN switch since he has many VLAN interfaces defined. Just make one more for WAN and move on.
Now that that's solved, speaking of all these VLAN interfaces, are all these tenants really going to trust you to do their firewalling for them (I know I wouldn't. Nothing personal, it's just a "no way" no matter who it is) or are they going to all have firewalls of their own?
-
I shy away from any network equipment like nics & switches which come with remote management facilities, they attract hackers no end and it's often hard to even tell if someone is in management mode due to the need to not interrupt operations.
A usb nic often has no fancy remote access/management/whatever so should be less to worry about.
I'm happy with the speed but I can't get fibre where I am for another few years.
However I could use usb nics to control access to the pfsense box like a physical key.
I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way.
I could have a second usb nic and repeat the above steps for a backup measure.
Provided the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication.
I couldn't do that with intel nics or any other pci-e nic could I? ;)
Edit.
Possibly 3rd form factor authentication, if pfsense can tell what USB port it's plugged into if a choice of usb ports exist.
-
I could use usb nics to control access to the pfsense box like a physical key
If you mean you could remove the USB NIC and only connect it when required then no, no you can't.
If you remove a NIC that is configured and assigned in the config file then the next time you reboot you will be dumped at the initial interface assign prompt. That is a problem with any easily removable NIC, if it's accidentally removed then the result can be very bad.
Steve
-
USB NIC as a security dongle. Now I've seen everything.
-
I shy away from any network equipment like nics & switches which come with remote management facilities, they attract hackers no end and it's often hard to even tell if someone is in management mode due to the need to not interrupt operations.
That's what management VLANs and firewall rules are for.
A usb nic often has no fancy remote access/management/whatever so should be less to worry about.
Neither do "real" NICs.
However I could use usb nics to control access to the pfsense box like a physical key.
I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way.
Except that anyone who wants in can get in by spoofing that MAC.
I could have a second usb nic and repeat the above steps for a backup measure.
You'd probably need one.
Provided the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication.
I couldn't do that with intel nics or any other pci-e nic could I? ;)
Edit.
Possibly 3rd form factor authentication, if pfsense can tell what USB port it's plugged into if a choice of usb ports exist.
With proper network design and firewall rules this is all a non-issue. My users cannot get at my pfSense interface, switch management interfaces, AP management interfaces, etc. And, no, I don't have any USB NICs on my network.
-
Ah, wait I see, you mean use the USB NIC at the client end to provide a different MAC?
As Derelict points out, probably easier to just spoof the MAC to something else when you want access. But no real additional security; anyone could read the MAC and spoof it. If you're concerned about access from internal networks then set up a VPN server and put rules in to only allow access to the webgui from VPN connected clients.
Steve
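
The two approaches discussed above, written as plain pf rules. This is an added illustration, not part of the original posts and not pfSense's generated ruleset; the interface names, addresses and the use of an OpenVPN interface are assumptions, and on pfSense the equivalent rules would be created on the interface tabs in the GUI.

```pf
# Hypothetical names and addresses throughout: adjust to the real setup.
lan_if     = "em0"            # internal/tenant side (assumed)
vpn_if     = "ovpns1"         # VPN server interface (assumed name)
vpn_net    = "10.99.0.0/24"   # VPN tunnel network (assumed)
mgmt_ports = "{ 22, 443 }"    # SSH and webGUI

# --- Weak: the "USB NIC as a key" idea ---------------------------------
# A static DHCP mapping gives the admin NIC's MAC a fixed address and the
# rule trusts that address. Both the MAC and the IP are values the client
# chooses for itself, so the rule identifies nothing: any host on the
# segment that presents the same MAC/IP matches it.
#
# admin_ip = "192.168.1.50"   # fixed lease tied to the NIC's MAC (assumed)
# pass in quick on $lan_if proto tcp from $admin_ip to (self) port $mgmt_ports

# --- Corrected: management only through the VPN ------------------------
# A client can only send from $vpn_net on $vpn_if after the VPN server has
# authenticated it, so the source address is backed by a credential
# check rather than by a self-declared hardware address.
pass  in quick on $vpn_if proto tcp from $vpn_net to (self) port $mgmt_ports

# Everything else aimed at the management ports is dropped, whichever
# interface it arrives on and whatever MAC or IP it claims.
block in quick proto tcp from any to (self) port $mgmt_ports
```

Both rules use `quick`, so the VPN pass rule has to stay above the block rule.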
-
I shy away from any network equipment like nics & switches which come with remote management facilities, they attract hackers no end and it's often hard to even tell if someone is in management mode due to the need to not interrupt operations.
That's what management VLANs and firewall rules are for.
A usb nic often has no fancy remote access/management/whatever so should be less to worry about.
Neither do "real" NICs.
However I could use usb nics to control access to the pfsense box like a physical key.
I could assign a fixed ip to a usb nic based on its arp/mac id, add a rule to allow access to pfsense from the usb nic, block access to pfsense from everywhere else and that should make pfsense a little more secure in a different way.
Except that anyone who wants in can get in by spoofing that MAC.
I could have a second usb nic and repeat the above steps for a backup measure.
You'd probably need one.
Provided the nic comes up automatically and works as required, that would make securing pfsense a novel way with a physical key and a password effectively giving you a sort of two form factor authentication.
I couldn't do that with intel nics or any other pci-e nic could I? ;)
Edit.
Possibly 3rd form factor authentication, if pfsense can tell what USB port it's plugged into if a choice of usb ports exist.
With proper network design and firewall rules this is all a non-issue. My users cannot get at my pfSense interface, switch management interfaces, AP management interfaces, etc. And, no, I don't have any USB NICs on my network.
Intel nics have had forms of remote access in their nics since the 1990's.
http://en.wikipedia.org/wiki/Wired_for_Management
It might be obsolete but the functionality still ships in their nic chips, hence a security risk. Let's not forget rootkits were just old dos viruses, that the youngsters forgot about.
http://www.intel.com/design/archives/wfm/
"WfM has been replaced by the Intelligent Platform Management Interface standard for servers and Intel Active Management Technology for PCs."
Intel AMT (vpro) is considered a back door into systems as this works out of band, and the IPMI is aimed more at the servers.
http://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface#Security
"On 2 July 2013, Rapid 7 published a guide to security penetration testing of the latest IPMI 2.0 protocol and implementations by various vendors.[6] Vendors have provided patches that remediate most of the vulnerabilities, but the "IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval" vulnerability has not yet been addressed. This arises from the difficulty that the IPMI 2.0 specification is flawed in that it reveals the password hash and salt to anonymous remote clients. This allows for offline brute force attacks. Complete remediation will require a change to the IPMI specification.[7]
Some sources are even advising against using IPMI at all,[8] due to security concerns related to the design and vulnerabilities of actual Baseboard Management Controllers (BMCs).[9][10] However, like for any other management interface, good security practices dictate the placement of the IPMI management port on a dedicated management LAN or VLAN."
"The development of this interface specification was led by Intel Corporation and is supported by more than 200 computer systems vendors, such as Cisco, Dell, Hewlett-Packard, Intel, NEC Corporation, SuperMicro and Tyan."
On the point of using vlans, here's a paper which discusses the weaknesses of it. It's worth noting the conclusion as the biggest risk of vlans is not configuring them properly. Considering most people here asking about vlans probably have little to no experience of them, the suggested use would render some users of vlans more vulnerable than if they did not attempt to use it.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39054
I used to be a big fan of remote access for system support, but I'm finding increasingly as more functionality is added, so the risks of bugs which could be your next undiscovered zero day increases and so more things get hacked.
On the point of spoofing, that's fine, in fact it would probably be spoofed so that serial numbers can't be traced back to arp/mac id's and then be logged somewhere in the supply chain. They still need to guess what it is, just like a password, but if it's also the only management channel and the only device that connects to it, never goes online and/or doesn't have any remote access built into it, then it should be quite secure if not as secure as pf itself.
Arp/mac id's are just another identifier, just like a username and password combined is an identifier for a system. How the system is set up to react to these unique identifiers is down to the user.
Windows uses a usb device to store the key if you encrypt the hard drive, how is that any different to a usb nic if not more obvious if someone were to pick up the usb stick due to it being known as a device for storing sensitive info. A usb nic is a less obvious place to store info whilst being in plain sight.
@ Stephenw10
"If you mean you could remove the USB NIC and only connect it when required then no, no you can't."
It does work in 2.2 rc, I've tried it.
-
So let's not talk about "Bad USB."
-
Wow, I go away for a day and then I come back and it's all trash talk on USB NIC.
That was my only option, because the machine I was working with didn't have any expansion slots and only the one Ethernet port.
But now that it's done, I'm now working on 2 separate machines that each have 3 Ethernet ports, and I'm not having any issues with them.
All I know is that the USB to Ethernet is working just fine, and yes all the VLANs are for separate tenants and the business I work for controlling their firewall,
well we aren't controlling yours so it really doesn't matter then, does it Derelict
-
It's not so much "trash talk" as attempting to point you in a better direction.
As pointed out earlier, if you already had a vlan capable switch you didn't need the usb dongle at all.
If you were in the mood to buy something and had no free slots, vlan switch would have been the way to go.
-
So let's not talk about "Bad USB."
All I'm asking for is some 3rd party source to quantify how good is good and how bad is bad?
Without this knowledge, people can't make that much of an informed choice, can they?
In my case, I need to work with the lowest common denominators which means old hw possibly a laptop as it has things like wifi, various usb sockets, a nic, serial port, battery (for ups), already rolled into one handy portable device, cheap usb nics and a basic adsl connection with a variable ip, ie the typical cash strapped consumer market.
In windows, we can assign some drivers to work with specific usb configurations, usb printers tend to be a good example of this in windows, who has ever unplugged a usb printer from a windows pc, then plugged it into a different usb port and find it doesn't print until you change the usb port in the printer driver config?
If it were possible in freebsd/pfsense to fix fw rules to specific usb hw configs, ie hub1, port3, hub2, port1, you get to introduce a physical element to the puzzle of getting into a fw, when you consider the different combinations a couple usb hubs can plug together before you plug the usb nic into the last hub which is another element of the physical size of the puzzle. It's a fairly low cost low tech way to introduce a bit of physical security on the cheap, that's all.
Likewise the right mac id at the device which will connect into the initial usb nic on the fw, can also trigger the right rule which gives access to pfsense. So two mac id's to guess introduces two unique physical identifiers before you've even got to try the right username and password.
-
If most of the time when a person plugged in a PCIe Ethernet adapter it didn't work, or worked poorly and unreliably, I'd be discouraging their use.
But as it is, USB is the interface type that holds that status.