Things the forum needs to fix.
-
All forums are different; some go hardcore with videos, tutorials with pictures, well-thought-out stickies, vetted firewall posts, to increase user count.
This place seems to be stocked with very smart individuals with vast knowledge. I do find that it's similar to an engineer mentality, whereas vital newbie things are skipped over; after all, pfsense is a HOME firewall. Little things.
Like looking at hardware req's I was concerned that my old- dell optiplex 745 duo-core 3ghz, 3gigs ram wouldn't be enough.
But loaded up with the good UTM packages, 3 PCs going full DL'ing with 4000 bit VPN (separate thru the desktops), the pfsense box didn't go above 6% CPU or 13% memory. So you can run this on old hardware. From reading the forum I was thinking an i3-i7 with a crypto accelerator card, the whole bit. It's a shame I couldn't get this to work with my wireless router for lack of tutorials/stickies, so I have to stick with my consumer grade router junk. The stickies that are here tout old circa-2008 hardware (Alix etc.); everything is outdated in terms of knowledge.
I don't have a problem giving back and doing tutorials with pics but for me to get into it, I gotta get a base.
Too much contradictory information or outdated setup info regarding rules. Or negligence of thought: if you are going to change the base GUI login port, don't leave SSL on. No mention of this fact.
This would be solved with a single sticky tut that covers 80% of the typical home use (1 wireless router/AP, a couple laptops, wired PCs, a few smartphones) with an importable ruleset attached with explanations.
Instead I spent tens of hours trolling thru posts where a high-post-count poster is telling you to block everything with a (quick) floating rule and then open things up on the LAN, where the documentation says floating quick rules are processed 1st and, when a rule is quick, it stops processing further rules. Or opaque and contradictory language on how to set a subnet or wireless. A general downloadable ruleset would be nice.
Little things. Stuff like this makes it hard to get a new user engaged. Things like this are, in my opinion, not helpful to the growth of this. I think everyone with a home internet connection should be running this PFsense.
Just my thought and my weekend experience with this incredible piece of software. Consider this constructive, not negative, feedback.
Even though I am not going to use this right now because I cannot get it going, I wanted to buy all the package threat lists and the whole deal.
My next option is to re-tool and get a newer fanless box and pay someone to set it up locally. And to me that's a fail.
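The quick versus non-quick ordering that the post above found contradictory, as an added example that is not part of the original thread: a simplified Python model of how pf evaluates floating rules first and interface-tab rules second. The rule fields, labels and sample packets are constructed for illustration; direction, protocol and state tracking are not modeled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface name, or "any"
    dport: Optional[int] = None  # destination port, None matches any port
    quick: bool = False
    label: str = ""

def matches(rule, pkt):
    return (rule.iface in ("any", pkt["iface"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(floating, iface_rules, pkt):
    """Return (action, label) for pkt.

    Floating rules are checked first. A matching quick rule ends
    evaluation immediately; a matching non-quick rule only records a
    verdict that a later match may override (last match wins).
    Interface-tab rules are always quick, so the first match decides.
    With no match at all, the default deny applies.
    """
    verdict = ("block", "default deny")
    for rule in floating:
        if matches(rule, pkt):
            verdict = (rule.action, rule.label)
            if rule.quick:
                return verdict
    for rule in iface_rules:
        if matches(rule, pkt):
            return (rule.action, rule.label)
    return verdict

# Constructed rulesets: the same "block all" floating rule, with and without quick.
FLOATING_QUICK = [Rule("block", "any", quick=True, label="floating block all (quick)")]
FLOATING_NONQUICK = [Rule("block", "any", label="floating block all")]
LAN_RULES = [Rule("pass", "lan", 443, label="LAN allow HTTPS")]
HTTPS = {"iface": "lan", "dport": 443}   # constructed sample packets
TELNET = {"iface": "lan", "dport": 23}

if __name__ == "__main__":
    for name, fl in (("quick", FLOATING_QUICK), ("non-quick", FLOATING_NONQUICK)):
        for pkt in (HTTPS, TELNET):
            print(name, pkt["dport"], evaluate(fl, LAN_RULES, pkt))
```

With the quick floating block in place, the LAN pass rule is never reached, so a "block everything" floating rule only coexists with LAN allow rules when quick is left unchecked.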
-
Good post but a couple of comments,
One, pfSense can be used in an SMB and even a large environment. I personally think that pfSense at home is overkill but most of us here run our home network like our corporate networks. I guess the thought for many of us here is that if you are running pfSense at home then you have a minimum level of knowledge, but I think that you bring up a good point about the need for some basic knowledge. I'm actually working on creating a pfSense networking class similar to Cisco ICND 1 & 2 but more tailored to pfSense. I will be putting them on YouTube so stay tuned. As far as your wireless problem with pfSense, don't let that discourage you from running pfSense at home. I too am using a Dell OptiPlex 745 and that is plenty of power (upgraded to a q6600 processor). There are a lot of write-ups that tell you how to do what you want, but it does require some work on your part. Most of us on these forums are networking nerds and do this on our own time, so all we ask is that anyone asking a question first take some time to put work in. Today we live in a society where information is cheap, meaning anything that you want to know, all you have to do is search for it on the Internet and you will find someone telling you how to do it. But it does require some effort. Keep diligent and you will get what you want, but don't expect someone to do all the work for you. In my career I have made a lot of mistakes but that is how you learn. I feel fortunate because I came up in an era before the Internet so there was a lot of self-discovery. I think you learn better that way, plus it puts something in you to try to find the answer yourself before you seek help. Please don't take this like asking for help is wrong, I'm just saying sometimes when you get the help you then may have to do some homework to see what the person is talking about.
The last thing I will say with networking nerds is that when you ask them a question you will get as many answers as the group you are asking. Meaning there are many ways to do one thing. I try to find the best way but that will be for you to discover what is best for you.
-
after all pfsense is a HOME firewall.
Yeah, you kind of lost me here. pfSense is certainly not what I would consider a personal firewall, although it can certainly be used as one.
Some information can seem contradictory due to different scenarios or circumstances. For example, floating rules aren't something you need to worry about just yet.
I do agree that the forum stickies are a total mess with ancient content going back years.
-
Now that the packet filter is not core-locked, pfsense is even better for industrial purposes.
-
after all pfsense is a HOME
Interesting,
I see pfSense as a replacement for commercial products used in the SMB segment, not as a home use product.
I also see many "techies" use the product at home but don't expect that many non-tech type people using it at home.
Just because it's free doesn't mean it's 'cheap'.
We are using it in HA mode in our data center. We replaced a Sonicwall HA system with pfSense and I am liking it much better than the previous setup.
There is plenty of good knowledge in this forum and many willing to share it.
Plus the pfSense guys are active here and helpful too.
-
The forum, as a source of documentation or a database of static knowledge, is a poor medium. That's what the Doc Wiki is for:
https://doc.pfsense.org
And what the book is for ( https://portal.pfsense.org/gold-subscription.php )
What the forum is good for is a place of discussion where people can take general knowledge and apply it to specific configurations, of which few are rarely the same.
Information may conflict because different people run their networks different ways. Some environments are stricter than others, and others prefer things easier to manage.
I would prefer there be fewer sticky posts and more pointers to the wiki, but that's me.
-
I disagree with you KOM. In today's age most homes can have up to 30 devices connected to the internet. Standard "Walmart" home routers are not up to the task and that is the cause of much of the identity theft and "Malware" infections we read about today in the news.
A good "Home" pfSense router/firewall running just snort/suricata in blocking mode with pfBlockerNG and the basic "Malware" lists can prevent a GOOD part of the "Malware" and "Hijack" sites out there and will go a long way to keep those devices clean. Snort VRT home subscription is just 29.95 a year. All of this a 15 year old can install.
It's really funny when one of my friends/family/kids' friends bring their laptops and infected Android phones from their unprotected homes, snort and pfBNG go crazy with alerts, sometimes even making their phones and laptops useless.
We DO need a simple "Home" setup Wiki page or Youtube video. If most homes ran pfSense, it would put a lot of the "We'll clean your PC" companies out of business.
Let's picture a large company that would REQUIRE that its employees run a basic "real" firewall setup in their home before their devices can be brought on property. Every home should be running pfSense or something similar.
@KOM:
after all pfsense is a HOME firewall.
Yeah, you kind of lost me here. pfSense is certainly not what I would consider a personal firewall, although it can certainly be used as one.
Some information can seem contradictory due to different scenarios or circumstances. For example, floating rules aren't something you need to worry about just yet.
I do agree that the forum stickies are a total mess with ancient content going back years.
-
Yes, there are many scenarios, but I think it would be nice if some users would post their basic home settings
or there would be some recommendations, for example on stuff like Squid memory cache size based on RAM.
I believe for home use the needs between people do not differentiate too much.
I think there are a lot of people here who have experience on what works best.
A lot of stuff here is years old and, as fdisk said, if you look around it seems like you need a killer machine.
-
all pfsense is a HOME firewall. Little things.
So no.
Our company has several clients using many of these and even in nested configurations across the country.
Methinks you are posting angry.
Don't post angry.
-
Topics like "New Alix board for 2013" still pinned on top…
And we're in 2015...
-
I really think you are over reading. Your hardware is fine if you have two Network ports on the machine. Just do the default install, it installs the rules you need by default.
Add the Snort package. Go to snort.org and get a free Oinkmaster code. Add that to "Global Settings" in Snort. Go to the "Updates" tab and click "Update". Add a LAN interface on "Snort Interfaces". On "Lan Settings" click Enable, Block Offenders, Kill States; in the "Lan Categories" tab click "Resolve Flow Bits", "Use IPS Policy" and on "IPS Policy Selection" choose "Connectivity". Hit Save.
Log into your current wireless router and set it up as an access point. Just Google your router brand and "setup as access point" and follow those instructions there.
You now have 100 times the home network security that any commercial "Walmart" router has and a basic "UTM" as you mentioned in your post. Then you can start reading the more in-depth posts to add more functionality, or just leave it like it is.
PS. If you need help, PM me I'll walk you through it.
Like looking at hardware req's I was concerned that my old- dell optiplex 745 duo-core 3ghz, 3gigs ram wouldn't be enough.
-
I agree with the OP. Some of the docs are woefully out of date. An example would be the minimum hardware requirements. The hardware listed was becoming obsolete a decade ago. This does a disservice to potential new users who are trying to get good supported hardware. From that page, I could assume that my AMD 5350 with 8G RAM could handle any pfSense usage scenario (I doubt it though).
It would also be nice to see some basic tutorials walking through a non-trivial home setup. An example setup would be a pfsense box with a wireless AP and a switch using the Ethernet ports on the pfsense box. I'd assume this is trivial to set up, but after reading through the forums, I'm no longer sure.
The example setup would be
Ethernet port 1 - WAN
Ethernet port 2 - LAN (switch)
Ethernet port 3 - LAN (WAP)
Ethernet port 4 - Maybe a DMZ
-
Everything is "simple" if you have done something a lot.
A master in kung-fu probably thinks it's a piece of cake to catch a fly with chopsticks.
An experienced welder can merge 2 pieces of steel together while having a chat with a colleague and checking his phone.
So while the documentation might not be perfect, it's not THAT bad compared to some other docs I've read over the years.
imho if you learn how to crawl before you try to run the 100m in 10secs, then you'll grow into it.
The other option is to pay for a gold subscription and receive the "definitive guide".
-
Some of the docs are woefully out of date. An example would be the minimum hardware requirements. The hardware listed was becoming obsolete a decade ago.
The hardware requirements are definitely due for an update, but what other parts of our documentation are "woefully out of date"? I have spent the last 6 months updating every article on the wiki, if something is still outdated on the doc wiki, I'd like to know so it could be fixed.
-
Here are some items that are out of date or appear out of date because they conflict with other docs.
https://doc.pfsense.org/index.php/What_is_the_best_wireless_card_to_use
The link Madwifi Compatibility list is dead. All the cards seem to stop at 802.11n. This might be a limitation of FreeBSD.
https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used
seems out of sync with
https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
The first talks about using a bridge to add wifi support, while the other avoids bridges all together.
https://doc.pfsense.org/index.php/How_can_I_increase_the_state_table_size
This seems dated because it implies that 1G RAM is huge. It doesn't seem that high for modern hardware.
-
I would be extremely happy if the official documentation could include some explanation similar to this (or a more updated version): https://forum.pfsense.org/index.php?topic=24773.msg129341#msg129341
I am personally attempting to simplify the explanation of HFSC's exclusive capabilities, so regular users do not need to resort to reading the HFSC white paper(s), but a "good" writeup is months away… :(
(Perhaps a script that calculates m1 & d values using standard packet sizes based on a chosen protocol would be easier than explaining HFSC to everyone.)
Maybe pfSense should spend time documenting differences from FreeBSD, and otherwise link to FreeBSD/OpenBSD for documentation. No need to reinvent the wheel. Though, I guess pfSense's demographic is different from the full BSD operating systems.
:)
-
https://doc.pfsense.org/index.php/What_is_the_best_wireless_card_to_use
The link Madwifi Compatibility list is dead. All the cards seem to stop at 802.11n. This might be a limitation of FreeBSD.
I fixed that page. (Updated the card we all use internally, removed that dead link)
https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used
seems out of sync with
https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
The first talks about using a bridge to add wifi support, while the other avoids bridges all together.
Those are two COMPLETELY different things. The first is talking about bridging two pfSense interfaces in general, the second is about using an external wireless router not a wireless card, and there isn't even a second interface involved in that second page, so bridging is irrelevant. In that scenario the external wireless router is plugged into the LAN. The two pages are not related in any way.
https://doc.pfsense.org/index.php/How_can_I_increase_the_state_table_size
This seems dated because it implies that 1G RAM is huge. It doesn't seem that high for modern hardware.
It's using a simple example there, it doesn't make commentary about how "huge" the RAM is. 1,000,000 states is still huge, regardless of how much RAM is in the box total, and it's a nice round number that makes a good example.
-
https://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used
seems out of sync with
https://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense
The first talks about using a bridge to add wifi support, while the other avoids bridges all together.
Those are two COMPLETELY different things. The first is talking about bridging two pfSense interfaces in general, the second is about using an external wireless router not a wireless card, and there isn't even a second interface involved in that second page, so bridging is irrelevant. In that scenario the external wireless router is plugged into the LAN. The two pages are not related in any way.
The first page makes much more sense now. I didn't read it as a WIFI card. I interpreted it as an Ethernet port connected to a WIFI router.