The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘pfSense’ Category

If I have not found pfSense hardware by now: Gowin R86S mini PC offers 2.5GbE and 10GbE networking for $310 and up – CNX Software

Posted by jpluimers on 2025/08/15

I have been contemplating pfSense hardware, as there has been a large shortage in that market, especially for boards with more than 2 ports (similar to, for instance, the Mikrotik PoE router unavailability).

If by now I have not found any, I might want to revisit [Wayback/Archive] Gowin R86S mini PC offers 2.5GbE and 10GbE networking for $310 and up – CNX Software, which has 3 RJ45 ports and 2 SFP+ cages.

They found it via this 4-page review:


Posted in Ethernet, Hardware, MikroTik, Network-and-equipment, pfSense, Power User, routers

H3/H2 Net Card – ODROID – wonder how well pfSense supports it

Posted by jpluimers on 2025/04/18

I wonder how well [Wayback/Archive] H3/H2 Net Card – ODROID is supported by pfSense. It is an M.2-based PCIe network card that adds 4 Ethernet ports of 2.5 gigabit each to an ODROID H2 or H3 series board (so you have 6 ports in total), ideal for a hefty router.

Pictures (from the above link) of the board, cases and mainboard below.

But first: Realtek NICs are not vendor-supported on FreeBSD (on which pfSense and OPNsense are based).


Posted in *nix, BSD, Ethernet, FreeBSD, Hardware, Network-and-equipment, pfSense, Power User, routers

Compact fanless firewall appliance offers 6x 2.5GbE ports for $230 and up – CNX Software

Posted by jpluimers on 2024/03/14

Reminder: check reviews for this little device: [Wayback/Archive] Compact fanless firewall appliance offers 6x 2.5GbE ports for $230 and up – CNX Software

If referred to:

–jeroen

Posted in Development, Hardware, Hardware Development, Network-and-equipment, pfSense, Power User, routers

Reminder to self: mid-term solution for replacing Ubiquiti access points

Posted by jpluimers on 2023/12/11

Last year, after an already long sequence of doing stupid things, Ubiquiti sued Brian Krebs.

For many this was a reason to think about what to replace their Ubiquiti gear with.

My Cloud Key had already died and I never installed the USG router, so this is the reminder to see if anything has come up to replace the Unifi access points that is easy to manage in a self-hosted way, is powered over Ethernet, and does the same seamless handover and cooperative WiFi antenna management.

Some links from back then:


Posted in Cloud Key, Ethernet, Hardware, MikroTik, Network-and-equipment, pfSense, Power User, routers, Ubiquiti, Unifi-Ubiquiti, USG Ubiquiti Unifi Security Gateway, WiFi

Some notes on the PC Engines apu2e4 router board (apu2e4 = 3 i210AT LAN / AMD GX-412TC CPU / 4 GB DRAM)

Posted by jpluimers on 2023/10/27

Some links on the pfSense hardware I am planning to use.

Whereas apu1 was totally different, apu2, apu3, apu4 and apu6 are very similar. The letters after the first digit indicate the evolution of the boards. The first and last digits set apart features. Together they form a confusing matrix which is not really made clear on the PC Engines web site, as some intermediate categories are missing, which makes it hard to get an overview.

Basically their shop site has the list of the most current products and is the easiest place to get links to the actual product names. Like many Swiss companies, they accept multiple currencies, so there are three links to the shop:


Posted in APU, Hardware, Network-and-equipment, pfSense, Power User, routers

So long and thanks for all the fish: PC Engines apu platform EOL (in 2024, but still)

Posted by jpluimers on 2023/04/24

It was great while it lasted, so be sure to order within the next 12 months, as per [Wayback/Archive] PC Engines apu platform EOL:

PC Engines apu platform EOL

The end is near ! After a long production run, AMD will accept last orders for the SOC used in our apu2/3/4/5/6 boards by end of June 2023.

apu phase-out

We will do a life-time buy for a quantity of the AMD SOC and some other key components. We are willing to schedule customer shipments through end of June 2024. There is a 26 week lead time on the AMD SOC, expect limited supply until late 2023.

First ordered, first served. Binding orders may be required for large quantities.

New products ?

Despite having used considerable quantities of AMD processors and Intel NICs, we don’t get adequate design support for new projects. In addition, the x86 silicon currently offered is not very appealing for our niche of passively cooled boards. After about 20 years of WRAP, ALIX and APU, it is time for me to move on to different things.

Thank you !

I would like to thank all of our customers for their business, and sometimes patience.

–jeroen

Posted in APU, Hardware, Network-and-equipment, pfSense, Power User, routers

Fritz!box 7590 interface extremely slow : fritzbox

Posted by jpluimers on 2022/08/05

I tried the solution in [Wayback/Archive.is] Fritz!box 7590 interface extremely slow : fritzbox (removing the roughly 30-40 unused machines from the network overview), but it didn’t matter: since Fritz!OS 7.x, the Fritz!Box 7490 UI is just very, very slow: each page takes 10+ seconds to load.

Hopefully I can get rid of these and move to pfSense based hardware eventually.

–jeroen

Posted in Fritz!, Fritz!Box, Hardware, Network-and-equipment, pfSense, Power User, routers

Download pfSense Community Edition: pfSense-CE-2.5.1-RELEASE-amd64.iso.gz

Posted by jpluimers on 2022/03/08

Since this is what I use to VPN home:

pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more

[Wayback] Download pfSense Community Edition: [Wayback] pfSense-CE-2.5.1-RELEASE-amd64.iso.gz

–jeroen

Posted in Internet, pfSense, Power User, routers

pfSense OpenVPN server configuration steps

Posted by jpluimers on 2020/09/28

Saving an initial configuration without changing anything gives these errors:

Self signed certificate

If you are OK with self-signed certificates, then the first is solved by using this as the Server certificate:

Certificate authority

The second needs an additional step: you have to select or create a certificate authority first at hostname/system_camanager.php?act=new where hostname is the hostname or IP address of your pfSense configuration.

This order is actually explained in [WayBack] OpenVPN – The Open Source VPN: HOWTO and [WayBack] OpenVPN Configuration (pfSense) – ELITS, but I like stronger security.

For the Internal Certificate Authority (CA), use at least these settings:

  • “Key length (bits)” at least 2048 bits, but I prefer 3072 bits (to be safe after about 2030) as per
  • “Digest Algorithm” at least sha256, but I prefer sha512 as it will be safe for a longer period of time.
  • “Lifetime” by default is 3650 (10 years); can you keep your VM safe for that long? If you need longer, you can increase the lifetime, but then you also have to choose large enough values for the Key length and Digest Algorithm.

You can view the possible settings in [WayBack] pfsense/system_camanager.php at master · pfsense/pfsense · GitHub.

Straightforward parameters

Further encryption hardening

  • DH Parameter Length
    • One problem here is that pfSense ships with pre-generated Diffie-Hellman (DH) parameters:

      This means they can potentially be re-used as an attack vector, so you need to manually re-generate them as per [WayBack] DH Parameters – pfSense Documentation by using /usr/bin/openssl dhparam.

      This can take quite some time, as it depends on /dev/random as a pure random number source, which blocks if not enough initial entropy is available yet (see [WayBack] prng – differences between random and urandom – Stack Overflow).

      In order to speed that up, you have to either manually add a lot of entropy, or ensure your VM uses the host entropy by installing the open-vm-tools and rebooting.

      On a single-core Intel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz, the timings of these commands

      /usr/bin/openssl dhparam -out /etc/dh-parameters.1024 1024
      /usr/bin/openssl dhparam -out /etc/dh-parameters.2048 2048
      /usr/bin/openssl dhparam -out /etc/dh-parameters.4096 4096

      using the [WayBack] FreeBSD Manual Pages: time command are (each measured twice):

      • ~4.5 seconds for 1024 bits:

      • ~23 seconds for 2048 bits:

      • ~150 seconds for 4096 bits:

      • You see that even for the same length, the duration varies widely.
    • Given you already burned those CPU cycles, choose the largest one: 4096
  • Encryption Algorithm
  • Enable NCP (Negotiable Cryptographic Parameters)
    • I enabled this, because I consider the ones below safe enough. If you just want to go for one algorithm, then disable this.
  • NCP Algorithms
    • See the previous one; only list the algorithm-length-mode combinations that you want to allow. Since I am on AES, prefer GCM, and all key sizes are considered safe, my list is the one on the right:

      This is in decreasing order of strength:

      • AES-256-GCM
      • AES-192-GCM
      • AES-128-GCM
  • Auth digest algorithm
  • Certificate depth
    • For now it is 1 (as it is self-signed)
    • In the future I will experiment with proper (hopefully Let’s Encrypt) signed certificates. I am not yet sure if that might need a larger depth.
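The DH Parameter Length and NCP Algorithms items above can be checked mechanically once the server runs. The Python audit below is an added example, not code from this post or from pfSense: it assumes the OpenVPN server configuration is available as text using the data-ciphers (older ncp-ciphers) directive, reads the DH parameter file in the form openssl dhparam writes it (a PEM-wrapped DER SEQUENCE of INTEGER p and INTEGER g), and flags any cipher outside the AES-GCM list and a modulus shorter than 2048 bits. The sample config and the DH modulus are constructed for the example; the modulus is not a prime.

```python
import base64
# Targets from the post: only AES-GCM data ciphers (strongest first) and DH parameters
# of at least 2048 bits (the post settles on 4096).
ALLOWED_CIPHERS = ("AES-256-GCM", "AES-192-GCM", "AES-128-GCM")
MIN_DH_BITS = 2048

def _tlv(tag, content):  # DER tag-length-value; long-form length above 127 bytes
    n = len(content)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + content

def _int_bytes(x):  # big-endian magnitude, 0x00-padded so DER does not read it as negative
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return (b"\x00" if b[0] & 0x80 else b"") + b

def make_dh_pem(p, g=2):  # PEM 'DH PARAMETERS' = SEQUENCE { INTEGER p, INTEGER g }
    der = _tlv(0x30, _tlv(0x02, _int_bytes(p)) + _tlv(0x02, _int_bytes(g)))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def _read_len(der, i):  # -> (length, offset of the first content byte)
    n, k = der[i], der[i] & 0x7F
    return (int.from_bytes(der[i + 1:i + 1 + k], "big"), i + 1 + k) if n & 0x80 else (n, i + 1)

def dh_prime_bits(pem):  # bit length of p in what 'openssl dhparam -out FILE N' wrote (equals N)
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    assert der[0] == 0x30, "expected DER SEQUENCE"
    _, i = _read_len(der, 1)
    assert der[i] == 0x02, "expected INTEGER p"
    plen, i = _read_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def audit(config, dh_pem):  # findings for an OpenVPN server config text plus its DH file
    opts = {}
    for line in config.splitlines():
        key, _, val = line.split("#", 1)[0].strip().partition(" ")
        if key:
            opts[key] = val.strip()
    findings = []
    bad = [c for c in opts.get("data-ciphers", opts.get("ncp-ciphers", "")).split(":")
           if c and c not in ALLOWED_CIPHERS]
    if bad:
        findings.append("cipher(s) outside the AES-GCM list: " + ", ".join(bad))
    if (bits := dh_prime_bits(dh_pem)) < MIN_DH_BITS:
        findings.append("DH parameters are %d bits, below %d" % (bits, MIN_DH_BITS))
    return findings

SAMPLE_DH_PEM = make_dh_pem((1 << 1023) | 0xDEADBEEF | 1)  # constructed: NOT a real prime
SAMPLE_CONFIG = "data-ciphers AES-256-GCM:AES-128-CBC  # one non-GCM entry\nauth SHA512\n"
```

Running audit(SAMPLE_CONFIG, SAMPLE_DH_PEM) reports the AES-128-CBC entry and the 1024-bit modulus; a config with only the three GCM ciphers and a 2048-bit or larger DH file yields no findings.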

Other settings

All networks are in CIDR notation, like 192.168.3.0/24.

  • IPv4 Tunnel network
  • IPv6 Tunnel network
    • I still need to implement IPv6 in full, so that is empty for now.
  • IPv4 Local networks
    • These are my local networks. Still need to test how well routing works, but given the default gateway knows about them too, I do not suspect problems.
  • IPv4 Remote networks
    • Empty as I do not use site-to-site VPN yet.
  • IPv6 Remote networks
    • I still need to implement IPv6 in full, so that is empty for now.
  • Concurrent connections
    • Still need to measure performance, so empty for now.
  • Compression
    • I kept the default “Omit Preference (Use OpenVPN Default)”.
    • I might choose compression lz4 or compression lz4-v2 in the future.
  • Push compression
    • Kept to unchecked: I dislike other VPN connections pushing settings to me, so I do not want to push settings to others.
  • Type-of-Service
    • Kept to unchecked, although I might opt for checked later on: need to do some testing first.
  • Inter-client communication
    • Kept to unchecked: I do not want clients to talk to each other in this particular network, though I might for some specific OpenVPN setup.
  • Duplicate Connection
    • Kept to unchecked
  • Dynamic IP
    • I have enabled this, as I expect clients to switch IP addresses because of switching between networks.
  • [WayBack] Topology: choose subnet (use net30 only for old 2.0.9 client compatibility on Windows; use p2p if you only have non-Windows clients)
  • Advanced client options
    • All defaults, as currently I do not run an internal DNS, but those will probably change in the future:
      • DNS Default Domain
      • DNS Server enable
      • DNS Server 1..4
      • Force DNS Cache Update
  • Custom options
    • None, but I will need to do some deeper reading on the possibilities here
  • UDP Fast I/O
    • Disabled, as it is experimental.
  • Send/Receive Buffer
    • Default, although I might increase this if speed is too slow.
  • Gateway creation
    • I chose the default, Both.
  • Verbosity level
    • Default


Enabling AES

Even if the underlying Intel/AMD processor supports AES-NI, it is not enabled by default in pfSense, as shown on the web UI home page:

Intel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz
AES-NI CPU Crypto: Yes (inactive)

I was quite surprised, but then remembered that enabling RDRAND in the OpenVPN settings was also non-default and dug a bit deeper into ….

There I found you have to go to the System menu, choose Advanced, then the Miscellaneous tab:

From there, browse down (or search for Hardware) to “Cryptographic & Thermal Hardware”, then enable the CPU based acceleration:

After pressing the Save button at the bottom, you are done:

AES-NI CPU Crypto: Yes (active)

I got this via [WayBack] AES-IN Inactive?, which also mentions this:

  • AES-NI loads aesni.ko
  • BSD Crypto loads cryptodev.ko
  • AES-NI and BSD Crypto loads both

Note that, as of FreeBSD 10, AES-NI and other hardware implementations are only indirectly incorporated into /dev/random. The Linux kernel already did this in an indirect way. I think that is a good idea, as when multiple entropy sources are merged together, it becomes much harder to influence the total entropy. FreeBSD implemented this using the Yarrow algorithm – Wikipedia and has now moved to a successor, the Fortuna (PRNG) – Wikipedia.

More background information:

padlock ACE support

Note there is a message about ACE support on the console and in the boot log that is related to AES:

padlock0: No ACE support.
aesni0: <AES-CBC, AES-XTS, AES-GCM, AES-ICM> on motherboard

The cause is that VIA PadLock Advanced Cryptography Engine (ACE) introduced encryption acceleration in the mid 2000s (see [WayBack] VIA PadLock support for Linux), a few years before AES-NI, and ACE is incompatible with AES-NI. AES-NI is now much more widespread than ACE; even the Wikipedia VIA page’s PadLock information has been removed.

An odd thing: unlike AES-NI, which needs to be specifically enabled, VIA PadLock is always enabled, see

OpenVPN Client Export Package

Ensure you install the (optional, but highly recommended) [WayBack] OpenVPN Client Export Package:

Allows a pre-configured OpenVPN Windows Client or Mac OS X’s Viscosity configuration bundle to be exported directly from pfSense.

These config files work with Tunnelblick as well, which is a great free and open source OpenVPN tool on Mac OS X / MacOS:

Creating and exporting users

I have yet to cover these two; for now read [WayBack] How to setup OpenVPN on pFSense? | IT Blog and [WayBack] OpenVPN Remote Access Server – pfSense Documentation.

Further reading

I like this overview a lot:

–jeroen


Posted in Internet, pfSense, routers

During pfSense boot: syslogd “operation not supported by device” messages

Posted by jpluimers on 2020/09/25

If during a pfSense reboot you get one or more messages from syslog about “operation not supported by device” on various log files, then they are likely corrupt.

I had this when a pfSense 2.4.x RELEASE version VM was accidentally power-cycled during initial setup.

A side effect was that no logs showed in the web UI either, nor would clog show anything for any file in the /var/log directory.

The solution was to choose option 8 (Shell), then in the /var/log directory remove all files with the extension .log, then reboot.

Now the messages were gone and the web UI showed logs. clog /var/log/system.log showed content as well.

Solution based on these posts:

–jeroen

Posted in Internet, pfSense, Power User, routers