Messages - rungekutta

1
Hardware and Performance / Re: HW for 1GB WAN speed, openvpn strongest encryption, IDS/IPS, squid, all of this..
« on: December 02, 2019, 08:51:42 pm »
Quote from: harshw on November 25, 2019, 08:36:18 pm
I've used this: https://www.supermicro.com/en/products/motherboard/X11SCL-iF along with a Xeon-E 2126G. I have gigabit up and down and run traffic shaping + IPS/IDS as well. No slowdowns (that I can observe)
Nice solution. NB this version https://www.supermicro.com/en/products/motherboard/X11SCL-LN4F has 4 gigabit ports but otherwise looks similar except larger form factor (microATX). It's about €70 more expensive here (Sweden).

Another variant is this: https://www.supermicro.com/en/products/motherboard/M11SDV-4CT-LN4F
Bit slower than the Xeon above but fanless, still Mini-ITX and more energy efficient (35W). Also a bit cheaper than above m/board + CPU, at least in Sweden.

8 core version: https://www.supermicro.com/en/products/motherboard/M11SDV-8CT-LN4F
Still low power (30W). Similarly priced to X11SCL-LN4F + Xeon CPU.

2
Hardware and Performance / Re: Hardware for small/medium office
« on: November 23, 2019, 10:45:32 pm »
The Qotoms are very nice in that they are passively cooled and therefore completely quiet. I’ve got an i5 myself, in the cupboard in the bedroom as that’s where the fiber comes into the house...! However, the Dell small form-factor business PCs are pretty darn quiet as well and if you put a quad Intel gigabit card in one of those (or two dual, according to your requirements) you have a higher spec machine with more up-to-date CPUs. At that level of hardware you would really struggle to max out the CPUs even if you used IDS, antivirus and VPNs etc. And they are very reliable.

My Qotom has been rock-solid as well so far, but I do wonder if it suddenly is going to die on me one day.

3
19.1 Legacy Series / Re: Scheduled states not working
« on: June 27, 2019, 06:08:10 pm »
Yeah I’ve done it as I understand it you’re supposed to... a scheduled allow rule above a permanent block rule. Description at the top. So when the allow rule expires (and should kill all its states with it) then the block rule immediately below ensures nothing new gets through until the schedule revives the allow rule again.

Except the states are left intact when the allow rule expires.

Sounds like I’m in the same place as you were...
I think it would be nice to get this fixed in opnsense.

4
19.1 Legacy Series / Re: Scheduled states not working
« on: June 27, 2019, 04:14:17 pm »
Thanks. Yes I understand that a workaround is to clear states yourself through pfctl commands and cron scripts, however I would rather see the functionality work properly in the product itself. And to your particular solution - I don’t want to clear *all* states but only those affected. I.e. I would need to write scripts that only clear the relevant states, according to their tags, and I believe this is exactly the functionality that is already supposedly built-in but is not working.

5
19.1 Legacy Series / Re: Scheduled states not working
« on: June 27, 2019, 02:46:00 pm »
PS listing all the states using pfctl you can see they are tagged according to the rule that created them. There could be several reasons for this but I think at least one of them is to find all the relevant states and kill them when a given rule expires. Alas this part is not working. As mentioned I could probably hack around it with cron and my own pfctl commands but would prefer to avoid that.

6
19.1 Legacy Series / Re: Scheduled states not working
« on: June 27, 2019, 02:35:58 pm »
I think the documentation is pretty clear. Re the wording “schedules clear the states of existing connections when the expiration time is reached” - is your point that “expiration time” could refer to something else than expiration of said schedule? I’m not aware of any other type of expiration time that it could possibly refer to including on connections or whatever. I’m pretty sure the intention here is to automatically pfctl kill all states created by the scheduled rule as soon as it expires, but this is not working and as mentioned there are many reports on the Internet of people having had problems with this in pfsense too in the past.

I’ll create a bug report for it.

7
19.1 Legacy Series / Re: Scheduled states not working
« on: June 25, 2019, 07:23:55 pm »
Bumping this thread. No ideas or similar experience? How do I raise a bug for this?

8
Hardware and Performance / Re: Cost Effective HW advice for 1.5Gbps fw throughput
« on: June 23, 2019, 09:21:58 am »
Do you plan to / need IPS? Rackmount or stand-alone? Would fan noise be an issue or do you need it fanless?

9
19.1 Legacy Series / Re: Scheduled states not working
« on: June 19, 2019, 09:42:39 pm »
(to add - I note the workarounds to start hacking around with cron scripts and pfctl but I really want to avoid that if possible)

10
19.1 Legacy Series / Scheduled states not working
« on: June 19, 2019, 09:41:09 pm »
Hi,

This seems to be a long standing issue in pfsense as well and since several years back:
https://forum.netgate.com/topic/69331/scheduled-blocks-won-t-work-without-manual-states-reset/2

Long and the short of it; in order to restrict kids' access to Internet at certain times of the day I've got the following rules:

Alias: kids' devices (KD)

Enable kids' devices to any, source KD, on schedule
Block kids' devices to any (source KD)
Default allow any other LAN to any (source !KD)

This almost works... except that states are not killed when the scheduled pass rule expires. So any new connection is blocked as expected, but already open ones are kept alive, which means the kids continue to play... until they have to switch page or whatever and suddenly find themselves locked out.

Firewall -> Advanced -> Schedule States is UNchecked (somewhat non-intuitively, but that's what everyone says)

As mentioned and as per the link above this seems to be an old issue and inherited into opnsense..?

Any ideas...?

11
Hardware and Performance / Re: Good ITX board with limited availability
« on: May 04, 2019, 09:37:49 am »
Nice one! And yes it would be interesting to hear your experience of this setup under load, this is a TDP 80W CPU right? But with superb performance to boot, the equiv Xeon D costs $$$$

12
Hardware and Performance / Re: OpnSense and WiFi Mesh
« on: May 01, 2019, 06:14:37 pm »
Should work: https://www.tp-link.com/us/support/faq/1842/

NB I have no personal experience from this product

13
Hardware and Performance / Re: Good ITX board with limited availability
« on: April 21, 2019, 08:09:22 am »
Quote from: harshw on April 20, 2019, 06:35:46 am
Will try to get the X11SCL motherboard and use an i3 or i5-8400. I’ll be running opnsense alone but I have gigabit internet and I wanted to run IPS/IDS on it as well as VPN. The other thing is I’ll be using opnsense to bypass my ATT RG using netgraph. Have you had to use opnsense with gigabit throughput on IPS/IDS?
Nice. Yes I'm running gigabit internet with IPS/IDS on an i5-5250U cpu in a passively cooled Qotom box. I get close enough to full gigabit throughput that I'm happy. Haven't stressed openvpn speeds so not sure how it would perform then. An i5 8400 on the other hand should be almost twice as fast.

14
Hardware and Performance / Re: Good ITX board with limited availability
« on: April 19, 2019, 09:25:41 am »
Yes, Supermicro a bit more expensive but probably not by a huge margin when you account for power supply? Then you know the CPU fan will fit too. I would have gone that option... Still a relatively low cost compared to m/board with CPU and RAM.

What are you planning to run on it out of interest? Opnsense alone, or VMs / other stuff?

15
Hardware and Performance / Re: Good ITX board with limited availability
« on: April 18, 2019, 08:17:04 am »
Supermicro recommends this one: https://store.supermicro.com/1u-active-proprietary-cpu-cooler-snk-p0049a4.html

... but I guess that’s if you use their chassis too. What chassis are you planning for it?
