OPNsense
Topics - bobpaul

1. 20.7 Legacy Series / [Solved] Bridge isn't passing traffic between physical ports
« on: August 10, 2020, 05:47:41 am »
I followed the guide for Bridged LAN and it appeared to work, but it turns out it's only half working.

I have igb0 set as WAN, bridge0 set as LAN. Bridge0 contains igb1, igb2, and igb3 (though only igb2 and 3 are plugged in).

All connected links can talk to the router; DHCP works, hosts have internet access, etc. But hosts on igb2 can't talk to hosts on igb3.

Any suggestions on how to proceed?

2. 20.1 Legacy Series / Can't upgrade to 20.7 after restore with beadm
« on: August 09, 2020, 05:01:42 am »
I used beadm to take a snapshot, then I upgraded to 20.7. I'm pretty sure it was successful, but I guess I didn't pay too much attention.

Then I messed around with some bridge settings and locked myself out from the network. I used the local VGA console and used beadm to restore to prior to the upgrade. Things were working, so I deleted the broken 20.7 boot environment; figured I could just upgrade again.

Well now when I go to System -> Firmware -> Upgrade it claims no upgrades available. It doesn't show the 20.7 unlock button.

If I do Audit -> Health it shows a ton of checksum mismatches. I don't think that was the case before I attempted the upgrade, etc.


Is it possible that something from 20.7 survived using beadm to switch boot environments back to 20.1?

see: https://controlc.com/9c26862d

Code:
$ uname -a
FreeBSD router.local 11.2-RELEASE-p18-HBSD FreeBSD 11.2-RELEASE-p18-HBSD  f08b5f14327(stable/20.1)  amd64

No issues turned up in zpool scrub.

3. 20.1 Legacy Series / Configuring WebUI for A+ rating on SSL Labs
« on: February 02, 2020, 03:54:42 am »
I don't normally have my WebUI accessible via the internet, but I allowed it through the firewall temporarily so I could test it on SSL Labs. It was surprisingly easy to get an A+ rating.

I'm using the ACME plugin to get a cert via Let's Encrypt. Everything else is set up via System -> Settings -> Administration.

Disable TLS 1.0 and TLS 1.1

SSL Labs caps your rating at a B if you allow TLS 1.0 or 1.1. It looks like the only way to disable them is by limiting the available ciphers, so I've changed my ciphers from Default to the following:

Code:
# TLS 1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

# TLS 1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

This will prevent some archaic browsers from accessing the WebUI. Some examples:
  • IE 11 works, but not IE 11 on some un-updated versions of Windows Phone OS
  • Safari 9 on all platforms works, but Safari 8 and older will not work
  • Android 4.4.2+ should work, but anything older will not

HSTS
Check the box for HTTP Strict Transport Security or you'll be limited to an A rating.

That's it!
Congrats! Your router now has a higher SSL rating than Amazon.com =D
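The post's reasoning is that TLS 1.0 and 1.1 can only be negotiated if the server still offers a suite those versions support, so a list made purely of AEAD suites (GCM, ChaCha20-Poly1305) and TLS 1.3 suites shuts them out. The script below is an added example, not code from the post or from OPNsense: it audits a list of IANA-style cipher-suite names (the form OPNsense's selector and the post use) with the RFC 5246 rule that AEAD suites and HMAC-SHA256/384 suites exist only from TLS 1.2, while SHA-1 or MD5 MAC suites are negotiable down to TLS 1.0. `POST_LIST` is the list from the post; `PERMISSIVE_LIST` is a constructed "before" list for comparison and is not OPNsense's actual default.

```python
"""Audit an OPNsense-style cipher list for the properties the post relies on.

Added example, not code from the forum post or the OPNsense project.
Input is IANA cipher-suite names; PERMISSIVE_LIST is constructed for illustration.
"""
import re

IANA_TLS12 = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<body>.+)$")


def classify(suite: str) -> dict:
    """Return key exchange, minimum TLS version and weakness flags for one suite."""
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        # TLS 1.3 suites name only the AEAD and hash, e.g. TLS_AES_128_GCM_SHA256;
        # key exchange is always ephemeral (EC)DHE in TLS 1.3.
        return {"suite": suite, "kx": "TLS1.3", "min_version": "1.3",
                "forward_secrecy": True, "aead": True, "weak": []}
    m = IANA_TLS12.match(suite)
    if not m:
        raise ValueError(f"not an IANA cipher-suite name: {suite}")
    kx, body = m.group("kx"), m.group("body")
    aead = any(t in body for t in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))
    mac = body.rsplit("_", 1)[-1]  # SHA, SHA256, SHA384 or MD5
    # RFC 5246: AEAD suites and HMAC-SHA256/384 suites exist only from TLS 1.2;
    # a SHA-1 or MD5 MAC means the suite is negotiable down to TLS 1.0.
    min_version = "1.2" if aead or mac in ("SHA256", "SHA384") else "1.0"
    weak = []
    if "anon" in kx or "NULL" in body or "EXPORT" in suite:
        weak.append("unauthenticated/null/export suite")
    if "RC4" in body or "3DES" in body or mac == "MD5":
        weak.append("legacy cipher or MAC")
    return {"suite": suite, "kx": kx, "min_version": min_version,
            "forward_secrecy": kx.startswith(("ECDHE", "DHE")),
            "aead": aead, "weak": weak}


def audit(suites) -> dict:
    """Summarise a whole list: lowest negotiable version and offending suites."""
    rows = [classify(s) for s in suites]
    findings = []
    for r in rows:
        if r["min_version"] == "1.0":
            findings.append(f"{r['suite']}: negotiable at TLS 1.0/1.1 (SSL Labs caps at B)")
        if not r["forward_secrecy"]:
            findings.append(f"{r['suite']}: no forward secrecy")
        for w in r["weak"]:
            findings.append(f"{r['suite']}: {w}")
    return {"min_version": min(r["min_version"] for r in rows),
            "has_tls13": any(r["min_version"] == "1.3" for r in rows),
            "findings": findings}


# The list from the post, as IANA names.
POST_LIST = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Constructed "before" list (an assumption, not OPNsense's real default):
# the same suites plus typical CBC and static-RSA fallbacks.
PERMISSIVE_LIST = POST_LIST + [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",     # SHA-1 MAC: usable at TLS 1.0
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",  # TLS 1.2 only, but not AEAD
    "TLS_RSA_WITH_AES_128_GCM_SHA256",        # static RSA: no forward secrecy
]

if __name__ == "__main__":
    for name, lst in (("post", POST_LIST), ("permissive", PERMISSIVE_LIST)):
        rep = audit(lst)
        print(f"{name}: lowest negotiable TLS {rep['min_version']}, "
              f"TLS 1.3 offered={rep['has_tls13']}")
        for f in rep["findings"]:
            print("  -", f)
```

The audit only reasons about the list; it does not prove what the running GUI accepts. After applying the list, confirm the result with a real handshake attempt such as `openssl s_client -connect router.example:443 -tls1_1` (expect the handshake to fail) before relying on the SSL Labs grade.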

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved