John Galea's Blog

My blog on Gadgets and the like

PFSense open source Firewall

Ok, I will warn you straight off, this is going to be a tekkie post, sure to bore many. But if your one of the few that eats bits for breakfast … enjoy! I have to admit, even as an IT guy with pretty good network knowledge this project challenged me.

Routers sit there out of the internet, exposed. The result of this is that they get hacked. Manufacturers stop updating firmware and plugging vulnerabilities because in the end, there is no motivation for them to spend the effort/$$s. Instead they want you to buy a new router every so many years. And the cycle goes on. And the firewall on routers is not always impervious … If you don’t believe this, after you’ve setup Pfsense see how many hacks get through your existing router!

This product attempts to fix this issue by putting another layer between your precious laptops, phones, gadgets etc and your likely leaking router. Or so the story goes. Frankly when a colleague of mine, Jeff, starting talking about this topic I had to admit the fascination of it alluding me, all the while he was enthusiastic and embracing of Pfsense. Now given I think Jeff is a bright fellow, so I decided to dive in and see what I could see … And frankly, it’s the winter, I’m not snowboarding, my gf is out of town, and I’m bored, so I decided to burn some cycles. And burn some cycles this will … Setting up Pfsense is no small feat. So let’s jump in. We will take this in small steps, enabling functionality as we go. I’ve written, updated and rewritten this article a number of times as I’ve learned more and more. In all I’ve been at this almost a month, but don’t fret, you can start small and add features until you get the functionality set you want.

Introduction

So what is Pfsense you ask? It is a Linux (FreeBSD to be exact) Open source, extensible, highly configurable firewall. By default, it does not have some advanced features (like intrusion detection, anti virus etc), but these can be added through a fairly extensive list of package add ons. Pfsense can run on super small appliances, or it can be loaded on just about any old PC you have laying around. I chose to load it as a HyperV VM at first so that it costs me nothing, and I can assign it as much or as little resources as I want to … In the end the hardware resources for this firewall are quite low. I gave it 2G memory and 4 VCPU 20G and that was more than enough. In reality you really only need a couple G drive space for it to run off. As a VM I can also move around the networking that Pfsense has quickly and easily allowing me to implement it as it goes! I downloaded an ISO (which stupidly was Gzipped) and installed it from there. Installation was quick and painless. Once up you simply tell Pfsense which network has your internet (the WAN) and which has internal network (the LAN). You will need (and want) two network cards for Pfsense. IPs for these networks can be super simply setup. It’s worth noting, that Pfsense becomes your gateway out to the internet, so if it’s down … so’s most of your internal network. I did notice that they have obsoleted the 32 bit version of Pfsense at 2.35. Going forward you will need a 64 bit x86 processor. Pfsense could have, but does not allow you to have the two subnets on the same NIC which would have been helpful, but compromising from a security point of view. Pfsense can also implement all DSL PPOE authentication, allowing you to put your modem in what’s called bridge mode. Although I’ve not done this, to allow me to fall back quickly by turning the Bell modem, a SmartRG SR505, back on anytime and abandon Pfsense.

Getting started

Step one of getting it up and able to act as a firewall is pretty easy. My Router will remain on the perimeter with IP in the 192.168.1.x range. I chose to setup the LAN as 192.168.2.x. I can slowly migrate clients from the 192.168.1.x exposed side to the 192.168.2.x behind the firewall side. Pfsense is setup initially to be pretty lenient and allow pretty much everything outbound. This makes setup and admin much easier. You can choose whether this is how you want to leave it, or start adding rules blocking outbound stuff. I’ve seen other firewalls that take the opposite approach and deny all, but this becomes a headache pretty quickly. If your going to have anything that is serving in the home (web server for example) you will need to assign a static IP to the WAN (192.168.1.x) side of Pfsense. If Pfsense is going to be DHCP duty then the lan side (192.168.2.x) will also end up with a static IP. By allowing Pfsense to do DHCP (instead of your router) DNS inside your home can be comprehensive. Something that never quite worked right on my previous setup.

Configuring inbound NATs (and static IPs)

Next step is setting up your inbound rules. For me I have inbound RDP, as well as a web server. So first off you have to create static IPs (DHCP reservations) for any hosts that are going to serve. This is easily done from Status > DHCP Leases and click the + sign to add a static mapping. Or you can add them yourself Services > DHCP server down the bottom. The static IPs are based on MAC addresses of the network cards. First off you have to go to your router and repoint any incoming rules and move them to point to the IP address on the WAN side of Pfsense. Within Pfsense you then add Firewall > NAT for each server you want to host. I had some difficulty in that I had a VPN running on the one host which blocked the incoming NAT. This cost a NUMBER of hours to sort out, but in debugging I poked around a lot. I found Canyouseeme very valuable in testing externally inbound ports.

Outbound VPN

Ok now your ready for the next feature … outbound VPN. If you do any form of P2P you want a VPN if for no other reason than to avoid nagging from your provider. I found a great guide for setting up PureVPN for Pfsense. The VPN setup is done using OpenVPN. The setup was not at all straight forward and honestly took a while to get working. The one thing missing in this doc was the compression setting which was LZO Compression Legacy.

Now with this setup ALL traffic will go through the VPN. This isn’t what I want. What I really want is for any traffic for the one host that I run P2P on to go through VPN. So to take care of that I added an additional interface for the VPN. Interfaces > Assignments, add. This adds something it calls OPT1. Then in System > routing you now see a gateway for the VPN. Lastly you can now create a firewall rule that triggers on requests from that host and passes it to the VPN gateway instead of the default gateway.

You can use tools like IP chicken, or Whats my ip address to help debug when your connected to VPN and not.

Status > system logs can show you any errors VPN might be having. The status of the VPN connection can be seen at Status > OpenVPN.

The default for OpenVPN client is to have all communications go out the VPN once setup (as I mentioned above). In the configuring of the client you can remove this and then route the traffic you want to the VPN through rules.

I had one MAJOR issue with the VPN on Pfsense. I want what is called an internet kill switch. Ie if the VPN is down, then I want no traffic outbound outside of the VPN. At this point I’ve been unsuccessful in getting this working. What ought to be simple rules, just don’t seem to be working.

It’s worth mentioning that if you create a VPN on the PC then that PC is directly exposed to all other members of the same VPN. So it’s important to insure your running a firewall at the very least. By moving the VPN onto PFsense it removes this exposure. It is important that you turn Snort on (more on this later) on the VPN interface.

Dynamic DNS

Next up I added Pfsense updating dyndns which was super trivial. This allows Pfsense to update dyndns instead of my client. This became super important if ALL internal traffic is going through the VPN, because it will end up updating dyndns with your VPN IP since this would be all your internal network was aware of.

Ad/Malware/Ransomware blocking

With a fully functioning firewall we can now look into exploiting some additional functionality. I had read a bit about PiHole which is an ad/malware blocking DNS server that can be setup in a separate VM. Well it turns out you can do the same thing in Pfsense using PfblockerNG. There are two sides to PfBlockerNG. The first which for now I don’t care about looks for incoming hackers. The second replaces the DNS forwarder that normally is in use for internal DNS requests and replaces it by a DNS resolver. The DNS resolver has the ability to add lists to it that it will in turn reroute to an internal IP address, in effect blocking that IP (called DNSBL). There are lists of “bad” sites that can be obtained from PiHole. These are then manually added as feeds into DNSBL and the Pfblocked goes out and updates them daily. This gives you PiHole like functionality for free! To test if this is working go into one of the lists that you added as feeds and find a URL. Then simply ping that URL. If you get 10.10.10.1 (the default for DNSBL) as the IP address back for that URL DNSBL is working perfectly! I had a major issue that I had DNSSEC turned on which requires a secure DNS server. As it turns out the DNS servers I use are not compatible with DNSSEC so outbound was being blocked. Turning DNSSEC fixed the issue. I originally turned on another function of Pfblocker called DNSBL easylist, but I found that blocked too many things to be useful so turned it back off. Even Google calendar stopped working. I also had issues in that most clients will cache dns requests. So to flush this on windows you have to enter:
ipconfig /flushdns (as an admin)
I ran into one oddity which is that if you stop Pfblocker, I had to manually tell Pfblocker to back out and resync the DNSBL feeds to get it working again if you then enable it.

Tuning DNSBL

Once your have turned on Ad/malware blocking you may see that there are sites being blocked that you don’t want blocked. These can be easily tuned to allow those domains. By going into Pfblocker, then alerts you can see what is being blocked as well as which list it was on. These domains can then easily be clicked on to add to a whitelist. This white list allows these domains through. Or you can manually add them to the Pfblocker, DNSBL, custom domain whitelists. And you can add domains, and include subdomains to allow. Once they are on the whitelist you will need to force a reload for them to start working, by Pfblocker, Update, force. Then you can test to see if that site is now not being blocked. Using this method you can fine tune what you want and not want to allow.

Blocking hackers/web robots

Now that the more important DNSBL is setup and running we can look at blocking known incoming attacking web sites. There are lists for this just like there are for DNSBL. These are configured in PFBlocker, IPV4 tab.

This in turn creates an incoming firewall rule to block these IPs.

To test this I added my own external IP address to the block list and then attempted a connect. Sure enough it was blocked and shows in the alerts as being blocked.

This web site had a couple of lists of bad guys to add to PfBlocker! Now this is entirely based on the sources IPs. As you can imagine bad guys can change their IPs so this is somewhat like chasing your tail. This is not to be confused with something like Snort that is more algorithmic detection based. This would also not detect anything like a port scan of your host. You can also use this feature to block web robots/spiders/crawlers from indexing your web site and adding it to search engines. You can also control well behaved spiders using Robots.txt on your web site.

In the end I don’t see much point to this part of Pfblocker.

Snort

It is quite common for hackers to try and see if they can get into networks and poke around using everything from known exploits to hacking tools etc. There are apps called Intrusion detection sensors (IDS) and prevention that attempt to use known patterns to identify and block these prods. Snort is one of these. Setting up Snort is a multi step process.

Step 1 install Snort

First install it from the packages list. It will consume additional memory, processor and disk space, but it ended up being less than I thought …

Step 2 tell Snort what interface to listen on

Once installed you need to tell Snort what interfaces you want it to listen on. At the very least I recommend your VPN and WAN (internet connection). Remember that outbound VPN is it’s own connection, and people doing bad things maybe also using VPN so it’s not a bad place to keep an eye on as well. And, the VPN drills a hole directly through your router/firewall so this is a place Snort is actually extremely helpful. And lastly snort can watch for bad things coming out of your internal network … like viruses and the like. In fact the packet inspection, and pattern recognition in Snort can very much be compared to anti virus, and the positive thing is these are blocked at the perimeter of your network. When defining your network (especially your external network) be sure and check block offenders. What’s the point in seeing an intrusion and doing nothing? Don’t forget to press save.

Step 3 tell Snort what to look for

Once the network is defined you need to go into WAN categories and tell it what you want it to look for. I just turned them all on, which annoyingly there is no enable all button.

Step 4 is Global setting

This defines what Snort does for all networks. I also created an account on Snort.org which allows me to download patterns from Snort itself. Be sure and set an update interval for the patterns to insure you have the most current. I chose daily. I also again just basically turned on all of the available sources for known threats. I can always revisit this if it becomes to slow/burdensome.

Step 5 go get updates

By going into Updates next you can download all of the patterns so Snort knows what to be looking for. This would happen according to the update frequency you set above but this just lets you kick it.

Step 6 start it

At this point Snort is ready to go, but you have to manually start it. Go back to interfaces and start Snort. I hadn’t noticed this at first, and was wondering why it seemed to be doing nothing 🙂 DOH. Snort can take a few minutes to get started so be patient.

Once started it will look like this and is good to go:

Test it

Ok so it’s installed, and configured but is it doing anything? I read lots of articles about how to test Snort. There were many way too complicated answers to this stupidly simple question. Well it’s actually pretty easy to test. Just use a port scanner, pscan, nmap whatever. Now just point that scan at the interface you enabled Snort to watch and let it rip. In short order Snort will jump into action. You can see this in Snort, alerts.

From this interface you can click the red x under source interface to remove this block (assuming you enabled block), or you could also click the red x under SID to remove that rule if you decided it was blocking something you didn’t want blocked. You can see what the IP that the offender was using along with the rule that triggered this alert. Under the blocked tab you can see all IPs that Snort has triggered on and subsequently blocked. Again here you can click the red x to remove the block. Now it’s worth noting that if you were doing this by RDP you have now just lost contact with the host you were testing from 🙂 Don’t forget to unblock your test machine. And with that you’ve tested Snort …

Tuning Snort

Because Snort actively blocks sites it’s important to keep an eye at least at first at what it is alerting on. I found it was alerting on, and then blocking my VPN provider which in turn broke my VPN. It had false positive triggered. So I had to go into the alerts, disable the rule that was causing a false positive and then unblock my VPN provider. I also had issues that Snort was triggering on P2P, which in a corporate environment is bad, but at home is good, so I simply told it to ignore those.

You can create pass lists for IPs you always want ignored, but setting this up is WAY less than obvious. It takes 4 steps. 1) create a firewall alias with all the IPs for a given interface you want to allow. 2) create a passlist that points to the alias you just created. 3) tell sort the passlist for a given interface 4) restart snort.

It’s worth noting the obvious, that any thing that Snort detects as an attack, is something that went through your router (in my current setup where Pfsense is behind my router, ie double Natd).

If you find anything not working, a web site, an app, whatever, start by disabling snort and see if it is the culprit. Then you can look at tuning it. One area of snort that is ENTIRELY problematic is the http_inspect function provided by OpenAppid. I highly recommend you just disable these. So many web sites will false positive trigger and then be blocked by this.

Inbound VPN using OpenVPN

Next up I thought I would look at OpenVPN to be able to setup a VPN externally into my network. I started with this official guide to get going. It recommended using the wizards within OpenVPN and I didn’t at first and had no end of issues. Then I discovered (and it’s in the guide but I missed it) that you need to add a package to Pfsense to allow you to export your OpenVPN connection. This allows you to create simple install files to test out OpenVPN. I found tweaking and making changes to your OpenVPN server was easiest dealt with by downloading the install files and running them. If all that had changed was the config, then that’s all it installed. It ought to be possible to just export the configuration but I had no luck with that on Windows. Then I had issues with DNS resolver not working. These were fixed by creating an access list for the subnet of the VPN clients, in my case I had chosen 192.168.3.x. With this fixed and working I was able to get at my internal network remotely. This also means ad blocking would now also work with my VPN clients. It also means I can refer to my internal machines by their names rather than their IPs from VPN clients. The last thing not working was internet traffic through the VPN tunnel. Ie all remote internet traffic would go through my internet connection. This I had issues with and could not find the solution. And then I found this article that pointed to the fact that I needed to create an outbound NAT rule to allow VPN traffic externally. And like that … le voila it was done!
It’s worth noting that I tried to setup IPSEC/L2TP but could not find a group of setting that windows would live with and gave up. I had no end of performance issues with OpenVPN, and in the end got the best results by dialing down from SSL/TLS to Remote access User auth. This still used TLS for authentication making it harder to hack into my VPN. I also dialed down the encryption. The greyed out one was too slow, in spite of trying a number of different hardware solutions.

It’s worth noting, that if you decide to pass all of your remote traffic through your home you will be limited by the slowest part of your service speed. So in my case I was roughly 24Mb/s down and 7 Mb/s up. But remember, for a remote client this gets reversed. So the fastest you could possibly dream of would be 7Mb/s. Not great. So, my decision was simply to leave remote clients using their own internet connection for external communications. Internal would still go through VPN, and ad blocking etc still work. Of course you do loose the protection of Snort. To tell the remote client to use their own external connection turn this off:

To be able to use internal DNS names as well as ad blocking for remote hosts, be sure and turn on block outside DNS.

Connecting to OpenVPN with an iPhone/iPad

There is a client export package that can be installed on Pfsense that makes setting up clients super easy. Once this is done you go to VPN/OpenVPN/client export and select OpenVPNconnect. This will allow you to save an ovpn file that has everything you need. Go to your iPhone/iPad and install OpenVPN connect app. Now email yourself the ovpn file you previous downloaded. Go into the default iOS mail app and click on the attachment. Click Copy to open vpn.

Then import it into OpenVPN. Now your ready to test. I found one odd anomaly which is that you can not logon twice with the same VPN userid. It hands out the same IP address thus kicking others off. The simple solution is to have separate accounts per device.

Traffic shaping

Traffic shaping is something I’ve had in the past and like it. The theory is to prioritize those things that are important. Like web browsing. And de-prioritize unimportant things like torrents. I played with this a LOT and got no where. In fact, I had it cause MAJOR performance issues. For now, I’ve turned this off.

Clustering

Since Pfsense now becomes essential in the home I decided to look into clustering Pfsense. To do this you start out with two fully functioning, fully setup Pfsenses. The easiest way to do this is to set one up, then do a base install on the second, install all packages, and then backup from the primary and restore to the backup. Test both to make sure they are working. Once confirmed your ready to start. The first step is to setup System > high availability sync. This keeps the settings etc in sync between the two boxes. To do this go to the primary, tell it what interface to sync on, I recommend the LAN. Some people talk about needing a dedicated interface, and ya that would be nice, but not necessary in a home environment. Add the IP address of the backup Lan IP. Add the sync config to ip to the backup lan IP. No idea why you have to do this twice. And give it the remote system username/password. Same you would use to logon to the web interface. On the backup box enter only the sync peer. And with that you can see sync working or not in Status system logs. Your now ready for the next phase adding VIPs. To make a seemless fail over your going to need a WAN (if you care about incoming) and a LAN VIP. These are called CARP VIPs. I had HyperV issues, but solved them (enabled MAC address spoofing) and I also had issues on my USB ethernet adapter not working with CARP.

Once I had CARP up I wanted to do some testing to insure it was actually working. I found I had to make a few adjustments to my settings. All incoming NATs had to be moved from the WAN address to the WAN VIP. DHCP had to be modified to add the default route and DNS server to be the LAN VIP rather than the server IP address. The DHCP changes have to be made manually on both servers this does NOT replicate.

It’s worth noting that the way this works is a master/slave relationship. The master, or primary if you prefer is the dominant server and will always take over when it’s available. The slave just sits there waiting to take over. Fail over and fail back happens pretty quickly. Any changes to the slave server in the area of things like firewalls will be completely over ridden when the master comes back online. Hard failures like a server completely dieing are picked up perfectly. Softer fails are hit and miss from my experience.

Site to site VPN using OpenVPN

Ok so just when you think your done … a bud wanted to play with site to site VPN. Why the heck not. This allows you to virtually join networks across the internet. So machines in his home can see mine and vice versa. Now the biggest limitation of this is going to be (as before) your internet speeds. None the less, on we go. So first you setup one Pfsense as a server (the other will be considered the client). It needs to hand out an IP address in a unique subnet. It can NOT share the subnet that your other VPNs are using. Your going to be setting up a peer to peer shared key. It will also have to be on a unique port (can’t share a port with your client OpenVPN setup). You will need to insure there are no overlapping subnets (that you want to share) between the two homes. You configure each end with the subnets of your networks. And from there you configure the client with the same parameters as the server and point the client at the IP or name of the other side. You will need to open the firewall on the server side to allow the incoming port. You can see the status of the tunnel Status, OpenVPN. Errors can be seen in the System logs. Once done you can simply ping first of all the gateway on the other side of the tunnel, and then an IP in the other location. If you want to get fancy you can add DNS to each side so that names resolve as well. And with that, the homes are digitally connected. The tunnel will stay relatively connected, but I have noticed delays when it has been used for a bit while it reconnects.

Hardware testing

If your like me you have a number of older physical boxes in your pile doing little to nothing. Seemed like a great place to play with Pfsense. Again this BURNED A LOT of time!

I dug out an old Asus ASROCK media player I have. It’s based on a dual core atom 330 processor. I got lucky and this one is 64 bit. I decided to put Pfsense on a 8G USB stick. The media player only has one NIC so I used a USB ethernet I had laying around. I also wanted to play with WIFI but I ran into an issue that my Realtek RTL8188 but couldn’t get it going on the 64 bit version of Pfsense. The driver ignored it. Migrating from my VM to the physical box was super simple. You simply backup your old configuration making sure you choose backup all. On the new box do a vanilla install. Be sure and add any packages you want on the new box that you had on the old one. Then use the restore function. If the NICs are different it will simply reask which NICs are which. I had to manually redownload the Pfblocker/Snort rules but that would have been done on the schedule anyway …

Now that you have a functioning Pfsense box you may want to benchmark it. So to do this I popped one of my machines in front of Pfsense, attached to the router and ran Speed test to get a baseline of my internet. I then ran the same test behind Pfsense. My performance was awful. 24.85/7.33 MB/s (down/up) and behind my physical Pfsense box I only got 9.57/4.81. So I looked at the dashboard and saw that processor, and memory seemed to be fine. This left hard drive as the likely culprit. I ran:
geom disk list
To get a list of disks and then ran:
diskinfo -c da0
to benchmark the drive. I discovered the USB key that I was using, and how it was connected was resulting in REALLY bad performance. Like 2.5MB/s vs what ought be 40MB/s or so. So I moved it back to a hard drive. With this resolved the performance improved a bit. At first I’d given up on Atom, but eventually discovered it was traffic shaping causing the poor performance and simply disabled it, I’m not convinced it was doing anything anyway.

By the way I used DSL reports to benchmark my internet speeds but you could also use Source Forge’s too.

Going back to my VM I ran the same test on the VM which was configured as 2 virtual CPUs running on a i7 860, and 3G memory. This time the performance over my 25Mb/s DSL connection was much better and showed little to no slow down.

Performance testing

So now I got curious as to how hard this could be pushed, so I went back to my VM. I setup a web server on one machine, and a web browser on another. I used a Ramdrive to host the content Imdisk so the question of the hard drive being the bottle neck was removed. Using H2testw I was able to measure the Ramdrive as being capable of 389/293 MByte/s (write/read). So on with the test. Locally the content was served up at 166MB/s. Remotely, not through Pfsense this got 150MB/s. It’s worth noting that the second machine is a VM on the same box so the connection is a virtual 10Mb/s adapter. So with 150MB/s as the now bar I was curious to see how multi threaded the firewall is, using a VM allowed me to change the number of CPUs. With 2/4/6/8 VCPUs I got 104/106/120/118 MB/s. So as you can see it scaled relatively well right up to 6 VCPUs. What this tells you, is the firewall is very well multi threaded, able to take advantage of multi core processors!

In running some of this I found a few tools worth pointing out. First of all there is a tool you can install that will tell you your incoming speed test. It removes the router and anything downstream. It’s a way of telling basically your line speed in. From a pfsense command line you need to install the tool:
pkg install py27-speedtest-cli
and then you can run the test anytime by running:
speedtest-cli

Second there’s a network bandwidth tool call iperf that you can use to test speeds between computers without having other bottlenecks like hard drives etc in the way. iperf is can be downloadfor windows amongst others. To add ipferf to pfsense install it from the web based package manager. To use iperf you start iperf on the receiving end by running:
iperf -s
then run it on the other end:
iperf -c host -p port

You will get back a bandwidth between the two.

On Redhat to install iPerf:
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install iperf

Selecting hardware

I saw a guy on a forum ask a simple question … what’s the best hardware to run Pfsense on? The smart ass answer that came back is the one you already have 🙂 That said, its quite true. The ones I played with were for exactly that reason, I already had the box available.

A VM is a great choice and allows you the max flexibility in network configuration as well as resource changing (memory/processor). But I have to say I have had issues with VMs. I could not for the life of me get Pfsense clustering to work, the VIPs refused to come online externally, until … I finally read an article on Best practices for FreeBSD on Hyperv which directly addressed CARP and solved the problem (it was MAC address spoofing had to be enabled). And CPU utilization just seems bizarre to me. I have more experience with Vmware and the way they allocated VCPUs makes a whole lot more sense to me. I would see Pfsense showing the CPUs pretty busy but the physical CPUs still being inactive. Temperature on the VMs never showed on the dashboard of Pfsense.

I tried for a LONG time to get Pfsense to run an older dual core Pentium 4, P4D. I could get the older 32 bit version of Pfsense running, but the 32 bit version is end of life. And since there is no support for taking configurations backed up on the 64 bit version and restoring them on the 32 bit (I tried and it restored but had bizarre issues). The 64 bit would oddly install but just not boot. So this was out. Although, the performance on the P4D on the 32 bit version was quite adequate. Using Windows Server 2018R2 and HyperV I was able to get Pfsense running on the P4D. Performance was adequate but just barely. The processor lived at higher than 50% for a lot of the time and sometimes even peaking around 90+. And this in turn generated a LOT of heat which caused the fans to scream. So in the end this became a net but useless experiment. More time successfully killed!

I had an old Xeon Dell, a poweredge. This box seemed like it would have all the horsepower. Interestingly enough, the performance on this box was not night and day better and certainly didn’t justify the cost of running this HUGE box for nothing.

I also had a quad core atom box and this ran fine as long as I had traffic shaping turned off (as discussed above) and dialed down the VPN requirements.

Going forward Pfsense (2.5 and above) have stated that a CPU having the AES instruction set is a requirement, so if your buying hardware be sure and look for that.

Buying hardware

As I come to the end of the journey I love the functionality that pfsense gives so it’s time to make it permanent and give it a home of it’s own. There are lots of dedicated boxes that make perfect Pfsense machines. Like Qotom Q3554

But this is more money than I want to spend. So I looked for and found a refurb desktop with a Core i5 processor that has AES support so it’s good going forward from Laptopsforless for $149. And if I bore of Pfsense it has many uses in the home. I bought a HP Elite 8200 i5-2400 3.1GHz. With 4 memory slots, a max memory of 32G, and lots of PCI slots there’s lots of room for growth for future uses!

Costs

PCs that run 24×7 can start to become expensive if you aren’t paying attention, so I thought I’d take a look at what my HP Elite 8200 might be consuming. So I bought a Kuman 15A/1800W Plug Power Meter from Amazon. Over the period of almost 2 days I got an average of 44W, which is quite low for a desktop. By comparison my Dell Poweredge SC1430 that I was originally thinking of using consumed a whopping 160W. Translating this into $$s using an average cost of hydro of 8.9 cents/KWh we get an annual cost to keep Pfsense running on this hardware of ~$35 per year. Now the dell would up this to $125, or by buying the new system I saved $90 a year. Or in other words the system was paid for in 1.9 years!

Power management

I played with power management enabling PowerD from within System/Advanced/Misc and put it on min performance (max power saving) and set the drive time out to the min, but didn’t see any decrease in power consumed. So for my system this did not seem to help.

Automated backup

I found a great tool that you can run from a Windows box that you can use to automatically backup and download your pfsense settings. Given the amount of time I have into this … yay!

I read an interesting post from Netgate that explained how to install Pfsense in a minimal environment and one of their comments was “In order to limit microSD card wear, we recommend enabling RAM disks. Navigate to System > Advanced > Miscellaneous and select Use RAM Disks.” They chose to build their Pfsense box on a Dual ethernet, quad core Minnowboard, or Dual core dual ethernet

March 29, 2018 Posted by | Uncategorized | 1 Comment

Advanced elements Firefly AE 1020 mini review

My gf was looking to get an inflatable kayak for the spring and one of these popped up on Kijiji and thus we have this post. At this point I own an Advnaced Frame AE1012 and tried out a AE 1009 Expedition so this makes the third in the company’s product offerings I’ve touched. At this point I haven’t had the Firefly in the water so can’t comment on handling yet. But let’s have a quick look at it and I’ll update the post when I get it in the water. Compared to mine this one is quite a bit shorter, and lighter.


The difference once inflated is quite significant. There’s a whole lot less of the boat behind you. The one we got according to the hull ID is a 2014 and did not come with a seat. (The Hull Id # is located on the kayak and begins with XZE. The last two digits are the ones that will tell us what year it was made in.) I spoke with Advanced elements and they told me “The firefly seat was added in 2016, so your year does not have the seat option. It also does not have a seat buckle to add a seat unfortunately.” I’ve found the company to quite responsive and helpful, excellent customer service.

There’s a lot less to inflate than my boat, 2 chambers (+ floor) Vs 6 (+ floor) . There’s no combing that you could possibly attach a skirt to, or to deflect water out of the cockpit. There’s no dry storage area (same thing on mine). It does however have velcro straps on the deck to hold the oar while you are carrying/launching the boat. Mine doesn’t. Overall the material used seems similar to mine and should be reasonably durable. The inflation chambers use a clever valve that make it easy to inflate and deflate the boat (same as on mine). Overall the boat is super fast to inflate/deflate.

The lack of a seat may be a limiting factor, I guess we will see. Not sure why Advanced elements didn’t think of that. Overall this looks like an excellent beginner boat. Super light, easy to setup. We’ll see how it handles. I can’t wait for the warmer weather to get back on the water!!
Entire manual for the boat is available for download.

Update 5/28/2018
I finally got a chance to get this in the water this past weekend. It is as described super light and super quick to inflate. Once in the water you can easily see the boat is also much lower in the water. Handling wise is where you pay the price of this boat. The rudder they used seems to be about the same size as my boat, but because it is so short in the back when you paddle the boat swings significantly. And then you paddle the other side and it swings back. A lot of energy is wasted as you zig zag, all the while looking like a drunken soldier. It’s shocking the amount of energy this boat takes to move. This boat absolutely does NOT track well, and does not in anyway feel like a real kayak. Rough water would be a big challenge in this boat given the low profile in the water. I have to admit to being thoroughly disappointed in it’s design. A larger rudder on the bottom might help, who knows. I would have to say, I do not recommend this boat.

March 6, 2018 Posted by | Uncategorized | Leave a comment

Amazon dot review

A friend of mine bought an Amazon dot … the first question I asked was why? Then he said do you want to play with it first? Um, sure I thought. So let’s start with what is it. Well first of all it’s a voice activated digital assistant. Think SIRI. You can ask it things like what’s today’s weather. From this point of view given I have an iPhone I don’t see a value. But frankly at $69 it’s cheap enough there doesn’t need to be a lot of value to have one. Setup is pretty easy but be aware it’s impossible from what I can see to set one of these up without an Apple phone/tablet or Android phone/tablet. And even using it without these is not going to be all that rich an experience. Now for someone tech savvy enough to want one of these that’s not a huge barrier, but they could have provided a web interface to interact with it, but they didn’t. And seeing what the dot is playing is seen entirely on your phone/tablet since there is no screen on the dot.

Taking a step back lets look at the physicals. What you have is a round device a little thicker and larger than a hockey puck. Jack wise there is a micro USB plug which goes into a 5.2V 1.8A 9W adapter. In general I saw it drawing around .5A so around 2.5W. So not a whole lot of power. It also has a 3.5mm audio plug you can plug into a stereo. On the top of the device is a mute, volume up/down, and and activation button that calls up Alexa if you don’t want to use voice commands. There lights that go around the outside of the device that have a bunch of meanings. These can be disabled using the devices do not disturb mode. And if this is in the bedroom I HIGHLY recommend you look at this before it inevitably wakes you.

So give me some examples of what you can ask it? Well the list is long but as mentioned above, the weather. If you link your calendar you can ask it your calendar. You can get Alexa to add items to a shopping list that you can see on the phone and share with family members. You can add timers, alarms etc. There is no way that I can see to get emails or text messages from your phone. You can use Alexa to make voice calls to other Alexa enabled devices. You can also make phone calls using your contacts from your phone.

You can ask it other things and it will go out and try and find answers for you. I do find SIRI more conversational than Alexa (which is what the assistant is called). The mic in the dot is really quite good and picks up your voice from quite a distance. Miles better than the mic on iphone which was never meant to be used from across the room. By the way, Apple has a similar device that rocks a whopping $349 price tag. Pass, even if it is an amazing speaker, I’ll still be using my home stereo.

The dot can connect via bluetooth to a home stereo. This opens a few new possibilities for the device. You can use it to play music from Amazon music, find radio stations on tunein and the like. I couldn’t get the radio player Canada skill to work for whatever reason. Paired with the home stereo the sound worked very well. Tunein sadly did not identify the song playing, a HUGE miss for me. I long for a music player with something other than basics, like lyrics, who is the band, what is the song, what’s there discography etc. Not here. Now if your stereo is smart enough to have bluetooth, it probably already has an internet radio player built in. So this is largely a wash. But it does sound fine. Amazon music player does identify the song playing. The dot switched seamlessly back to the internal speaker when the bluetooth disconnected. Well done.

There’s supposed to be a way to pair the dot and my amazon fire TV but I couldn’t get this working. Nor do I see it all that useful.

My Radio WIFI thermostat was not supported so that functionality was out.

The dot can add new “skills” that can add additional functionality you can call on. I like that the device is extensible.

So in the end, it is a neat device, but I’m not sure there is enough room in my digital world for it. And what I don’t need is another gadget that I don’t use. So I won’t be grabbing one … for now. Now if something in a similar price range that used siri and fit into the Apple eco system existed, that I would buy.

March 3, 2018 Posted by | Uncategorized | Leave a comment

PNY 3000 battery pack

I last blogged about a Mocreo 2500 mAH battery pack. It worked well … so well my daughter took it 😦 On to find another one. The worst feature of the Mocreo was that it was a micro USB cable with a converter to lightning. The converter and the cable were a little precarious, although 6 months later it was still working well. So this time I wanted a battery pack that had native lightning cable. This particular battery pack is quite well designed. A little more pudgy than the Mocreo, but all in all not that back in size at all. You can have it in your pocket and for the most part not notice it’s there. They have deisgned it well in that it has both a cable on the one side that is micro USB and on the other is a lightning. Both cables are well designed and rigid enough as to feel durable. If there is a complanint it’s that they did nothing to label which is micro USB and which is lightning, but this is a nit pick. They also included lights to show the level of charge of the pack, a welcome addition.

So let’s look at specs. They are pretty clear that the pack can put out 5V 1A from either cable. This pack once plugged in requires you to press a button to get the charging started. 1A is fine for older iPhones and is the same amount of current the stock charger even with the iPhone 8 comes with. So what you get is a comparable to plugged in charge speed. Almost all newer Android phones and even the iPhone 8 can use higher current to give you a quick charge. So this battery pack will not do that (nor do they suggest it will). The pack lives precisely up to what it says and delivers a solid 1A. On a deep discharge cycle the phone went from 9 to 70% on an iPhone 8 in an hour. The Iphone slows charging down beyond that. Overall the pack can charge the iPhone 8 from dead once. This comes out to an efficiency of around 60%.

From a recharge point of view again the specs are pretty clear that this can only take 1A in, so your looking at a slow recharge. These battery packs do not seem to have caught up to the phones quick charge improvements. Recharge time from dead was well over 3 hours.

For the price on Amazon ~$20 this is a very good battery pack. Well designed, well executed, cheap price, fast ship.

March 1, 2018 Posted by | Uncategorized | Leave a comment