pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018

Slides for the August 2018 pfSense Hangout video

Published in: Technology

  1. pfSense 2.4.4 Short Topic Miscellany
     August 2018 Hangout
     Jim Pingle
  2. Youtube Live
     ● First hangout on Youtube Live!
     ● May be some rough edges, so let us know if you have any problems or concerns
     ● If the video looks fuzzy, Youtube set your auto quality too low: click the gear and choose 720p!
  3. About this Hangout
     ● Netgate News
     – All topics below are on pfSense 2.4.4 –
     ● CoDel/FQ_CODEL with Limiters
     ● Captive Portal Authentication Changes
     ● Captive Portal Page Customization
     ● IPsec Speed Improvements
     ● Certificate Management Changes
     ● Gateway Group as a Default Gateway
  4. Netgate News
     ● pfSense 2.4.4-RELEASE coming in early September
       – https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html
     ● TNSR 18.08 up now on AWS, hardware installs supported in 18.08 and coming soon
       – NACM access control, NTP, improved DHCP server, DNS Resolver, IPsec accelerator support, RESTCONF server management
       – https://www.netgate.com/docs/tnsr/releases/release-notes-18.08.html
     ● All past and present pfSense Hangouts are now on Youtube
       – https://www.netgate.com/blog/all-pfSense-hangout-videos-available-free-on-youtube.html
     ● The pfSense Book is now free to access for everyone
       – https://www.netgate.com/blog/pfSense-book-available-to-everyone.html
       – https://www.netgate.com/docs/pfsense/book/
     ● Still chances left to win a limited edition MinnowBoard Turbot Dual-Ethernet for taking our pfSense® User survey
       – https://www.netgate.com/blog/win-limited-edition-turbot-dual-e.html
     ● SG-5100 Desktop now available for pre-order
       – $799, shipping mid-September
       – Intel® Atom® C3558, 4GB RAM (upgradable), 8GB eMMC (can also take m.2 or SATA)
       – 6 Intel 1Gbit/s interfaces (2x igb, 4x ix, all 1Gbit/s copper ports)
       – Passively cooled, no rack mount option
       – https://www.netgate.com/blog/sg-5100-desktop-available-for-pre-order.html
     ● pfSense Supplementals I course next month, a one-day course that covers popular packages
       – https://www.netgate.com/training/pfsense-supplementals-1.html
  5. CoDel/FQ_CODEL With Limiters
     ● CoDel (https://en.wikipedia.org/wiki/CoDel), pronounced "Coddle", is short for Controlled Delay. It is a scheduling algorithm designed to combat bufferbloat on routers
       – It is billed as a "no knobs, just works" algorithm, but there are parameters to tweak if needed
     ● What is Bufferbloat? (From https://en.wikipedia.org/wiki/Bufferbloat)
       – A cause of high latency in packet-switched networks caused by excess buffering of packets
       – Bufferbloat can also cause packet delay variation (also known as jitter), as well as reduce the overall network throughput
       – When a router or switch is configured to use excessively large buffers, even very high-speed networks can become practically unusable for many interactive applications like voice over IP (VoIP), online gaming, and even ordinary web surfing
       – You'll notice the effects, for example, when one download seems to dominate an entire link, or when latency skyrockets as a file is downloading
     ● Bufferbloat and speed test at http://www.dslreports.com/speedtest
       – Users have reported going from a Bufferbloat score of "F" without this configuration to "A" after
     ● Due to the way limiters function, using an alternate scheduler requires that traffic be run through a child queue and not a limiter directly. So in this example, we will make two limiters and a child queue for each, and then attach the child queues to a floating rule
  6. CoDel/FQ_CODEL With Limiters
     ● Navigate to Firewall > Traffic Shaper, Limiters tab
     ● Click + New Limiter: WANDown
       – Check Enable
       – Bandwidth: Equal to WAN download bandwidth
       – Mask: None
       – Description: WAN Download
       – Queue Management Algorithm: CoDel
         ● Options will appear after save, but leave them at defaults
       – Scheduler: FQ_CODEL
         ● Options will appear after save, but leave them at defaults
       – Queue Length: Can vary depending on the speed of the link; try the default, or use 1000, which should be a safe value for most high-speed WANs
       – ECN: Checked
       – Click Save
  7. CoDel/FQ_CODEL With Limiters
     ● Click WANDown to reload the page
     ● Click + Add New Queue (under WANDown): WANDownQ
       – Check Enable
       – Mask: None
       – Description: WAN Download Queue
       – Queue Management Algorithm: CoDel
         ● Options will appear after save, but leave them at defaults
       – ECN: Checked
       – Everything else blank/default
       – Click Save
  8. CoDel/FQ_CODEL With Limiters
     ● Navigate to Firewall > Traffic Shaper, Limiters tab
     ● Click + New Limiter: WANUp
       – Check Enable
       – Bandwidth: Equal to WAN upload bandwidth
       – Mask: None
       – Description: WAN Upload
       – Queue Management Algorithm: CoDel
         ● Options will appear after save, but leave them at defaults
       – Scheduler: FQ_CODEL
         ● Options will appear after save, but leave them at defaults
       – Queue Length: Can vary depending on the speed of the link; try the default, or use 1000, which should be a safe value for most high-speed WANs
       – ECN: Checked
       – Click Save
  9. CoDel/FQ_CODEL With Limiters
     ● Click WANUp to reload the page
     ● Click + Add New Queue (under WANUp): WANUpQ
       – Check Enable
       – Mask: None
       – Description: WAN Upload Queue
       – Queue Management Algorithm: CoDel
         ● Options will appear after save, but leave them at defaults
       – ECN: Checked
       – Everything else blank/default
       – Click Save
     ● Click Apply Changes
  10. CoDel/FQ_CODEL With Limiters
      ● Navigate to Firewall > Rules, Floating tab
      ● Add a new rule (at the bottom of the list if there are other rules)
        – Action: Pass
        – Quick: Checked
        – Interface: WAN
        – Direction: Out
        – Address Family: IPv4
          ● If you need both IPv4+IPv6, make two separate rules, one for each family
            – Combined rules cannot set a gateway
        – Protocol: Any
        – Source/Destination: Any
        – Description: CoDel Limiters
        – Click Display Advanced
        – Gateway: WAN gateway (Must be set!)
        – In / Out Pipe: WANUpQ / WANDownQ
          ● With floating rules in the outbound direction, "in" traffic is uploads and "out" traffic is downloads
        – Click Save
  11. CoDel/FQ_CODEL With Limiters
      ● Click Apply Changes
      ● Reset states to force all traffic to use the new limits
      ● Run tests to confirm the new behavior
        – If the behavior is not as desired, read through https://forum.netgate.com/topic/112527/playing-with-fq_codel-in-2-4 (mostly near the end of the thread) and make adjustments to the parameters
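To show what the "no knobs" algorithm the limiters above select actually does, here is an added simulation of the CoDel dequeue controller from RFC 8289 with its default target (5 ms) and interval (100 ms); it is not code from the slides or from pfSense. It assumes fixed-size packets, a constructed load (a burst followed by arrivals equal to the drain rate, i.e. a standing queue), and it simplifies the RFC's rule for reusing the previous drop count.

```python
from collections import deque
from math import sqrt
TARGET, INTERVAL = 5.0, 100.0   # ms: the RFC 8289 defaults behind "no knobs, just works"

class CoDel:
    """Queue of enqueue timestamps (fixed-size packets, a simplification) run by CoDel."""
    def __init__(self):
        self.q, self.dropped = deque(), 0
        self.first_above = 0.0   # expiry of the INTERVAL timer, 0.0 = not armed
        self.drop_next, self.count, self.dropping = 0.0, 0, False
    def _dodequeue(self, now):
        """Pop one packet; return (sojourn_ms, delay has stayed above TARGET for INTERVAL)."""
        if not self.q:
            self.first_above = 0.0
            return None, False
        sojourn = now - self.q.popleft()
        if sojourn < TARGET or len(self.q) <= 1:   # RFC: or at most one MTU left queued
            self.first_above = 0.0              # delay acceptable: disarm the timer
            return sojourn, False
        if self.first_above == 0.0:
            self.first_above = now + INTERVAL   # above TARGET: arm the INTERVAL timer
            return sojourn, False
        return sojourn, now >= self.first_above
    def dequeue(self, now):
        """Deliver one packet, dropping ahead of it when the controller says so; returns its sojourn."""
        sojourn, ok_to_drop = self._dodequeue(now)
        if self.dropping:
            if not ok_to_drop:
                self.dropping = False           # delay fell back under TARGET
            while self.dropping and now >= self.drop_next:
                self.dropped += 1; self.count += 1           # drop, pull the next one
                sojourn, ok_to_drop = self._dodequeue(now)
                if not ok_to_drop:
                    self.dropping = False
                else:                           # control law: spacing shrinks as 1/sqrt(count)
                    self.drop_next += INTERVAL / sqrt(self.count)
        elif ok_to_drop:                        # enter dropping state with one drop
            self.dropped += 1; self.dropping = True
            sojourn, ok_to_drop = self._dodequeue(now)
            self.count, self.drop_next = 1, now + INTERVAL   # RFC 8289 also reuses the old count
        return sojourn

def simulate(use_codel, burst=200, duration_ms=5000):
    """Constructed load: burst, then 1 arrival per ms against 1 drain per ms. Returns (drops, last sojourn ms)."""
    c = CoDel()
    c.q.extend([0.0] * burst)
    for now in range(duration_ms):
        c.q.append(float(now))   # without CoDel, plain FIFO is the tail-drop (bufferbloat) baseline
        sojourn = c.dequeue(float(now)) if use_codel else float(now) - c.q.popleft()
    return c.dropped, sojourn
```

With plain FIFO the 200 ms standing delay never goes away even though nothing is ever dropped; with CoDel a few hundred spaced drops bring the delay back under the 5 ms target, which is the bufferbloat-score change the slides describe.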
  12. Captive Portal Authentication Changes
      ● Captive Portal has been integrated into the User Manager for authentication
      ● You can now use LDAP for Captive Portal authentication!
      ● Captive Portal RADIUS entries are migrated to the User Manager on upgrade
        – There should be no difference in behavior on upgrade for existing setups
        – If you have duplicates, you can pick one to keep and set all portals to that, then remove the rest
      ● Some Portal-specific options are still in Captive Portal settings
      ● Numerous Captive Portal RADIUS issues were fixed as a result, see the release notes for details
  13. Captive Portal Page Customization
      ● New default captive portal page with modern design, images, CSS, etc
        – Still adapts based on config changes, such as adding a voucher field automatically when vouchers are enabled
      ● Easier customization
        – Can upload a logo, custom background, and set Terms & Conditions all without having to edit/upload custom HTML!
      ● Full customization is still possible in the previous style
      ● No automatic change on upgrade for users of customized HTML
  14. IPsec Speed Improvements
      ● Asynchronous Cryptography allows the crypto load to be spread across multiple cores
      ● VPN > IPsec, Advanced Settings tab, check Asynchronous Cryptography
        – Defaults to enabled for Netgate hardware factory image installs, disabled on CE
      ● Primarily benefits single tunnel configurations, or at least configurations with fewer tunnels than CPU cores
      ● Performance improvements may disappear, or throughput may even be lower, with larger numbers of tunnels
      ● Speed improvements are still being measured but in some cases have been quite dramatic
        – One of our new model firewalls with AES-NI and Async Crypto enabled went from ~400 Mbit/s to over 900 Mbit/s of IPsec (1500 byte packets, MSS clamping enabled)
  15. Certificate Management Changes
      ● Certificate fields have been revamped to conform to RFC 5280
      ● When creating a new CA or Cert, the default action is to create an internal entry rather than import
      ● The only required subject component field is now the Common Name
      ● The Common Name field has also moved to the top of the list of subject attributes as it is the most important component
      ● The E-mail address field has been removed as it was declared deprecated
        – If a certificate requires an e-mail address, it can be added as a SAN instead of in the subject
      ● Some areas did not have full support for the optional Organizational Unit, which should work everywhere now
      ● Changes have been synchronized across the CA Manager, Cert Manager, User Manager, and OpenVPN Wizard
  16. Gateway Group as a Default Gateway
      ● Now a Gateway Group can be used as the Default Gateway
      ● This replaces the old "Default Gateway Switching" behavior
      ● Using a gateway group, you can control which gateways can be default and the order in which they are used
      ● Works only with Failover type Gateway Groups
        – One gateway per tier
      ● To set up, use System > Routing, Gateways tab, Default Gateway section
      ● Default state on upgrade attempts to reflect the previously chosen behavior
        – Visit the page after upgrade and confirm the correct default is selected, or pick a group to use the new behavior
  17. Conclusion
      ● Questions?
      ● Ideas for hangout topics? Post on forum, Reddit, etc