Kea DHCP coming to pfSense - finally

Anyone know if this is a ‘full implementation’ or will it be crippled?

Specifically asking because of the whole ‘dhcp only on connected subnets’ thing.

No support for CARP status for HA is going to be a big bummer. If they can’t get that worked out then I can see that being a huge waste of time.

This is good to see. Running a service as root that no longer gets security updates, and that everybody in the network has to touch, is a little concerning to be fair. Not sure I would dunk on this as a waste of time. If you have the need for HA you can always do that way from your pfsense box. Plus, you get security benefits from that setup. Looks like they do support this. I kinda wish I had a need for this in my home office.

EDIT: also, can you elaborate on your concern about dhcp only on connected subnets?

pf can’t route at 10g - solution is to go with router on a stick and let an L3 switch do switchy things, but the current pf implementation of dhcp does not support this setup. The default response to this is ‘just run a separate dhcp’, which is fine if you have a vm environment or spare box. Another option is to use the inbuilt dhcp on the switch, which seems to be a mixed bag depending on switch. I have no idea how much either of these would cripple logging/pfblocker type functionality.

I am in the middle of revamping my home network with some 10g mixed in. With pfblockerNG python mode seemingly closing the gap to pihole for noobs like me, I was excited to bring everything under one easy to use system. Now I’m debating whether to stick with L2 on my switch and wait to see if the Kea implementation will work, or go back to pihole as dhcp/dns. I’m probably going to go with the latter, as who knows how long it will take them to have Kea ready for production use.

Interesting, I didn’t realize pfsense could not route 10G. I’ve never messed with an L3 switch while I was in the industry, but kind of wish I had. I probably would have tried to keep everything in the same broadcast domain so an L2 switch would work (unless your WAN is 10G)?

I know this next point is unpopular here, but I’m of the old school belief that a router/firewall should be a one-trick pony. Adding all the stuff pf lets you do is super convenient, but not as secure, flexible, or robust. As Steve Gibson would say, convenience is the enemy of security (however, he is a pf user so that argument only goes so far with him, as with all of us I guess). If you have this separated out then you are already ahead, IMO.

It can too route at 10Gb. You just need to have the right hardware to run it. Starting with the netgate 6100 and up.


Sorry, correction - can’t route 10g on typical x86 hardware… I guess in theory it can with enough processor. If you are willing to spend $800 for netgate hardware, that same $800 could get you something like this dell R910

I am routing at 10Gb with an optiplex 7020 with an i5.