Where are the(se) unknown DNS requests coming from?

I have a spare 3B+, even with a PoE HAT, that I almost never use anymore. I have Home Assistant running on Proxmox in a container. I was thinking of putting HA on the Pi, but maybe this DShield honeypot is a nice option too. Something new to discover and play with. I am going to check it out after I have reconfigured my block rules, Snort, pfB etc. I will look into that honeypot project too.

I don’t mind fan noise too much myself. I have a separate room for my hobbies. In here there are always lots of fans running day and night. I have double UTP connections in every room. The other rooms have no equipment with fans; only here in my mancave is it an orchestra of fans haha, I don’t mind. Most of the time I wear (wireless) headphones anyway.

About TNSR, I can imagine it is huge overkill. pfSense is probably good enough for my needs. But I am just curious about the workings, to experience the difference, and I’d just like to know it a little bit. So there is an evaluation version, hmm, interesting. Geez, not enough hours in a day :joy:

I almost don’t dare to say it, but I disabled that Status > Monitoring. I have enabled it now and will keep an eye on it.

I am not planning on using 10Gbps, but more bandwidth like a 2x 1Gbps port LAG for instance. I have a 2-port (LACP) LAG trunk between my Proxmox server and the EdgeSwitch. That works really well. Not only the bandwidth but also those 2 cables: if I need to physically move the system I don’t have to take it offline. I can reroute the cables one at a time without losing connectivity. Not that it is a critical server or anything haha, but still, it works very stable and fast. I would like to have that also between the router and the switch. My Supermicro mini-ITX pfSense system has just 2x 1Gbps ports. This board is pretty old: Atom D525, 4x 1.8GHz, 4GB RAM, no AES-NI.

Hmm, that doesn’t sound comforting haha. Wouldn’t we be able to see outbound traffic to Snort HQ with Wireshark?

I meant that Snort running on your device just wants to process the packets that were not blocked. Nothing nefarious.

In regard to TNSR, it is neat but they make you jump through some licensing hoops just to play with it. For me it would be more like a project then once I achieve it I will go use something else. In my virtual lab I regularly use VyOS because it’s fast and reliable. TNSR clearly just wants bigger customers.

Oh no! Embrace the data! I actually created a “fake” interface to monitor all the way to Google so I have even more data, haha. This led me to bug my ISP and one of their peers as to why my latency was so high. After a bit of playing around I figured out that ICMP traffic (the pings that dpinger uses in this case) did not have priority, and while my ping might take 20ms, a TCP packet to the same destination was more like 8ms. Well played, little rural telecom co-op! I bet they love hearing from me. :grin:

Yeah, I am curious about that vector packet routing or what was it called again haha. It seems to be fast; I am curious about the difference on my old pfSense system. It is not free, or we have to go through a lot of licensing trouble, I now know from you, but still, much trouble just to play with it. I am not going to pay for it anyway, so okay, bye TNSR :wink:

I read VyOS was the “grandfather” of pfSense. I thought pfSense is a fork of m0n0wall. I started in 2004 with m0n0wall. After m0n0wall stopped I started using pfSense back in 2015. Today I visited the old m0n0wall website. They encourage users to use OPNsense; what is that about? What is the difference between OPNsense and pfSense?

I didn’t use Status > Monitoring; I disabled it, like I disabled as much as possible in the hope that with fewer processes running on pfSense my router would be faster. On the portal page of pfSense I see CPU and RAM usage that is never high, but still the speed between VLANs is around 400Mbps, not the full 1Gbps. I hope that with a new, faster system (maybe a higher front-side bus is also a factor) I could get the full 1Gbps. That new Netgate 7100 system looks really nice, Tom reviewed it, but 1000 euro incl. VAT, brrr, a lot of money.

Interesting what you wrote about dpinger; I never thought of changing it to another monitor IP. I never checked latency; it always works, so I don’t know. When my internet goes down dpinger sends an e-mail to my local mail server, or when I lose connection I look at the gateway log on pfSense. Other than that I never looked at dpinger. I never saw that gateway settings page. It is interesting to know it is there and that I could change the monitor IP; that could come in handy. But I would not use a Google IP for it. I try not to use Google if I can. It is impossible, I know, but if I can I avoid Google. One source with such a big pile of data on all of us doesn’t feel good.

About virtualization on a workstation: I used VirtualBox for years. The last year or maybe 2 years I didn’t use it anymore. I have Proxmox; I can run all kinds of systems on Proxmox, so I don’t need VirtualBox anymore. Maybe some day I need it again, who knows. At the moment I am very happy with my Proxmox system.

No. pfSense is a fancy GUI front end for the packet filter (pf) built into the BSD operating system. VyOS is built on Debian Linux. VyOS is a fork of Vyatta, which is what Unifi OS is built on. I saw a neat chart once that tried to keep track of various distributions and where they forked from and it was pretty overwhelming.

You should talk with Netgate before buying a new device. There are a lot of things that can cause this and they can make sure you don’t waste your money. Their paid support is very good but you can get a lot of technical stuff out of the sales people too with the promise of buying a device.

Be aware that there are actions tied to the monitor IP. As you can see in my previous picture with the fake Google interface I disabled those actions because it’s just to collect stats, but they are enabled to the “real” interface. I chose Google as a real world test (where would you go to see if the internet is up? That is what you put in there). The actions involve restarting the interface to try and bring it back up if it is down among other things.

Ah yes, Unifi OS, that was probably what I read sometime in the past but forgot the exact story haha, I am getting older :wink:

The Netgate forums are not a place for me; I like it more here on Tom’s forums, but sending a mail to the Netgate people I could try. Good idea, thanks man, and thanks for all the help and tons of information. That was a really good find, this SYN scan; I would never have thought of that. I once read about it when I looked into nmap, but I wouldn’t recognize a SYN scan if it bit me in the rear end hahaha

By default pfSense sets the gateway of my ISP as the dpinger monitor IP. Why would I have a problem with that? I think it is a better idea than pinging Google. Maybe rotate that monitor IP between 8.8.8.8, 9.9.9.9, 1.1.1.1 etc.

Using your ISP gateway as the monitor IP is good for the monitor actions (restart the interface if it can’t get to the next hop, for example), but for data collection, such as with my fake Google gateway, it doesn’t account for problems with your ISP such as getting out of their network. I find this very useful for clients when they say things were slow and I can point out exactly where it was. You don’t have to use Google, but if you want a more complete picture then the “fake” gateway for monitoring needs a pretty common public IP, and to that end you should also understand that anycast addresses (1.1.1.1 for example) could route to many different actual devices too. So I suppose Google is a bad example, haha. Maybe test.com? Or just use a monitoring service, I guess.

I try to understand what you are doing with the fake gateway ping monitor. You record the hops between you and 8.8.8.8 and with that see where the network was slow. Is that how it works?

Dpinger just pings the monitor IP and waits for a response. For the purpose of monitoring, the important number is the “time” number in your response. We want to know how much time it took for that packet to get to the monitor IP and back. Collecting this data over time is quite useful. If there is no response and monitor actions for the route are enabled, then pfSense does a few things to try and bring the route back up. For the purpose of what we are talking about it’s just used to determine the quality of the connection. On the Status > Monitoring page there is a little wrench in the upper right. Check out what graphs you can make.

Okay, I understand, or start to understand :wink:

I did know dpinger regularly sends a ping to the monitor IP (in my case the ISP gateway). When there is no response the Internet is down and the watchdog service sends me a notification mail.

You record those pings with the graphical monitoring tool. That will be a handy graph for sure.

I am going to fiddle a little with that. When I add another (fake) gateway in System > Routing > Gateways the default one disappears. Can’t we have 2 IPs to monitor? When I remove the fake gateway the default one is back again.

I never did anything with the graphical monitoring tool; I have to get to know it a little better.
I was never so much into collecting data. If my Internet works and I don’t see too many weird things going by in the firewall logs (like, I now know, SYN scans) I am mostly a happy man :wink: But always open to learning new things.

I now have this:

It will let you make two gateways but I noticed in a recent version I had to “remake” the default one for it to show back up again (if it was really gone your connection would be down). Not sure what was going on there.

This is going to be a nice graph in a while.
This is a very smart, handy trick.
Nice tutorial for your brand new blog, filled with more pfSense stuff people can use too :+1:

It works

Now if only we could figure out exactly what was going on with those DNS lookups, haha.

Ah yes those DNS lookups :grin:
I am going to contact BBcan177 and ask him to read this thread.
He probably knows what his software does in this case.
I will let everybody know what he said.

Sounds good! Keep in mind that the ICMP packets dpinger sends are very small, so there should be no performance impact. You do want them to be sent more often than your graph interval, because latency (the thing the graph is calculating) is not measured in one packet; it’s an average.
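The two posts above describe what the monitoring graph actually plots: dpinger sends one small ICMP echo per probe interval, and each point on the graph is the average round-trip time (plus the loss percentage) over all probes that fell in that graph interval, which is why the probe interval has to be shorter than the graph interval. The script below is an added example for this thread, not code from pfSense or dpinger: it reproduces that aggregation over a constructed two-minute run of probes and then applies latency/loss "high" thresholds to each interval. The probe data, the 0.5 s probe spacing, the 60 s graph interval and the 500 ms / 20 % threshold values are all assumptions made here, not something read from a real gateway.

```python
"""Aggregate dpinger-style probe results into graph intervals.

Added example (not pfSense's or dpinger's code).  dpinger sends one ICMP
echo per send interval; the monitoring graph shows the *average* RTT and
the loss percentage per graph interval, not individual probes.  This
reproduces that aggregation over constructed probe data.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Probe:
    t: float                  # seconds since monitoring started
    rtt_ms: Optional[float]   # None = no reply within the loss interval


def constructed_probes() -> List[Probe]:
    """Two minutes of probes every 0.5 s (constructed, not captured).

    Minute 1: healthy link, RTTs alternate 20/24 ms, no loss.
    Minute 2: a congested upstream hop: RTTs jump to ~610 ms and
              one probe in five gets no reply (20 % loss).
    """
    probes = []
    for i in range(120):                       # 0.0 .. 59.5 s
        probes.append(Probe(i * 0.5, 20.0 if i % 2 == 0 else 24.0))
    for i in range(120):                       # 60.0 .. 119.5 s
        rtt = None if i % 5 == 0 else 600.0 + 10.0 * (i % 3)
        probes.append(Probe(60.0 + i * 0.5, rtt))
    return probes


def aggregate(probes: List[Probe], interval_s: float = 60.0) -> List[Dict]:
    """Bucket probes into graph intervals and compute what the graph plots.

    Returns one row per interval with the number of probes sent, the loss
    percentage, and the mean / population std-dev of the RTTs that came back.
    """
    buckets: Dict[float, List[Probe]] = {}
    for p in probes:
        start = int(p.t // interval_s) * interval_s
        buckets.setdefault(start, []).append(p)

    rows = []
    for start in sorted(buckets):
        group = buckets[start]
        replied = [p.rtt_ms for p in group if p.rtt_ms is not None]
        rows.append({
            "start_s": start,
            "sent": len(group),
            "loss_pct": 100.0 * (len(group) - len(replied)) / len(group),
            "avg_ms": mean(replied) if replied else None,   # None = all lost
            "stddev_ms": pstdev(replied) if len(replied) > 1 else 0.0,
        })
    return rows


def alarms(rows: List[Dict],
           latency_high_ms: float = 500.0,
           loss_high_pct: float = 20.0) -> List[float]:
    """Interval start times whose average would trip a 'high' threshold.

    The 500 ms / 20 % values are assumptions used for this example; set
    them to whatever the gateway's advanced settings actually use.
    """
    tripped = []
    for r in rows:
        too_slow = r["avg_ms"] is not None and r["avg_ms"] >= latency_high_ms
        too_lossy = r["loss_pct"] >= loss_high_pct
        if too_slow or too_lossy:
            tripped.append(r["start_s"])
    return tripped


if __name__ == "__main__":
    rows = aggregate(constructed_probes())
    for r in rows:
        print(f"t={r['start_s']:>5.0f}s sent={r['sent']:3d} "
              f"loss={r['loss_pct']:5.1f}% avg={r['avg_ms']} "
              f"stddev={r['stddev_ms']:.1f}")
    print("intervals over threshold:", alarms(rows))
```

Note what the second interval shows: 24 of its 120 probes got no reply, so the row reports 20 % loss alongside the 610 ms average; with only one probe per graph interval neither figure could be computed, which is the point made in the post above.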

Yeah, I was playing with the interval times. Not so much because of the bandwidth/performance, but more the thing that I am sending many ICMP packets every half second to the other side. They might not be happy with me doing this.

Little update:
BBcan117 did not reply to my email at all.
After the update from Snort yesterday the range 193.163.125.0/24 is not blocked by it anymore.
The SYN scans are still going on from this range, but Snort is not blocking the outgoing reverse DNS lookups anymore.
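Earlier in the thread the SYN scans were the thing the original poster said he "wouldn't recognize" in the firewall logs. What they look like in pfSense's log is one source sending bare SYN packets (TCP flags `S`, no ACK) to many different destination ports in a short time, which is exactly the pattern a small script can pick out. The script below is an added example for this thread, not pfSense's or Snort's code. The log lines in it are constructed, not captured from anyone's firewall, and use documentation addresses; they follow the pfSense filterlog CSV layout as assumed here (`...,protoid,protoname,length,srcip,dstip,srcport,dstport,datalength,tcpflags,...`, with the action in the seventh field), and the parser locates fields relative to the `tcp` token so that the leading rule/interface fields do not matter. The 10-port / 60-second threshold is an assumption chosen for the example.

```python
"""Flag SYN-scan-like patterns in pfSense filterlog lines.

Added example (not pfSense's or Snort's code).  A scan shows up as one
source sending bare SYNs to many distinct ports within a short window;
a normal client sends one SYN to one port and then ACK/PSH traffic.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Assumed filterlog layout (fields counted from the 'tcp' token):
#   tcp,length,srcip,dstip,srcport,dstport,datalength,tcpflags,...
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080, 8443]


def constructed_lines() -> List[str]:
    """Constructed log lines: a scanner probing 12 ports in 12 s, one normal
    HTTPS client (SYN then ACK to the same port), and one UDP line that the
    TCP parser must skip.  Addresses are RFC 5737 documentation ranges."""
    tmpl = ("Nov 10 12:00:{sec:02d} fw filterlog[41231]: "
            "5,,,1000000103,igb0,match,{action},in,4,0x0,,{ttl},0,0,none,6,tcp,44,"
            "{src},203.0.113.10,{sport},{dport},0,{flags},1,,1024,,")
    lines = [tmpl.format(sec=i, action="block", ttl=49, src="198.51.100.7",
                         sport=41200 + i, dport=p, flags="S")
             for i, p in enumerate(SCAN_PORTS)]
    lines.append(tmpl.format(sec=30, action="pass", ttl=64, src="203.0.113.9",
                             sport=51000, dport=443, flags="S"))
    lines.append(tmpl.format(sec=31, action="pass", ttl=64, src="203.0.113.9",
                             sport=51000, dport=443, flags="A"))
    lines.append("Nov 10 12:00:32 fw filterlog[41231]: "
                 "5,,,1000000103,igb0,match,block,in,4,0x0,,49,0,0,none,17,udp,60,"
                 "198.51.100.7,203.0.113.10,5000,53,40")
    return lines


def parse_filterlog(line: str) -> Optional[Dict]:
    """Pull timestamp, action, endpoints and TCP flags out of one TCP line.

    Returns None for non-TCP lines or anything that does not look like filterlog.
    """
    head, sep, csv = line.partition("]: ")
    if not sep or "filterlog[" not in head:
        return None
    fields = csv.split(",")
    if "tcp" not in fields:
        return None
    i = fields.index("tcp")
    try:
        return {
            "ts": datetime.strptime(head[:15], "%b %d %H:%M:%S"),  # syslog stamp, no year
            "action": fields[6],
            "src": fields[i + 2],
            "dst": fields[i + 3],
            "dport": int(fields[i + 5]),
            "flags": fields[i + 7],
        }
    except (IndexError, ValueError):
        return None


def detect_syn_scans(lines: List[str], min_ports: int = 10,
                     window_s: int = 60) -> Dict[str, int]:
    """Return {source_ip: distinct ports} for sources that sent bare SYNs to
    at least `min_ports` distinct destination ports inside any `window_s`
    second window.  Uses a sliding window per source so a slow scan spread
    over a long log is only flagged if it is dense enough."""
    by_src: Dict[str, List] = defaultdict(list)
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["flags"] == "S":          # SYN only: no ACK set
            by_src[rec["src"]].append((rec["ts"], rec["dport"]))

    hits: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Dict[int, int] = defaultdict(int)
        lo = 0
        for t_hi, port in events:
            in_window[port] += 1
            while (t_hi - events[lo][0]).total_seconds() > window_s:
                old_port = events[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            if len(in_window) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits


if __name__ == "__main__":
    for src, n in detect_syn_scans(constructed_lines()).items():
        print(f"{src}: bare SYNs to {n} distinct ports within 60 s")
```

On a live box the same logic runs over `/var/log/filter.log` (or the clog/syslog export of it); the `action` field is kept in the parsed record so a variant can count only blocked SYNs, which is usually the cleaner signal since a scanner's SYNs to closed ports never complete a handshake.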