[pfSense-discussion] IPv6 needed, IPv4 exhaustion - was Re: [pfSense-discussion] Re: Low end, cool CPE.

2010-11-18 Thread Paul Mansfield
On 12/11/10 13:43, Eugen Leitl wrote:
> - IPv6 support, native or tunnel to tunnelbroker.net type thing.
...
> The point is: We've been asking for IPv6 for too long.  That's just
> one bit in a packet header.  We need to start asking for the features we
> expect, which is a lot more than that bit.

Leo Vegoda of IANA said on 13th Nov that a new block, 105/8, was
recently released to AfriNIC, with previous allocations this year being

1/8
14/8
27/8
31/8
36/8
42/8
49/8
50/8
101/8
105/8
107/8
176/8
177/8
181/8
223/8


leaving only 11 unallocated /8's. so, that means none left by this time
next year.

oh, and it means people should check their bogon filter updaters are
working!

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
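
One way to run the bogon-filter check suggested in the message above, as an added example that is not part of the original post: it compares a bogon list against the /8 blocks the post lists as allocated in 2010, reports entries that would drop allocated space, and prunes them, splitting aggregates where needed. The bogon list is a constructed sample and the function names are illustrative.

```python
import ipaddress

# /8 blocks the post lists as allocated by IANA during 2010.
ALLOCATED_2010 = [ipaddress.ip_network(f"{n}.0.0.0/8") for n in
                  (1, 14, 27, 31, 36, 42, 49, 50, 101, 105, 107, 176, 177, 181, 223)]

# Constructed sample of a bogon list that stopped updating (not a real feed snapshot).
STALE_BOGONS = """\
# constructed sample
0.0.0.0/8
10.0.0.0/8
36.0.0.0/8
104.0.0.0/6
127.0.0.0/8
176.0.0.0/7
192.168.0.0/16
"""

def parse_prefixes(text):
    """Return the networks in a one-prefix-per-line list, skipping comments and blanks."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ipaddress.ip_network(ln) for ln in lines if ln]

def stale_entries(bogons, allocated):
    """Map each bogon prefix to the allocated blocks it would wrongly drop."""
    hits = {}
    for net in bogons:
        covered = [a for a in allocated if net.overlaps(a)]
        if covered:
            hits[net] = covered
    return hits

def prune(bogons, allocated):
    """Remove allocated space from the bogon list, splitting aggregates where needed."""
    result = []
    for net in bogons:
        pieces = [net]
        for a in allocated:
            kept = []
            for p in pieces:
                if not p.overlaps(a):
                    kept.append(p)
                elif not a.supernet_of(p):      # p strictly contains a: carve a out
                    kept.extend(p.address_exclude(a))
                # else: p lies entirely inside allocated space, drop it
            pieces = kept
        result.extend(pieces)
    return sorted(result)

if __name__ == "__main__":
    bogons = parse_prefixes(STALE_BOGONS)
    for net, blocks in stale_entries(bogons, ALLOCATED_2010).items():
        print(f"{net} drops allocated space: {', '.join(map(str, blocks))}")
    print("pruned:", ", ".join(map(str, prune(bogons, ALLOCATED_2010))))
```

Aggregated entries are the case worth checking: a /6 or /7 in a stale list hides the allocated /8s inside it from a simple line-by-line comparison.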



[pfSense-discussion] Re: Low end, cool CPE.

2010-11-17 Thread Eugen Leitl
- Forwarded message from Joel Jaeggli joe...@bogus.com -

From: Joel Jaeggli joe...@bogus.com
Date: Tue, 16 Nov 2010 19:36:10 +0800
To: Eugen Leitl eu...@leitl.org
CC: Jason Lewis jle...@packetnexus.com, NANOG list na...@nanog.org
Subject: Re: Low end, cool CPE.

On 11/12/10 11:30 PM, Eugen Leitl wrote:
> On Fri, Nov 12, 2010 at 10:10:30AM -0500, Jason Lewis wrote:
>> Every time I'm in the market for a device like you describe, it comes
>> down to the limitations of consumer devices.  You can't get all those
>> things in a low cost solution.  I end up rolling my own.  My latest
>> system is this
>> http://www.supermicro.com/products/system/1U/5015/SYS-5015A-PHF.cfm

snip

>> , with Endian http://endian.com/en/community/download/ and an
>> additional dual port nic.  With all the parts (HD,NIC) it's under
>> $400.
>>
>> It's an atom board, so you could put whatever you wanted on it.  I
>> have a 50mbps net connection and it doesn't have any issues.
>
> Works well on GBit/s as well. I haven't measured the throughput
> yet, though. Should be ~500 MBit/s, assuming a single Atom core
> is about equivalent to a Pentium 3 at the same frequency.

An atom should easily be able to forward some high fraction of a gig
between two pci-e 1x connected interfaces certainly in the soho context
such a box can do ipsec at fairly reasonable rates as well.

Regarding equivalence to a PIII an atom is a scalar rather than super
scalar device. it is slower clock for clock than a pIII but there are
also multicore variants and of course they run faster at lower power
consumption rates than the equivalent PIII derived embedded processor
such as the intel a800

 

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




[pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Eugen Leitl
- Forwarded message from Bjørn Mork bj...@mork.no -

From: Bjørn Mork bj...@mork.no
Date: Fri, 12 Nov 2010 13:55:27 +0100
To: na...@nanog.org
Subject: Re: Low end, cool CPE.
Organization: m

Leo Bicknell bickn...@ufp.org writes:

> - IPv6 support, native or tunnel to tunnelbroker.net type thing.

This is far too diffuse.  You'll get a yes, we've got IPv6.

You should at least add
 - IPv6 packet filtering and policy management (at least simple access
   lists) 
 - DHCPv6-PD client running over PPP or ethernet (possibly bridged DSL)
   WAN interface(s)
 - Ability to split the delegated prefix into a /64 for every LAN and
   loopback interface, preferably fully configurable
 - Configurable RA on LAN interfaces, using the dynamically allocated
   prefixes
 - (wishlist) configurable ifid's on the LAN and loopback interfaces as
   an alternative to using EUI-64
 - WAN link addressing using whatever is available of SLAAC, DHCPv6
   IA_NA or link local.  Specifically: Using SLAAC for the WAN link
   should be possible without sacrificing any router functionality on
   the CPE.
 
and probably a lot more.  DNS resolver handling needs a chapter on its
own

The point is: We've been asking for IPv6 for too long.  That's just
one bit in a packet header.  We need to start asking for the features we
expect, which is a lot more than that bit.



Bjørn

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
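
Two of the requirements in the forwarded message above, splitting a delegated prefix into a /64 per LAN and loopback interface and allowing a configured interface identifier instead of EUI-64, worked through as an added example (not part of the original message). The delegated prefix is from the IPv6 documentation range, the MAC addresses are made up, and the function names are illustrative.

```python
import ipaddress

def eui64_ifid(mac):
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) from a 48-bit MAC."""
    b = bytes(int(octet, 16) for octet in mac.split(":"))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    b = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]   # flip U/L bit, insert ff:fe
    return int.from_bytes(b, "big")

def plan_lans(delegated, interfaces):
    """Give each interface its own /64 out of a delegated prefix.

    interfaces: (name, mac, ifid) tuples; a non-None ifid (integer) is the
    configured interface identifier and replaces the EUI-64 one.
    Returns {name: (IPv6Network, IPv6Address)}.
    """
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64, cannot carve LAN prefixes")
    subnets = pd.subnets(new_prefix=64)          # lazy: a /48 holds 65536 of them
    plan = {}
    for name, mac, ifid in interfaces:
        net = next(subnets, None)
        if net is None:                          # e.g. only a single /64 was delegated
            raise ValueError(f"{pd} has no /64 left for {name}")
        iid = eui64_ifid(mac) if ifid is None else ifid
        plan[name] = (net, net[iid])             # net[n] is network address + n
    return plan

if __name__ == "__main__":
    # Constructed inputs: documentation prefix and made-up MAC addresses.
    demo = [("lan", "00:0d:b9:12:34:56", None),     # EUI-64 derived address
            ("guest", "00:0d:b9:12:34:57", 0x1),    # configured ifid ::1
            ("lo0", None, 0x1)]                     # loopback has no MAC
    for name, (net, addr) in plan_lans("2001:db8:1200::/56", demo).items():
        print(f"{name:6} {net}  router address {addr}")
```

A delegation that cannot cover every interface raises an error instead of silently leaving a LAN without a prefix, which is the case to test a CPE against when the provider hands out only a /64.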




[pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Eugen Leitl
- Forwarded message from Charles N Wyble char...@knownelement.com -

From: Charles N Wyble char...@knownelement.com
Date: Fri, 12 Nov 2010 08:07:14 -0800
To: na...@nanog.org
Subject: Re: Low end, cool CPE.

On 11/12/2010 01:24 AM, Eugen Leitl wrote:
> On Thu, Nov 11, 2010 at 05:41:00PM -0800, Leo Bicknell wrote:
>> I've run into a number of low end CPE situations lately where I
>> haven't found anything that does what I want, but I have to believe
>> it is out there.  I'm hoping NANOG can help.
> An ALIX with pfSense 2.0 (BETA4 at the moment) would fit most
> of the above. IPv6 support is coming (is mostly there in the
> kernel, but interface only alpha).


PPPOE is currently broken in 2.0 BETA4. :(
> If you want to run the snort package I'd however pick a
> Supermicro Atom system with 2 onboard NICs and add a dual-port
> Intel NIC, and run pfSense from a small SSD or an USB stick.
> Albeit a rackmount, the system would be quiet enough for SOHO.

Yes. I agree. Have SNORT run as a transparent bridge and have a separate  
management interface. Use vlans on that interface
to handle whatever you need to do (dedicated vlan for snort, one for your 
management network, one for secure wifi, one for guest
wifi etc).


>> Basically think about a sophisticated home user, or a 1-5 person
>> small office.  Think DSL, Cable Modem, maybe Cell Card or ISDN as
>> backups.  Looking for an appliance, very much fire and forget. I
>> probably won't get all the features that I want, but in no particular
>> order:
>>
>> - Able to deal with backup connectivity, eg. Cell Cards which you
>>   only want to use if the primary is down.
>> - User friendly features, e.g. UPNP, NAT-PMP, etc.
>> - Good manageability.  ssh to a cli would be a huge bonus, at least
>>   the ability to backup a config.
> Very well supported. http(s) and ssh both.

Well the SSH interface is very limited. You can login and do some basic  
checks. However everything is driven from a single
XML config file that gets parsed by PHP scripts during the init process  
and then writes out all the UNIX configuration files.
However all the things I've ever done from the CLI on a Linux box are  
readily available from the pfSense web interface (arp table
checks, traceroute,ping,iperf,tcpdump).

I only use the CLI when I have broken something.
>> - Nice firewall features.
>> - IDS features are cool.

It has a SNORT package that's pretty nice. Also has some other AV type  
stuff and a proxy. I haven't gotten the proxy/av to work yet, but
haven't put much time into them.
>> WiFi is not strictly required, but would be cool. Things like guest
>> WiFi would be an added bonus.

It supports a lot of wifi cards. I put a USB wifi stick in my pfsense box 
and configured it as an AP from the web UI.

I'm running the current stable pfSense (1.2.3 I think). Very happy with  
it. It's a fully featured distribution that is incredibly
well put together.

- End forwarded message -
-- 
Eugen* Leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE




Re: [pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Scott Ullrich
On Fri, Nov 12, 2010 at 5:51 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
[snip]
> But still - no IPv6 support (though a 3rd-party patch is now available to
> beat it in, it's not up to par yet, and it's not in 'stable').  :(

The work Seth is doing will be in 2.1 sometime next year.  He has made
a lot of progress in a very short amount of time.

Scott




RE: [pfSense-discussion] Re: Low end, cool CPE.

2010-11-12 Thread Nathan Eisenberg
> The work Seth is doing will be in 2.1 sometime next year.  He has made a lot
> of progress in a very short amount of time.

And please don't misunderstand - I am absolutely thrilled about it.  But it 
probably does not meet the OP's needs quite yet.

Nathan

