Comments on RevK®'s ramblings: FB2900 and Let's Encrypt

Anonymous, 2018-04-16 16:21:
Thank you for explaining.

Jim

RevK, 2018-04-16 15:44:
It does explain on the site that the FireBrick product is made by Andrews & Arnold Ltd and Watchfront Ltd. FireBrick Ltd just holds the rights.

Anonymous, 2018-04-16 15:38:
I was considering purchasing a FireBrick but spotted that it is apparently developed, marketed and supported by a dormant UK company #04932284 (https://beta.companieshouse.gov.uk/company/04932284/filing-history).

Is this a mistake?

Jim

Anonymous, 2018-04-16 12:44:
Does it have a unilateral phase detractor?

Also I wonder if it would benefit from a panometric fan?

Hehe

https://youtu.be/RXJKdh1KZ0w

Steve Hill, 2018-04-16 09:15:
Not quite in the same league, but I replaced my Sheevaplug with an MSI Cubi N a while ago - very nice device, pretty powerful, low power requirements and fanless.

Anonymous, 2018-04-14 19:16:
Thank you very much! I really enjoyed reading that. You are a great writer!

Anonymous, 2018-04-14 19:15:
I think he means he can upload??

Anonymous, 2018-04-14 19:14:
Would it be possible just to put a slightly faster processor in it? Sort of like an i5 instead of an i3 type approach?

Also, anyone paying for a 1Gbps line can surely afford a little extra for the one-off spend on their router?

Anonymous, 2018-04-14 18:57:
Like I said I like it but there really has to be a scenario/setup that can demonstrate to management that it will do 1Gbps.

I know & you know it's largely meaningless but it's management we're dealing with & if they're paying for a GigE link someone climbing the greasy pole will point out the router can't do 1Gbps.

Bit of presentation for the pointy-haired bosses really but I'd recommend a preset profile that does 1Gbps just for marketing/management (same thing in IT terms).

Can't be that hard - have a play around at home instead of trying to get iStuff to work ;)

Anonymous, 2018-04-14 18:50:
I'm more than happy with the FireBrick's DNS. I use it for ad blocking at network level, and it works very well. (Either use the block function, or else resolve to 127.0.0.1/::1.)

I resolve upstream using my own bind server, for privacy reasons, but no particular need for that.

For NAT, once I understood the syntax, it was easy — I'd send you an XML snippet, which you can easily modify, but I doubt you want that :)

VPN was straightforward with EAP authentication (username and password), but I wanted certificate authentication, and that required me to learn more about openssl.

I'm just another user, like yourself, but, if you want to drop me a line if/when you try to set it up rather than go to support, that's absolutely fine!

Owen Smith, 2018-04-14 17:40:
If the FireBrick runs a decent caching DNS server I'm happy to ditch the Pi. All it runs is dnsmasq as a DNS cache since the one in the Zyxels caches only a tiny number of entries and anyway I don't entirely trust the Zyxels.

I note for some of these items you say they weren't easy to figure out how to do. I will give the Zyxels this: it was trivial to set all of my requirements up. They really know how to tailor the config to a home user. It's a shame they need power cycling about once a month to keep working as a router. I expect networking uptimes about like I get from my Apple Airport Extreme which runs my wifi; it only gets power cycled on power cuts.

Ixel, 2018-04-14 09:57:
Anonymous, here's a short review of the FB2900 and some pictures: http://forum.kitz.co.uk/index.php/topic,21359.0.html

Anonymous, 2018-04-14 07:18:
> and some DHCP reservations

There are a couple of ways of doing this.

You can either use Status / DHCP / select your interface, and then "lock" particular MAC addresses to particular IPs. This is easy, but they don't (AFAIK) form part of the config, and so don't get backed up.

Alternatively, you can set them yourself in the config. In the GUI, it's Interfaces / edit your interface / DHCP server settings, then add whatever you want.

> I need to change the DNS server in the DHCP response to my local Pi

I haven't tried this, as I'm using the FireBrick for primary caching, which then points to our DNS server.

If you'd be happy having the clients first querying the FireBrick, and then the FireBrick going upstream to your Pi, in the GUI you'd want System / General system services / DNS service settings, and pop your Pi's IP address(es) into "resolvers".

If you actually want DHCP to push it, so you don't use the brick's resolver at all, have a look under Interfaces / edit your interface / DHCP server settings. I suspect — not tried it — that it's the "domain" field.

> as far as I could tell the firewall in the FireBrick was off by default until I could work out how to set one up

AFAIK, it's got a default deny or drop rule to LAN, so you're not exposed immediately.

> I was also trying to keep my VPN working, which meant more port mappings and not using 192.168... IP addresses. But Apple broke that in an iOS update so I can probably ditch that requirement.

I use the FB as an IPSec server, and have my iPhone connected to it via an "on-demand" profile. Whenever I'm not connected to a trusted network, it auto-dials the brick and routes the traffic through there.

It's not the most trivial thing to set up, and EAP authentication is much easier (but then can't be used "on-demand" on iOS), so it depends on your needs. But the instructions on the wiki are pretty good, and support has more detailed instructions on the "on-demand" side of things if you need them.

Anonymous, 2018-04-14 07:18:
Oh, cool, that all looks readily do-able. I'm sure support can offer far better advice than some bloke on the Internet but, in case you're hoping to give it a go this weekend, this might help:

> I need at least one more port that is on the same network, and that doesn't seem to happen by default on the FireBrick.

Not something I've tried myself, but look at the "port grouping" setting under "interfaces". If you wanted ports 1 and 2 to be on the same network (as opposed to plugging a switch into port 1), I think you'd just set up a port group containing ports 1 and 2.

Then, either select one of the existing interfaces or create a new one, and set the "port" setting to your new port group.

> I also need an IPv4 NAT port mapping for my server

Okay — this caused me a bit of a headache at first. How I've done it is this:

I created a new firewall rule, at the bottom of the list. Because it's at the bottom, I've set the no-match-action to "drop".

The rule-set name is "Mappings" (just for ease of reference), and I've set the target-ip to my chosen WAN IP.

In that rule-set, create your mapping rules. For example, if you want port 80 TCP traffic to go to 192.168.1.3, set your "target-port" to 80, "protocol" to 6, and — here's the mapping bit — set "set-target-ip" to 192.168.1.3.

Rinse and repeat for each new rule you want.

So, in essence, the rule set applies where the destination of the traffic is your WAN IP (or, if you've got more than one, whichever one you want), and then a specific rule within that rule set says that, where traffic is destined for port 80 ("target-port"), the rule should change the destination of that traffic ("set-target-ip") to the RFC1918 address.

Under "Diagnostics", there's a firewall rule checker, which also includes your mapping rules. So, when you've set it up, use this as the first step to validating it — put in an external (source) IP (e.g. 8.8.8.8), give it your intended port, traffic type and destination IP, and see what it tells you about the routing.

RevK, 2018-04-14 07:00:
Except the web UI follows the XML structure and uses all the same attribute names, being as it is just a "friendly" way to edit the XML.

RevK, 2018-04-14 06:58:
We're still coding the ACME stuff, but yes, that is the plan.

Anonymous, 2018-04-13 22:39:
Does the FB send any warning if it fails to renew the cert? I'd assume you're using the reasonably standard practice of renewing after 60 days - if it warns on day 60 that's a decent 30 day window to fix it :)

Anonymous, 2018-04-13 22:35:
> Pepwave Surf SOHO

Charges for VPN licenses, only does 120mbit, and I can't even find a retail price anywhere. Not to mention I don't see a single reference to IPv6 *anywhere* on their site.

I don't see how this is a good product choice for a comparison!

Owen Smith, 2018-04-13 21:13:
There were some things that I could not find in the web UI. Also, whenever I asked on IRC or found examples of FireBrick config on the wiki, they always gave the XML. This implied to me that editing the XML was the way to go. If wiki pages and IRC had said which web UI screen to use to set something then I might have been able to find it.

I can see that saving web UI settings to put on a wiki page isn't easy. But saying that all config should be done using the web UI and then having most of the examples given as XML saved config is rather contradictory.

RevK, 2018-04-13 17:44:
It is a header we could add as an option for customers to select. I think we'll leave that for a bit as we expect a new release soon with more https work (we can get an "A" in ssllabs tests now). Maybe once the ACME code is all in place.

Steve Hill, 2018-04-13 17:42:
We've been using LetsEncrypt for customer appliances since the whole StartSSL fiasco. Never had a problem.

Steve Hill, 2018-04-13 17:39:
Do you enable HSTS on your firebricks? We do on our appliances, but I've started to debate whether that's going to come back and bite us in the backside at some point...

RevK, 2018-04-13 13:51:
All sounds perfectly sensible and not hard to do. Well, it has 4 ports but any arrangement, and the FB2900 has 5. Firewall of LAN is on by default. Firebrick can do IKEv2 IPsec VPN directly now as well. The web UI can set *ALL* things that you can in the XML and that is the config, so you do not have to touch the XML. The web UI also presents all the fields including some help text, making it simpler than XML.

Owen Smith, 2018-04-13 13:48:
So it's about twice as fast as the FB2700 then, since that can do about 350mbps on its gigabit ports.

Owen Smith, 2018-04-13 13:47:
Not quite. I need at least one more port that is on the same network, and that doesn't seem to happen by default on the FireBrick. I also need an IPv4 NAT port mapping for my server, and some DHCP reservations since the SqueezeBox software gets upset if any of the IP addresses that system uses change. Then I need to change the DNS server in the DHCP response to my local Pi, because I have the DNS cache turned off on my WHS v1 server (because it is crap and doesn't expire things) and I don't want to be doing all DNS lookups direct to the outside world with no cache anywhere. And as far as I could tell the firewall in the FireBrick was off by default until I could work out how to set one up. But apart from that it's a standard internet connection :-)

When I tried two years ago I was also trying to keep my VPN working, which meant more port mappings and not using 192.168... IP addresses. But Apple broke that in an iOS update so I can probably ditch that requirement.

Part of my problem was the culture shock of the FireBrick config. I wasn't expecting a huge pile of XML, and the web UI appeared to be unable to set some things. I detest XML; it is an exercise in pointless complexity.