Glen Shok, VP of Marketing, and Leon Dang, Lead Engineer, recently shared insights on the Multi-Instance Management (MiM) interface. This new cutting-edge feature offers a “single pane of glass”; a unified dashboard where administrators can seamlessly monitor and manage multiple pfSense Plus firewalls, delivering a solution that’s not only fast and secure but also highly affordable.
24.08 Sneak Peek: Improvements to Kea DHCP for Improved High Availability and Unbound DNS Resolution in pfSense Software
Netgate® is excited to announce important updates to the integration of Kea DHCP into pfSense software, adding support for DHCP High Availability and improved support for registration of DHCP hostnames with the Unbound DNS Resolver. With the release of pfSense Plus software version 24.08, users who require DHCP HA support or DNS resolution of DHCP hostnames can now migrate from the ISC DHCP backend to the Kea DHCP backend. The rest of this blog post will explain why this update is necessary and how it benefits you while also providing more information about the migration timeline and some explanation of how Kea DHCP works.
If you are getting started with OpenVPN on pfSense, you will find that there is more than one recipe for setting up an OpenVPN secure private network. In this pfSense software tip, we will set up a point-to-multipoint VPN design, and show you how to avoid a common misconfiguration that causes problems. It is a subtle issue that can have unexpected effects on the successful operation of your secure private network.
In this sample configuration, we will use Client and Server device certificates for authentication in addition to the Server’s SSL/TLS key, and we will not define any users.
Our focus will be on the Tunnel Network, the subnet used for the OpenVPN tunnel operations. The following illustration shows the VPN topology:
In the course of setting up OpenVPN, you will need to navigate to VPN > OpenVPN > Client or Server, depending on which device you are on, and set up a corresponding configuration. In that set of configurations there is a section called Tunnel Settings. There, you will have a field to enter the tunnel network/mask, in this case 10.3.101.0/24, on your clients and on your server.
On the server, under VPN > OpenVPN, there is also a Client Specific Overrides tab. When you configure manual overrides for your clients, you have a similar prompt for tunnel address information, but there, we are looking for a tunnel address/mask for a given client, as opposed to the network/mask. This sets the IP address and mask of the client OpenVPN tunnel interface. You can either enter an IP address/mask that you know is unique on your tunnel subnet for each client, or leave this blank. However—and this is the problem—if you enter the tunnel subnet/mask here, and not the address/mask, you will see some very strange behavior on your VPN.
The screenshot below shows where this can happen, and shows a bit of information intended to explain this difference.
If you enter the tunnel subnet/mask here, (as shown above) it will cause a series of intermittent issues.
In the screenshot below, you can see symptoms that include the client VPN sessions showing successful and working, yet there is intermittent data loss across the tunnels.
Pings from the server always succeed to the clients' LAN addresses, but pings sourced from the clients to the server LAN address sometimes work and then stop working, leading to discrepancies in bytes sent and received during testing with, e.g., ping.
Other symptoms include intermittent cryptography errors, and routing anomalies seen on the server, under Status > OpenVPN. Check the virtual addresses shown in the following image. If they show the tunnel subnet and not IP addresses, you know you are facing this misconfiguration problem.
To avoid all this, remember that the only place you need to enter the tunnel subnet/mask is on the server, under VPN > OpenVPN > Server configurations. You can leave it blank in the Client Specific Overrides on the server, and also leave it blank on the clients, under VPN > OpenVPN > Client configurations. If you do that, OpenVPN will dynamically assign unique tunnel addresses for the clients, and everything clears up as you see in the following image:
Notice the virtual addresses in the above image are dynamically chosen by OpenVPN, the routing is correct now, and there’s no data loss.
If you have a reason to manually assign the OpenVPN tunnel addresses for your clients, you can do so on the server, under VPN > OpenVPN > Client Specific Overrides for each client. However, be sure to choose an IP address that's unique on your tunnel subnet for each client, and then enter that IP address/tunnel mask for the client, such that every client has a different OpenVPN tunnel IP address.
The following image shows the setting for client 1:
Here's what the server Status > OpenVPN page looks like when we manually set client specific overrides correctly:
Notice the virtual addresses have changed to what was manually set, and the routing reflects them as well.
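To make the distinction between the tunnel network/mask and a per-client address/mask concrete, here is an added validation script (not pfSense or Netgate code) that classifies each Client Specific Override value against the 10.3.101.0/24 tunnel network used in this tip. It assumes OpenVPN's "subnet" topology, in which the server takes the first host address of the tunnel network, and that a correct override ultimately becomes an `ifconfig-push` directive; the client names and values below are constructed for illustration.

```python
"""Classify pfSense OpenVPN Client Specific Override tunnel addresses.

Added example, not pfSense or Netgate code. Assumptions: topology "subnet",
the server's Tunnel Network is 10.3.101.0/24 as in the post, and the
client names and override values in SAMPLE_OVERRIDES are constructed.
"""
from ipaddress import ip_interface, ip_network

TUNNEL_NETWORK = ip_network("10.3.101.0/24")  # the tunnel network from the post


def check_override(value, tunnel=TUNNEL_NETWORK):
    """Classify one override's "IPv4 Tunnel Network" field.

    Returns one of: "dynamic", "ok", "subnet-not-host", "outside-tunnel",
    "bad-mask", "server-address", "invalid".
    """
    value = value.strip()
    if not value:
        return "dynamic"  # blank: OpenVPN picks a unique address for the client
    try:
        iface = ip_interface(value)
    except ValueError:
        return "invalid"
    if iface.network.prefixlen != tunnel.prefixlen:
        return "bad-mask"  # mask must match the tunnel network's mask
    if iface.ip not in tunnel:
        return "outside-tunnel"
    if iface.ip == tunnel.network_address:
        # The exact misconfiguration described in the post: the subnet
        # address was entered where a host address/mask belongs.
        return "subnet-not-host"
    if iface.ip == tunnel.broadcast_address:
        return "invalid"
    if iface.ip == list(tunnel.hosts())[0]:
        return "server-address"  # first host is the server's own tunnel IP (assumed topology subnet)
    return "ok"


def check_all(overrides, tunnel=TUNNEL_NETWORK):
    """Classify every override and flag host addresses used by more than one client."""
    results = {name: check_override(val, tunnel) for name, val in overrides.items()}
    by_ip = {}
    for name, val in overrides.items():
        if results[name] == "ok":
            by_ip.setdefault(ip_interface(val.strip()).ip, []).append(name)
    for names in by_ip.values():
        if len(names) > 1:
            for name in names:
                results[name] = "duplicate"
    return results


def ifconfig_push(value):
    """The OpenVPN directive a correct host address/mask override corresponds to."""
    iface = ip_interface(value.strip())
    return f"ifconfig-push {iface.ip} {iface.network.netmask}"


# Constructed sample overrides, one per client, as typed into the GUI field.
SAMPLE_OVERRIDES = {
    "client1": "10.3.101.10/24",  # correct: unique host address plus tunnel mask
    "client2": "10.3.101.0/24",   # the misconfiguration from the post
    "client3": "",                # blank: let OpenVPN assign dynamically
    "client4": "10.3.101.10/24",  # collides with client1
    "client5": "10.3.102.10/24",  # not on the tunnel network at all
}

if __name__ == "__main__":
    for name, status in check_all(SAMPLE_OVERRIDES).items():
        print(f"{name:8s} {SAMPLE_OVERRIDES[name]!r:20s} -> {status}")
    print(ifconfig_push("10.3.101.10/24"))
```

Only "ok" and "dynamic" results correspond to the working configurations shown in the screenshots above; "subnet-not-host" is the value that produces the intermittent data loss and subnet-shaped virtual addresses under Status > OpenVPN.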
This tends to be a common misconfiguration, and we hope that this step-by-step guide helps!
TNSR® SoftwareTip - TNSR Gets a Logging Upgrade!
Logging hosts are inundated with very critical information, completely irrelevant information, and everything in between. One request from the TNSR user community was to get more detailed logging information, filter it, and send it to a logging host.
TNSR software's improved logging allows system data to be retrieved using both the RESTCONF API and CLI. Results can now be filtered by category, service type, and date/time range. VPP logging now defaults to SYSLOG. TNSR logs can now be forwarded to remote logging hosts such as Splunk® as of the most recent TNSR release.
The TNSR show logging command will simply pour out the most recent log data, but you can use the optional priority argument to limit log message output to messages with the specified priority level and higher. The order of priorities is as listed above. For example, if you specify priority crit, the output will also include messages for alert and emerg priorities.
alert and emerg messages will most likely require that some kind of action be taken. This can be kicked off by RESTCONF API or via your logging host, such as Splunk. See Send Logs to Remote Host to learn about configuring remote logging in TNSR software.
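The "priority level and higher" rule above is the standard syslog severity ordering, and a remote logging host can apply the same threshold to what TNSR forwards. The following added example (not TNSR or Netgate code) parses the RFC 5424 PRI field of syslog lines into facility and severity, keeps messages at or above a chosen priority, and separates out the alert and emerg messages that are likely to need action. The log lines are constructed for illustration and are not real TNSR output.

```python
"""Filter forwarded syslog messages by priority, as a logging host would.

Added example, not TNSR or Netgate code. The sample lines below are
constructed; the PRI decoding follows RFC 5424 (PRI = facility * 8 + severity).
"""
import re

# Syslog severities, index 0 is the most urgent. "priority crit" keeps indexes 0..2.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Subset of standard facility codes, enough for the constructed sample.
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 16: "local0"}

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def parse_line(line):
    """Return a dict for a syslog line with a PRI header, or None if unparseable."""
    m = PRI_RE.match(line)
    if not m:
        return None
    try:
        facility, severity = decode_pri(int(m.group("pri")))
    except ValueError:
        return None
    return {"facility": facility, "severity": severity, "msg": m.group("rest")}


def filter_by_priority(lines, priority, facility=None):
    """Keep messages at the given priority level and higher (more urgent).

    Optionally restrict to one facility, mirroring a category filter.
    """
    threshold = SEVERITIES.index(priority)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SEVERITIES.index(rec["severity"]) > threshold:
            continue
        if facility is not None and rec["facility"] != facility:
            continue
        kept.append(rec)
    return kept


def needs_action(lines):
    """Messages at alert or emerg, the ones likely to require intervention."""
    return filter_by_priority(lines, "alert")


# Constructed sample, in the form a remote syslog receiver would see.
SAMPLE_LINES = [
    "<8>Aug 28 10:00:01 rtr vpp[1234]: emergency: example message",      # user.emerg
    "<9>Aug 28 10:00:02 rtr vpp[1234]: alert: example message",          # user.alert
    "<10>Aug 28 10:00:03 rtr vpp[1234]: critical: example message",      # user.crit
    "<11>Aug 28 10:00:04 rtr vpp[1234]: error: example message",         # user.err
    "<30>Aug 28 10:00:05 rtr sshd[77]: info: example message",           # daemon.info
    "<134>Aug 28 10:00:06 rtr app[5]: info: example message",            # local0.info
    "not a syslog line at all",
]

if __name__ == "__main__":
    for rec in filter_by_priority(SAMPLE_LINES, "crit"):
        print(rec["facility"], rec["severity"], rec["msg"])
```

Selecting `crit` keeps the emerg, alert and crit lines and drops everything from err downward, which is the behaviour the priority argument described above gives on the router itself.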
For more information on TNSR logging options, check out System Logs in our TNSR documentation.
In the Cloud
Did you know that Netgate offers pfSense Plus and TNSR software on the AWS and Azure marketplaces? You can choose to use the products on a “pay-as-you-go” (PAYGO) basis or subscribe to one- or three-year terms for a discounted rate. If you are looking for the maximum discount possible, contact us to discuss a private offer from Netgate.
Netgate Presents New Multi-Instance Management on AWS!
Join us for an exclusive live demonstration of our latest advancement: the Multi-Instance Management (MiM) controller running on AWS.
Netgate will present this demonstration on an upcoming episode of the AWS Howdy Partner program. Howdy Partner is a weekly Twitch series that highlights innovative solutions built by AWS Partner Network (APN) Technology Partners.
Do you need to protect your cloud workload or need to establish a secure VPN edge to cloud connection? See if pfSense+ or TNSR is right for you! We are happy to offer zero-cost Proof of Concept, or PoC, trials. The cloud platform credits your account for cloud resources associated with the PoC (certain limits may apply), and Netgate covers the cost of our products. Check out Try Netgate in the Cloud for more details and to get started!
End of Life and End of Sale Notifications
End-of-Life Announcement for Netgate 3100
Please be advised that as of October 2023, the Netgate 3100 has reached end-of-life status. Consequently, this model will no longer receive software updates, which could expose your network to potential security vulnerabilities as time progresses.
Upgrade Recommendations:
To maintain the security and performance of your network infrastructure, Netgate strongly advises upgrading to one of our newer models. Here are some recommended options for your consideration:
Netgate 2100:
With firewall throughput performance benchmarking at 964 Mbps for iPerf3 and 249 Mbps for simple IMIX, the Netgate 2100 is ideal for home or small business networks with throughput requirements of 1 Gbps or less.
Netgate 4200:
The Netgate 4200 is designed to accommodate networks with high throughput requirements. The unit supports firewall throughput of up to 8.61 Gbps with iPerf3, and 3.21 Gbps with simple IMIX, making it ideal for demanding network environments.
Upgrade Your Network Performance With the Netgate 6100:
For users of the Netgate 5100 or Netgate 7100 DT seeking enhanced performance and increased bandwidth, we recommend upgrading to the Netgate 6100. This model, equipped with pfSense Plus software, stands out as one of the most versatile security gateways in its category.
Key Features:
Processor: Powered by a Quad-Core Intel® Atom® C3558 CPU, ensuring robust processing capabilities.
Cryptographic Acceleration: Features integrated QuickAssist Technology (QAT), SHA - Intel Secure Hash Algorithm Extensions (Intel SHA Extensions) and AES-NI for enhanced performance of cryptographic operations.
Memory: Comes with 8 GB of LPDDR4 memory to support a seamless and responsive user experience.
Firewall Throughput Capacity: Delivers up to 9.93 Gbps with iPerf3 and 2.73 Gbps with simple IMIX. The 6100 is equipped with eight independent ports that include 1 GbE, 2.5 GbE, and 10 GbE configurations, offering flexibility for both WAN and LAN connections.
The Netgate 6100 is engineered to excel in high-performance networking scenarios, offering an optimal solution for organizations aiming to enhance and expand their network capabilities with efficiency and precision.
If you are currently utilizing the Netgate 7100 1U, we recommend considering an upgrade to the Netgate 8200 for substantial enhancements in performance and future-proofing. With dual 10 GbE SFP+ cages, the Netgate 8200 is equipped to handle both 10 Gbps optical and copper connections, ensuring robust connectivity and scalability for your network infrastructure.
We are pleased to announce the introduction of promotional codes to our Shopify store for exclusive discounts when TAC is added to our latest network appliances:
REFRESH2100
REFRESH4200
REFRESH6100
REFRESH8200
Promotion Details:
When you purchase any of the above models and opt for either TAC PRO or TAC ENTERPRISE support, your 12-month Technical Assistance Center (TAC) subscription will be extended by an additional three months at no extra cost. This extension will be applied upon shipment of your order.
Monthly Customer Highlights from PeerSpot
“pfSense offers very good flexibility. There are good plugins you can integrate into the software. We can use it for a firewall and to monitor internal traffic. We can do many things.
It's not very difficult to integrate and configure features. At the install level, using the wizard is very simple. As a firewall, it's easy. You can watch usage and target effectively. If I have difficulties or questions or I need to understand how something works, there are videos and tutorials.
We noticed the benefits of using pfSense pretty immediately.”
Our Premier Partner, IT and General, a UK-based company renowned for their specialist IT support, network security, and managed services, is dedicated to helping businesses optimize their IT environments. They recently assisted AIM Academies Trust in addressing their evolving IT needs using Netgate appliances with pfSense Plus software.
The Challenge
AIM Academies Trust was nearing the end of its contract with Smoothwall. While the filtering service from Smoothwall was satisfactory, the firewall component was not meeting their expectations. They required a more comprehensive, cost-effective, and straightforward solution to better serve their needs.
The Solution
After evaluating their options, the client chose the Netgate firewall with pfSense Plus, impressed by its simplicity, cost-effectiveness, and functionality that paralleled their previously more expensive options. Now, IT&G is helping them to implement this firewall solution across all of their three academies.
The Netgate Technical Assistance Center (TAC) provides technical assistance with pfSense Plus software & TNSR. Every Netgate Security Gateway and cloud instance comes with TAC Lite included. TAC Lite offers Zero-to-Ping assistance, ensuring a smooth setup and configuration. Zero-to-Ping assistance will get your Netgate appliance with pfSense Plus & TNSR software, AWS, or Azure firewall connected to the Internet and one client on the same network online.
In addition to TAC Lite, TAC Professional and TAC Enterprise levels are available for faster response times and a much wider variety of assistance topics. Regardless of support level, TAC is here 24/7/365 to help.
Netgate Holiday Schedule
As the holidays near, please be aware that Netgate will be closed on the following dates except for Technical Support. Considerations should be made for possible delays due to these closures:
September 2 - Labor Day
November 28 - Thanksgiving
November 29 - Thanksgiving
December 24 - Christmas Eve
December 25 - Christmas
Our 24/7/365 Global Support Technical Assistance Center (TAC) is fully staffed and operational for all holidays. The engineering, sales, manufacturing, and shipping teams will be off for the holidays listed above.
We Want Your Feedback
Thank you for subscribing to the Netgate newsletter, and for your continued support of Netgate and our products. We are always looking for ways to improve and value your feedback. If you have suggestions, please reply to this email, contact us, or send an email to mktg@netgate.com. You can also talk to us on social media, or visit our forum.
Netgate is a registered trademark of Rubicon Communications, LLC.
TNSR is a registered trademark of Rubicon Communications, LLC.
pfSense is a registered trademark of Electric Sheep Fencing, LLC.
OpenVPN is a registered trademark of OpenVPN, Inc.
Splunk is a registered trademark of Splunk, Inc.
Intel and Intel Atom are registered trademarks of Intel Corporation.
Other trademarks are the property of their respective owners.
Netgate, 4616 W Howard Lane, Suite 900, Austin, TX 78728, USA, +1 (512) 646-4100