Hmm. I see. So, that means if I upgrade to 25GbE flash system later then my OPNSense firewall also needs to be upgraded to 25GbE network or the speed will be capped?
Of course. For a firewall to do firewall things the traffic must pass through the device. In to one interface and out of a different one.
Devices connected to the same network via a switch will communicate directly with each other without any firewall having a say in the matter.
Umm, I don't know how to explain but it's like there is an OPNSense box (1GbE), two switches (10GbE main) and 25GbE secondary for main systems. So, my question is let's say I do a file transfer from the 25GbE switch but as the OPNSense box is connected to both switches, will the switch be limited to 1GbE despite the fact the secondary switch is 25GbE? If so, is there any way to bypass this speed but still have the firewall benefits?
All systems connected to the 25 G switch will be able to communicate at 25 G with each other. Assuming they have 25 G network interfaces.
All systems connected to the 10 G switch will be able to communicate at 10 G with each other. Assuming …
A system connected to the 25 G switch and another system connected to the 10 G switch will be able to communicate at 10 G with each other.
Only traffic going through OPNsense like in to one interface, out to another, will be limited to 1 G. So Internet access by any system will probably be limited to 1 G. Assuming you will use your OPNsense for your Internet uplink.
If you want to create a separate network for publicly reachable servers and another one for more trusted systems, and you use OPNsense for that, then the systems of each side of OPNsense will be limited to 1 G if the traffic crosses OPNsense.
The switch will of course not be limited to 1 G if you connect a single 1 G device to it. That would be ridiculous and is not how switches work.
HTH,
Patrick
Thank you for explaining. So, just the OPNSense traffic will be limited to 1G in my case and that's probably the internet and the switches will perform at their advertised speeds provided that they have the appropriate network interfaces on the system side. Did I understand it correctly?
First thing you have to understand is, that internal traffic will never even touch your firewall.
Your PC connected to a switch on VLAN1 (that is the default if you don't configure VLAN at all) and your TrueNAS on the same switch also on VLAN1, will directly communicate with each other. Traffic will not touch your firewall.
If you however have your PC on VLAN10 and TrueNAS on VLAN20, and set a firewall rule on your firewall that your PC is allowed to access TrueNAS on VLAN20, then all traffic would have to go through the firewall. Or you simply add the interface VLAN10 to your TrueNAS, so that TrueNAS is in the same VLAN as your PC and you again don't have to go through the firewall.
That hopefully explains why your PC can be connected with 25GBit/s with your switch, and the same for TrueNAS and they can communicate at 25GBit/s with each other, despite your OPNsense only having 1GBit/s. Since it is not touching your OPNsense.
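As an added illustration (not code from the thread), here is a small Python model of the topology described above: hosts in the same VLAN are switched directly, hosts in different VLANs (or the Internet) are routed through OPNsense, and the usable speed is the slowest hop on the path. The switch names, uplink speed and host list are constructed assumptions.

```python
from typing import NamedTuple

class Host(NamedTuple):
    name: str
    attached_to: str   # "sw25", "sw10", or "opnsense" for the WAN side
    vlan: int
    nic_gbps: float

# Constructed topology (assumed values, not from the thread): a 25 G switch uplinked
# to a 10 G switch at 10 G, and OPNsense hanging off the 10 G switch on a 1 G port.
LINK_GBPS = {frozenset({"sw25", "sw10"}): 10.0, frozenset({"sw10", "opnsense"}): 1.0}

def switch_hops_to_firewall(device: str) -> list[str]:
    """Switches traversed from an attachment point up to the firewall port."""
    return {"sw25": ["sw25", "sw10"], "sw10": ["sw10"], "opnsense": []}[device]

def flow_path(src: Host, dst: Host) -> list[str]:
    """Devices a flow passes through. Same VLAN: switched only, the firewall never
    sees it (and so cannot filter it). Different VLANs: routed, so the flow goes
    in one firewall interface and out another (or out to the WAN)."""
    if src.vlan == dst.vlan:
        return list(dict.fromkeys([src.attached_to, dst.attached_to]))  # dedupe, keep order
    up = switch_hops_to_firewall(src.attached_to)
    down = switch_hops_to_firewall(dst.attached_to)
    return up + ["opnsense"] + down[::-1]

def crosses_firewall(src: Host, dst: Host) -> bool:
    return "opnsense" in flow_path(src, dst)

def max_gbps(src: Host, dst: Host) -> float:
    """Bottleneck: the slowest of the two NICs and every inter-device link on the path."""
    path = flow_path(src, dst)
    speeds = [src.nic_gbps, dst.nic_gbps]
    for a, b in zip(path, path[1:]):
        speeds.append(LINK_GBPS[frozenset({a, b})])
    return min(speeds)

# Constructed hosts mirroring the question in the thread.
PC   = Host("pc", "sw25", 10, 25.0)
NAS  = Host("truenas", "sw25", 10, 25.0)          # same VLAN as the PC
NAS2 = Host("truenas-vlan20", "sw25", 20, 25.0)   # TrueNAS moved to VLAN20
SRV  = Host("server", "sw10", 10, 10.0)
WAN  = Host("internet", "opnsense", 0, 1.0)

if __name__ == "__main__":
    for a, b in [(PC, NAS), (PC, SRV), (PC, NAS2), (PC, WAN)]:
        how = "via OPNsense" if crosses_firewall(a, b) else "switched only"
        print(f"{a.name} -> {b.name}: {max_gbps(a, b):g} Gbit/s ({how})")
```

Only the PC to NAS2 case is subject to firewall rules; moving TrueNAS back into VLAN10 regains 25 G but also removes any policy enforcement between the two hosts.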
This just popped up in my YT feed, though it seems the change was made a couple of years back. Apparently it's no longer possible to just download a .iso (or .img) of pfSense. You instead have to go into the Netgate store and "buy" (for $0) the "Netgate installer," which requires a valid email, phone, and physical address. You can then download and boot the installer, which requires a live Internet connection to actually install.
If I didn't already have enough reason to avoid Netgate, I think this would do it; I don't even like iX asking for an email address to download TrueNAS, even though they let you skip it.
As long as the users put up with those types of shenanigans, don't expect the stupidity to stop?
However, it would not surprise me if the company legal department put them up to this, as it's entirely possible that pfsense landed on some ITAR list and hence even downloading the community edition needs to include a minimum of fig leafing re: compliance.
While the video is correct about the removal of the ISO downloads and the new installer, the video is not correct about Netgate buying pfsense. Netgate HAS ALWAYS been the maintainer of pfsense since it was forked from m0n0wall. Then OPNSense was forked from pfsense in 2015. Then as noted (showing the discussion in my forums) pfsense changed the installer.
That would be fair if true.[1] So why not say so? Of course, IP-based geoblocking would accomplish the same (legitimate) objective.
Right, the corporate enshittification of pfSense has indeed been going on for a very long time. They desperately want to be seen as an open-source project, but they don't want to act like one. It's kind of interesting to me that this is the straw that broke the camel's back for him, though; perhaps he just isn't aware of Netgate's former misdeeds.
Leaving aside the problem of needing to use a closed-source installer to install a supposedly-open-source OS, the idea doesn't greatly bother me: download a single installer, which in turn will install the latest CE or Plus version. It makes offline installation a bit of a problem, but you're likely to have Internet access on a pfSense box in any event, I guess.
But the data collection bothers me. You must give a name, email, phone, and valid physical address, to download the installer for something that's supposed to be open-source software. It's obvious why they want that information: they're going to use it for marketing, and/or they're going to sell it. But there's no legitimate reason for them to require it.
Been there, done that, got the T-shirt, literally. "This T-shirt is a munition."
I want to call out the low effort it took to invalidate this claim. I feel like people will go through the trouble of complaining but not even bother going to the web site, test putting in BS information, and getting the installer link. While YES, it does check to see if the address is real, you can put in ANY real address, such as Netgate's corporate address & phone number. And it does not have to email you the link, it gives you the link in the page.
…except that you did not invalidate it, though I admit I could and should have been clearer. You must provide a valid physical address. You're right that it need not be your physical address.
So, having established that you can use a real address that isn't yours, does it really affect the problem of Netgate demanding this information?
Given the trivial levels of verification being undertaken, it's borderline malicious compliance.
On which side of the border?
Is that SomeUser@Somewebsite.com the actual email you supplied? Because it seems to just check if it's proper email syntax, but not if it's even a valid domain.
Yes. Not sure how deep it does validation but that did work.
I was updating my password vault, and ran across an old pfSense forum account. Based on prior issues and the most recent installation problems, I decided to see if I could delete my account.
Well, that turned into a mess. Of course my password expired, so I had to reset it. Then, after logging in, it REQUIRED me to CONSENT to some data gathering for external use. Which I was forced to do before I could do ANYTHING else. So I did. This then let me delete my account, (and I updated my password vault to reflect that account is gone).
Don't ask me the details of that consent to "stuff", I was just clicking through… as I said, my account was going bye bye. (I don't use pfSense…)
Anyone looking for yet one more reason to not use pfSense, this could be the tipping point.
Be careful when you do things like that.
That domain is registered.
Hopefully you don't do the same with stuff that could result in data leaking out, or account takeovers if someone actually reads the emails sent.
