Thursday, July 2, 2020

PFSense And Brocade

For the small office, I still like the idea of the PFSense box by Netgate and a couple of Brocade switches.

Monday, June 22, 2020

Pfsense: DHCP And What It Won't Do

I always like to talk about what a firewall will do. But sometimes I have to talk about what a firewall won't do. Today, it's PFSense's day to get this kind of talk.
I have a lot of customers that run DHCP on the firewall. Right, wrong, or indifferent doesn't matter for this conversation. What does matter is that Pfsense will do DHCP for any directly connected network. What it won't do is DHCP for a non directly connected network. Is that a need for some people? Yes. Is that the firewalls job to do? It doesn't matter if that's what the customer wants. I personally wouldn't do it there, but in reality, it doesn't really matter. If the firewall goes down, you have bigger problems than DHCP.
So why doesn't PFSense do DHCP for non connected networks? I don't know the answer. What I do know is that other vendors, like Palo Alto and Sonicwall will do DHCP for non directly connected networks. It's not the end of the world, but just something to note.

Sunday, June 21, 2020

Sunday Thought: Evidence for Jesus Outside the Bible

I like evidence. Especially when it comes to my faith. You see, you can have faith and evidence of that faith at the same time. I recently reread the below and just wanted to share with anyone interested.

The below writing is direct from Delve Christian Ministries.  I can't recall when I got this, but it was online somewhere on their site. But credit goes to them for creating this material.

Evidence for Jesus Outside the Bible
Before we look at the evidence for Jesus outside of the Bible, it's important to pause for a moment
and examine how the books of the New Testament were chosen to be included. For the most part,
the books selected for inclusion into the Bible were those which were already widely circulated and
widely respected. There was very little debate at that time about most of the books, and there was
almost none about the Gospels. The four Gospels had already been in use for hundreds of years
by Christians everywhere. The process of selecting the New Testament was much less about
selecting which books to include, as it was about formally recognizing which books were already
widely accepted.
There were many other accounts of Jesus life which were never seriously considered for inclusion,
for by that time, it had already been recognized by most Christians everywhere that these books
lacked the authority and divine inspiration of scripture.

Other Gospel Accounts
This is important to note, for it is very frequently asked by non-Christians how it could be that only
four books were written about the life of such an important man. In fact, we know of dozens of
other books which have survived, and it's very likely that thousands of books were written about
Jesus in the first three centuries. The reason that almost everything we know comes from only four
books attests to the fact that the early Christians felt that these four books alone contained the
most vital information. All the other books did not survive simply because they were not as
important. In a very real sense, it was an example of 'survival of the fittest'. Those books which
had merit survived; those that did not were lost.
So, to begin, the first place we can look outside the Bible for corroborating evidence of Jesus' life
is to these extra-biblical gospels. There are dozens of these, mostly written between the second
and fourth century. Despite having titles such as 'The Gospel of Thomas', 'The Gospel Of Judas'
and the 'Gospel Of Phillip', these gospels were not written by any of Jesus' disciples, rather, they
are told from the perspective of that disciple, or are told by a descendant of that disciple.
From an historical, objective point of view, these books suffer from the same problem as the Bible
itself, which is whey were written by followers of Christ. What most people are looking for is
something objective, written by someone who was not a follower of Christ. For that we, look to
some early Jewish and Roman writings.

Josephus was a 1st century Jewish historian born in AD 37 who wrote a comprehensive history of
the Jewish people near the end of 1st century. In this book, he recounts the stoning of James,
calling him 'the brother of Jesus, who was called Christ.' This passage is considered by most
historians and scholars to be authentic and is not generally in dispute. This an important piece of
evidence which tells us that someone name Jesus actually lived in the first century and that some
considered Him to be the Christ.
Josephus wrote another passage which is more controversial. He wrote:
About this time came Jesus, a wise man, if indeed it is appropriate to call him a man. For he was a
performer of paradoxical feats, a teacher of people who accept the unusual with pleasure, and he
won over many of the Jews and also many Greeks. He was the Christ. When Pilate, upon the
accusation of the first men amongst us, condemned him to be crucified, those who had formerly
loved him did not cease to follow him, for he appeared to them on the third day, living again, as the
divine prophets foretold, along with a myriad of other marvellous things concerning him. And the
tribe of the Christians, so named after him, has not disappeared to this day
There is still much debate over the authenticity of this passage. The current consensus is that
Josephus did write something about Jesus here, but that later edits were made by a follower of
Christ. The parts in bold italics are those parts which are commonly believed to be later edits, for
there is evidence that Josephus was not a follower of Christ and would not have characterized
Him in this way. The description of Jesus as a 'wise man' and and 'teacher' are more consistent
with Josephus' style and vocabulary found elsewhere in his work, and are probably the actual
descriptions he used.

The Roman Historian Tacitus wrote of Jesus (whom he refers to as 'Christus') and the spread of
Christianity throughout Rome in his work Annals, approximately AD 116. He wrote:
Consequently, to get rid of the report, Nero fastened the guilt and inflicted the most exquisite
tortures on a class hated for their abominations, called Christians by the populace. Christus, from
whom the name had its origin, suffered the extreme penalty during the reign of Tiberius at the
hands of one of our procurators, Pontius Pilatus, and a most mischievous superstition, thus
checked for the moment, again broke out not only in Judaea, the first source of the evil, but even
in Rome, where all things hideous and shameful from every part of the world find their centre and
become popular. Accordingly, an arrest was first made of all who pleaded guilty; then, upon their
information, an immense multitude was convicted, not so much of the crime of firing the city, as of
hatred against mankind. Mockery of every sort was added to their deaths. Covered with the skins of beasts, they were torn by dogs and perished, or were nailed to crosses, or were doomed to the
flames and burnt, to serve as a nightly illumination, when daylight had expired
There is a great deal of important information in this passage. First, it confirms the life and death of
Jesus in Judea but even more importantly, confirms that his death was by crucifixion. According to
Christian scholar Edwin Yamauchi, this is an important piece of evidence because death by
crucifixion was the 'most ignominious death' and reserved for the lowest and most worthless
criminals. By Tacitus' own admission, people continued to followed Jesus despite his ignominious
death and were prepared to follow him even to the penalty of their own death. This account of the
faithfulness of early Christians by an unsympathetic witness is powerful testimony of the life of

Pliny The Younger
We also get an account of the spread of Christianity from a Roman provincial governor named
Pliny the Younger in A.D. 112. Though he does not speak of Jesus directly, he does recount that
Christians in his province cause trouble because they worship Christ and not the Emperor.
They asserted, however, that the sum and substance of their fault or error had been that they were
accustomed to meet on a fixed day before dawn and sing responsively a hymn to Christ as to a
god, and to bind themselves by oath, not to some crime, but not to commit fraud, theft, or adultery,
not falsify their trust, nor to refuse to return a trust when called upon to do so. When this was over,
it was their custom to depart and to assemble again to partake of food-but ordinary and innocent
food. Even this, they affirmed, they had ceased to do after my edict by which, in accordance with
your instructions, I had forbidden political associations.

Perhaps most controversial of all historical references is a possible reference to Jesus in the
Jewish Talmud. The passage speaks of someone who was 'hanged' because he 'practiced
sorcery' and 'enticed Israel to apostacy'. If this passage refers to Jesus, then it is an interesting
piece of evidence because it confirm Jesus' influence and that Jesus did perform miracles and
healing, though the Talmud attributes His power to sorcery rather than coming from God.

Thursday, June 18, 2020

PFSense: 1:1 NAT Configuration

Vendor documentation is really key to helping admins setup and configure, well, really anything.  You can say that about firewall vendors, network vendors, server vendors, etc.  One thing I always admired about Cisco was their documentation on how to configure different things.  I still believe they are one of the best at documentation.
PFSense has some decent documentation, but not always the most clear documentation.  1:1 NAT'ing is one of those things to me.  So I have outlined what you need to do for a 1:1 NAT'ing when you need access to an internal device from the Internet. 
Now first, I hate when people go into these long paragraphs of how things are supposed to work.  I just want the answer I'm looking for.  But, one thing needs to be clarified here.  1:1 NAT and Port Forwarding are two different things.  Port forwarding uses the IP address of the firewall interface to get to your internal traffic, via different ports you configure.  1:1 NAT uses an IP address on the same network as your WAN interface, but not the interface of the firewall itself.  Clear?
Ok, so in most firewalls, you generally need a couple of things to make getting to an internal device from the Internet happen.
1.  A NAT rule.
2.  A firewall rule.
In Palo Alto, Cisco, Check Point, SonicWall, etc, that's all you need.  However, in PFSense, there is one more thing you have to do to make this work.  Its called a virtual IP (under Firewall --> Virtual IP).  What you do with a virtual IP address is that you are telling the firewall that it needs to handle requests for an internal device you are trying to NAT to.  If you don't, the firewall wont respond to ARP requests made on the WAN side.  If you do add the virtual IP address that you want to use for the WAN IP address you want for your web server, etc, then it will respond to the ARP request and NAT your traffic through.  I verified this with a packet capture, so you can be sure you do need this.
So for a PFSense 1:1 NAT, you need the following:
1.  A NAT rule.
2.  A firewall rule.
AND 3. A virtual IP address that is the same as your WAN side NAT that you configured in #1.  (The subnet mask will be the same as your WAN interface subnet mask.)
Note that you can use this for port forwarding also. 

Wednesday, June 17, 2020

Palo Alto 820

Palo Alto has a really good firewall solution. These 820s are reasonably priced and work really well.

Tuesday, June 2, 2020

PBR (Policy Based Routing) And PFSense

I went to a customer site today where they had a Toshiba IP phone system that would not route but to only one destination (the default gateway).  But the need was to have certain traffic go out one internet connection (smtp) and the voice traffic out the other. So, I put a Netgate SG-1100 in to do the PBR and it worked great. Doing PBR on PFSense was easy and made sense for this customer. And yes, it's setup with only the LAN port. It's all they needed.

Monday, June 1, 2020


If you like the idea of homesteading, my brother does some pretty cool videos on his family journey into it. They are starting fresh, learning as they go, with a lot of interesting experiences along the way. Check them out.

The Little Orchard Farm

Saturday, May 30, 2020

What Kind Of Joy

I like music. Especially from my teenage years. The link below is to a song that I really like and haven't heard in years, until recently. I hope you enjoy it as much as I do.
What Kind Of Joy

Tuesday, May 26, 2020

The Truth About Firewalls

I had someone comment about a statement I made about PFSense and Sonicwall. I said that PFSense was a better firewall than Sonicwall. They said that was a bold statement. 
Well, if you look at the features and capability, it's just a simple fact. Dell doesn't like for me to say that. Well, I honestly don't care. If you don't like for me to tell the truth about your product, then make your product better. It's that simple. 
Is PFSense a perfect firewall and the best there is on the firewall list? No. But if it has more security features than another firewall and performs well, it's definitely recommended over the lesser.

Tuesday, May 19, 2020

PFSense: PFBlockerNG

I've been working with PFBlockerNG for URL filtering quite a bit lately, and I have to say it works pretty good.  What it does is that it blocks URLs (web filtering) based on DNS instead of a URL category. Yes, Squid does do URL categorization, but if you don't want to have to do anything on the client side for HTTPS inspection, then DNS filtering (so to speak) is a decent choice.  I'm not saying its perfect, but I do like it enough to use it.
I wont put up a "how to", as there are plenty of those out there for doing what you need to do.  Just know that I find it a good alternative to URL filtering.

Saturday, May 16, 2020


My apologies for not responding to comments and posting them. Somehow, Google Blogger didn't notify me that comments were being put on the Network Fun blog. I just went through them all last night and posted them for the last year or so. I'll try to go back and answer the questions as I can. For some reason, Google Blogger took my email address out. I fixed it, so I should get these notifications again. Take good care everyone.

Thursday, May 14, 2020

Instagram: OnTheRoadInternet

My wife does an Instagram account for one of the travel firewall and VPN services that we offer at White Rhino. Her Instagram handle is ontheroadinternet (on the road internet) if you want to see some good photography.