Computers and Tech

Goodbye pfSense, hello Untangle

After all my blogging about the wonders of pfSense, you’d think I’d stick with it…but I didn’t. Both my firewall and my mom’s have been moved to Untangle, and I regret neither. Now, don’t get me wrong – pfSense is still an EXCELLENT firewall that I thoroughly recommend for a number of reasons, which I’ll get to in a minute. However, Untangle works much better for my needs.

pfSense, pros:

  • much more lightweight
    • ‘embedded’ version runs off USB flash drive.
    • faster startup time.
  • faster, more simplistic UI.
  • deals with multiple static IPs better.
  • actually taxing the CPU and RAM is a bit of a project.
  • great SIP support; generates OpenVPN files for Yealink VoIP phones directly.
  • BSD-based (generally considered a better router distribution than Linux due to better TCP/IP performance).
  • firewall rules and NAT translation can be “Linksys simple” or “Sonicwall complicated”, depending on what you need.
  • the only paid things are support and “supporter” subscription; all functions included regardless.

pfSense, cons:

  • UI can be a bit confusing.
  • plug-ins are inconsistent with their operation and UI.
  • ad-blocking is a pain, and requires manual updates.
  • adding multiple physical interfaces to the same LAN segment is handled by NAT rules.
  • I wasn’t able to get Squid to do much good with transparent caching.

Untangle, pros:

  • beautiful, intuitive user interface.
  • very simple ability to assign network interfaces to LAN segments; changing them is a drop-down.
  • great reporting features.
  • the free modules are excellent:
    • ad blocking is great, and auto updates.
    • single simplest OpenVPN implementation I’ve ever seen (for desktops and laptops, anyway).
    • even the free virus scanning and spam options are quite functional.

Untangle, cons:

  • paid plugins aren’t clearly labeled until you try to install them.
  • …also, there are paid plugins. While the home version is pretty cheap ($54/year for everything), it gets pretty expensive, pretty quick if you aren’t a ‘home user’.
  • the free web filter picks the ‘wrong’ categories, in my opinion – filtering porn and gambling is free, but malware and torrent filtering is paid??
  • the network configuration area could be organized a bit better.
  • significantly longer startup than pfSense, and requires hard drive.
  • in my particular circumstance, Untangle will only boot in ‘safe hardware’ mode. I’ve had no issues with it, but an Optiplex 755 is pretty standard hardware.
  • distro relies exclusively on NAT for firewalling by default, though to be fair, the firewall plugin is free.
  • no geo-ip blocking capabilities (beyond making firewall rules out of IP blocks).


So, there you have it: two great distros.

Never get tech you can’t mod

I’ll flesh this out with more detail later, but the short version is that I bought a refurbed Linksys EA6900 for $89 at Microcenter – not bad for an AC1900 router, since the Tenda version is $99, and the name brand units tend to be $150-$300. Of course, Linksys still hasn’t learned to make firmware that doesn’t suck, and amongst the reasons this router was so cheap was the fact that it’s got a bootloader issue that caused issues for a lot of people – indeed, I was getting about 600KBytes/sec of throughput with it, which was a huge downgrade from my Asus RT-N56U. Turns out, some enterprising modders managed to patch the bootloader, and in a bizarre moment of win, managed to put the “Merlin” firmware on it, making it work very similar to the Asus unit I’d discarded. Well, that worked just fine for the 2.4GHz band, but not the 5GHz band, which would throw up no matter how I set it on my laptop. So, another firmware flash and minor reconfig later, and I have Tomato running on this router, which is faster than anything I’ve run before, has loads of wonderful features, and gives me the dual band functionality I need. I was hoping to get the WRT1900 in the box, but this unit with Tomato is most definitely a great piece of SOHO networking hardware.

Links and stuff to follow…

“Because I Can” vs. “Because I Should”

A client at work had me build him a home media server. The client asked that I, specifically, build the server for him, and that it be a built machine, rather than a purchased one. Why? Because he knew that I’m the kind of person who still prefers a customized, built computer over an off-the-shelf Optiplex with a four terabyte hard drive hanging off the USB port…but then again, he’s the kind of chap who is just fine with spending four figures on a computer that doesn’t have a glowing fruit on it.

My boss and I have a different relationship with Sonicwall routers – he swears by them, and I swear at them. I’ve become a fan of pfSense as of late. It’s what lives at my house, and at least one of my dear readers also has one – not that she’s consciously aware of it in any meaningful sense, but that was one of its selling points. The problem with pfSense is that it’s generally intended for installation on whatever hardware you’ve got lying around…which is nice for people like me who have old Optiplex desktops camping out doing nothing, but less of a bargain for people who would need to buy things.

I’ve got somewhere I may need to install a rack-mountable router, which has got me looking into doing a custom build for the project. I was happiest with a $600 build I spec’d out today on Newegg, but given that pfSense sells rack mountable, supported iterations of their firewall for $800, it’s not exactly a huge money saver in the context, and the money that’s saved is lost by the fact that their device takes 8 watts of power when running, whereas mine takes closer to 100W. On the flip side, mine was engineered for silence, there’s no way my build doesn’t run circles around them in raw performance, and it’s trivial(ish) to migrate between pfSense, Untangle, and Smoothwall with nothing more than an hour’s time and an external CD drive.

But there’s a reason I filed this under ‘Philosophy and Faith’, in addition to ‘Computers and Tech’ – I started to think beyond the build, and into the bigger questions involved. There was a scene on The Big Bang Theory several seasons back, where the guys were experimenting with home automation in a manner that involved sending a signal around the world to turn on a lamp. When Penny walks in and asks why they would do something that ridiculous with literally no advantage over a simple light switch, their answer, in unison, was “because we can”. They said it in such a matter-of-fact way that it gave the sense that such an answer should have been as obvious to her as it was to them. Although I’ve never done that sort of project, I’ve got my own portfolio of things I’ve done under the heading “because I can” – I’d argue that “installing pfSense at home” would reasonably fall within that category, when there was nothing technically wrong with my Asus RT-N56U that’s still serving as an access point.

For an organization who will never need the gargantuan amount of throughput that will be happily shuffled around via pfSense on a custom build that’s at cost parity when power usage is factored in, why am I pursuing a custom build? Is it because I’m treating it like a grown-up Lego set? Is it because of a desire for the sense of personal investment? Is it because I prefer the responsibility of keeping hardware running over the perceived safety of having that task handled by a third party? Has my deep-rooted hatred for Sonicwall, combined with my luck-of-the-draw experience with calling tech support, given me the default stance of “I want something I can fix, because nobody else will”?

Or, maybe the fact that I refuse to be dependent on a third party is the reason I am good at what I do. Perhaps there is value in the de facto requirement that I alone be responsible for its upkeep. Maybe my sense of security comes from the fact that a showstopping problem on a custom built pfSense appliance could be rectified with a set of procedures that start with “install Untangle”, “install SmoothWall”, or “install Endian”.

Then again, perhaps “because I can” is a phrase that doesn’t make sense to most people, for the sole reason that, for the majority of people, “building a custom made router” is not a task that falls into that category.

My first rant…

Whoever designed Sonicwall devices, and thought they were a good idea, needs to spend a year in Gitmo. After that, they need to go back to first grade for a year…but with an old-school Catholic nun with a ruler in her hand and a trigger finger. Once they graduate from first grade again, they must go back to high school for the math chapters in logic, they must join debate team (and win a championship somewhere), and they must go through Professor Maurer’s critical thinking class. Then, they need to spend some time with the folks over at pfSense, taking copious notes on how to make a useful UI, and take every word they say as if it was spoken by God Himself. Then, and only then, will they be granted the privilege of being allowed to pay for their sins by rebuilding the Sonicwall UI, from the ground up.
The final test will be to give them a week to show their first grade class (now third graders) how to configure a Sonicwall. If they finish their tutorial, and not one of the students can figure it out, the process repeats again.

I have spent far too much time this weekend reconfiguring Sonicwall devices and it’s starting to get to me.

</rant>

#ThrowbackFriday

Why thirteen-year-olds shouldn’t be allowed on the internet:

I NEED CHANNELWOOD HELP!!!!!

I STILL NEED CHANNELWOOD HELP!!!

And yes, that thirteen-year-old was me. This, dear readers (all four of you), was me, on Usenet, back in 1999. At the time, my dad and I shared an e-mail address, and Outlook Express for Windows 95 was also set up for Usenet access (thank you, Suffolkweb!), which helped me get through the game Myst. All caps, lots of exclamation points, and plenty of obnoxiousness in the posts. I was terrible at internet communication back then. Luckily, just a few things have changed…

Side note: if you’re going back in the Google Groups to the point where your browser crashes, check out the excellent NoScript plug-in for Chrome or Firefox. Google Groups will give static HTML links with zero window dressing, 20 at a time. You can jump ahead by tweaking the numbers in the address bar, as long as they’re exactly 20 apart. It’s ugly, but the ‘next’ buttons load *instantly*.

Dear Canon

Dear Canon,

I generally love your printers. Your copiers are a different story. In addition to being problematic when emailing via SSL on non-standard ports, it’s 2016…and changing the IP address requires a full restart of the copier, a problem solved by Windows in 1999. Firmware updates, please!

Altaro’s ‘Gotcha’

A client at work has had an issue with the Windows Server Backup application destabilizing his server. I’d like to actually poke around and resolve the issue, but with the time factor involved, I decided to try out the excellent Altaro backup program. It’s pretty, it’s intuitive, and given that he only has two virtual machines, the free version perfectly fit his needs…or so I thought.

Protip for everyone: “Offsite Backups” are one of the features that are not included in the free version. Initially I thought that statement simply referred to WAN-based file transfers, but it apparently also applies to hard disk rotations, so if you use multiple hard disks for backup, you’ll be stuck getting the paid version. That being said, at $395 for the standard version, it’s one of the least expensive server backup programs available.

…Spreadsheets are no better.

So, I’m certain you’ve read my prior post regarding how shopping for self-hosted chat/collaboration software is a pain, right? Well, browser-based office suites aren’t much of a picnic, either…

OnlyOffice was my frontrunner, even if it did require 6GB of RAM on my server. Yes it’s shiny, yes it’s got a Linux base to it, yes it does users and groups and has a web server and a database server powering it…but Lotus 1-2-3 required 192K of RAM (yes, Excel had a predecessor that single-handedly transformed desktop computing, you young whippersnapper), so a thirty thousand fold increase in RAM requirements would understandably seem a smidge excessive…but even with eight CPU cores and 8GB of RAM allocated to it, the software *lagged*. Not just ‘a smidge sluggish’, I mean ‘one-minute-per-page-load’ sluggish. I want to try it on my laptop at some point, but I’d rather rant on my blog at the moment. Suffice it to say, OnlyOffice didn’t last long.

FengOffice was my next attempt. It had a slim installation, ran just fine in 1GB of RAM, simple interface, good administration…and a patent inability to use relative URLs. Thus, it kept trying to direct me to 192.168.0.146, even when I accessed it externally through an opened port and used a dynamic DNS address. I went so far as to reinstall it using the DDNS URL when prompted…but even then it did a reverse DNS and forced itself to be tied to the external IP address, rather than the URL, which made no sense…something that further astounded me when I did a port 80 redirect. So, Feng is great for internal use, but external use clearly requires a static IP. We’re working on that.

eGroupWare seemed to have a spreadsheet module involved…but it didn’t…and I think the people who made the software went out of their way to make it as ugly as conceivably possible. Now, to be fair, their installation process was all of three cut-and-pastes on a plain Debian install, so props to them for having the simplest installation here (Really, OnlyOffice? Creating an OVA or including a VMDK file in the zip archive was *that* hard?). While Lotus 1-2-3 may have been the spreadsheet that brought a computer to every desk, eGroupWare brought flashbacks of Lotus Notes…and if you’re blissfully unaware of what it’s like to use Lotus Notes, thank your IT department for showing you love and care and concern and respect.

ZK Spreadsheet Server is what I’d love to go with…if I could. It’s a one trick pony that is *beautiful*…I mean, it is the most visually appealing spreadsheet software I’ve ever used. Every useful thing that Johnny Ives has ever said was distilled into what would make this software be desirable to use, and then implemented perfectly, with no middle management getting in the way. Moreover, the Windows installation couldn’t be simpler – a single executable Installshield wizard that installs a service that has a small config panel. Couldn’t be simpler. Unfortunately, Mr. Ives clearly had no say over the website. The site indicates that the download is simply an evaluation, but nowhere does the website list a price, or have a ‘buy now’ button, or anything to that effect. I have no idea how much this thing actually costs, or how it’s licensed. Also, there didn’t seem to be any way to assign users and groups, so a login ends up being a direct path to making a spreadsheet…not the best for security.

I probably should have spent the last six hours editing and uploading the podcasts and just using our access to Excel Online via our free Office365 subscription.

But where’s the fun in that?

The devolution of web design, and frustration with chat software…

First and foremost, happy new year to everyone. Here’s to hoping that 2016 isn’t as bad as 2015…I mean, let’s be real – for 2015, Dave Barry didn’t even have to try.

That being said, it’s time for a rant.

I’m looking to get some form of chat/collaboration software up and running for a church where I do some tech work. There’s a relatively new trend in web design that’s quite annoying: the single scrollable site. Part of the problem is that no one actually puts any content on sites like this; it’s just some shiny graphics and a vague sentence or two. So, when I land on one of these hipster pages, it tends to inform me that it’s not the product I’m looking for.

As most of you know, I’m a bit old school, so data lives on my servers, period…except for e-mail in this one particular case, because when Microsoft offers free hosted Exchange for nonprofits, there’s no conceivable way to argue that. Here’s the list of products I’ve looked into so far…

Skype for Business: quirky, its integration features aren’t what they should be, desktop installs aren’t as streamlined as they could be, having issues with the mobile app.
Trillian for Business: won’t give me a price on their website for the self-hosted version.
Convo: won’t give me a price on their website for the self-hosted version.
HipChat: wants $1,800/year for 25 users, for software that lives on my server…but $600 for the version that they host? How is it triple the price to *not* deal with the infrastructure?
Unison: won’t give me a price on their website for the self-hosted version.
Campfire: ‘meh’ product, no self-hosted option.
Glip: No self-hosted option.
Brosix: Not the prettiest UI and no self-hosted option, but at $1.70/user/month, if we’re stuck going for a cloud-based option, they’re in the running.
OpenFire: Requires third party mobile app; XMPP-only protocol would require a lot of work to secure properly, browser-based UI hasn’t been updated since 2008.
MatterMost: Promising, but relatively lengthy install process and mobile apps are still pending.
Rocket.Chat: This was the one that I was really, REALLY hoping would do the job – it’s free (love the price!), self-hosted (love the control!), runs on Linux (love the freedom!), and took about half an hour to spin up – incidentally, it was the first time I’d ever used a Docker container. However, I ran into two problems: first, the mobile apps wouldn’t work properly. Second, user accounts are backwards: anyone can go to the login page and create an account, and the admin user can’t create users or groups. I need the opposite – to be able to create users, and only users I create can log in. So, that got put on ice until they get all that stuff worked out.

I also configured Yammer, until I realized it was just a private Facebook with no real-time chat capabilities. Same for eXo.


And this, friends, is how I spend my New Year’s Day…because this is the cost of being old school.

pfSense Adblocking tutorial

This is more a bookmark for me than anyone else. I’m torn on the topic of ad blocking. I do want to support websites that provide useful content, but at the same time, I’ve seen far too many misleading and malware-laden ads on reputable websites to not have my guard up. I’ve got a pfSense box up at my house, as well as my mom’s, and two parents who are far more likely to erroneously hover over a malicious ad than buy a product based on an ad (though I must say, I’ve never actually had to do a major malware cleaning on either of their computers so far). My greater concern is for them, so ad blocking is something I am okay with.


Thus, I shall implement this at my next opportunity:
https://forum.pfsense.org/index.php?topic=19756.0

I look forward to the task. Now if only I could find a tutorial for having a pfSense box create multiple isolated LANs…
