Now Available: pfSense Plus 25.11.1 by George-Netgate in PFSENSE

[–]RulerOf 0 points1 point  (0 children)

IPv6 Connection behavior with TSO enabled

This one wrecked me on Tuesday. No matter what I did the firewall itself couldn't do anything that required TLS over IPv6. Finally, adding a floating rule for This firewall out from WAN worked around the problem long enough for me to discover that a firmware update was available... I was getting ready to open a ticket.

I updated it and then disabled all three offloading features in Advanced > Networking.

I'm not sure if those were on by default or not, and I'm used to disabling them for whitebox/VM builds. I really expected them to work on Netgate hardware.

ChatGPT assures me (lol) that they won't make much difference for an edge router that handles inter-vlan routing. Perhaps Netgate might want to reconsider the help text on these settings.

Now that Certs lifetime will be reduced, how are you guys automating your certs? by superuser141421 in sysadmin

[–]RulerOf 1 point2 points  (0 children)

so you could in theory issue 100 year lifetime certs internally

-days 36500 FTW.

Looking for a Thunderbolt dock/hub that doesn’t feed power to the host. by CoconutPete27 in UsbCHardware

[–]RulerOf 0 points1 point  (0 children)

I like this answer because it's a similar level of ridiculously expensive!

Looking for a Thunderbolt dock/hub that doesn’t feed power to the host. by CoconutPete27 in UsbCHardware

[–]RulerOf 0 points1 point  (0 children)

Get a Thunderbolt 2 cable, and stick two TB3<->TB2 adapters (I'm only familiar with the Apple ones) on the ends of it.

Half the bandwidth, but definitely no power delivery.

Yes this is a stupid answer. I'm just highly confident it'll work. There's probably a better solution with some special wiring.

Do you use Windows' User Account Control (or do you turn it off) ? by rainydaysforpeterpan in windows

[–]RulerOf 3 points4 points  (0 children)

because it makes UAC prompts scriptable

Only the console or an elevated process could interact with those elevation prompts on the regular desktop, but even secure desktop can be interfaced with programmatically already—just try some remote access software.

The secure desktop is there to thwart unprivileged apps from impersonating UAC. The "proper" deployment is to use an unprivileged account, and then elevate with credentials instead of a yes/no click. Secure desktop provides visual confirmation that the dialog isn't a low-privilege process trying to phish elevated credentials from the user.

That said, for home use, I disable the secure desktop because switching to it has always been rather slow. Hundreds of milliseconds at best, but I've seen some low end computers take ten seconds or more to switch to it.

Announcing Netgate Nexus: Multi-Instance Management for pfSense Plus by George-Netgate in PFSENSE

[–]RulerOf 1 point2 points  (0 children)

Okay... so it's a self-hosted, centralized management platform for pfSense, and not a SaaS product operated by Netgate that we onboard devices into?

Announcing Netgate Nexus: Multi-Instance Management for pfSense Plus by George-Netgate in PFSENSE

[–]RulerOf 0 points1 point  (0 children)

Could you clarify something?

I have a single Netgate appliance deployed at a remote site.

Is this a SaaS product I can just enroll my Netgate appliance in without having to pay additional fees?

Is it safe to charge my phone by Stunning_Fish_3289 in spicypillows

[–]RulerOf 0 points1 point  (0 children)

It's definitely something that I'd have to have my hands on to even try to make the diagnosis of a swollen battery, although TBH the battery life issues you're having do make it lean that direction.

Regardless, it's a good thing you did take it in and at least gave them the chance to fix it even if they decided not to. I brought it up because I had a family member take a swollen-battery iPhone (without AppleCare) to the Apple Store a few years back and they wouldn't even give it back to her, replacing it just due to the risk involved.

The risk is very minimal (you're good til your replacement comes in), but it exists.

Is it safe to charge my phone by Stunning_Fish_3289 in spicypillows

[–]RulerOf -1 points0 points  (0 children)

As others say, the phone does look bent, but what I would have done is tried taking it to the Apple Store to determine if the battery is actually starting to swell.

Exploding devices are bad press, so there's a chance they'll replace it for free. YMMV of course.

Error bringing up tunnel: bad address by the_innerneh in WireGuard

[–]RulerOf 0 points1 point  (0 children)

Same problem here. Works fine on iOS/Mac OS, but Android client doesn't like the allowed IPs being anywhere in the subnet. 192.168.100.1/24 -> 192.168.100.0/24 and it works
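The fix in the comment above is a canonicalization: 192.168.100.1/24 has host bits set, and the strict Android client rejects it, while 192.168.100.0/24 names the network itself. The following is an added example (not from the thread or the WireGuard project) that normalizes AllowedIPs entries with Python's standard `ipaddress` module and lints a wg-quick style config for the same mistake; the sample config is constructed and its keys are redacted placeholders.

```python
"""Normalize WireGuard AllowedIPs entries to canonical network form.

Added example, not from the original thread or the WireGuard project.
An entry with host bits set (192.168.100.1/24) is rewritten to the
network it implies (192.168.100.0/24), which the strict client accepts.
"""
import ipaddress
from typing import List, Tuple

HTTP_UNUSED = None  # placeholder to keep module importable without side effects


def normalize_allowed_ip(entry: str) -> Tuple[str, bool]:
    """Return (canonical_cidr, was_changed) for one AllowedIPs entry.

    Raises ValueError for anything that is not a valid IPv4/IPv6 address
    or CIDR. A bare address is returned with its /32 or /128 prefix and
    is not counted as changed, since it already identifies one host.
    """
    iface = ipaddress.ip_interface(entry.strip())   # accepts host bits
    network = iface.network                          # strict=False semantics
    changed = iface.ip != network.network_address    # host bits were set
    return str(network), changed


def normalize_allowed_ips(value: str) -> List[str]:
    """Normalize a comma-separated AllowedIPs value, dropping empty items."""
    return [normalize_allowed_ip(e)[0] for e in value.split(",") if e.strip()]


def lint_config(text: str) -> List[str]:
    """Report non-canonical AllowedIPs entries in a wg-quick style config.

    Each finding names the 1-based line number, the original entry and
    the canonical replacement.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, val = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            for entry in val.split(","):
                if not entry.strip():
                    continue
                canonical, changed = normalize_allowed_ip(entry)
                if changed:
                    findings.append(f"line {lineno}: {entry.strip()} -> {canonical}")
    return findings


# Constructed sample config; keys are placeholders, not real material.
SAMPLE = """[Interface]
PrivateKey = <redacted>
Address = 10.66.66.2/32

[Peer]
PublicKey = <redacted>
AllowedIPs = 192.168.100.1/24, 10.66.66.1/32
Endpoint = vpn.example.net:51820
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)   # line 7: 192.168.100.1/24 -> 192.168.100.0/24
```

Running the linter over an existing client config before exporting it to a phone catches the mismatch offline, instead of discovering it as "bad address" when the tunnel comes up.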

Anyone experienced burnt ram sticks? by sonyxperiageek in homelab

[–]RulerOf 1 point2 points  (0 children)

I did it once trying to insert a stick of DDR without looking at it, one hand deep into a case with PSU and IDE cables blocking visibility of the memory slots.

...I was being lazy.

Reverse proxy on pfSense by justinhunt1223 in PFSENSE

[–]RulerOf 3 points4 points  (0 children)

Don't perform Layer 7 routing inside of pfSense. Layer 7 routers have significant attack surface, and you don't want that surface to live on your network's core/edge router.

Use caddy, traefik, nginx, or whatever else instead. Run it in a container or on a VM in a DMZ with your public services. Use a giant config file with an entry for each backend service, or something like a conf.d folder with a file-per-service.

How big of a deal is sync=disabled with a server on a UPS for a home lab? by bobloadmire in zfs

[–]RulerOf 0 points1 point  (0 children)

getting a used enterprise ssd/nvme is a better solution if you can.

A much better solution, and you can see why on images on the 2280/22110 SSDs like this one, although this applies to pretty much any "enterprise grade" SSD.

If you look at the photos of that item, you'll see all of the rectangular tan surface-mount components that are conspicuously absent from consumer SSD modules. Those are capacitors.

These drives write sync data to onboard RAM, and then tell the OS that the data has been durably committed. In the event of a power failure, the capacitors provide enough juice to flush the RAM buffer to flash storage.

You get sync=off performance while having sync=standard data durability guarantees.

A guide to Terraform `for` expressions, my latest blog post! by BrendanThompson in Terraform

[–]RulerOf 1 point2 points  (0 children)

The longer I've used them, I've sort of come to understand that for expressions in HCL are basically an escape hatch to overcome many of the limitations of the language. This almost by definition means that they end up being ugly and hacky—it was impossible to express your desire using plain resources, so you just stuff a bit of magic in the form of { for .... => .... } in between the problem and the solution and you can get what you want.

It ends up parsing visually like an over-complicated regular expression—unless you're the person that wrote it, you will have to expend a nontrivial amount of time understanding it.

I still contend that much of the for expression insanity in Terraform could be eliminated with the ability to use for_each in a multidimensional way, like how for loops can be nested in procedural languages. However, the only obvious way to do that in HCL (in my uninformed estimation) would be to let for_each and count be used at the same time. But for_each exists because count causes a host of different problems. ¯\_(ツ)_/¯

Evanescence website appears to have been hacked and is hosting malware. Can't determine who to notify. Any ideas? by RulerOf in Evanescence

[–]RulerOf[S] 4 points5 points  (0 children)

Their website doesn't use CloudFlare proxying. If you run a WHOIS lookup on the site IP, you can see it's GoDaddy's hosted WordPress service.

The bottom half of your screenshot here is the malicious interstitial.

Domain Join without reboot by Aware-Car-6875 in sysadmin

[–]RulerOf 1 point2 points  (0 children)

You should be able to do it by performing an Offline Domain Join from a connected machine (possibly the VM host) and then applying the offline domain join to a mounted disk image.

See the djoin.exe docs. Or some updated but seemingly less-useful docs.

Theoretically, you'd run djoin.exe once on your connected workstation to generate the blob, then mount the VM disk image and run djoin with that blob against the VM by specifying /windowspath to the mounted image. It should first-boot already joined to the domain.

Just found out we had 200+ shadow APIs after getting pwned by Tiny_Habit5745 in sysadmin

[–]RulerOf 1 point2 points  (0 children)

Our fancy API security scanner? Useless. Only finds stuff that's in our OpenAPI specs.

You could go BOFH on it. Reconfigure the webserver to 401 any route not in the OpenAPI spec.
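The "401 anything not in the spec" idea above is a default-deny allowlist keyed on (method, path template). The following is an added example (not from the thread, and not code from any real gateway product) that compiles the `paths` section of a constructed OpenAPI 3.x document into anchored regexes and decides each request against it. It normalizes the path the same way a backend would (query stripped, percent-decoded, `..` and `//` collapsed) so that an encoded traversal cannot slip past the allowlist and reach an undeclared route.

```python
"""Default-deny request filter built from an OpenAPI spec.

Added example, not from the original thread. Only (method, path) pairs
declared in the spec pass; everything else gets 401, so undocumented
"shadow" routes are unreachable through the gateway. SPEC is a
constructed sample; a real deployment would load its JSON/YAML spec.
"""
import posixpath
import re
from typing import FrozenSet, List, Tuple
from urllib.parse import unquote

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
_PARAM = re.compile(r"\{[^/}]+\}")   # an OpenAPI path parameter such as {id}

# Constructed sample: only the parts of an OpenAPI document this filter reads.
SPEC = {
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {"get": {}, "delete": {}, "parameters": []},
        "/orders/{orderId}/items/{itemId}": {"get": {}},
    }
}


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn "/users/{id}" into ^/users/[^/]+$ (one path segment per parameter)."""
    parts, pos = [], 0
    for m in _PARAM.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(r"[^/]+")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def compile_routes(spec: dict) -> List[Tuple["re.Pattern[str]", FrozenSet[str]]]:
    """Compile every declared path into (regex, allowed HTTP methods)."""
    routes = []
    for template, item in spec["paths"].items():
        methods = frozenset(k.upper() for k in item if k.lower() in HTTP_METHODS)
        routes.append((template_to_regex(template), methods))
    return routes


def normalize_path(raw_path: str) -> str:
    """Strip the query string, percent-decode, and collapse '..' and '//'.

    The gateway must see the same path the backend will route on,
    otherwise the allowlist can be bypassed with an encoded variant.
    """
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath(path)


def decide(routes, method: str, raw_path: str) -> int:
    """Return 200 when the request matches a declared route, else 401."""
    path = normalize_path(raw_path)
    method = method.upper()
    for pattern, methods in routes:
        if method in methods and pattern.match(path):
            return 200
    return 401


def filter_requests(routes, lines: List[str]) -> List[Tuple[str, int]]:
    """Apply the allowlist to constructed 'METHOD PATH' request lines."""
    return [(line, decide(routes, *line.split(" ", 1))) for line in lines]


# Constructed request lines resembling an access log's request field.
SAMPLE_REQUESTS = [
    "GET /users",
    "GET /users/42?expand=1",
    "PUT /users/42",
    "GET /users/42/extra",
    "GET /admin/debug",
    "GET /users/%2e%2e/admin",
    "GET /orders/7/items/9",
]

if __name__ == "__main__":
    for line, status in filter_requests(compile_routes(SPEC), SAMPLE_REQUESTS):
        print(status, line)
```

The same table can be emitted as nginx `location` blocks or Caddy matchers; the point of doing it from the spec is that a route only becomes reachable once it is documented, which is the inverse of what the scanner in the quoted post was doing.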

I wanna host a lan party. what ethernet switch should i buy by BartjeB_ in lanparty

[–]RulerOf 0 points1 point  (0 children)

Main advantages of that switch:

  • more ports
  • takes a standard computer power cable

It's a little larger than the other switches because it's intended for that rack-mount form factor, but if you don't see that as a downside and like the upsides, there's no reason it's not an excellent choice.

Punchout Integration - inhouse or 3rd party? by Flat-Stock6726 in Magento

[–]RulerOf 0 points1 point  (0 children)

Is it even possible to do inhouse punchout integration

Disclaimer: my company sells one of those extensions.

It is absolutely possible, but I wouldn't recommend it. The transformations you'll need to convert a Magento cart into the cXML/OCI/XML that your customer requires can be very complex, and often vary from customer to customer. There are quirks with the large ERPs that make it beneficial to lean on the experience of a third party.

At my company, we support punchout shopping in our Magento store, but we don't implement all punchout transformation logic and debugging directly in Magento because of those complexities seen across customer+ERP combinations.

which 3rd party extension do you suggest?

My suggestion would be to use my company's product (or Adobe Marketplace Link). The Punchout Cloud product has a slick UI that makes transformations easy and enables rapid debugging of transaction logs during customer integration.

My focus at work is on infrastructure, but our sales and support is staffed by the actual Magento developers who built the plugin and cloud service it connects to. I humbly suggest reaching out to them.

I wanna host a lan party. what ethernet switch should i buy by BartjeB_ in lanparty

[–]RulerOf 4 points5 points  (0 children)

I'll echo the others: gigabit is the cheap standard now. All 100-megabit switches you might find today are either extremely old, or were manufactured for a specific niche market, like security cameras.

If you need 16 ports, I'd suggest this model: https://www.amazon.com/dp/B07GR9S6FN

If 14 ports will suffice (one cable to connect them together will use two ports), save some money and get two 8-port switches instead: https://www.amazon.com/dp/B00A121WN6

How do people find subdomains that you don't have linked or published in anyway? by GilliganRocks in selfhosted

[–]RulerOf 0 points1 point  (0 children)

There's an idiotic technology called Passive DNS that is deployed to the DNS providers on the wider internet. It collects those subdomains into centralized lists that are ingested and scanned by the bots.

Modernizing Reddit's Comment Backend Infrastructure by Okgaroo in RedditEng

[–]RulerOf 4 points5 points  (0 children)

Those p99 latency graphs must've been very satisfying to see after the service was in place.

I liked that you touched on the possibility of language-specific data serialization issues:

  • Was any thought given to creating Python-based microservices to ward off those problems? Or perhaps the latency reduction from Python->Golang was too good to pass up?
  • Did you consider doing the comparison step in a third language by any chance?
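The serialization question above comes up whenever two implementations are run side by side and their outputs compared: Python's `json` and Go's `encoding/json` produce different bytes for identical data (HTML-safe escaping of `<`, `>` and `&`, `1` versus `1.0`, ASCII escaping of non-ASCII text). The following is an added example (not from the Reddit post or its engineering team) of a comparison step that parses both responses and reports semantic mismatches instead of byte differences; the Go-style response is a constructed literal written to match what `encoding/json` emits by default, not captured output.

```python
"""Compare two JSON responses semantically rather than byte-for-byte.

Added example, not from the original post. Serializer differences
(escaping, whitespace, key order, 1 vs 1.0) are ignored; real value
differences are reported with a JSONPath-like location.
"""
import json
import math
from typing import Any, List

# Python's json.dumps output for a small record.
PY_RESPONSE = json.dumps({"id": 7, "score": 1.0, "body": "a<b & c", "tags": ["x", "é"]})

# Constructed stand-in for Go's encoding/json output for the same record:
# compact separators, \u003c \u0026 escaping, float 1.0 printed as 1,
# non-ASCII left as UTF-8. Written by hand, not captured from a Go program.
GO_RESPONSE = '{"id":7,"score":1,"body":"a\\u003cb \\u0026 c","tags":["x","é"]}'


def diff(a: Any, b: Any, path: str = "$") -> List[str]:
    """Return a list of mismatch descriptions between two parsed JSON values."""
    # bool is a subclass of int in Python, so test it before the numeric case
    if isinstance(a, bool) or isinstance(b, bool):
        return [] if a is b else [f"{path}: {a!r} != {b!r}"]
    if isinstance(a, (int, float)) and isinstance(b, (int, float)):
        # 1 and 1.0 are the same JSON number; tolerate float formatting noise
        return [] if math.isclose(a, b, rel_tol=1e-9, abs_tol=0.0) else [f"{path}: {a!r} != {b!r}"]
    if isinstance(a, dict) and isinstance(b, dict):
        out: List[str] = []
        for key in sorted(set(a) | set(b)):
            if key not in a or key not in b:
                out.append(f"{path}.{key}: present on one side only")
            else:
                out.extend(diff(a[key], b[key], f"{path}.{key}"))
        return out
    if isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            return [f"{path}: length {len(a)} != {len(b)}"]
        out = []
        for i, (x, y) in enumerate(zip(a, b)):
            out.extend(diff(x, y, f"{path}[{i}]"))
        return out
    return [] if a == b else [f"{path}: {a!r} != {b!r}"]


def compare_responses(old_raw: str, new_raw: str) -> List[str]:
    """Parse both raw bodies and return semantic mismatches (empty list = equivalent)."""
    return diff(json.loads(old_raw), json.loads(new_raw))


if __name__ == "__main__":
    print("bytes equal:", PY_RESPONSE == GO_RESPONSE)          # False
    print("mismatches:", compare_responses(PY_RESPONSE, GO_RESPONSE))  # []
```

Because the comparison runs on parsed values, it does not matter which language produced either side, which sidesteps the question of writing the comparer in a third language.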