LAB: WAN Issues w/ Realtek + PFSense

It’s a pretty common issue. Realtek devices are inexpensive and prolific but they’re flaky and not recommended by most. Coupled with pfsense, one can have a pretty solid lab if you can get them working reliably. I went down the path of building out a new lab with a gigabyte box as a pfsense one-arm-router. I paired it with a managed PoE switch running a few Ubiquiti APs so I could power and pull networks from some IoT devices I was researching.

Every time my NIC was under load, my WAN interface would go down. Reloading the interface was a quick fix but it was one needing a more permanent fix.

This was the solution:


Unzip & Place “if_re.ko” file in the “/boot/kernel” folder

Ensure ownership and permissions on the if_re.ko file are:

  • chown root:wheel if_re.ko
  • chmod 0555 if_re.ko

Add this line to “/boot/loader.conf”:

  • if_re_load="YES"


Once you reboot, you can run kldstat to verify the driver is loaded. Most folks were having issues with “smart quotes” on their copy-pastes.

This solved all the stability issues I was experiencing in my lab.
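The smart-quote failure mentioned above can be caught before the reboot. The following is an added example, not part of the original post: the function names are hypothetical, and the sample file is constructed to reproduce a bad paste.

```sh
#!/bin/sh
# Added example (not from the original post): lint a loader.conf entry.

# lint_loader_line FILE KEY
#   0: KEY="YES" present with plain ASCII quotes
#   1: the KEY line contains typographic ("smart") quotes
#   2: the KEY line is malformed, e.g. missing its closing quote
#   3: no KEY line in FILE
lint_loader_line() {
    file=$1; key=$2
    line=$(grep -E "^[[:space:]]*${key}=" "$file" | tail -n 1)
    [ -n "$line" ] || return 3
    if printf '%s\n' "$line" | grep -qF -e '“' -e '”' -e '‘' -e '’'; then
        return 1
    fi
    printf '%s\n' "$line" |
        grep -Eq "^[[:space:]]*${key}=\"YES\"[[:space:]]*(#.*)?\$" || return 2
    return 0
}

# ensure_loader_line FILE KEY
#   Leaves a good entry alone; otherwise drops every KEY= line and appends
#   a clean KEY="YES". Writes through cat so FILE keeps its owner and mode.
ensure_loader_line() {
    file=$1; key=$2
    lint_loader_line "$file" "$key" && return 0
    tmp="${file}.tmp.$$"
    grep -Ev "^[[:space:]]*${key}=" "$file" > "$tmp" || true
    printf '%s="YES"\n' "$key" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed sample reproducing a bad paste: smart quote, no closing quote.
demo=$(mktemp)
printf '%s\n' 'autoboot_delay="3"' 'if_re_load=“YES' > "$demo"
lint_loader_line "$demo" if_re_load || echo "before: lint status $?"
ensure_loader_line "$demo" if_re_load
lint_loader_line "$demo" if_re_load && echo "after: entry is clean"
cat "$demo"
rm -f "$demo"
```

On the firewall itself the call would be `lint_loader_line /boot/loader.conf if_re_load`, run as root before rebooting.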


PFSense 2.4.4 on an ACEPC T11

I bought a silver ACEPC T11 for doing some lab work for $127 (link). It sports an Intel Cherry Trail Atom Z8350 quad-core CPU, 4GB of RAM, 64GB eMMC, and a dual-band 2.4GHz and 5GHz wireless card. I tried booting off the pfsense media and it kept hanging at ppc0: cannot reserve I/O port range. After poking around, I ran across this article:

I rebooted and selected 3. [Esc]ape to loader prompt on the boot menu. At the OK prompt, I entered:

set hint.uart.0.disabled="1"
set hint.uart.1.disabled="1"

It booted right up and pfsense installed without any issues.

Next, I’ll be ripping it open and installing external wireless adapters and an SSD for storing pcaps.

DNS Requests Every Few Seconds

Over the weekend, I updated my wireless router to the latest revision of ASUSWRT-Merlin. I also decided to update my DietPi Pi-hole to their latest builds. Due to a full code rewrite of DietPi, it meant a complete rebuild for that system. The release of ASUSWRT-Merlin also suggested resetting to factory defaults due to some major changes. Everything was about to be new again.

Once I got everything rebuilt and running, I noticed requests coming from my firewall to my dietpi every 10 seconds or so for I immediately assumed this was some Microsoft telemetry noise on my network from MS NLA. However, the queries were coming directly from my firewall which seemed odd. Another search led me to a post on the Pi-hole discourse. After I ran nvram show | grep dns_probe, it was clear I found the culprit.

admin@gw:/tmp/home/root# nvram show | grep dns_probe
dns_probe_content= fd3e:4f5a:5b81::1

I ran the following three lines and confirmed the traffic stopped. No reboot was necessary. The first post I read recommended setting dns_probe_content to and dns_probe_host to “” (effectively blank). I later found a post by RMerlin that explains setting dns_probe_content to blank disables the watchdog service but effectively disables the dual WAN feature. It would make sense that dual WAN would require a watchdog service. So, if you use dual WAN, don’t do this. Otherwise, you should be fine.

admin@gw:/tmp/home/root# nvram set dns_probe_content=
admin@gw:/tmp/home/root# nvram set dns_probe_host=
admin@gw:/tmp/home/root# nvram commit
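Spotting a client that queries the resolver at a fixed interval, as the firewall did here, can be automated. This is an added example, not part of the original post: it assumes the Pi-hole query log uses dnsmasq-style lines, and the host name `probe.example`, the addresses and the function name are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): find fixed-interval DNS clients.

# periodic_queries LOG [MIN_COUNT] [MAX_GAP_SECONDS]
#   Prints "client name count mean_gap" for each (client, name) pair that was
#   queried at least MIN_COUNT times with a mean gap of MAX_GAP_SECONDS or less.
#   Assumes one day of dnsmasq-style lines (no midnight rollover handling).
periodic_queries() {
    awk -v min="${2:-5}" -v maxgap="${3:-15}" '
    / query\[/ {
        split($3, t, ":")                      # $3 is HH:MM:SS
        now = t[1] * 3600 + t[2] * 60 + t[3]
        key = $NF " " $(NF - 2)                # "<client> <queried name>"
        if (!(key in first)) first[key] = now
        last[key] = now
        count[key]++
    }
    END {
        for (key in count) {
            if (count[key] < min || count[key] < 2) continue
            gap = (last[key] - first[key]) / (count[key] - 1)
            if (gap <= maxgap) printf "%s %d %.0f\n", key, count[key], gap
        }
    }' "$1" | sort
}

# Constructed log: the gateway asks for a placeholder name every 10 seconds,
# a workstation makes two unrelated lookups minutes apart.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Apr 22 10:00:01 dnsmasq[812]: query[A] probe.example from 192.168.1.1
Apr 22 10:00:01 dnsmasq[812]: forwarded probe.example to 9.9.9.9
Apr 22 10:00:05 dnsmasq[812]: query[AAAA] www.example.org from 192.168.1.50
Apr 22 10:00:11 dnsmasq[812]: query[A] probe.example from 192.168.1.1
Apr 22 10:00:21 dnsmasq[812]: query[A] probe.example from 192.168.1.1
Apr 22 10:00:31 dnsmasq[812]: query[A] probe.example from 192.168.1.1
Apr 22 10:00:41 dnsmasq[812]: query[A] probe.example from 192.168.1.1
Apr 22 10:07:40 dnsmasq[812]: query[A] www.example.org from 192.168.1.50
EOF
periodic_queries "$sample" 5 15
rm -f "$sample"
```

Running it again after the nvram change should show the gateway's entry gone from the output.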

RPM/yum Database Corruption

Jumped onto my server and noticed a few out of date packages. A quick % sudo yum update reported the following:

error: rpmdb: BDB0113 Thread/process 12323/139745043400512 failed: BDB1507 Thread died in Berkeley DB library
error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery
error: cannot open Packages index using db5 - (-30973)
error: cannot open Packages database in /var/lib/rpm

Fortunately, the fix was easy:
% sudo rpm --rebuilddb

Once complete, yum update worked like new.

Announcing New YouTube Channel: InfoSecTech Tools

For a while, I’ve been trolling the rich world of infosec tools offered in distributions like Kali Linux and BlackArch. Many of these tools have been a huge boost to my productivity and efficiency. Whether looking to defend a network, do network discovery, or just get a better idea of what tools adversaries use, learning these tool sets is critical to the success of today’s IT pros.

I’ll be covering tutorials on some of the more relevant infosec tools, scripts, and applications to the everyday IT professional. For starters, I’ll be doing tutorials and demos of information gathering tools directly listed on the Kali Linux tools website. As I build out a streamlined process and home studio, I hope to improve the format and production quality, eventually introducing personal narration instead of text-only, onscreen guides.

I’d love your input and feedback as I start down this path.

Follow along here on my blog or subscribe to the InfoSecTech YouTube channel.

Thanks for your support. I’m hoping this becomes a valuable contribution to the rich community of existing IT and infosec pros.
