Some Notes on the Machines

This can be very useful; apparently Watchguard is documenting some CLI data publicly:

techsearch.watchguard.com/KB/WGKnowledgeBase?lang=en_US&SFDCID=kA10H000000g2wFSAQ&type=Article

Here are two ways:

1. If IPS is in use, set it to Fast Scan. This is in Policy Manager —> Subscription Services —> Intrusion Prevention Service..
2. By default, internal certificates are not updated. If they are not up to date, they can cause slowdowns. This is in Policy Manager —> Setup —> Certificates —> Trusted CA Certificates.

with the right router/firewall. I’ve had at least three different Netgears at home over years, all mid- or mid-high range in their consumer range at purchase. Every time, I tested using OEM up-to-date firmware, and tested with DD-WRT, many tweaks on both. DD-WRT gave a little improvement. On a little divine inspiration, I just did this:

• Took a ten-year-old quad-core Vista box with three gigs of RAM
• Put in a $40 quad Intel server NIC I bought from Amazon.com
• Installed pfSense and set it up in very default fashion, exceptions being use of 192.168.2.0/24 as LAN subnet, 192.168.2.1 as LAN IP. Not using the motherboard NIC, just two on the Intel card so far.
• Set my current DD-WRTed Netgear to do DHCP forwarding instead of serving, set it static to 192.168.2.2, left it otherwise alone
• Connected one LAN port of the Netgear to the LAN port I set up in pfSense
• Disconnected the WAN port of the Netgear, plugged Internet directly into the WAN port in pfSense

Suddenly WWW and Roku respond much faster, much less latency and jitter and other delay, and most unexpectedly, Internet download speed is much, much faster, even though the wifi is still running through the Netgear. And after a bit of performance tweaking, pings are lower, from 28ms down to 22 wired and 24 wireless.

Haven’t tried Squid proxying yet, or IPv6, but will be!

Here are some important settings in the Labtech documentation.

This is specifically for Watchguard IPSec mobile user VPN, but is probably applicable in other IPSec situations also.

When setting up IPSec VPN, at least in some paradigms, the server side is set up without DNS/WINS settings, and then in the client profile, after the import, one does this in “IPsec Address Assignment”:

Local IP address (takes the IP from the local LAN)
DNS Server:  <destination LAN DNS or general>
WINS Server:  <destination LAN WINS or none>
Domain Name:  <destination LAN-local domain>

Some notes on the destination side.

1. In the Watchguard IPSec VPN configuration, the “virtual IP range” under resources, has to be a range (a) included in the DHCP distribution but (b) excluded on the DHCP server (if any) at the destination; it has to be part of the destination subnet. It is reportedly also possible to set the router up to use a new subnet for this, but this requires adding a rule in the router and is more complex.
2. If there is a Windows domain controller at the destination, recommended is to set the Watchguard IPSec VPN for Active Directory authentication. In such a case, the “Group Name” has to be a Security Group in the AD of exactly the same name, case significant, as exists on the server, and any user has to be a member of that group. If a user attempts to connect who is not a member of that group, connection will occur, but RX will remain at zero bytes.

Here is a very good list:

http://www.garykessler.net/library/file_sigs.html