The Uncast Show

Get to Know Tom Lawrence of Lawrence Systems: Part 1

April 15, 2024 Unraid Season 3 Episode 1

In part 1, Tom Lawrence of Lawrence Systems joins us for a wide-ranging discussion about how he got started in tech and on YouTube and gives us a clinic on network security and pfSense.

Look for Part 2 coming very soon as Ed and Tom talk ZFS, answer some audience questions, talk about the future of open-source, and much, much more!

If you enjoy the show, please do us a favor and rate/review us on your pod platform of choice!



Ed Rawlings:

Hey everyone and welcome back to another episode of the Uncast Show. Now, today we've hit the jackpot because we're chilling with no other than Tom Lawrence, the man and mind behind Lawrence Systems. Now, if you've ever fallen down a rabbit hole about tech and cybersecurity, well, you've probably fallen into Tom's rabbit hole YouTube channel, where he's dropping knowledge bombs left, right and center. Anyway, good morning Tom. Thanks a load for hopping on with us today.

Tom Lawrence:

Hey, happy to be here. Thank you for the great intro there, because I definitely go on a bit about cybersecurity and then I'm back to doing my tutorials. It's usually when there's something that has upset me in the cybersecurity world or maybe that you should be concerned about, like the ScreenConnect one, for those of you that use that tool. We had to jump on a live stream because that was bad.

Ed Rawlings:

We've actually been trying to get this podcast together for quite a while now, haven't we, Tom? But life's been busy I think last time you were in the middle of some pretty major shifts, yes, but I'm super curious really, and probably the listeners are as well what exactly sparked off your interest in not only setting up the YouTube channel but your company Lawrence Systems as well, and also, I guess, what triggered your recent sort of change? And well, first you better tell people what the recent change is.

Tom Lawrence:

Yeah, yeah yeah, yeah.

Tom Lawrence:

Yeah, the I mean I've had my company Lawrence Systems since 2003. That's when I formed it. I used to work in corporate IT, so when that job kind of went we'll say sideways a little bit due to company drastically changing, due to bankruptcy, I was supporting all the technology for that company that split the pieces to a contractor that managed multiple divisions of the company. But the more advantageous thing for me to do was talk to an accountant and say, hey, how can I set this up as a business and turn them into my first clients? And so my first clients were actually my previous employer, who then became split into pieces. So that was like where the origin story, if you will, is. It was years and years later I figured out you can't have just two customers, because when one of them finally closed, then you go. Well, I guess I gotta learn how to market. It turns out just having skills is not the same as marketing. So I made money and then I lost a lot of money and then I was doing bad for a while in terms of like I had the skills but didn't have any way to figure out how other people would learn that I had skills out of work on tech. So it took me a long time to build the company back up. But some of that and this is what leads into that next question of what made you start YouTube is I've always enjoyed public speaking.

Tom Lawrence:

I did this already my participation in a hacking or open source conference. I had no fear of getting up on the stage and talking about whatever it is I was doing and sharing that with people. And that also led to the business side where I would do more generic I call them like for the normal business owner talks, where I would talk about technology and things like that as a way to just get in front of people to teach some of me. They may want to use my company, Lawrence Systems, to manage their technology, but I was at a conference once and it was a pfSense talk that really pushed it. That's why some of my earliest videos besides laptop repair videos because they had a retail store.

Tom Lawrence:

I didn't know what to fill in between, but I think one of the very first videos and it's not actually published on my main channel. I think I've actually deleted it since because it's such an old version Someone couldn't make it into because there was all these sessions set up and there's only so many people could fit in each session. Or everyone wanted to talk about the open source firewall talk at a Linux conference and someone said hey, you'll see me later like hey, can you put that on YouTube? I'm like I don't know. Probably it seems technically possible by me, so I did, and then a lot of people watched it. I was like huh, there seems to be a lot of firewall videos that are really bad on YouTube and me taking the time to put one together that was better seemed to do pretty well. Matter of fact, if you still look, there's a lot of pfSense videos. You'll find where someone opens Notepad, types out I'm going to show a VLAN and then moves Notepad over and walks you through it. There's no sound in it.

Ed Rawlings:

I remember watching those ones, Tom.

Tom Lawrence:

What shocked me was the number of views. I'm like there's like 5,000 views on this and I realized it's the only person answering the question. And then your instance someone's wrong on the internet angry moment that every tech person has going. Some of this is really not correct on how to set these things up. They're showing the rules wrong. You're showing a rule that is less secure because you're not doing the rule order properly, and I'm like, well, I'm going to fix this. And so that started my pfSense videos. And the rest was me throwing spaghetti at the wall until I figured out what else people want to hear me rant about. There's only so many pfSense videos you can do. Well, I thought it seems to be unlimited right now. But yeah, I've slowly been building up the pfSense videos. I've expanded, you know, into storage, virtualization, all kinds of topics or sometimes, as we mentioned, cybersecurity topics, and that's what's led all the way to building the channel. And the channel is an inbound lead system that led to the merger with CNWR.

Tom Lawrence:

Jason Slagle is the president of CNWR. He's a friend of mine and when I approached him about the merger, he's like oh, you want to also be president? I'm like the opposite. I said I want a job with no responsibilities that involve people. I said I'm not good at managing people. If I never have to look at a master service agreement again or deal with a contract negotiation again, two thumbs up for me. If I don't have to stare at financials all day, I care that the company makes money, but I don't want to get involved in those little details. I want to just live as a tech nerd full time. And he goes. Well, we can. We can do that. So all my recurring contract clients managed service clients moved over under there. All my employees eight of them moved over to CNWR and it's been happy ever since that happened in July of 2023.

Tom Lawrence:

And, yeah, other than attending management meetings, I do consulting through there and all the leads. If you hire us for those leads, they'll still get processed. A lot of times you hear from me directly. Still, I do the solutions design. But if you say, hey, that service agreement has a question, I'm like, absolutely, I got a team that handles that. Let me know. And then I do things like I'm flying. When I mentioned when we first started, before we started recording, I was like I'm flying to New York and that's one of those things they kept negotiating back and forth of how they wanted to contract you, but I'm not involved in that. I just said let me know what day I'm going to New York, and they said you're going Monday. I said, great, that means they sorted out whatever the lawyers had an argument about and they're like yes, they did. And then we got the deposit. Awesome that I don't have to think about those things now. Yeah, sounds perfect. It's a lot of fun. I have landed.

Tom Lawrence:

It's taken me, as I'm almost 50 now and 20 years of running Lawrence Systems, it's taken that long to land it to where I say I think I'm at that perfect spot where I want to be.

Ed Rawlings:

I'm going to ask this kind of like at the beginning, because I normally ask it at the end. But if people want to find out more about you, Tom, how do they actually contact you? Where can they find you?

Tom Lawrence:

I try to focus everything at LawrenceSystems.com. It's got everything from my origin story, which I've been expanding on, because people always ask details and I always try to make sure I'm answering all of them. So I got everything for how to hire us, how to contact me, all my socials, because that sometimes can be dynamic, but I have them all linked down there. So whatever social media platform I am, or in some point in the future when you're watching this, I decided not to be on, or just another one that implodes or something like that or becomes so terrible that I don't think it's worth being on. But yeah, that's the easiest place to find me is everything. LawrenceSystems.com.

Ed Rawlings:

OK, great. So we'll make sure that's in the show notes so everyone can check that out. Now, before we kind of jump into the main topics we're going to talk about, I have a little segment I like to call quickfire questions, Tom. Basically I ask silly, random questions with very simple kind of answers, just for everyone to kind of get to know you a little bit better. So if it's all right with you, we'll jump in with that and you can answer my silly questions. Ready when you are? Awesome, so here we go.

Ed Rawlings:

So coffee or tea in the server room? Oh, coffee. Coffee, yeah. Um, and Star Trek or Star Wars?

Tom Lawrence:

Oh, Trek all the way. That's the easy one to answer.

Ed Rawlings:

All right, so we've got a Trekkie here, everyone. And desktop or laptop? Desktop, yeah, that's easy. And monitor-wise? Do you like a nice big, ultra wide, large monitor or two single monitors? What do you prefer?

Tom Lawrence:

I have. I have two singles and an ultra wide in the middle. Ah, so both. Yeah, nice.

Ed Rawlings:

And keyboard-wise, mechanical keyboard, or do you prefer kind of like laptopy membrane keyboards and stuff like that?

Tom Lawrence:

I have two clicky keyboards in front of me, so they make some noise, that's right.

Tom Lawrence:

Yes, I like the mechanical clickies. Um, and command line or GUI? Oh, command line. Yeah, yeah, I kind of thought you were going to say that. I well, it's kind of a mix because, uh, we're going to be talking about ZFS or something like that later and there's a lot of things that do, and even in virtualization there's a lot I can do with managing it through a web UI. But I also kind of go back and forth. I think that makes it more accessible to people and I like doing those tutorials. Like pfSense, it really doesn't offer much for a command line because everything that you do through the web interface writes to an XML file. So changes you actually do from the command line don't stick. They all have to be committed to an XML file.

Tom Lawrence:

But you know, long time Linux nerd, I started my Linux journey I think I loaded Red Hat in 1995. I hated it. Then I came back to it in 1996 and said I'm going to figure this out and I was a Linux admin by 1999. So I've been on the keyboard for a long time. Yeah right, and terminal UIs are absolutely my favorite UIs. But unfortunately, you know, I didn't. If I want to make tech accessible or my goal of teaching a lot of people, you're going to have to teach them about how to use a UI. There's times when a you know UI is going to be a more efficient way to do things, and I will surrender to that for certain scenarios.

Ed Rawlings:

Yeah, I'm a bit the same. I kind of like the command line, but I'm also quite lazy as well, Tom, and I like the GUI. There's been something built into Unraid, a file manager, and normally if I'm going to edit an INI file I'll use Nano. But sometimes I can't be bothered and the file manager in Unraid presently you can't edit an INI file. So, me being lazy, with one hand on my mouse, I'll rename it to txt, then open it, make the edit, rename it back to INI and at the end of it I think really, why did you do that?

Ed Rawlings:

You haven't saved any time, Ed? And it's just laziness for me, but yeah anyway. So moving on to the next question.

Tom Lawrence:

So Python or Bash scripting? Oh, Bash. I wish I was better at Python. I can hack my way through it, but Bash has been forever, because that's the first one I learned and, um, you don't really want to change. You know, I started learning the Bash stuff from the beginning and it just sticks with you.

Ed Rawlings:

Moving on Docker or virtual machines.

Tom Lawrence:

Virtual machines. I like the individual isolation. I mean I understand the use cases for Docker for efficiency and saving that, but individual virtual machines is generally. Most of my infrastructure is set up that way, so it's extremely isolated and self-contained.

Ed Rawlings:

Is that for security, Tom? Like, because it's more secure with a VM because it doesn't share the kernel?

Tom Lawrence:

Doesn't share the kernel. It creates to me like an isolation in my head of like this is an isolated, fully independent, locked down. There's no worry about crossover, no one has to access the system to update an adjacent Docker in it, so it's like that. I mean I do have some things running in Docker but I also have some things that are a virtual machine, that only run two things in Docker inside of it, because they complement each other and I think these things belong to each other. But yeah, because sorting out exactly and making sure I think it's easier to make a mistake in Docker when it comes to like breaking boundaries of security and I'm always worried about that shared kernel going. You know they're in that same space with each other.

Ed Rawlings:

Yeah, I understand that for sure. Next, wireless or wired networking what's your preference?

Tom Lawrence:

Wired all day, despite the volumes of wireless consulting that we do in large-scale installs with things like, you know, UniFi, uh, which I was just at their conference. But yeah, wired is that's my answer all the time. Everyone's looking for the best speed. I don't like what's the fastest Wi-Fi. I said wiring your computer directly to the wall. That's your fastest solution.

Ed Rawlings:

Yeah, for sure. I already know the answer to this question, I'm sure. Probably OPNsense or pfSense?

Tom Lawrence:

We're going to go with pfSense.

Ed Rawlings:

Yeah, and IPv4 or IPv6?

Tom Lawrence:

It is the year of IPv6, I've been told, for I don't remember how many years. There's a talk at a local Linux group. It's a joke. Every January, now, for the last 12 years, maybe 13 years, there's the talk called it's the year of IPv6. It's not, though. It's IPv4.

Ed Rawlings:

Yeah, Personally I don't like IPv6, probably because I don't understand it very well.

Tom Lawrence:

Yeah, I always joke that I don't have a use case for it and it's one of those things that I I have a couple people that I troll on Twitter, uh, by saying I I post kind of the same things where you know, hey, whenever there's a flaw found in IPv6, in one of the stacks that's using it, I say, hey, just a reminder, turning off IPv6 reduces your threat surface and this person like just jumps on my Twitter immediately. I love it. It has become their goal every time Tom points that out. Well, IPv4 is not going to work forever, but I'm like well, yeah, but this reduces threat surface by disabling it, because someone found another flaw in another feature that wasn't implemented very well and most of the IPv6 stack, because of the lack of use, is not as battle-tested, if you will, out in the open public internet, as your IPv4 stacks. It doesn't mean there's not flaws in IPv4 that we're still not finding, but in terms of testing, IPv4 is getting much, much more scrutiny than IPv6 is.

Ed Rawlings:

I'm really sorry to go off on a bit of a tangent now, Tom. I love tangents. You made me kind of think of something. I was thinking about VPNs when you were just talking about IPv4 and IPv6, just because I had some problem with a VPN an office that only had IPv6 due to some cell data and their VPN just wouldn't work. I was just thinking there's been recent kind of things in tech media about. Was it a VPN called Ivanti? Yes, they were using stuff that was really really old, and is that right?

Tom Lawrence:

Yes, very old. Yeah, Ivanti was a good example and I had gotten into a long debate on LinkedIn, like I said, wherever socials. You can find me on LinkedIn sometimes where I rant about security problems, because I have an audience there for it, if you will and Ivanti, one of the problems is they started as a company called Funk Software made a tool called Steel Belted Radius Server, I think is what it was called. This is back circa 2006. It was actually popular in the ISP market. Then another company and I can't remember the other party's name they had this whole VPN product. Then they bolted together the VPN tooling, which was like an SSL-based VPN, along with the RADIUS server, and then Juniper bought them as a company, and this is about 2012. And they put it all together or no? Juniper brought them in 2009 and then sold them to the worst thing you can hear in any tech thing a private equity firm. And what do you think the private equity firm did? Well, they repackaged it as Ivanti Pulse. Well, it used to be Juniper Pulse Secure VPN, then it was Ivanti Pulse Secure and now I think it's just called Ivanti VPN. They've been through a few naming changes, but what happened was they slapped a pretty interface and hired a bunch of salespeople. They never updated.

Tom Lawrence:

I think the curl version was like 13 or 14 years old when, when someone really when some cybersecurity people really started reverse engineering it, I had a whole breakdown of, I knew the preliminaries on it. So I had dumped that onto LinkedIn and someone told me I was wrong about what it was built with. And it was a day later. I'm like no, no, Paul is Paul's company's reverse engineering it. I'm sharing these people's information. I said they're posting it on Twitter. They're going to be having a full write-up from their actual business, and the day after I posted it it kind of made the news going. It's not just built with old stuff, it's built with all the details. They dumped all the different pieces, the kernel being like a 13-year-old 2-point-whatever kernel. And this is common with some of these companies they don't update their backend. They want the salespeople to do it, because refactoring code is hard and it doesn't make you money necessarily. It just keeps you out of the news, from getting you know.

Tom Lawrence:

A security problem and the other problem with Pulse Secure is one. It's absolutely used everywhere. CISA, the organization here in the US, said everyone has to patch it or shut it down. Then CISA got popped by their Ivanti VPN they were using. So I was like, yeah, it's kind of a disaster and this is why we need things like they refer to it as SBOM or software bill of materials.

Tom Lawrence:

That would have stopped and brought to a full stop. If you as a software company and I know you mentioned we'll talk about open source on this as well but if we can get companies to, when you're buying the product, make a list. Now that list may not be relevant to everyone, but there's enough people in tech that would go. That looks like a really old Linux kernel. If they would have had to submit like a bill of materials or what went into the product before it was bought, people wouldn't have bought it because they were still selling it right up until it was in the news. A lot, I think it may have hurt their sales finally, but a software bill of materials would have definitely raised some red flags. So you just go.

Tom Lawrence:

Why would I buy something that's based on this old technology that feels like there might be flaws? And, of course, where there's smoke there's fire. If they found one flaw, all they do they don't even really patching the flaw is not exactly the way they do it. They mitigate the flaw, and the reason I say mitigate, not patch, is because they're not replacing all the old kernels and stuff. They go how'd they get in? Create a regex that stops that data from going to where it doesn't go. Well, then they figure out reverse engineering with what the regex was and they go ah, we can bypass it and get in another way now. That's why there's like so many CVE after CVE.

Ed Rawlings:

No one's fixing the code, they're just going to figure out how they get in, create some pattern matching to say don't get in that way again. That's why open source, you know what's going into it. I have people say to me I think a lot of people who don't understand open source code. They often say, well, surely if the code is there for everyone to see, a hacker can just read it and know how to, kind of like, get into it. But it's really the opposite, isn't it, Tom?

Tom Lawrence:

in my opinion, Well, in open source projects would be embarrassed if they were. You couldn't publish right now. If I want to invent some new product I want to get out to market and I said I'm going to use all these 10 year old libraries and everything else. People go, no, your product sucks, and you would probably. No matter how much marketing I even tried to put behind that product, no one would want to use it. It would be talked about.

Tom Lawrence:

But these closed source companies kind of get away with it because you're not realizing that updating libraries on the back end it's just not very. It takes a lot of, it takes a very high skill to reverse engineer these at the level that Ivanti. And so, because Ivanti was in the news, this one company kind of took it upon themselves going, hey, let's get our smart people on it and let's take this thing apart. And they disassembled it and they were horrified as anyone would be. But yeah, there's no security through obscurity. All the code should be very viewable.

Tom Lawrence:

I actually think open source is becoming much more front and center here in 2024. I've always, you know, wore the eccentric hat of open source advocate and heard that argument for years and years. But I built my career installing these open source systems at many enterprises, who are often failed by the Ivantis of the world and other companies, and realized well, we tried it and we got burned, and well, we need something that scales. We need something that is secure, and having the ability to see the code now gives a level of confidence. And security has only bolstered that more, because first we have the problem of written with bad software. Then the worst problem we have is what if it's written with nefarious software and someone stuck a back door in there? Well, if it's open source, that is, it's not that you are guaranteed to catch it because it's open source, but you're denied the opportunity with closed source and given the opportunity that if someone wanted to scrutinize the build process and everything, they could now go back and audit this. There's an audit trail I have, so if I think something's suspicious, it still takes some, you know, relatively smart people to go through the code and kind of walk through the process. But that is 10 times harder with a closed source product because you're just reverse engineering binaries to figure out what they use versus. Ah, cool, I can look at this and maybe even go through the whole process of making a repeatable build, so my binaries match, so there's a full opportunity that exists, not to mention the open source community. If you ask them how something works, the developer will go. You want to talk to me about how it works? Can I join you in this discussion? You know they're excited that you're using their product.

Tom Lawrence:

I work with so many open source developers. It's great actually just talking to them directly and having the conversations with them, and that's how I've helped do contributions back. I don't code very well, hence my liking Bash over Python. I'm not a great coder, but I can look through the code or look through the process and then reach out to developers, like you know, if this kind of change happened, like you did this. I think this is a way you could make this happen, because I can see enough of it and go. I don't know exactly what code needs to be there, but but I bet this feature would be pretty easy, based on how you implemented this and something to go. Well, that's clever, and then it becomes a part of the product.

Ed Rawlings:

So moving on. I've got another question, quick question. SSL certificates: Let's Encrypt or paid?

Tom Lawrence:

Oh, Let's Encrypt all day.

Ed Rawlings:

Big fail. Let's Encrypt. And server builds. Do you prefer building

Tom Lawrence:

the server yourself, DIY, or do you prefer an off-the-shelf solution? Everything for my home lab, I try to do as much as possible, uh, as DIY, but for businesses and it's just kind of the way things end up um, they're not looking forward to DIY and we need like five-year agreements on hardware and things like that.

Ed Rawlings:

So yeah, for the yeah, you gotta have the support from the vendor.

Tom Lawrence:

Yeah yeah, we just want to. No one wants to watch Tom assemble, um, a series of server motherboards. Well, I know, possibly people do want to watch me assemble it, but not the clients, just the people on YouTube. When you're working,

Ed Rawlings:

Do you prefer listening to tech podcasts or music playlists?

Tom Lawrence:

I have the ringing in the ear problem, so I frequently listen to sometimes patterned music, anything to kind of stop. I'm in a sound. My office doubles as my studio and I did a great well, too great of a job. Soundproofing Awesome for recording things. Terrible if you have ringing ears because it gets much louder. So there's usually just some ambient on there. But I listen to a ton of tech podcasts. I go for walks or bicycle rides or walks in the woods. That's how I consume much of my podcasts. I have a lot of them I listen to.

Ed Rawlings:

Anyway. So well, I don't. I wasn't going to ask you this question, but I can't help it because it's my favorite one. Really, if you could go forward in time or back in time, what would it be, and why?

Tom Lawrence:

one, because then you can just go change a few things, but I don't know what I would change. That's the hard part. I'm so excited, I want to know what the future holds. But if I jumped ahead in the future, I feel like I'd just be confused. I feel like I missed the gap. But if you go backwards, I can change or modify or be like hey, people ask me about selling my company a lot because no one talks about after the exit. Oh, I'm like, do you regret? I'm like no, no, no, I regret not doing it sooner. So I might've changed my direction. I might've started YouTube sooner. If there's an easy one to go back in time, like I was just like I should have been doing YouTube in 2006, not 2017. I got a 10 year head start and then is it a Lawrence Tech Tips instead, instead of Linus Tech Tips? Is that what the future looks like as we rewound it?

Ed Rawlings:

Cool. Anyway, I guess I better kind of move on to proper topics. Like I was saying to you earlier, Tom, you know I've been an avid follower of you for years and years. Um, I was watching your channel before I ever did anything to do with YouTube and I've learned loads from you. So it's really cool for me to be speaking to you today. Basically, just so the audience knows what we're going to be talking about today, I'm hoping to talk about ZFS.

Ed Rawlings:

I'd love to dive into ZFS with you. It's recently been integrated into Unraid OS, so obviously it's going to be of quite big interest to our audience. So your expertise in ZFS is going to be invaluable and we're all eager to learn about the benefits and applications from someone who's got as much knowledge as you as well. Obviously I want to talk about open source. We kind of started talking about it a bit in the quickfire question, so I'm looking forward to talking to you about that and also network security. If it's okay with you, I'd like to start a conversation focusing on that, specifically pfSense, because I often advise people. I say, hey, why don't you set up a pfSense box at home? You know, I say to my brother that kind of thing and he goes. Well, what's wrong with, um, my Sky router? Sky being a company over here where they give you a free five dollar router, from you know?

Tom Lawrence:

Yeah, Made in China, the worst components, never updated for years.

Ed Rawlings:

He goes, well, the Wi-Fi works, and I tell him maybe you should buy a mini PC and put it on that. And he says, how much is the mini PC? And I said, oh, about 180 pounds. And he looks at me as if I'm absolutely crazy. So you know, I know that you're an advocate of pfSense and hopefully, if I speak to you about it, I might be able to persuade more people to actually switch from their horrible ISP router. So, Tom, could you give us an elevator pitch for pfSense? What exactly is it and why should home lab enthusiasts take notice of it?

Tom Lawrence:

pfSense. It is the longstanding open source firewall project that started all the way back in the days of m0n0wall that was its original name and then it, kind of m0n0wall, fell apart a little bit. I don't remember exactly the reasons, but you know, as open source projects kind of evolve or the teams that work on them stop evolving it, other people may pick those up, and pfSense was a pickup from that and has been going strong all the way here, still in 2024. It is owned by Netgate. They are the current stewards of that particular project and they are Netgate like Rubicon, something like that.

Tom Lawrence:

I think that I'm exactly, I believe like they're a holdings company called Rubicon that then owns Netgate. They're all the same people involved in that and they have a lot of controversy because of a little bit of a split they did where they have pfSense CE or Community Edition, which is your open source edition, and then they have pfSense Plus, which is I try to describe it this way because people tell me pfSense Plus is a completely closed source. I'm like completely closed source is not exactly the right way to look at it. pfSense CE, Community Edition, 100% free, and the files, the configuration file you can move. You can export the little XML file, upload it to a Plus or CE. They still have the same base configuration, but pfSense Plus has a couple extra features added on top. So you start with that same base OS and then there's a few extra features, more leaning towards business features that they have, a couple that, uh, home users might be interested in. But those are those extras you get with Plus and if you are using the Netgate hardware it's going to come for free with Plus and right now I think they charge like, if you want to buy it yourself and load it on your own hardware, um, 120 a year but, as I said, completely not necessary. You can use the CE or Community Edition perfectly free.

Tom Lawrence:

Um so, and I I try to make sure that part's clear. I wish they didn't complicate things like that. People ask me like, well, what do you think about it? I'm like I mean, I know some of the people that have known the devs. I've been using it for 10 plus years commercially. Um, I wish they didn't split it like that, but it the problem is in open source.

Tom Lawrence:

It's just, you need to have people contributing, but it is an absolutely great firewall. It is certainly better than the ones, like you said, like the ones provided by your ISP, which are always, the ISP sought out the lowest bidder with the worst product, and the security follows with that. But pfSense gives you an amazing amount of flexibility. Something really popular, of course, is people who want to use privacy VPNs. I've done several tutorials on that as a topic where you say I want a privacy VPN, but I don't want everything going out that VPN. pfSense gives you that granular level of control to say, route this traffic out this VPN. Matter of fact, you can set up a whole series of them. I want this particular server to show up in Sweden, this one to show up in the US, and then my TV, well, it may have to show, my TV, or streaming device I should say, should show up in any country where I want to watch shows. And those are features you can do with pfSense.

Ed Rawlings:

Yeah, it's super cool. I have a rule in my pfSense, because my wife's mother lives in Georgia and she often asks Vanessa to help her with her online banking. And you try and connect normally to her bank from the UK and it says you're in the wrong region. So I've got a list of her bank names, I think Woodforest was, put the whole list of domains as aliases, and so any computer on the whole network at home that tries to connect to that domain, then it goes through a VPN in Atlanta and it allows Vanessa to do the banking on her phone, on her laptop, without any issue. And yeah, it's super cool, things like that.

Tom Lawrence:

It's kind of wild because this is a fully featured firewall. You can download, use the free version, set it up in your home. Even the free version still has features like high availability. You can set these things up to fail over to each other. You can learn BGP and all kinds of advanced routing on here. It's got all these VPN features, WireGuard, OpenVPN. You can tie it to Active Directory or just use it in a really basic case.

Tom Lawrence:

It's always fascinating about this because we know a lot of banks that use it. We have a lot of very large enterprise clients using it, but it's also the same software that you as a home user can really dig into and learn networking on there. It's even got some cool packet capturing. So if you're wanting to dive deeper into your understanding, as you're building your home lab, of how networks work, pfSense is also your friend at that. I've got a whole tutorial on how to attach Wireshark to pfSense and have it stream the packets right to a Wireshark session from all your different networks so you can do your own packet capture, and that's actually super easy to do with pfSense. I love that they have those type of features accessible to you when you do it, because it's all about tinkering.

Tom Lawrence:

When you're building out your home lab and things like that, it's like start basic, but then you've got to scratch that itch. What does the traffic look like? Or, like, solving the use case you have. Not an average firewall can do that, where I do policy routing to say send these domains out the US VPN.

Ed Rawlings:

I've got a question for you, Tom. When using a reverse proxy, personally, I use a reverse proxy on my home server and I have pfSense, like, route 443 to there. Should I be using something like HAProxy to reckon on, on pfSense on the edge? It's more complicated, but would I be gaining anything other than pfSense is always turned on?

Tom Lawrence:

Well, yeah, I find it less complicated as well.

Tom Lawrence:

The reasons I like the HAProxy function of pfSense. So the advantage of using it in pfSense is I have my DNS there already. The central DNS for my networks is going to be my pfSense, for like the studio I'm sitting in now and also at my office. Then that's where the certificates are. So it's already renewing the certificates automatically right inside of pfSense, and then add on HAProxy. If I have everything in my pfSense and it's a central spot for my network, I have servers that are on different segments of different networks, but I can have one HAProxy, because pfSense sits central to the network, it can talk automatically to everything downstream of it. So to me it's a simplification: everything's right there and it's one interface. I go into the pfSense interface, I add a new DNS entry, I add a new HAProxy entry and that HAProxy entry connects to some server that I set up for something. Now I've done 90%, well 100% of the reverse proxy work, it's all done inside of pfSense, from the DNS to the proxy itself, and then all I'm doing is attaching it to some other server.

Tom Lawrence:

And HAProxy gives you a lot of flexibility. It's really popular because of going all the way into load balancing and other features. So I've always just kind of been happy with doing that. But there's nothing wrong with Nginx or Nginx Proxy Manager. What is the other one that people like a lot? I can't remember the name of it. There's a few of them, Caddy. They all work well. Sometimes it just comes down to preference, and you do have to remember you have to have a pfSense. Not that it takes a lot to run HAProxy, but you know it is something you have to have that's fast enough to run HAProxy without any issues.

Ed Rawlings:

I was going to ask you something. It's just gone from my mind. I'm sorry everyone. We can circle back to it. We'll tangent back to this later. Hopefully I'll remember in a minute. In a professional context, how would you approach setting up pfSense for optimal performance, like for a new client you were setting up, you know, what kind of things would you set up for them?

Tom Lawrence:

Do you know, one of the things I really like about the team over at pfSense, and I've seen them answer this in the forums and it's maybe a little bit of a smart answer. They go, you know, what are the best settings when you first set one up, and I think one of the head developers said if there were better defaults they would be the defaults. And so the good news is it's very locked down out of the box. They don't offer, they don't have a default password. It's something you have to set when you log in. I mean, technically, the first login there is a default password, but it will annoy you to change it. It's one of the steps you're supposed to do is change it. It keeps bugging you. You could actually set the password back to default and it goes back to the bugging you process.

Tom Lawrence:

But in terms of what we set for business, a lot of times you have to decide how many different legs of the network. Do they have a guest network, which is frequent? You know, lots of professional services offices want some people to connect to Wi-Fi in the lobby, or maybe a hotel. So we'll set up all the different segments of the network, maybe set up another segment for any specific servers that they have. If there's a VPN or any inbound ports, we're going to load something like pfBlocker, usually like geo-blocking. Once again, kind of like you said, where you are trying to access a resource, and if they're not servicing people in another country, why should the system be open to that?

Tom Lawrence:

We also do use pfBlocker to block Tor nodes. I've got a video on that. Even if you're not using it for, like, ad blocking and all those other things, the Tor node part is really important, because the majority of these cyber attacks, not all of them, but there is a pretty high percentage of them, go on Tor nodes. So you can use pfBlocker to stop some of those inbound and outbound connections and they can be handy. So if something gets infected, if it can't reach the command and control server, that's where it stops. It's not a guarantee, it's a hope that you are being attacked by someone who's already on the known list. It doesn't help if you're getting attacked by the latest malware, I hope you have something else on your desktop to protect you. But if it's one of those older malwares that's still sending out, but it's already made the list of block this and it's in the pfBlocker list, awesome, that's it.

Tom Lawrence:

But the VPN setup is pretty popular. So there's still a lot of people, as much as we all say it's going to the cloud. There's, especially in the manufacturing, like we're here in the Midwest, we have the automotive manufacturing and all the companies that support them. That stuff isn't going in the cloud, that's VPNing in. So VPNs are really a popular setup, and if it's a more advanced VPN, you'll want people tied to their Active Directory. So another office setup might be, hey, we want, you know, no one wants to have to manage multiple user bases. So you take their VPN, you tie it to their Active Directory so their username and password is the same for both, and allowing them to log in. Once again, you create granular rules so that person's access is only to the resources they are supposed to have, and then you send them a bill.

Ed Rawlings:

I've just remembered what I was going to ask you, Tom, because you mentioned the word VPN again. With things like Cloudflare Tunnels, can they be connected into pfSense so you can have an actual tunnel? Say your ISP blocks 443. Can you put the tunnel going directly into pfSense? Is that a thing, do you know?

Tom Lawrence:

So there's nothing native at the moment to get Cloudflare Tunnels working on pfSense, so they don't have a plug-in for it, but that could always change in the future if they do. But Cloudflare Tunnels are definitely, they solve so many problems, where so many people in rural areas, for example, don't get public IP addresses. That's how it is here in the United States, and of course Starlink adds another layer to that. Starlink's become very popular. Once again, you're not getting a public IP address, but you, especially if you're in a home lab, you want to host something. Cloudflare Tunnel is an absolutely wonderful solution to get around that, but it's currently not natively built into pfSense.

Tom Lawrence:

But something that is, and kind of somewhat related, is Tailscale, and Tailscale is working on, I think they're working on something, and I've got to look at this, similar to tunneling that allows you to expose services. I do want to poke a little bit at that. But the cool thing is, if you need VPN access, Tailscale will work even if it doesn't have a public IP address. And Tailscale is available on your Linux devices, your Apple devices, your Windows devices. So if you're wanting the most simple, easy to get, plug it in, let it go VPN, that's one of the big go-tos that I'm so thrilled that they added.

Tom Lawrence:

They've done a lot of good engineering with Tailscale and its integration into pfSense. I've been using it for a year and I wanted to really put it to the test. We've got some client implementations, but I was going to show at some point, I'm going to do a video on my use case for it, because it's just smooth. When I was just doing some traveling in Chicago, I have it, Tailscale kind of creates an always-on VPN. So when I open my laptop up anywhere, even when I'm not within the walls of my studio here, I have complete access to all my resources, just like I was here, and it's great. It even handles, like, the DNS, and it'll talk to the pfSense DNS and all my HAProxy and reverse proxies. They all work the same, even if I'm sitting in a hotel in Chicago.

Ed Rawlings:

Nice, yeah, Tailscale's pretty awesome. That integration makes your life in pfSense so much easier. And for people listening, Tailscale uses WireGuard on the back end. Is that right, Tom?

Tom Lawrence:

Yep, the underlying technology is that. Tailscale's a really interesting product, because my joke was, oh, they're going to turn evil any day now, and I think that was a few years ago. Then they did it. They made changes, they gave away more for free. So when they updated pricing, they actually expanded how much you get on the free tier, and I'm like, huh, that's interesting. I'm waiting for the, what do they call it, the shoe to drop. When does the company go, are all of you used to using this? Because we want to raise prices. Because right now for a home user it's free?

Ed Rawlings:

A hundred clients, isn't it?

Tom Lawrence:

Yeah, I think they used to give you 50 when they first came out. Now it's like 100 clients for free. I mean, if you have more than 100 devices, I don't, you have a bigger use case than your average home user.

Ed Rawlings:

Yeah, for sure. What would you say, kind of like your must-have packages for pfSense that you think are really good?

Tom Lawrence:

I really like ntopng because I love looking at all the traffic. I don't know, I probably spend too much time looking at pretty graphs, but I like to see where all the traffic's going and just kind of speculate on it. That's probably one of the must-haves on there. pfBlocker, definitely, you know, because of the geo-blocking. I don't always do the ad blocking, and the reason why is it's a pain when you block too much and your sites, because some of the sites are very sensitive to that, and people are like, well, don't use those sites. I'm like, yeah, but some of those sites are like stuff I want to use, or stuff especially I don't.

Tom Lawrence:

If you block too much, my wife is upset because her clicker games stop working. Like, she has those games and I guess they're ad supported and they don't play if you block all the ads. So I don't use the blocking as much anymore. People always ask me, like, well, I want to completely lock it down. I'm like, you're going to, unless it's just you. If you have other normal, non-technical users who may like normal websites, it may not work for you, but pfBlocker is the go-to. I don't recommend it as much. It's fun from a security standpoint to understand what's going on, like Snort or Suricata, but I would not put them on my must-have list, because if you turn on blocking with them, you realize you now have the job of tracing down false positives. It's not the job you may want.

Ed Rawlings:

So that's a little bit less on the must. That's for deep packet inspection, those packages, yeah, yeah. And it doesn't work on HTTPS traffic. Am I right in assuming that?

Tom Lawrence:

Yeah, because it's just doing pattern matching. Most of the stuff that's encrypted never matches the pattern. So it's actually due to Let's Encrypt, like you asked earlier. Let's Encrypt kind of changed the world from HTTP to HTTPS almost everywhere, so you've now reduced the efficacy of those systems like Snort or Suricata to be able to see the packets that are coming in and try to trace them. The old attacks don't completely go away. So things that are still done over plain text, maybe it would see, but there's much fewer of them now, and they're less likely to be exploited. So those ones, they don't provide you as much protection.

Tom Lawrence:

There are some IP lists that get into Snort when you do the updates, or Suricata as well. They use the same, mostly the same, some of the same rule sets, so they can block, like, hey, we know this IP is a bad IP and nothing should connect to it, or it'll set off an alert. But unfortunately some of those alerts, if you turn all the buttons on, are Tor nodes, and some tools that even in the open source world use Tor nodes. So now you end up with alerts that block some of your open source tools and you get in a panic going, why is my open source tool connecting to a Tor node? What is it? Am I under attack? Did someone infect something? No, it's just the way, that's actually part of their service. They allow anonymity through Tor. So the open source service, they're wanting to add anonymity, sets off security alarms, right.

Ed Rawlings:

What services would you actually kind of block in the firewall? Would you block kind of like DNS and just force things to always use the DNS resolver in pfSense, or...

Tom Lawrence:

Yes. Well, the only way to block it at that point is to start creating individual rules, knowing what IPs it's trying to connect to and saying, hey, don't let it, if it's a 443 request over here. I just kind of stopped chasing that, especially like people want to try to get their IoT devices forced onto using redirection. So the IoT device is forced to use pfSense instead of where it wants to go. The problem you run into with some of the IoT devices is they're almost hardwired to use the DNS they want to use, and some of them, I've had people in my forums or Netgate forums post that, hey, every time I do this, the device stops working. I'm like, they hard-coded it that way. Your choices are now let that device go where it wants to go or don't use that device. Well, I like the device, but I think I should be in control of the DNS. I'm like, it's a nice thought, but, as we know, these IoT devices are how they are, and many of them are kind of opaque boxes in terms of what's running on them or us having any control over them.

Tom Lawrence:

Just put them on a separate network. Let them go where they go. You know I have some Google Chromecasts. They're all on a separate network. They're on my broadcast network for the one my friends will come over. That way they can connect to the Chromecast. I connect my phone to that network if I want to do the Chromecast. They're not part of my secure network because I know there's been flaws occasionally found and things like that. Just let all those devices be over there.

Ed Rawlings:

Yeah, I've got the same. I think most people, you know, we've got our IoT network, and I also have that network just exit out of a VPN in France. So any IoT device thinks I live in France. Yeah, and I'm happy they don't know where I live.

Tom Lawrence:

Yeah, exactly, and that's actually a really, policy VPN setup is probably one of the, like I mentioned earlier, really popular features, and sometimes you just take the entire IoT network and send it out. Oddly, there's a big business use case I have pitched for this. pfSense does not do, there's a big flaw, so to speak, but it's not something they're going to put any effort to, and it's getting harder to do every day, and that's application level filtering.

Tom Lawrence:

You know, this is something you'll see in your big enterprise firewalls like, hey, I want to block Facebook, I want to block Twitter, whatever that might be, only to these certain people. Well, it doesn't do a great job of that. But the other thing it's not going to do a good job of is blocking torrent traffic, and this is a problem for people who have guest Wi-Fi, because they don't want a notice from their service provider that someone was trying to stream a movie. My suggestion that has been well-received is set up a privacy VPN. You're like for my guests, why would I care about their privacy? I say you don't care about their privacy, you don't want the notice. So you VPN your guest network out to some place that doesn't care, some privacy VPN provider. And now you've solved the problem, because I don't know what they're doing on there, but it's not going to come back to your IP address.

Ed Rawlings:

I'd do exactly the same because, like you never know, my son might have some of his friends around and they bring the laptop and God knows what they're downloading.

Tom Lawrence:

Oh, yeah, yeah.

Ed Rawlings:

I'd just rather it not be on my IP. I'd do exactly the same.

Tom Lawrence:

I don't know if it works the same where you are, but I mean we get the notice from our ISPs that, you know, we're being investigated for downloading a movie or something like that. If you were to try to download a movie, you'll get a copyright thing. You get a letter physically mailed to you, because it's from lawyers who, they've barely been successful pursuing those cases. But it is a concern, and this is why there's such a rise in privacy VPNs, because privacy VPNs are in countries where they can't do that, and because they don't know who had what IP when. It's just, I know, I know they send the notices to the privacy VPN companies, who shrug their shoulders and go, I don't know, we don't track any of this.

Ed Rawlings:

Another service, I just wondered if you've ever blocked, do you ever block ping at all?

Tom Lawrence:

You know, there was a, I think someone wrote this rant a while ago, some network engineer, I think it was on Reddit, like, don't block ping. Will you for the love of God stop blocking ping? And I just laughed. By default, pfSense does block ping, and I'm okay with that.

Ed Rawlings:

I only block it on, which is the default, on WAN, but I occasionally, and I've done this for testing purposes, opened it up to certain IPs, because you can allow it on a filtered basis, sometimes just because I'm trying to track some type of issue that I might be running into. But, yeah, I'll leave that one blocked by default. It's always open internally, of course, but externally, yeah, you can leave it blocked. Is it true, Tom, that the reason that companies like to block ping is you can actually, on the kind of like payload of ping, you can actually put data there, and you could actually send data out through pinging to somewhere else and then collect that on the kind of client somewhere else? And you know, you could actually send data on ping packets out of the network without the company kind of knowing.

Tom Lawrence:

Oh, there's all kinds of ways you could smuggle data, but that's, yeah, they're not as likely of a scenario. Most of the time it's just about visibility. So ping sweeping is one of the quickest and easiest ways, you know, send the echoes out, see which ones come back. Hey look, there's something there, and then start scanning it. The reality is our tools that do network mapping have become substantially more advanced.

Tom Lawrence:

So ping being off is just a flag. Don't ignore if it pings off, I don't care. Scan these IPs anyways, because if it pings we know it's there. If it doesn't ping, it doesn't mean it's not there, but there's other ways to start determining that it's there so we can start scanning things. So it's an old mitigation that still just exists from forever ago. But if you turn on something like Snort or Suricata and you stick it on the WAN side so it's listening, even though ping is off, it'll listen to all of what's sent there, and you'll find ping packets aren't the most. You'll find, like, it's just, there's exploits flying all the time. The firewall doesn't do anything with them because it doesn't accept connections. But if you put something listening on that WAN side, you realize they don't care if the connection, they didn't ping you first, they're just blasting packets out and seeing if anything responds, all the time. So the threat model has changed, right.

Ed Rawlings:

I was wondering, you know, how do you think pfSense stands up in terms of community support compared to kind of other solutions that people might be thinking of?

Tom Lawrence:

This is what makes pfSense good, in twofold. One, there's a ton of documentation, much of it not just by the folks at Netgate, who have a really good write-up and a whole section for how to do things. But you start Googling around, you'll find tons of community write-ups, blog posts of how to solve problems, not to mention me and many other people have a lot of YouTube videos on it. So you have this large knowledge base out there for how to do things in pfSense. The community support forums, they're very active. They have a very massive user base, because they have so many people in the enterprise user space, that leads down to a lot of people also in the home user space, and there's a lot of interaction that you'll see in their forums. Good, the developers themselves are very, very active. They're very, very responsive and, yeah, I would say they have a really good base community of users. Even myself, because I run forums.

Tom Lawrence:

There's a lot of pfSense questions in there, and not just me, but a lot of the people that are participating in my forums frequently answer those questions. A lot of times we do. We never say RTFM, we're more about, we will show you, because sometimes people don't realize, because the documentation is so vast, that they're like, hey, I don't know how to do this. And if they don't know the right words, we're like, oh, this is what you want, actually this, and we'll send a link to the document. Like, oh, look, there's a step by step guide in their own documentation. Once they knew the right combination of words to use, it solves it for them. So I'd say that's a really, it's a big factor of what keeps pfSense so popular, is that, you know, large amount of documentation and experience that people have with it.

Ed Rawlings:

That's good, good. So someone wanting to start out, they're going to have good support from the community, who wants to kind of set up a pfSense machine. I think it's quite interesting. I learned recently that I believe the US Navy deployed pfSense to their aws and it was a hospital ship.

Tom Lawrence:

Yeah, yeah, the USNS Mercy, I think, yes. It is used a lot more than people think. You will get those arguments, especially, it always seems like it's a Redditor, that says the government can't use it because it's not certified for, and they'll cite some government code. And I'm like, there's a little thing called carve outs, and it's kind of one of those. The government may have standards, and really a lot of companies do this. They set, like, these are the guidelines, and then they realize their guidelines are not realistic, or they have a bunch of existing stuff that doesn't work, and we're like, well, that's grandfathered in, and we'll put a carve out that, as long as it's by this, it will be allowed to live on.

Tom Lawrence:

And the US Navy has used it extensively for a long time. I was shocked that they got permission to do the write-up on it. It's one of those things, like, and I can't even talk about all the places I've run into it at large corporate companies, because we do a ton of consulting. Banks use it extensively, and it's amazing how many banks run on pfSense and people didn't know. I pointed out years ago, I thought it was kind of interesting, back before, in the US here now we use a ton of hiring companies, a lot of companies don't direct hire like they used to, but years ago I did a video about open source use in the enterprise, and I was on a hiring site showing you could search for things like TrueNAS, you could search for things like pfSense, and if Visa and MasterCard were looking for a data center technician with extensive pfSense experience, I don't think they just wanted them to know pfSense. I have a feeling that they wanted them to know it because it was what they were using.

Tom Lawrence:

So I kind of commented on job listings where I would search for an open source, not just an open source project, like a specific one like pfSense, not like, hey, I want someone who knows BSD or Linux. Specifically, they want people with these skills and, matter of fact, at that time, you can still do job searches. You just don't know. They're always by these generic hiring companies. But there's still companies hiring for people with that same skillset and, based on what they're paying, they're larger companies on these job offers.

Tom Lawrence:

So, yeah, it's definitely US Navy being one that they were able to share an example. I think they have a NASA example on there. I think NASA still has some, if you search. It's an older blog post and, as we know, most companies aren't looking to change all the time. So actually, kind of a side to this, I learned NASA uses, when I was putting together a wiki for a knowledge base, along with some of the visual plugins, I learned NASA, there's a guy from NASA who had a video, and it's buried somewhere in my saves from years ago, I want, here's a great, of how NASA uses open source wikis to manage the knowledge, the massive corpus of knowledge that they have, across, like, you know, when they have some really deep statistics on, you know, the science they're doing, they've documented it all in a series of internal wikis, which I thought was really cool.

Ed Rawlings:

Wow. Also, while I was kind of looking at, you know, where kind of pfSense was used, I noticed that the Army Cyber School, they were using not pfSense but some other software by Netgate called TNSR. What exactly is that? Is it just kind of like a more advanced kind of firewall software?

Tom Lawrence:

Yes. It's actually built on Linux. TNSR uses vector packet protocol, vector packet routing. I don't particularly use the software much, but it's a command line. I know at some point they're going to be working on some UI elements for it, but it's like a command line first type of firewall. But it breaks the standard firewall by using some more advanced, newer features that are built into the Linux kernel. That's why they built it on Linux, not BSD like pfSense is, and it allows, even with the same exact hardware, substantially higher throughput.

Tom Lawrence:

It's a different way of handling the packets and processing them that allows for some limitations that you run into. There are some streaming limitations you run into inside of pfSense where it can only route a single TCP stream so fast, and I've done a couple of demos on this where people go, it's 10 gig but I don't get 10 gig. Well, if you use iperf, and the default iperf for doing speed testing is single stream, yes, you're going to run into, it hits the processor, it can only have one thread. But if you break the packets up into multiple threads, it will route through. Some of this is done a little bit differently in the TNSR software, so it handles them and allows more scalability. So this can be used at data center level. We're starting to see where we're bumping up against the limits. When you start putting pfSense, it used to be really popular in the data center, but some of these data centers are 100 plus gig. Well, now you're going to run into some limitations again.

Ed Rawlings:

Wow, cool, so that kind of limitation, is that just basically down to BSD then?

Tom Lawrence:

It's a little bit BSD. Right now, Netgate is, about 15% of the contributions to BSD come from Netgate, so they actually contribute heavily to it. This is one of the challenges. Everyone wants the free firewall. I get it. I love open source too, but at some point it takes a very high level skill to be a kernel developer. This is not an average writing a little bit of Python code. Kernel development is hard. They employ numerous kernel developers. Their job is not like a day job and then they contribute code at night like a hobby. They are paid to contribute back to BSD and, you know, these are people who make $200,000 a year or so, I'm sure, and having a handful of those people on there to write the code that keeps BSD going forward is what comes downstream inside of pfSense, and everyone benefits from it, so anyone who uses BSD. But unfortunately what we're seeing right now, BSD is kind of shrinking. It's a tough gig right now.

Tom Lawrence:

This is one of the reasons why things are on Linux, because there's going to be no one, I think, who will refactor the code enough in BSD or do the heavy lift. But Linux, being the fact that it runs Google, Amazon and everybody else, there's tons of code contribution going back for massive hyperscale features. So the Linux kernel has just a bigger, you know, enough big companies donating back to it, that I think they know, the people at Netgate are smart, are like, that's where this is going to go. I don't think there's any way for them to port, like, the vector packet routing features into the BSD. I mean, technically there's a way. It's like whether or not you want to pay for that way is the question. Like, we could do it, someone got a grant, and that's what it comes down to. Or we just start developing on the Linux kernel where it already exists.

Ed Rawlings:

I didn't know that Netgate do 15%, yeah, of stuff for BSD. I guess iXsystems must contribute a lot as well. Yes, but then I didn't know till recently, Tom, that they actually had a desktop OS called True... Was it TrueOS? They had one that was based off... I can't remember what it was called beforehand, but it goes back years, doesn't it? To the early 2000s?

Tom Lawrence:

Well, specifically, Kris Moore was the head of that project. Kris Moore is the head of development. He's a longtime open source developer, a great person, but he, yeah, what was it called? I forgot what it was called. It was a BSD-based one. It was called PC-BSD, wasn't it? PC-BSD?

Ed Rawlings:

That's it, yeah, yep.

Tom Lawrence:

PC-BSD, that's it.

Ed Rawlings:

Yeah.

Tom Lawrence:

Yep, so it's not directly supported by iXsystems, but the same people.

Ed Rawlings:

Because they've discontinued it now, haven't they?

Tom Lawrence:

Yeah, and even the folks at iXsystems. They're not abandoning it, but they realized the future is with TrueNAS Scale, which is Debian-based, versus TrueNAS Core, which is BSD. They still plan to support it for a number of years. But they're not focusing on features because they're running into problems. It's only when a new thing comes out, like a new network card or whatever that might be. The companies aren't necessarily writing the drivers for BSD, so someone has to contribute to it, versus the Linux drivers ship with it. And so they kind of realize there comes a future when someone wants some of this cutting-edge hardware and there may not be support for newer hardware in FreeBSD.

Tom Lawrence:

Netgate's going to face the same problem at some point where there's a little bit lesser and lesser driver support on there. Now Netgate's actually contributing some of the drivers to an extent, but they're contributing the drivers that make sense to Netgate. So if a new network comes out, Netgate will probably write the drivers or contribute coding them or converting them from Linux to BSD. But when a new RAID controller comes out and Netgate goes, why would I take the time to write the drivers for this? And iXsystems goes, we don't have the resources to do it, so it doesn't happen. And then suddenly that RAID controller may not be, or that backend or that chipset isn't supported in BSD, so you kind of have to go to Linux if you want to use that box.

Tom Lawrence:

And that is what the long-term future will look like. We're so far away from that today. It's still a few years out. But you have to be planning these projects years in advance, because you don't want your technical debt, you know, all of your coding contribution, to go to a product that's then going to be pulled out from under you or not support your current base. It's going to be tough.

Ed Rawlings:

With BSD? Do companies like NVIDIA make graphics drivers for BSD?

Tom Lawrence:

Yeah, but I think those lag behind as well. I'm not even sure. Yeah, I think they're not the same level of support that you get in Linux, and that comes back to like a community thing. If you try to Google a problem and you're having it in BSD, you may not find that the Linux solution works, and you may find so few people using it in the BSD world that you're going, I guess I need to run this in a Linux environment because I can't find the equivalent answer, but I know it works out of the box in Linux. And then one of the recent updates to a few things has been some more NVIDIA driver compatibility updates with the Linux kernel. I just noticed that when I was reading some notes. I'm like, I don't think I see those notes if I were to go to the BSD side of the world.

Ed Rawlings:

Right, yeah, okay, so we've been speaking for quite a long time now, so I think we're going to split this podcast up into a Part A and a Part B. Now, thank you very much, Tom, for taking the time to speak to us in the first part of the podcast, and I'm looking forward to continuing the conversation in a few moments. And thank you very much to the audience for taking the time to listen. Please come back and join us for Part B, where Tom and I are going to be speaking about topics such as ZFS and the future of open source in 2024 and beyond.

Merging with CNWR and switching to full-time Tech Nerd
Quick fire questions
Security in open and closed source projects
pfSense: What is it, and why should every homelabber use it?
Optimizing pfSense for Business Networks
pfSense and VPNs
Must have pfSense packages
Network Security best practices
pfSense community support and US DOD usage
pfSense across Linux, FreeBSD and how support breaks down across tech stacks