

Messages - sheptard

1
Feedback / Mtecknology be power tripping in your IRC room
« on: December 09, 2017, 02:37:57 am »
01:17:28 < Haris> hello all
01:17:28 < Haris> guys!
01:17:37 < mybalzitch> what about the women
01:17:40 < Haris> pfsense pages don't open correctly on mobile set
01:17:46 < mybalzitch> mobile set?
01:17:51 < mybalzitch> pfsense pages? what are those
01:18:01 < Haris> Google/Motorolla Nexus 6
01:18:18 < mybalzitch> alright, thats the mobile device you are using
01:18:29 < Haris> I can't reach or scroll to status -> Traffic graph when page is opened on mobile set
01:18:39 < mybalzitch> okay I see what you mean now
01:18:43 < Haris> there's no option to scroll in menu on the mobile set, even on a 6" screen
01:18:51 < mybalzitch> I have a different phone, but I use the chrome browser as well
01:18:57 < mybalzitch> let me check
01:20:31 < mybalzitch> okay, by scroll in menu, you mean being able to look through the other choices in the menu button, while on the status -> traffic graph ?
01:21:52 < Haris> no
01:21:53 < Haris> status menu in lengthy
01:22:03 < Haris> in mobile set, page doesn't scroll till the Traffic Graph option
01:22:12 < Haris> it stops mid way in the menu
01:23:36 < mybalzitch> https://www.dropbox.com/s/f909v3x8kl3nqro/2017-12-09%2001.23.03.png?raw=1 that's what I see on that page
01:23:55 < Haris> for e.g., I can't see past the IPSec or Load Balancer or Monitoring option(s) from the menu
01:23:57 < mybalzitch> I was able to scroll down to get to the traffic graph choice as well
01:24:03 < Haris> hmm
01:25:06 < Haris> how were you able to scroll down till that option ?
01:25:13 < Haris> that's iOS platform ?
01:25:20 < Haris> I'm on android
01:25:25 < Haris> in chrome
01:27:19 < mybalzitch> not iOS
01:27:26 < mybalzitch> its a galaxy s8+ with the chrome browser
01:28:03 < Haris> can you show the status menu in open state ? or can you tell how you were able to see the later option(s) in the menu ? I can't see or reach them in chrome
01:28:19 < mybalzitch> https://play.google.com/store/apps/details?id=com.chrome.beta&hl=en
01:28:21 < mybalzitch> thats what I use
01:28:26 <@MTecknology> None of this has anything to do with pfsense.
01:28:45 < mybalzitch> MTecknology: ....
01:28:58 < mybalzitch> MTecknology: SORRY TO TAKE AWAY FROM ALL THE 1:20AM MDT REGULAR CONVO THATS GOIN ON
01:29:19 < Haris> reaching or not being able to reach an option on pfsense is an app related stuff
01:29:21 -!- mhoungbo [~mhoungbo@41.79.219.204] has quit [Ping timeout: 248 seconds]
01:29:27 -!- mybalzitch was kicked from #pfsense by MTecknology [no worries.. bye now]

We were nicely discussing what could be a problem with rendering parts of the pfsense website on mobile devices.

M'teck'nology felt the need to butt in and police the productive conversation for whatever reason.

This is blatant abuse of mod powers.

2
Firewalling / Re: Bridging problem
« on: August 30, 2017, 03:08:38 pm »
I've tried turning PF off, and seeing if the traffic passes, but it doesn't seem to.

3
Firewalling / Bridging problem
« on: August 30, 2017, 01:21:28 pm »
Hi

I have a set top box, it talks HTTP and multicast. When it powers up, it grabs its firmware via a bootp request to the ISP.

I have created a gif tunnel from my house to my friend's house down the street.

Basically I take the ethernet from the stb, get it to my switch on its own cable, the switch assigns it to vlan 420, 420 then ends up going to my pfsense router via a trunk port (other vlans on it, for lan, wan1, wan2, wan3), where it is supposed to travel over the gif interface to my friend's gif interface (also on pfsense), where it goes through the same process to end up spitting out on his dedicated vlan where magic happens.

The issue is that when I activate the gif tunnel, I can see my traffic going to him. My traffic ends up on his network, equipment on his network replies to the traffic (bootp request for example) it travels out his gif interface, back over the wire to my house, where I can see it if I tcpdump the vlan of the wire for that connection, but I do not see that traffic come in my gif interface, or on vlan420 to be sent to the set top box.

As far as my set top box is concerned, there's nobody out there to talk to it.

I have a pass all rule for both source friends IP, and destination friends IP, on the wan2 vlan. I had it floating before, but I changed it to that.

If I watch pflog0 with host my.friends.source.ip I do not see any entries. If I watch the whole log, I see some traffic, but none of it applies to the gif interface, in or out.

If I watch gif0, I can see my stb send out BOOTP requests.

If I watch the wan2 vlan, I can see encapsulated traffic going from me, to him, then from him back to me, where my box does nothing about it and it never shows up on the wire.

I have changed the two settings for bridge/interface filtering in the sysctls. They are set to net.link.bridge.pfil_member=0 and net.link.bridge.pfil_bridge=1

I know I can't ping the tunnel end points, that's a bug. But clients should still be able to talk, right?

I do not understand what is wrong. Please help.

4
IPv6 / Re: Can't get PD /56 to work
« on: July 09, 2016, 03:30:03 am »
I just updated to 2.3.2-DEVELOPMENT, which included an update to dhcp6, and it seems things are working better. My internal clients have valid ipv6 addresses and ipv6 dns works just fine.

However I can't get any ipv6 traffic to leave my lan, but ipv6 connectivity works just fine on the router.


5
IPv6 / Re: Complete noob and ia-pd configuration.
« on: October 31, 2015, 04:03:55 pm »
So with this config file

Code:
interface em0_vlan3 {
#       information-only;
        send ia-pd 1;
        request domain-name-servers;
        request domain-name;
        script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};

id-assoc pd 1 {
        prefix-interface em0_vlan5 {
                sla-id 1;
                sla-len 0;
        };
};

It works. I get functional IPv6 on my router, however pfsense doesn't seem to want to let me advertise this to clients on my lan.

Also, there seems to be no choice/combination of options to do PD on a normal WAN interface. In the 2.2.5 changelog, it said IA-PD changes were made for PPPoE users.

6
IPv6 / Re: Complete noob and ia-pd configuration.
« on: October 30, 2015, 10:09:55 pm »
So,

I modified my config slightly

Code:
interface em0_vlan3 {
        send ia-pd 1;
        request domain-name-servers;
        request domain-name;
        script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};

id-assoc pd 1 {
        prefix-interface em0_vlan5 {
#               sla-id 1;
#               sla-len 56;
        };
};

now this happens

Code:
Oct/30/2015 21:07:26: reset a timer on em0_vlan3, state=INIT, timeo=0, retrans=383
Oct/30/2015 21:07:27: a new XID (9026a) is generated
Oct/30/2015 21:07:27: set client ID (len 14)
Oct/30/2015 21:07:27: set elapsed time (len 2)
Oct/30/2015 21:07:27: set option request (len 4)
Oct/30/2015 21:07:27: set IA_PD
Oct/30/2015 21:07:27: send solicit to ff02::1:2%em0_vlan3
Oct/30/2015 21:07:27: reset a timer on em0_vlan3, state=SOLICIT, timeo=0, retrans=1088
Oct/30/2015 21:07:27: receive advertise from fe80::ea4:2ff:fe23:f401%em0_vlan3 on em0_vlan3
Oct/30/2015 21:07:27: get DHCP option server ID, len 10
Oct/30/2015 21:07:27:   DUID: 00:03:00:01:0c:a4:02:23:f4:01
Oct/30/2015 21:07:27: get DHCP option client ID, len 14
Oct/30/2015 21:07:27:   DUID: 00:01:00:01:1b:d5:91:94:74:d0:2b:9d:84:9c
Oct/30/2015 21:07:27: get DHCP option IA_PD, len 41
Oct/30/2015 21:07:27:   IA_PD: ID=1, T1=86400, T2=144000
Oct/30/2015 21:07:27: get DHCP option IA_PD prefix, len 25
Oct/30/2015 21:07:27:   IA_PD prefix: 2001:56a:f3a8:a700::/56 pltime=172800 vltime=345600
Oct/30/2015 21:07:27: get DHCP option DNS, len 32
Oct/30/2015 21:07:27: server ID: 00:03:00:01:0c:a4:02:23:f4:01, pref=-1
Oct/30/2015 21:07:27: reset timer for em0_vlan3 to 0.982435
Oct/30/2015 21:07:28: picked a server (ID: 00:03:00:01:0c:a4:02:23:f4:01)
Oct/30/2015 21:07:28: a new XID (68310) is generated
Oct/30/2015 21:07:28: set client ID (len 14)
Oct/30/2015 21:07:28: set server ID (len 10)
Oct/30/2015 21:07:28: set elapsed time (len 2)
Oct/30/2015 21:07:28: set option request (len 4)
Oct/30/2015 21:07:28: set IA_PD prefix
Oct/30/2015 21:07:28: set IA_PD
Oct/30/2015 21:07:28: send request to ff02::1:2%em0_vlan3
Oct/30/2015 21:07:28: reset a timer on em0_vlan3, state=REQUEST, timeo=0, retrans=977
Oct/30/2015 21:07:28: receive reply from fe80::ea4:2ff:fe23:f401%em0_vlan3 on em0_vlan3
Oct/30/2015 21:07:28: get DHCP option server ID, len 10
Oct/30/2015 21:07:28:   DUID: 00:03:00:01:0c:a4:02:23:f4:01
Oct/30/2015 21:07:28: get DHCP option client ID, len 14
Oct/30/2015 21:07:28:   DUID: 00:01:00:01:1b:d5:91:94:74:d0:2b:9d:84:9c
Oct/30/2015 21:07:28: get DHCP option IA_PD, len 41
Oct/30/2015 21:07:28:   IA_PD: ID=1, T1=86400, T2=144000
Oct/30/2015 21:07:28: get DHCP option IA_PD prefix, len 25
Oct/30/2015 21:07:28:   IA_PD prefix: 2001:56a:f3a8:a700::/56 pltime=172800 vltime=345600
Oct/30/2015 21:07:28: get DHCP option DNS, len 32
Oct/30/2015 21:07:28: nameserver[0] 2001:568:ff09:10c::53
Oct/30/2015 21:07:28: nameserver[1] 2001:568:ff09:10d::53
Oct/30/2015 21:07:28: make an IA: PD-1
Oct/30/2015 21:07:28: create a prefix 2001:56a:f3a8:a700::/56 pltime=140733193560832, vltime=140733193733632
Oct/30/2015 21:07:28: invalid prefix length 56 + 16 + 64
Oct/30/2015 21:07:28: executes /var/etc/dhcp6c_wan_script.sh
Oct/30/2015 21:07:28: script "/var/etc/dhcp6c_wan_script.sh" terminated
Oct/30/2015 21:07:28: removing an event on em0_vlan3, state=REQUEST
Oct/30/2015 21:07:28: removing server (ID: 00:03:00:01:0c:a4:02:23:f4:01)
Oct/30/2015 21:07:28: got an expected reply, sleeping.


so em0_vlan5 now gets assigned

Code:
inet6 2001:56a:f3a8:a700:20c:29ff:fe20:fd1c prefixlen 56

however, if I try to ping

Code:
ping6 google.ca
PING6(56=40+8+8 bytes) 2001:56a:f3a8:a700:20c:29ff:fe20:fd1c --> 2607:f8b0:400a:805::100f
ping6: sendmsg: Operation not permitted
ping6: wrote google.ca 16 chars, ret=-1

but the routing table looks good

Code:
[2.2.4-RELEASE][root@pfsense.wtf.local]/root: route -6 get google.ca
   route to: sea15s01-in-x03.1e100.net
destination: default
       mask: default
    gateway: node-1w7jra22wzwwdjzfq1cmmcqo0.ipv6.telus.net
        fib: 0
  interface: em0_vlan3
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

=\
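As an added illustration that is not part of the original thread: the "invalid prefix length 56 + 16 + 64" line in the log above is dhcp6c refusing a prefix-interface whose delegated prefix length, sla-len and 64-bit interface id add up to more than 128 bits, so a /56 delegation leaves at most 8 bits of sla-len, and the 16 is what the daemon used once sla-len was commented out. The Python below reproduces that arithmetic and derives the subnet each sla-id would select; treating sla-id as unused when sla-len is 0 is an assumption, chosen because the later post's working config (sla-id 1, sla-len 0) received the whole /56.

```python
import ipaddress

IFID_LEN = 64  # dhcp6c's interface-id length, the "+ 64" in the log line above


def max_sla_len(delegated_plen: int, ifid_len: int = IFID_LEN) -> int:
    """Largest sla-len that still leaves room for a 64-bit interface id.

    For the /56 delegations on this page this is 8; the 16 that dhcp6c used
    when sla-len was commented out overshoots by 8 bits.
    """
    return 128 - ifid_len - delegated_plen


def derive_pd_subnet(delegated: str, sla_id: int, sla_len: int,
                     ifid_len: int = IFID_LEN) -> ipaddress.IPv6Network:
    """Mirror dhcp6c's length check for one prefix-interface entry.

    Raises ValueError with the daemon's wording when the lengths do not fit,
    otherwise returns the subnet the named interface would be given.
    """
    net = ipaddress.IPv6Network(delegated)
    plen = net.prefixlen
    if plen + sla_len + ifid_len > 128:
        raise ValueError(f"invalid prefix length {plen} + {sla_len} + {ifid_len}")
    if sla_len == 0:
        # Assumption: with no SLA bits the sla-id is unused, consistent with
        # the working config (sla-id 1, sla-len 0) receiving the whole /56.
        return net
    if sla_id >= (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    new_plen = plen + sla_len
    # The SLA id fills the sla_len bits directly after the delegated prefix.
    addr = int(net.network_address) | (sla_id << (128 - new_plen))
    return ipaddress.IPv6Network((addr, new_plen))


def check_config(delegated: str, sla_id: int, sla_len: int) -> str:
    """Outcome as one line, for eyeballing an id-assoc pd block before use."""
    try:
        return str(derive_pd_subnet(delegated, sla_id, sla_len))
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    PD = "2001:56a:f3a8:a700::/56"  # the prefix delegated in the log above
    print(check_config(PD, 1, 0))    # working config from the later post
    print(check_config(PD, 1, 16))   # sla-len omitted: the failing case
    print(check_config(PD, 1, 8))    # one /64 per LAN, the largest sla-len that fits
```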

7
IPv6 / Complete noob and ia-pd configuration.
« on: October 30, 2015, 05:23:03 pm »
So, near as I can understand it, my one ISP hands out a /56 prefix, then it's up to the router (pfsense box in my case) to delegate the addresses to other devices inside the LAN.

I've had to custom create a dhcp6c_wan.conf which mostly works, except it keeps looping.

This is my config

Code:
interface em0_vlan3 {
        send ia-pd 0;
        request domain-name-servers;
        request domain-name;
        script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};

id-assoc pd 0 {
        prefix-interface em0_vlan5 {
                sla-id 0;
                sla-len 0;
        };
};

When I run /usr/local/sbin/dhcp6c -dDf -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c.pid em0_vlan3

It seems to get a prefix, but it keeps looping

Code:
Oct/30/2015 16:17:39: reset a timer on em0_vlan3, state=INIT, timeo=0, retrans=386
Oct/30/2015 16:17:39: executes /var/etc/dhcp6c_wan_script.sh
Oct/30/2015 16:17:39: script "/var/etc/dhcp6c_wan_script.sh" terminated
Oct/30/2015 16:17:39: removing an event on em0_vlan3, state=REQUEST
Oct/30/2015 16:17:39: removing server (ID: 00:03:00:01:0c:a4:02:23:f4:01)
Oct/30/2015 16:17:39: got an expected reply, sleeping.
Oct/30/2015 16:17:40: a new XID (4448c7) is generated
Oct/30/2015 16:17:40: set client ID (len 14)
Oct/30/2015 16:17:40: set elapsed time (len 2)
Oct/30/2015 16:17:40: set option request (len 4)
Oct/30/2015 16:17:40: set IA_PD
Oct/30/2015 16:17:40: send solicit to ff02::1:2%em0_vlan3
Oct/30/2015 16:17:40: reset a timer on em0_vlan3, state=SOLICIT, timeo=0, retrans=1049
Oct/30/2015 16:17:40: receive advertise from fe80::ea4:2ff:fe23:f401%em0_vlan3 on em0_vlan3
Oct/30/2015 16:17:40: get DHCP option server ID, len 10
Oct/30/2015 16:17:40:   DUID: 00:03:00:01:0c:a4:02:23:f4:01
Oct/30/2015 16:17:40: get DHCP option client ID, len 14
Oct/30/2015 16:17:40:   DUID: 00:01:00:01:1b:d5:91:94:74:d0:2b:9d:84:9c
Oct/30/2015 16:17:40: get DHCP option IA_PD, len 41
Oct/30/2015 16:17:40:   IA_PD: ID=0, T1=86400, T2=144000
Oct/30/2015 16:17:40: get DHCP option IA_PD prefix, len 25
Oct/30/2015 16:17:40:   IA_PD prefix: 2001:56a:f3b1:2e00::/56 pltime=172800 vltime=345600
Oct/30/2015 16:17:40: get DHCP option DNS, len 32
Oct/30/2015 16:17:40: server ID: 00:03:00:01:0c:a4:02:23:f4:01, pref=-1
Oct/30/2015 16:17:40: reset timer for em0_vlan3 to 0.994837
Oct/30/2015 16:17:41: picked a server (ID: 00:03:00:01:0c:a4:02:23:f4:01)
Oct/30/2015 16:17:41: a new XID (562947) is generated
Oct/30/2015 16:17:41: set client ID (len 14)
Oct/30/2015 16:17:41: set server ID (len 10)
Oct/30/2015 16:17:41: set elapsed time (len 2)
Oct/30/2015 16:17:41: set option request (len 4)
Oct/30/2015 16:17:41: set IA_PD prefix
Oct/30/2015 16:17:41: set IA_PD
Oct/30/2015 16:17:41: send request to ff02::1:2%em0_vlan3
Oct/30/2015 16:17:41: reset a timer on em0_vlan3, state=REQUEST, timeo=0, retrans=964
Oct/30/2015 16:17:41: receive reply from fe80::ea4:2ff:fe23:f401%em0_vlan3 on em0_vlan3
Oct/30/2015 16:17:41: get DHCP option server ID, len 10
Oct/30/2015 16:17:41:   DUID: 00:03:00:01:0c:a4:02:23:f4:01
Oct/30/2015 16:17:41: get DHCP option client ID, len 14
Oct/30/2015 16:17:41:   DUID: 00:01:00:01:1b:d5:91:94:74:d0:2b:9d:84:9c
Oct/30/2015 16:17:41: get DHCP option IA_PD, len 48
Oct/30/2015 16:17:41:   IA_PD: ID=0, T1=86400, T2=144000
Oct/30/2015 16:17:41: get DHCP option status code, len 32
Oct/30/2015 16:17:41:   status code: no prefixes
Oct/30/2015 16:17:41: get DHCP option DNS, len 32
Oct/30/2015 16:17:41: nameserver[0] 2001:568:ff09:10c::53
Oct/30/2015 16:17:41: nameserver[1] 2001:568:ff09:10d::53
Oct/30/2015 16:17:41: make an IA: PD-0
Oct/30/2015 16:17:41: status code for PD-0: no prefixes
Oct/30/2015 16:17:41: IA PD-0 is invalidated
Oct/30/2015 16:17:41: remove an IA: PD-0
Oct/30/2015 16:17:41: reset a timer on em0_vlan3, state=INIT, timeo=0, retrans=421
Oct/30/2015 16:17:41: executes /var/etc/dhcp6c_wan_script.sh
Oct/30/2015 16:17:41: script "/var/etc/dhcp6c_wan_script.sh" terminated
Oct/30/2015 16:17:41: removing an event on em0_vlan3, state=REQUEST
Oct/30/2015 16:17:41: removing server (ID: 00:03:00:01:0c:a4:02:23:f4:01)
Oct/30/2015 16:17:41: got an expected reply, sleeping.
Oct/30/2015 16:17:41: a new XID (7688d) is generated
Oct/30/2015 16:17:41: set client ID (len 14)
Oct/30/2015 16:17:41: set elapsed time (len 2)
Oct/30/2015 16:17:41: set option request (len 4)
Oct/30/2015 16:17:41: set IA_PD
Oct/30/2015 16:17:41: send solicit to ff02::1:2%em0_vlan3
Oct/30/2015 16:17:41: reset a timer on em0_vlan3, state=SOLICIT, timeo=0, retrans=1036
Oct/30/2015 16:17:41: receive advertise from fe80::ea4:2ff:fe23:f401%em0_vlan3 on em0_vlan3
Oct/30/2015 16:17:41: get DHCP option server ID, len 10
Oct/30/2015 16:17:41:   DUID: 00:03:00:01:0c:a4:02:23:f4:01
Oct/30/2015 16:17:41: get DHCP option client ID, len 14
Oct/30/2015 16:17:41:   DUID: 00:01:00:01:1b:d5:91:94:74:d0:2b:9d:84:9c
Oct/30/2015 16:17:41: get DHCP option IA_PD, len 41
Oct/30/2015 16:17:41:   IA_PD: ID=0, T1=86400, T2=144000
Oct/30/2015 16:17:41: get DHCP option IA_PD prefix, len 25
Oct/30/2015 16:17:41:   IA_PD prefix: 2001:56a:f3b1:2e00::/56 pltime=172800 vltime=345600
Oct/30/2015 16:17:41: get DHCP option DNS, len 32
Oct/30/2015 16:17:41: server ID: 00:03:00:01:0c:a4:02:23:f4:01, pref=-1
Oct/30/2015 16:17:41: reset timer for em0_vlan3 to 0.995560
^C

So it grabs the prefix of 2001:56a:f3b1:2e00::/56 but then just keeps looping. I tried manually assigning an address of 2001:56a:f3b1:2e00::1 to the appropriate WAN interface, but was unable to ping6/traceroute6 from the PFSense box itself.

Any tips/advice would be greatly appreciated.

8
Also works for me. Thank you

9
Hooray I'm not the only one.

10
General Questions / Clustering multiple pfsync 2.0.1 installs
« on: March 22, 2012, 01:51:03 am »
I've got 3 boxes running pfsync. Going to carp them for redundancy on in/out traffic.

Is there any way to make each install aware of the other? So all packages are installed on all machines, firewall rules are sync'd, and all usage graphs are accurate?
