
Messages - hege

IPsec / Re: site-to-site wan traffic through site B BUT with exceptions
« on: December 18, 2017, 12:30:27 pm »
I think I solved it by myself.

My solution:

IPsec transport mode between Site A and Site B
GRE tunnel over the IPsec-secured connection
Custom gateway with custom static routes.

IPsec / Re: site-to-site wan traffic through site B BUT with exceptions
« on: December 07, 2017, 10:12:07 am »
Hi jimp,

thanks for your answer. So if I'm understanding you correctly, this also means that I cannot use an additional gateway located on site B? (the "Use non-local gateway" option)

Unfortunately OpenVPN is not an option because of the missing support on site B.

Post a bounty / [SOLVED] 50$ Fix my routing issue
« on: December 07, 2017, 03:57:41 am »
I need some (urgent) help with my routing issue.

I would prefer paypal.

I solved it by myself. (more in the link above)

IPsec / site-to-site wan traffic through site B BUT with exceptions
« on: November 20, 2017, 12:03:42 pm »

I want to route all my internet traffic through site B, but I have to make some exceptions.

To do this I made a simple S2S setup - LAN<-> with traffic rules to allow the traffic.

At this point I'm able to connect to internet sites with my public IP on site B, but now I need to make an exception for IP

I thought I could do this by simply adding a firewall rule on site A and specifying the gateway, but this doesn't work - the whole traffic from site A (LAN to WAN) goes to site B.


   WAN - A                             WAN - B
      |                                   |
      |            S2S ipsec              |
   FW - Site A  ---------------  FW - Site B
      |                                   |
    LAN (                               LAN (

I also tried to use the usual P2 setting LAN-A <-> LAN-B but added an additional gateway (with the "allow outside interface range" property on), but this also does not work.

All help is gratefully accepted.
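The routing behaviour described in this thread (the pf rule with a gateway not pulling the exception host out of a LAN-A <-> 0.0.0.0/0 tunnel-mode P2, versus the GRE-over-transport-IPsec design with static routes that the poster later reported as the fix) modelled as an added example. This is not the poster's configuration or pfSense code; all addresses are constructed from the RFC 5737 documentation ranges, and the ordering assumed for the policy-based case (the SPD selector captures the packet before the pf rule gateway matters) is an assumption consistent with what the poster observed, not something the thread states explicitly.

```python
# Added example (not the poster's configuration): a small model of why a pf rule
# with a gateway could not carve an exception out of a tunnel-mode IPsec P2 of
# LAN-A <-> 0.0.0.0/0, while a GRE tunnel over transport-mode IPsec plus static
# routes can. All addresses are constructed from the RFC 5737 documentation ranges.
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

LAN_A = IPv4Network("192.0.2.0/24")        # constructed: site A LAN
WAN_B = IPv4Address("203.0.113.1")         # constructed: site B public address
ANY = IPv4Network("0.0.0.0/0")
EXCEPTION = IPv4Address("198.51.100.10")   # constructed: host that must leave via WAN-A
OTHER = IPv4Address("198.51.100.200")      # constructed: any other Internet host

NH_WAN_A = "WAN-A gateway"
NH_IPSEC_B = "IPsec tunnel to site B"
NH_GRE_B = "gre0 peer at site B"


def policy_based_next_hop(src: IPv4Address, dst: IPv4Address,
                          spd: List[Tuple[IPv4Network, IPv4Network]],
                          pf_rule_gateway: Optional[str] = None) -> str:
    """Tunnel-mode (policy-based) IPsec. Assumption modelled here: a matching SPD
    selector captures the packet regardless of the gateway a pf rule assigned,
    which is consistent with the poster's observation that all LAN-A traffic
    still ended up at site B after adding such a rule."""
    for src_net, dst_net in spd:
        if src in src_net and dst in dst_net:
            return NH_IPSEC_B
    return pf_rule_gateway or NH_WAN_A


def route_based_next_hop(dst: IPv4Address,
                         routes: List[Tuple[IPv4Network, str]]) -> Optional[str]:
    """Route-based design: the GRE interface is an ordinary next hop, so plain
    longest-prefix matching decides, and a /32 static route beats the default."""
    best: Optional[Tuple[IPv4Network, str]] = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def failing_setup() -> Tuple[str, str]:
    """P2 LAN-A <-> any, plus a pf rule sending EXCEPTION out via WAN-A.
    Both the exception host and any other host end up in the tunnel."""
    spd = [(LAN_A, ANY)]
    src = IPv4Address("192.0.2.50")  # constructed: a LAN-A client
    return (policy_based_next_hop(src, EXCEPTION, spd, pf_rule_gateway=NH_WAN_A),
            policy_based_next_hop(src, OTHER, spd))


def working_setup() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """GRE over transport-mode IPsec: default via the GRE peer, the exception via
    WAN-A, and the tunnel endpoint itself pinned to WAN-A so the outer GRE/ESP
    packets do not recurse into the tunnel (a general requirement of any
    route-based tunnel, not a detail the thread states)."""
    routes = [
        (ANY, NH_GRE_B),
        (IPv4Network(f"{EXCEPTION}/32"), NH_WAN_A),
        (IPv4Network(f"{WAN_B}/32"), NH_WAN_A),
    ]
    return (route_based_next_hop(EXCEPTION, routes),
            route_based_next_hop(OTHER, routes),
            route_based_next_hop(WAN_B, routes))


if __name__ == "__main__":
    print("policy-based:", failing_setup())
    print("route-based: ", working_setup())
```

The third route in the working case is the one most often forgotten when moving the default route onto a tunnel interface: without a more specific route for the peer's public address via the physical WAN gateway, the encapsulated packets themselves would match the default route and be sent back into the tunnel.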

Traffic Shaping / Borrow and Guarantee Bandwidth per Interface
« on: February 21, 2017, 12:09:15 pm »

my setup:

WAN (100/100Mb)
  |       |       |
Top1    Top2    Top3

Top1 pays for 30Mb
Top2 pays for 50Mb
Top3 pays for 20Mb

Currently I have a simple CBQ shaping setup with the borrow option enabled, but that only allows me to upload with 100Mb (if available) and download with the paid bandwidth.
As far as I know, I simply need to create a bridge with Top1-3 as members and apply the shaper to the bridge, but my problem is that Top1-3 are defined as VLANs and I have no option other than VLAN.
So I tried enabling the bridge and also set the pf filter option for the bridge in tunables, but it does not seem that the bridge gets the traffic.

Any idea what I did wrong?

Deutsch / Re: block all subdomains of a domain
« on: January 13, 2016, 12:24:14 pm »
Should work quick & dirty with a domain override: just enter a specific IP there that does not run a name server and that ideally would have to be routed through the firewall. Then you get a timeout, and with a matching firewall rule you can also see who would have liked to use it.

General Questions / Re: 10Gbps - pfSense 3.4Gbps / ubuntu 9.4Gbps ??
« on: December 16, 2015, 05:47:24 am »
As far as I know, "pfctl -d" is exactly what the GUI checkbox does, and I only got 4.4Gbps - still much lower than with Ubuntu.
It seems that I have to use two more PCs for a correct test.

My initial goal was to check how much throughput I can get with two C2558 as FW CPUs, but I only got 1.6Gbps on a single TCP connection with the setup PC1 -> FW1 <-> FW2 -> PC2, so I changed to PC1 <-> PC2.

Thank you, I will check that.

General Questions / Re: 10Gbps - pfSense 3.4Gbps / ubuntu 9.4Gbps ??
« on: December 15, 2015, 08:58:17 am »
> You've connected two systems directly together via Intel 520 10Gb NICs, and when you use Ubuntu, you get about 9Gb, and when you use pfSense, you get about 3Gb/s?
>
> What version of iperf are you using on Linux? pfSense is only 2.x while 3.x now exists.
> I also noticed your Ubuntu boxes are defaulting with larger TCP windows.

Ubuntu 14.04 has iperf 2.0.5 (same as pfSense)
I just tried it with the same TCP window but it makes no difference :(

General Questions / 10Gbps - pfSense 3.4Gbps / ubuntu 9.4Gbps ??
« on: December 14, 2015, 01:20:17 pm »

I only get around 3.4Gbps with my setup (only 4.4Gbps with pfctl -d / pfSense 2.2.5).
With Ubuntu 14.04 I get 9.4Gbps.

Setup: (both systems are 1:1)
CPU: Intel i5-4590 @3.3GHz
RAM: 2x 8GB
HDD: 120 GB SSD
NIC: Intel X520-DA2

PC1 <- X520-DA2 -> PC2

used commands:
Server: iperf -s
Client: iperf -c SERVER -t 10

Changed settings:

sysctl hw.intr_storm_threshold=10000

What did I do wrong, what have I forgotten?

Packages / Re: 2.3.3 -> 2.2.4 nrpe2 service can't start
« on: July 31, 2015, 02:54:44 pm »
No, if I do so, I get

Code:
/usr/local/etc/rc.d/ load_rc_config: not found
/usr/local/etc/rc.d/ run_rc_command: not found

Packages / Re: 2.3.3 -> 2.2.4 Unable to mount devfs on
« on: July 31, 2015, 02:29:44 pm »
> Does it break something?

I think so, the service can't start. I can only find these two lines in the logfiles:

Code:
Jul 31 21:23:35 root: /usr/local/etc/rc.d/ WARNING: failed precmd routine for nrpe2
Jul 31 21:23:35 root: /usr/local/etc/rc.d/ WARNING: : Unable to mount devfs on

Manual start does work

Code:
/usr/local/sbin/nrpe2 -d -c /usr/pbi/nrpe-amd64/etc/nrpe.cfg

Packages / 2.3.3 -> 2.2.4 nrpe2 service can't start
« on: July 31, 2015, 11:02:08 am »

After upgrading I now have an issue with a package (NRPE v2).

The script /usr/local/etc/rc.d/ has the line ". /etc/rc.subr", but this command exits with an error.
Code:
mount: : No such file or directory
/etc/rc.subr: WARNING: : Unable to mount devfs on


IPsec / [Solved] IPSec 2.2.2 -> 2.2.3 Connected but no traffic
« on: June 25, 2015, 12:50:27 pm »
I upgraded 3 of my boxes to 2.2.3 and now my S2S tunnels don't allow traffic (in any direction).

B -> A <-C

Mobile VPN still working. (Edit: - that was because on box C, where I tested Mobile VPN aes-ni is disabled)

RSA / AES256 / SHA256 / DH5
3 P2 entries (tried it with only 1 - same issue)

Anyone else with the same issue? I currently don't have time for further testing.


As a workaround I deactivated AESNI as suggested in

> ...But after upgrade to 2.2.2...

pfSense 2.2 has the required driver already integrated, no need to add anything, make a fresh install from 2.2 and import your config!
By now, I'm using 7 boxes with Hyper-V and pfSense 2.2.2 without any bigger issues.

IPsec / Re: MSCHAPv2 VPN Working ... mostly
« on: February 28, 2015, 05:51:08 pm »
Which DNS server have you set in the mobile clients section?

Open a CMD and type nslookup; what is the output with/without the VPN connection?
