
Messages - rowebil

No. If you need to use Windows for DHCP and DNS on IPv4 it makes sense that you let Windows do DHCPv6 and DNS for IPv6 too.

Setting the RA on pfSense to Managed says "I am the router you should use to route traffic. Get the rest of your configuration from DHCPv6." The DHCPv6 server does not have to be on pfSense.

I totally agree, and this is why I've been trying to do this for the last few hours.
Under DHCPv6 Server & RA, it says "You do not need to enable DHCPv6 Server on this firewall. You can use a different DHCP server."

I went to DHCP Relay, put in my IPv6 address on my DHCP machine, and it still is not forwarding requests.
Even without DHCP relay, it does not register IPv6.

So you're right - instead of looking up "IPv6 set-up pfsense", I need to look up "IPv6 Windows DHCP" which I've done but something was not set properly somewhere.

Anyhow, I'll try it later on.
I appreciate your help. Thank you

So are you saying making my Windows machine the tunnel?

The purpose with using pfSense was so that all of my clients can use it.

It works with Router Advertisement PERFECTLY.
I can see the IPv6 addresses and MAC addresses, but I can't see the hostname so I would have no clue on how to configure something for a particular host on the firewall part.

I just got to play around with IPv6 and what a nightmare.
I've been using IPv4 for so long, passed ALL college classes with 100%'s, students shocked when I was done first and the professor smiled after grading a test with 100%, etc.
I've been doing this my entire life.

Now I am using IPV6 and the learning curve is like coming from Dreamweaver to Drupal.

I learned that IPv6 does not need NAT, it's typically automatically assigned in most cases, and it's complicated for me lol.
I am going to keep this short and hopefully you guys can surprise me with some answers.

My home network consists of pfSense - Windows Active Directory, Windows DHCP, and Windows DNS.
Works flawlessly.
To be honest, there are more settings on pfSense DHCP and DNS than Windows, but people told me to stick with Windows because it's more seamless.

I followed a tutorial to setting up IPv6.

I have pfSense 2.3.4.
1 IPv6 Tunnel since my ISP is slow with rolling out IPv6.

LAN has IPv6 Static IP set - /64

System > Advanced > Allow IPv6 - Allow IPv6 Tunnel.

Firewall > WAN > PASS IPv4 ICMP- source being my Server IPv4 Address.

The IPv6 firewall tab I have PASS IPv6 ANY (testing).

There are SO many IPv6 addresses around here that I don't know which is which.

I learned that the one is link-local and the other is the routed IPv6.

With Router Advertisement, my phone and other devices gets an IPv6 within half a second. If I turn RA off, it disappears as quickly.
It just WORKS.

However, when I go to the list of DHCPv6 Leases, nothing is there. How am I supposed to control the flow of information through IPv6 when I don't know which client is which...?

If I go back to DHCPv6 Server and enable the DHCPv6 server, RA does its thing and forwards it to the DHCPv6 server in pfSense.
Again, just MAC addresses. No host names. No IPv4 addresses.

I'd REALLY like to have my DHCP v6 clients go to my Windows DHCP server so that I can see who is who -- OR BETTER YET, SOMEHOW HAVE MY WINDOWS DNS AND DHCP UPDATE TO PFSENSE. So then I have hostnames in pfSense logs, I'd have hostnames in DHCPv6 releases, and plenty more.

I have been a Windows guru my whole life, but I really enjoy the look, the feel, and the settings that pfSense DHCP and DNS has to offer... but I'm a Systems Administrator who hosts his own email and using Windows is kind of critical for me.

So is there any way to redirect DHCPv6 requests to my Windows DHCP? Also maybe use DNS and DHCP relays to 'sync' information between the two?
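The quoted reply at the top of this page and the post above both turn on what the Router Advertisement mode actually tells clients. The following is an added example, not code from the thread or from pfSense: it builds and decodes an ICMPv6 Router Advertisement (RFC 4861) so the M, O and A bits can be read directly. M (pfSense "Managed") means "get addresses from DHCPv6", O means "get other configuration such as DNS from DHCPv6", and the A bit on the Prefix Information option means "make your own address (SLAAC)". None of the bits names a DHCPv6 server, which is why the server can be the Windows box. The prefix is a documentation prefix chosen for the example; how pfSense maps its other RA modes to the O and A bits is not shown here and should be checked on the box.

```python
"""Build and decode an ICMPv6 Router Advertisement to see what each flag asks of clients.
Added example; constructed prefix 2001:db8:1::/64 (documentation range), not a real network.
"""
import struct
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134   # ICMPv6 type, RFC 4861 section 4.2
OPT_PREFIX_INFO = 3      # ND option type, RFC 4861 section 4.6.2


def build_ra(prefixes, managed=False, other=False, autonomous=True, router_lifetime=1800):
    """Construct RA header (16 bytes) + one Prefix Information option (32 bytes) per prefix.
    The ICMPv6 checksum is left at zero; the kernel fills it in on a real send."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)          # M and O bits
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    for pfx in prefixes:
        net = IPv6Network(pfx)
        pflags = 0x80 | (0x40 if autonomous else 0)                    # L (on-link) and A bits
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           86400, 14400, 0) + net.network_address.packed
    return msg


def parse_ra(msg):
    """Decode header flags and every Prefix Information option; other options are skipped."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack("!BH", msg[5:8])
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "default_router": lifetime > 0, "prefixes": []}
    p = 16
    while p + 2 <= len(msg):
        otype, olen = msg[p], msg[p + 1] * 8                           # length is in 8-byte units
        if olen == 0 or p + olen > len(msg):
            raise ValueError("malformed ND option")                     # RFC 4861: length 0 is invalid
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = msg[p + 2], msg[p + 3]
            addr = IPv6Address(msg[p + 16:p + 32])
            ra["prefixes"].append({"prefix": f"{addr}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "slaac": bool(pflags & 0x40)})
        p += olen
    return ra


def client_behaviour(ra):
    """What a standards-following host does with this RA (RFC 4861/4862/8415 semantics)."""
    actions = []
    for pfx in ra["prefixes"]:
        if pfx["slaac"]:
            actions.append(f"SLAAC address in {pfx['prefix']}")
    if ra["managed"]:
        actions.append("DHCPv6 for addresses (and other config)")      # O is redundant when M is set
    elif ra["other"]:
        actions.append("DHCPv6 for other config only, e.g. DNS")
    if ra["default_router"]:
        actions.append("use sender as default router")
    return actions


if __name__ == "__main__":
    for name, kw in [("unmanaged", {}), ("managed", {"managed": True, "other": True, "autonomous": False})]:
        print(name, client_behaviour(parse_ra(build_ra(["2001:db8:1::/64"], **kw))))
```

Two consequences follow from the decode: a SLAAC address never passes through a DHCPv6 server, so there is no lease and no hostname to show anywhere, and a DHCPv6 lease identifies the client by DUID rather than MAC, with the hostname arriving only if the client sends the Client FQDN option (RFC 4704).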

IPv6 / IPv6 Tunnel and Netflix - Windows DNS - How Do I solve this?
« on: July 05, 2017, 08:15:56 pm »
At home, I have a Windows Active Directory network for myself because I host my own email.
It runs DHCP and DNS.

DHCP is set to set each client with the DNS server running on the same VM.

It works.

It's been slow because Windows uses IPv6 first to communicate and I don't have IPv6. This happened after a recent update.
I enabled IPv6 tunnel and it worked amazingly.
The Internet is super fast... very strange.

The only problem is that my Sister watches Netflix and I heard it gives an error message.

Someone solved this issue by using BIND on pfSense.
This is what I need assistance with...

With Windows DNS, could I set my forwarder to pfSense?
Then on pfSense, can I set it so that ' uses IPv4' only?

Someone told me he has done it and followed a guide doing it, but the guide does not show steps.

It would actually be more beneficial for me to have Windows DNS use my pfSense box as a DNS resolver because I hear you can control more.
Windows DNS Forwarders are supposed to be DNS servers like BIND, so you can have more granular control.

So does anyone have any steps/guides/instructions on how I need to set this up?

Windows DNS > to pfSense - but what does pfSense run? Resolver? Forwarder?

I'm just playing with IPv6 - nothing major. I'm enjoying it so far. I don't know if it's because my Windows PC finally feels relieved that it has an IPv6 address, OR if IPv6 is really that fast...

It is time to admit that I need help with ACME, Let's Encrypt, and HAProxy.
Usually I try my hardest to research and do it myself and rarely admit that I need help -- doing so just prevents me from learning from others.

So here I am asking for assistance with my set-up.

I have ACME working with their development server and am able to generate certificates properly.

Now I need help with HAProxy.
I have multiple hosts that run HTTPS 443 - Outlook Web App and now PRTG and a webserver I rarely use.

I am so confused about frontend/backend with HAProxy and I need screenshots/video tutorial on how to set it up, OR just an explanation on how it works and then I can go from there.

I do not learn by reading -- but if someone shows me how theirs is set-up, or an example, then I can learn.

I can gladly set-up a GoToMeeting, Skype, Teamviewer, etc.

HAProxy ought to be able to do that but only for clients that support SNI, which is a requirement for multiple SSL certificates on a single address:port no matter what the technology.

Is there another way in pfSense to do this without dealing with SSL issues?
OR even a different technology completely?

As for another machine separate from pfSense that handles this traffic without SNI requirements?

For example I have ONE server completely that directs traffic to different hosts based on the domain they're going to?

I am running pfSense 2.3.2_1.

Here is my scenario -

I have (1) Exchange Server using HTTPS and (1) Apache/Nginx Web Server running HTTP/S as well.
Both are using the same port, including the web server using port 80 as well.
Exchange Server does require a SSL cert, but I'm not sure if that's necessary to include on pfSense.
It is bound on IIS so I assume from what I read that I may need to store the cert on pfSense?
Honestly I'm not sure...

How do I direct traffic coming to '' to a certain server IP on my LAN and '' to a different server IP on my LAN?
People mention squid reverse proxy and others mention HAProxy being better, but I have not seen any documentation on setting this up the way I intend.

Now pfSense has changed and new features have been added - so I'm wondering what is currently the best way to set this up?

Mind you, I am the only person using this Exchange Server and probably the only person that will be using the web server.
The web server is for a project I'm developing and I'd rather host the site locally because I have better hardware than most web hosts.
I'd like to access the website from the Internet (WAN) on its normal ports.
So changing ports isn't really an option.

The residential ISP I have allows all ports. I have a static IP.
Another IP is out of the question. I do have another WAN link with an IP, but port 80 is blocked on that specific port.
They only allow ports open on the static IP.

All help is appreciated - you guys are very helpful!

Thank you
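The reply earlier on this page says a proxy can only split one address:port between two certificates for clients that send SNI, and the post above asks how traffic for two names on one IP ends up at two LAN servers. The following is an added example, not code from the thread or from HAProxy: it parses the server_name extension out of a TLS ClientHello and picks a backend from it, which is the decision a reverse proxy makes before any byte is decrypted. The host names, backend addresses and the default backend are assumptions made up for the example.

```python
"""Pick a backend from the SNI in a TLS ClientHello, with the no-SNI fallback.
Added example; host names and backend addresses are constructed, not real.
"""
import struct

BACKENDS = {                      # constructed: name -> LAN server
    "mail.example.com": "10.0.0.10:443",   # Exchange / OWA
    "www.example.com": "10.0.0.20:443",    # web server
}
DEFAULT_BACKEND = "10.0.0.10:443"          # the only choice left when no SNI arrives


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, with or without an SNI extension."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + random
    body += b"\x00"                            # session id: empty
    body += b"\x00\x02\x00\x2f"                # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                        # compression methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list  # ext type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type 1 = ClientHello, 24-bit len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(record):
    if record[0] != 0x16:                      # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                          # not a ClientHello
        return None
    p = 4 + 2 + 32                             # handshake header, version, random
    p += 1 + hs[p]                             # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher suites
    p += 1 + hs[p]                             # compression methods
    if p + 2 > len(hs):
        return None                            # no extensions block at all (pre-SNI client)
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == 0:                      # server_name
            q = p + 2                          # skip ServerNameList length
            while q + 3 <= p + ext_len:
                ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return hs[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += ext_len
    return None


def extract_sni(record):
    """Host name from the SNI extension, or None when absent, truncated or not a ClientHello."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error):
        return None


def choose_backend(record):
    """Route on SNI; without it only the default backend is possible, whatever the proxy."""
    sni = extract_sni(record)
    if sni is None:
        return DEFAULT_BACKEND, "no SNI: default backend"
    return BACKENDS.get(sni.lower(), DEFAULT_BACKEND), sni


if __name__ == "__main__":
    for name in ("mail.example.com", "www.example.com", None):
        print(name, "->", choose_backend(build_client_hello(name)))
```

Routing on the ClientHello this way is what HAProxy does in TCP mode with SNI inspection: the connection is passed through unopened, so the certificate stays bound in IIS and nothing needs to be stored on pfSense. Terminating TLS on the proxy instead is what requires the certificate (for instance one from ACME) on the proxy itself.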

Here is my situation -- I have two WANs.
It is the same ISP... but I just got another modem and it works.
I have two modems -- one is going into WAN on the pfSense box.
This has worked for a year.

I asked for another 'link' with a new IP Address and they advised me what to do.
It works.
This other link is going into OPT1 on the pfSense box.
I enabled the interface and it got an IP Address.
I can ping this IP Address from a PC in Pakistan.

NOW -- I do not want to set-up a MultiWAN for the purpose of failover.

I want to experiment with this.

How do I take my desktop PC and route ALL traffic through this other WAN/OPT1 link through pfSense?
It can be done with Virtual IPs because I've done it a year ago... but I have not done it with another WAN interface.

For instance -- if I go to IPChicken, it displays my IP Address I've always had.
I want to enable this routing to go through WAN2(OPT1) and then it would display the other IP Address.
I've had this working for Virtual IPs a while ago, but not a different interface.

How would I achieve this?
I want to take and route ALL of that Internet traffic through WAN2 (OPT1).

Hmm - how to describe it.

I want pfSense to somehow direct ALL Internet traffic to the OpenVPN.

It is essentially SITE-TO-SITE, but the OpenVPN Access Server is not pfSense. It is literally an OpenVPN Access Server.

The LAN host will already be connected to OpenVPN Access Server (my dedicated server at a datacenter) through pfSense.

ALL 'LAN' hosts will use VPN Server 1 (dedicated server at a datacenter).

ALL hosts on the LAN will use the VPN. So then I don't need to go to each individual host and install the OpenVPN client.

I want to utilize my VPN without installing a client on each host.

How do I take my VPN Server IP and credentials, connect it to pfSense, and serve it to my LAN machine(s)?

Is that even possible?

I know you can tunnel pfSense to another pfSense.

I want a host on my pfSense LAN to be connected to the OpenVPN Access Server. Only one host. I understand I may need to create another Interface just for that machine, because I have a feeling I cannot just tunnel it to one host on the LAN -- it might be the entire LAN.

I have an OpenVPN Access Server off-site. I can connect perfectly with the OpenVPN client software installed on the host. The host can only connect to the OpenVPN access server, cannot access anything on the WAN side (which is my home network), and can access the gateway. It works perfectly. When the host disconnects from the VPN, firewall rules take over and blocks access to the gateway. The host is forced to connect to the VPN. Therefore, no VPN, no Internet. VPN, access to the Internet. Perfect.

BUT, can I do this easier without installing OpenVPN client?

I don't want to have to install OpenVPN on all of the hosts -- so I was wondering if it were possible to connect the pfSense LAN Interface (or host) to the OpenVPN Access Server only utilizing pfSense, and not the OpenVPN client. Of course pfSense will act as the client.

Basically, I guess I want the host's gateway to be the 'VPN'. So the WAN would essentially be the VPN. Everything that happens in that host to the gateway, would go to OpenVPN Access Server.

I hope I explained it well. I think I explained it a little too much and repetitive.

Also, another explanation -- if I need to change the VPN server (and will need to based on my project we are doing), it will be easier by changing the IP address in pfSense, rather than uninstalling the OpenVPN client and reinstalling the new one.


I appreciate your help!
I am learning.

VCP5-DCV here --

SSH into it -- turn off VM -- zip /datastore/VM directory and download via SSH to a remote PC.

It is what I do, and another 'auto' task.

Now what do I do to allow my home LAN IP (my laptop static IP) access to pfSense Configuration AND access to a VM through RDP? I don't mind home LAN to pfSense LAN, but I want pfSense LAN to Home LAN blocked.

I also blocked the HTTP port to my gateway :)
Now I just need to figure out how to allow my home LAN TO the VM, but not VM TO home LAN.

It comes through the WAN interface, so is it there? I just allow RDP in WAN? So coming into WAN, allowed. Into LAN - destination out denied.
OR would it still be LAN related, but just source and destination switched?


Hmm -- all this time, it worked.

I stopped the ping and created the rules. I did what I wanted to block first, instead of the exception of allowing to the gateway.

I have from LAN Net to WAN net 'block'.

I tried to ping to my home LAN PC, and it failed... which is good. I then allowed it, and started a new ping which was successful.

I now blocked it on the firewall, and it continued to ping... for the whole 100. "Sent 100, received 98." I tried again, and now request is timed out.

I was pinging up to 1,000,000 requests to see if my firewall rule stops the connection but it never did. That is why I told you the rules never worked.

I found the answer to my own question. pfSense was only analyzing 'new' connections with SYN flags. So my continuous ping was 'ACK' which the firewall didn't analyze. So when I stopped the ping and initiated the ping [connection], it saw the 'SYN' flag and blocked the connection.

I feel confident about this and finally got it working.
I am able to ping gateway, ping Internet address, and NOT be able to ping my laptop.


Thanks so much for the learning experience. :)
I would not have known the order of the rules, and to allow 'any' which gets to an IP such as Google.
So this thread isn't a waste like I thought.

I did what you said lol.

I understand my home LAN is pfSense WAN - I get that.

I just asked what 'any' meant - and what you were using as a placeholder. After the destination, there is no 'any'. So I was wondering if the first any meant the protocol, or 'any source'.
What you said compares to ordering at Starbucks. Quad Iced Venti 6 pump Vanilla Extra Hot Latte. Now I need to know the order -- espresso, hot or cold, size, how many pumps of syrup, flavor of syrup, custom, type of drink.

I'm sure I'd be able to understand the lingo, but there is too many 'anys' in pfSense in the order you mentioned.
I understand what you said -- I want to allow gateway access, but disallow home LAN access. I tried it on my own, but it isn't working at all. So I thought I'd ask.

On LAN tab, I have

Pass source=LAN net - destination = gateway IP address
reject source=lan net - destination = (home LAN network)
pass - source=lan net - destination=any

Now, should destination 'your_home_network' be the IP address (network IP, no host IP) OR use 'WAN Net'?

So what do you mean for dest your_Getway_Address any?

I have pass through WAN - any protocol - source is LAN net -- and now destination? Single host being my gateway address, OR 'any' destination. Also, is this a LAN rule or WAN? WAN right?

Pass any source LAN Net dest any any
Pass - protocol - source [LAN Net] - Destination [Any] - what is the second 'any'?

I have
pass - lan net source - destination gateway_IP_address
reject lan net source - destination WAN net [or should it be something else?]
pass - lan net source - destination any

I tried it and it is still passing pfSense LAN VM to my home LAN laptop.
I even tried to allow all WAN traffic and I can't ping pfSense LAN VM.
Last time I installed, it worked - I could block my IP from it, and allow it. Now it doesn't seem like firewall rules are even working. I blocked everything, any any any any any on LAN and WAN and still pings and everything.

Also, thanks for the reply. :)

I guess the only way to figure this out is by doing what I've always done -- just do it and learn what happens.

I have a good understanding of this WAN/LAN set up -- but I still do not understand Firewalls and VLANs.

Here is what I have --  a cable modem going into a Tomato router. Router into a switch, then a long cable to the basement into a 24 port switch.

From the Gigabit switch, I have it going to NIC#2 with vSphere.

pfSense side --

For WAN, I have a vSphere 'virtual' switch connecting to the physical NIC #2.
For LAN, I have it going to another Virtual switch (separate from other) which hosts my VM.
I need that VM completely isolated from my home LAN x.x.254.x - network.

pfSense is using a WAN static IP address in the home LAN network.
LAN is on the same subnet, but at a different network IP.

It works -- everything is perfect.
I can ping anyone, both networks, and in LAN.

I do not want to be able to do that. I want the VM (in pfSense LAN) to have access to the WAN gateway ONLY, which is on the home LAN network. I want everything else -- such as VM to home LAN PCs -- blocked. From the 1.1 network to 254 network should be restricted, unless it is to the source of 254.x (gateway).

I do not want him to be able to ping my laptop from the pfSense LAN to WAN.

So, really, behind the pfSense LAN -- I want those devices to NOT be able to ping anything outside of its WAN (which is my home LAN) except gateway (which is in my home LAN).

So I know it would be a 'not' rule. So block everything -- but 'NOT' ''.

Is this correct?

Funny thing is - I can never ping a machine from my home LAN to the pfSense LAN VM -- but from the pfSense LAN VM I can ping to my laptop which is on my home LAN.
I have no rules set, and Windows firewall is off.

That is exactly what I want to be able to do but opposite. I don't want to be able to ping my home LAN laptop from the pfSense LAN VM.
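Four posts on this page hit the same three properties of pfSense's packet filter: the "allow gateway, reject home LAN, pass everything else" rule list of the VM isolation posts, the question of sending one desktop's traffic out WAN2/OPT1, and the ping that kept answering after a block rule was added. The following is an added example, not code from the thread or from pfSense/pf: a small model of a LAN rule set in which rules are matched top-down with first match winning, a pass rule may carry a gateway (policy routing), and rules are consulted only when a new state is created. pf keeps state for ICMP echo as well as TCP, so an existing ping keeps passing until its state is cleared (Diagnostics > States > Reset States, or pfctl -F states on the shell). The addresses are constructed stand-ins for the home LAN (x.x.254.x on the page) and the pfSense LAN; WAN2_GW is a placeholder gateway name.

```python
"""Model of how a pf-style stateful firewall evaluates a LAN rule list.
Added example; addresses and gateway names are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass", "block" or "reject"
    src: str                       # source network in CIDR form
    dst: str                       # destination network in CIDR form ("0.0.0.0/0" = any)
    gateway: Optional[str] = None  # policy-routing gateway on a pass rule; None = default route


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


@dataclass
class Firewall:
    rules: list
    states: dict = field(default_factory=dict)   # (proto, src, dst) -> verdict of the creating rule

    def match(self, pkt):
        """Top-down, first match wins; no match means pfSense's implicit default deny."""
        for rule in self.rules:
            if ip_address(pkt.src) in ip_network(rule.src) and ip_address(pkt.dst) in ip_network(rule.dst):
                return rule
        return Rule("block", "0.0.0.0/0", "0.0.0.0/0")

    def filter(self, pkt):
        """Rules are consulted only when no state exists for this flow."""
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.states:
            return self.states[key]                 # established flow: rule list is never looked at
        rule = self.match(pkt)
        verdict = (rule.action, rule.gateway)
        if rule.action == "pass":
            self.states[key] = verdict              # state is kept for TCP, UDP and ICMP echo alike
        return verdict

    def reset_states(self):
        """Diagnostics > States > Reset States (pfctl -F states) on a real box."""
        self.states.clear()


# Constructed addresses: the home LAN is pfSense's WAN side, the VM sits on the pfSense LAN.
HOME_NET, HOME_GW, LAPTOP = "192.168.254.0/24", "192.168.254.1/32", "192.168.254.20"
LAN_NET, VM, DESKTOP = "192.168.1.0/24", "192.168.1.10", "192.168.1.50"
ANY, WAN2_GW = "0.0.0.0/0", "WAN2_GW"


def lan_rules():
    """The rule order from the thread, plus one policy-routing rule for a single host."""
    return [
        Rule("pass", LAN_NET, HOME_GW),               # LAN may reach the upstream gateway
        Rule("reject", LAN_NET, HOME_NET),            # but nothing else on the home LAN
        Rule("pass", DESKTOP + "/32", ANY, WAN2_GW),  # this one host goes out WAN2 (OPT1)
        Rule("pass", LAN_NET, ANY),                   # everyone else takes the default route
    ]


def demo_ordering():
    fw = Firewall(lan_rules())
    return {
        "vm_to_gateway": fw.filter(Packet("icmp", VM, "192.168.254.1")),
        "vm_to_laptop": fw.filter(Packet("icmp", VM, LAPTOP)),
        "vm_to_internet": fw.filter(Packet("icmp", VM, "8.8.8.8")),
        "desktop_to_internet": fw.filter(Packet("icmp", DESKTOP, "8.8.8.8")),
    }


def demo_misordered():
    """Same rules, but the catch-all pass moved above the policy-routing rule."""
    rules = lan_rules()
    rules.insert(2, rules.pop(3))
    return Firewall(rules).filter(Packet("icmp", DESKTOP, "8.8.8.8"))


def demo_established_flow():
    """A running ping survives a new reject rule until its state is reset."""
    fw = Firewall([Rule("pass", LAN_NET, ANY)])
    ping = Packet("icmp", VM, LAPTOP)
    before = fw.filter(ping)                          # state created by the pass rule
    fw.rules.insert(0, Rule("reject", LAN_NET, HOME_NET))
    still_open = fw.filter(ping)                      # state hit; the new rule is not evaluated
    fw.reset_states()
    after_reset = fw.filter(ping)                     # now the reject rule is the first match
    return before, still_open, after_reset


if __name__ == "__main__":
    print(demo_ordering())
    print("misordered desktop:", demo_misordered())
    print("established flow:", demo_established_flow())
```

Two things the model makes visible: the host-specific rule with a gateway has to sit above the general pass rule or it never fires, and the local-destination rules have to sit above it in turn, otherwise the policy-routed host's traffic to the gateway or home LAN would be pushed out WAN2 as well. Reply-direction packets of a policy-routed flow follow the state, which is why no matching rule is needed on the OPT1 tab for the return traffic.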
