
Messages - yellowbrick

DHCP and DNS / Re: DNS server in pfSense 2.4
« on: May 01, 2018, 03:48:22 pm »
You can also serve DNS requests from any of several free DNS providers (e.g. Cloudflare) rather than host BIND on your firewall. A few sub-domains, unbound host/domain overrides, means you can have the best of both worlds. With Cloudflare you can also set up your dynamic DNS.

I tried the unbound TLS option as well. The current implementation does not appear to re-use TLS connections (you can check in the firewall states with each query). It adds a perceptible delay to fresh queries.

However, I have since moved to using a raspberry pi with pihole on the network. The pihole is configured to forward to a local cloudflared / argo-tunnel dns proxy. The cloudflared in turn uses DNS over HTTPS (DoH), as opposed to DNS over TLS, to forward requests to Also it definitely keeps the https/TCP connection around for a while, and the additional latency is much less perceptible.

Would be worth trying the unbound TLS option again at some point when it can be configured to re-use connections/set a keep-alive.
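As an added illustration (not from the original post or from the pfSense project), this is what the "best of both worlds" layout described above looks like in plain unbound.conf terms: local host/domain overrides answered on the firewall, everything else forwarded over TLS to a public resolver. All zone names, interface and internal server addresses are constructed placeholders; the Cloudflare resolver addresses and port 853 are the public DNS-over-TLS endpoints.

```conf
# Added example: unbound.conf fragment combining local overrides with
# DNS-over-TLS forwarding. Names and private addresses are constructed.
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    # CA bundle used to validate the upstream resolver's certificate
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Host override: answer this name locally, never forward it
    local-zone: "nas.home.example." static
    local-data: "nas.home.example. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 nas.home.example"

# Domain override: send one internal zone to an internal DNS server
forward-zone:
    name: "corp.example."
    forward-addr: 10.0.0.53

# Everything else goes to the public resolver over TLS (port 853);
# the #hostname suffix is the name unbound verifies in the certificate
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Without `forward-tls-upstream: yes` the forwarded queries leave in cleartext on port 53, which is the setting to check first when verifying that upstream traffic is actually encrypted.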

Thanks @jimp.

(FYI, the drive is listed in Diagnostics->SMART Status, but none of the options produce any output.)

Routing and Multi WAN / Re: Multi Wan DNS issue
« on: February 17, 2018, 02:19:08 am »
What you are trying to do has nothing to do with the firewall as such. You will want to implement split dns for your clients. Probably the easiest way to do this would be via the clients' resolv.conf files, or equivalent.

Routing and Multi WAN / Re: WAN being recodnised as internal I.P Address.
« on: February 16, 2018, 12:38:24 pm »
Disable NAT
Turn off WiFi
reboot the dlink, cross fingers  :)

Routing and Multi WAN / Re: Multi Wan DNS issue
« on: February 16, 2018, 12:26:58 pm »
You are probably using the pfSense box's unbound as your one and only resolver. So naturally per your rules since it is the .1 address it goes out over WAN. Your clients are simply querying the pfSense box.

For the clients in the .200-.254 range, set the DNS to be either that provided by your OpenVPN provider or simply google dns. That will force the clients to query something other than the .1, and make it go out your vpn connection.

Routing and Multi WAN / Re: WAN being recodnised as internal I.P Address.
« on: February 16, 2018, 08:49:11 am »
This and at least some of your previous posts stem from the fact that you are using the ISP provided router in router mode, as opposed to bridge mode.

1. In router mode, your ISP's router does the NAT. So of course your pfSense gets an RFC1918 address.
2. It appears from your previous posts you did try to disable router mode and put your ISP router in bridge mode...almost there.
3. Just remember these points about router mode on most ISP routers:
   - Your ISP only allows a single computer. So you cannot plug the LAN side of the ISP router into a switch. Only a single computer, or in your case the pfSense WAN, must be plugged in to the ISP router's Ethernet switch (if built in).
   - Any time you change the computer / pfSense connected to your ISP router, you need to make it forget the single computer that was connected to it before. You do this by turning off the router, leaving it off for a few minutes, plugging in the new computer, and turning the router back on. Simply connecting another computer will likely not work.

Try this: set things up as you want them to be with your pfSense box, etc. Then turn off your isp router for a few minutes and turn it back on.

Should do it.

...and the drive tools in Diagnostics don't work either. Of course, smartctl does not work in the command line either.

Is there another command to try or is SMART status in the SG-3100?

(the ssd I manually installed does support smart and it is enabled as shown in camcontrol)

Code:
camcontrol identify ada0

pass0: <TS32GMTS800 P1225CE> ACS-2 ATA SATA 3.x device
pass0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 1024bytes)

protocol              ATA/ATAPI-9 SATA 3.x
device model          TS32GMTS800
firmware revision     P1225CE
serial number         E0XXXXXXXX
cylinders             16383
heads                 16
sectors/track         63
sector size           logical 512, physical 512, offset 0
LBA supported         62533296 sectors
LBA48 supported       62533296 sectors
PIO supported         PIO4
DMA supported         WDMA2 UDMA6
media RPM             non-rotating

Feature                      Support  Enabled   Value           Vendor
read ahead                     yes yes
write cache                    yes yes
flush cache                    yes yes
overlap                        no
Tagged Command Queuing (TCQ)   no no
Native Command Queuing (NCQ)   yes 32 tags
NCQ Queue Management           no
NCQ Streaming                  no
Receive & Send FPDMA Queued    no
SMART                          yes yes
microcode download             yes yes
security                       yes no
power management               yes yes
advanced power management      no no
automatic acoustic management  yes no 0/0x00 0/0x00
media status notification      no no
power-up in Standby            no no
write-read-verify              no no
unload                         no no
general purpose logging        yes yes
free-fall                      no no
Data Set Management (DSM/TRIM) yes
DSM - max 512byte blocks       yes              8
DSM - deterministic read       yes              zeroed
Host Protected Area (HPA)      yes      no      62533296/62533296
HPA - Security                 no

General Questions / Re: Openvpn gateway monitor always reads 100% loss
« on: February 07, 2018, 02:05:03 am »
The openvpn client (at least with PIA) typically does not show the real gateway automatically. If your client / interface got assigned a (e.g.), it may show as the "gateway", which will typically not be pingable. You can manually change the monitor IP to something like or something else on the internet that you know will respond to pings. Global DNS providers (Google and OpenDNS are examples).


2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 06, 2018, 10:47:13 am »
What I wish you could do was set the native VLAN for the WPA-PSK SSID to something other than the native untagged VLAN - once they allow for a management VLAN this will be somewhat moot. Which I also hear is coming.. But currently you cannot set up, say, VLAN 100 for your WPA-PSK SSID that you're going to dynamically assign via MAC, and then if MAC 123 gets VLAN 200 and if MAC 456 gets VLAN 300, etc.

Sounds like you are trying to get to 1 SSID :-) with everything being assigned dynamically. I do get your point about the Unifi gear not being able to dynamically assign a VLAN that is also a static for another SSID on the same AP, but for IoT gear I don't see that as an issue. For gear that you don't have RADIUS MAC auth for, being sinkholed into a VLAN to nowhere is not such a bad thing. I do see the need for it in other use cases though.

2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 06, 2018, 08:46:54 am »
Thanks johnpoz...this is pretty cool to try it now as it fixes my silly SONOS auth issues...

2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 06, 2018, 03:53:28 am »
What I'm doing is separating some devices from the regular network. Devices like fire alarms... I don't want things like that in the same network as laptops or mobile phones; for me they should also be in a different network.

Not sure if you are using Unifi gear already, but you can create multiple SSIDs (don't remember the max per AP off the top of my head) and have each SSID on a separate VLAN, that can then be handled by separate VLAN/Interface on your main pfSense box. This will give you the desired effect. (assumes you have a VLAN capable switch, etc.)

If you need more than the allowed SSIDs for VLANs, you can go the dynamic VLAN route with the UNIFIs using the freeRadius package in pfSense for authentication, or some other.


Wireless / Re: How to connect pfsense WAN to a wireless access point
« on: January 31, 2018, 12:46:12 am »
You could use two Apple airport express APs (heresy, I know), one to connect as wifi client and then ethernet to pfSense WAN,  and one to provide in room WiFi connected to the pfSense LAN port. I have had generally good experience with Apple Airport Express as Wifi Client. Travel with your choice of pfSense...SG-1000, SG-3100, or roll your own.
Not sure this will work with hotel captive portal, though.

Official pfSense Hardware / SG-2440 random shutdown
« on: January 18, 2018, 03:54:47 pm »

Over the last 2-3 months my SG-2440 has been shutting down randomly with increasing frequency to where it now happens approx once a week. Here are the symptoms:

- no lights on the SG2440 whatsoever
- power cables still plugged in
- no power loss
- no other equipment on the UPS having any issues (have moved to another port on the UPS already)
- need to remove power cable and re-insert to reboot the unit
- the time on the unit is > months old at startup, syncs after the device boots each time
- I have also replaced the power brick with another unit and still see the same symptoms

What else can I check? Any ideas to proceed?


Official pfSense Hardware / ZFS on SG-3100 (internal M.2 SSD)
« on: January 14, 2018, 11:15:33 am »

I bought my SG-3100 when Netgate did not offer an SSD option, but I was able to add an M.2 2280 32GB SSD and re-install pfSense 2.4.2_p1 to it.

However, I never got an option to choose the filesystem, like the amd64 installer offers. Once I enter
Code:
run recovery
the only option I can recall is whether to install to mmcsd0 (the inbuilt eMMC) or the ada0 drive I added.

Is it possible and advisable to install pfSense using ZFS? How do I go about doing it?

Many Thanks!
