
Messages - Schnyde

NAT / Re: Outbound Natting Through DMZ Address
« on: September 17, 2017, 05:26:37 pm »
So a couple things:

1.  Let's say we remove the IPSEC tunnel component of the issue, and I set an outbound NAT on my WAN interface (egress port is what I understand how it works) to translate the address to a DMZ address on any port with the source address of the host on the LAN (dest any).  On the host, when I do a traceroute to, it does not seem to translate to the DMZ address, or at least not one of the hops in the output of the command.  It goes to the LAN gateway, WAN gateway, and out the Internet.  Am I missing something?

2.  I am dealing with a large customer that only allows for communication over this IPSEC tunnel, and asking for either opening the ports to the WAN (even with my source address) or adding my private LAN network (or even the host/32) to the tunnel is out of the question.

I figure once I get a hop in traceroute on the host that is a DMZ address, I can move forward with the IPSEC portion of the problem.


Awesome, maybe you can help, although I posted this issue in the NAT section:

Labeled solved as the pfSense documentation states that any interface without an upstream gateway will not be considered for NAT.  Opened a ticket with pfSense support, and they stated that they could not find a solution.

Basically, set an outbound NAT on the WAN interface to translate to a DMZ address that has no upstream gateway.  Reason being is that I have an IPSEC customer that requires that the network be a DMZ address, as it is currently on the LAN.  I was hoping that I could NAT it out, tried a bunch of different configs, even tried using the FW itself as the defined upstream gateway.  No matter what I did, the traceroutes from the host to that IPSEC client would go out the WAN and not translate to a DMZ address, then out the tunnel.


Just not a big fan, albeit, I understand that this is how non-switches do it.  No technical reasons, just seems to add complexity to Cisco config.

The one thing that Cisco does that pfSense does not is NATing, or more specifically, outbound NATing to a network without an upstream gateway.  We use that feature often at a few locations, and until pfSense (or BSD even) can do this, we cannot use it to replace the Cisco ASAs at these sites.  This is very unfortunate, and leaves me stuck with Cisco until this is sorted out.


As usual, the Internet is always right!  Good find, not a fan of sub-interfacing though...


I was surprised to find that out also, almost the hard way.  There are no options in ASDM or the CLI to even make vlans, let alone trunk them, I guess Cisco wants you to buy their routers to do that...  I had mostly 5525Xs and 5512Xs.


OpenBGPD off of the package manager, although my BGP needs have diminished recently, I did find it to be stable.  I was not doing anything fancy, just pushing routes to my provider.

As the Docs say, conflicts with the OSPF package, so probably best not to run those together.


OpenVPN / Re: VPN Routing issue
« on: September 14, 2017, 06:45:11 am »
I'd add:

push "route";

to the OVPN RAS server you have on under Advanced Options / Custom Options in the OVPN settings.  You'd "push" that route to the client, thus forcing that network down the tunnel.


NAT / Re: Outbound Natting Through DMZ Address
« on: September 13, 2017, 02:32:08 pm »
...and here's the answer:

For static IP configurations, an interface is considered a WAN by the presence of a gateway on the interface's settings, e.g. Interfaces > OPT1. Having a gateway defined under System > Routing is not enough, it must also be selected on the interface configuration or it will not be considered a WAN for NAT or other purposes.

So yeah, I don't have a gateway defined for that network, and that is not a consideration for NATting, so it bypasses the rule and uses the de facto LAN rule out the WAN interface.

Question is:  Can I make the FW its own GW on that network to get the results I want?
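The documentation rule quoted above (an interface only counts as a WAN for outbound NAT when a gateway is selected on the interface itself, and a gateway merely defined under System > Routing is not enough) can be turned into a config check. The script below is an added example, not pfSense code and not from the thread. `SAMPLE_CONFIG` is a constructed fragment laid out the way pfSense's `config.xml` is assumed to be structured (interfaces with an optional `<gateway>` selection, `gateway_item` entries for System > Routing, and `nat/outbound/rule` entries); real exports carry many more elements, and the addresses are documentation ranges.

```python
"""Audit outbound NAT rules against the pfSense docs rule quoted above:
an interface is treated as a WAN for outbound NAT only when a gateway is
selected on the interface itself, not merely defined under System > Routing.

Added example, not pfSense code. SAMPLE_CONFIG is a constructed fragment
shaped like pfSense's config.xml (assumed structure).
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>203.0.113.10</ipaddr><subnet>24</subnet><gateway>WANGW</gateway></wan>
    <lan><if>em1</if><ipaddr>10.0.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>DMZ</descr><if>em2</if><ipaddr>198.51.100.1</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><gateway>203.0.113.1</gateway><name>WANGW</name></gateway_item>
    <gateway_item><interface>opt1</interface><gateway>198.51.100.1</gateway><name>DMZGW</name></gateway_item>
  </gateways>
  <nat><outbound><mode>advanced</mode>
    <rule><interface>wan</interface><source><network>10.0.1.50/32</network></source>
          <destination><any/></destination><target>198.51.100.20</target>
          <descr>LAN host out via DMZ address</descr></rule>
    <rule><interface>opt1</interface><source><network>10.0.1.50/32</network></source>
          <destination><any/></destination><target>198.51.100.20</target>
          <descr>Same mapping bound to DMZ</descr></rule>
  </outbound></nat>
</pfsense>"""


def load_interfaces(root):
    """Map interface name -> (attached network, gateway selected on the interface or None)."""
    ifaces = {}
    for iface in root.find("interfaces"):
        addr = iface.findtext("ipaddr")
        bits = iface.findtext("subnet")
        net = ipaddress.ip_network(f"{addr}/{bits}", strict=False) if addr and bits else None
        ifaces[iface.tag] = (net, iface.findtext("gateway"))
    return ifaces


def routing_gateways(root):
    """Interfaces that have a gateway defined under System > Routing (gateway_item)."""
    return {g.findtext("interface") for g in root.iter("gateway_item")}


def audit_outbound_nat(config_xml):
    """Return (rule description, severity, message) findings for outbound NAT rules."""
    root = ET.fromstring(config_xml)
    ifaces = load_interfaces(root)
    defined = routing_gateways(root)
    findings = []
    for idx, rule in enumerate(root.findall("nat/outbound/rule")):
        name = rule.findtext("interface")
        descr = rule.findtext("descr") or f"rule {idx}"
        net, selected = ifaces.get(name, (None, None))
        if selected is None:
            # Per the docs: no gateway selected on the interface -> not a WAN for NAT.
            why = ("gateway defined under System > Routing but not selected on the interface"
                   if name in defined else "no gateway for this interface at all")
            findings.append((descr, "IGNORED", f"interface {name!r} is not treated as WAN: {why}"))
            continue
        target = rule.findtext("target")
        try:
            tgt_ip = ipaddress.ip_address(target)
        except ValueError:
            continue  # alias or interface-address targets are not resolved here
        # Informational: the translation address belongs to another interface
        # that itself has no gateway selected (the situation in this thread).
        for other, (other_net, other_gw) in ifaces.items():
            if other != name and other_net and tgt_ip in other_net and other_gw is None:
                findings.append((descr, "INFO",
                                 f"translation address {target} lies in {other!r} ({other_net}), "
                                 f"an interface with no gateway selected"))
    return findings


if __name__ == "__main__":
    for descr, severity, msg in audit_outbound_nat(SAMPLE_CONFIG):
        print(f"[{severity}] {descr}: {msg}")
```

The first sample rule is bound to WAN (which has `WANGW` selected) and only draws an informational note about where its translation address lives; the second is bound to the DMZ interface, which has a gateway defined under System > Routing but none selected on the interface, so it is reported as ignored for exactly the reason the quoted documentation gives.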


NAT / Outbound Natting Through DMZ Address
« on: September 12, 2017, 11:05:55 pm »

Due to some complexity on my network, I need to have a LAN host mapped to a DMZ address then out the WAN.  Is this possible?  I have been playing with the Outbound NAT rules and have set my outbound to manual, set up a mapping that is:

Interface: WAN (or LAN, I tried either way)
Proto: any
Source: (created host alias)
Dest: any
Translation Address:

I cleared my states after applying the config.  Host still traceroutes out the LAN gateway then the WAN gateway, does not seem to translate to the DMZ address at all.  I realize that I am attempting to NAT to a DMZ address, and not a WAN address, but the DMZ address is public and accessible via the WAN.

Pic attached of what I am trying to do:

Please let me know if I can supply more information.



I wanted to give a quick shout out to the pfSense team, you've saved me so much time, money, and confusion over the years.

I have now replaced over 20 Cisco ASAs with pfSense firewalls, and the benefits are abundant.  Not only can I use newer technologies than what Cisco provides (like OpenVPN for instance), I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), and get better reliability, scalability, and performance than the ASA also.

Over the last two years alone, I have saved my company countless time and money by deploying pfSense, and from a management perspective, it makes perfect sense for the enterprise.  My uptime and performance have increased significantly, and my operating cost of maintaining these firewalls is incredibly low.

If you're thinking about switching over to pfSense in your enterprise, do it, you will be very happy you did.

Thanks again!

OpenVPN / Re: Route Metrics in Multiple Site to Site OVPN
« on: September 12, 2017, 07:36:41 am »
Tried with no remote networks in remote site field, tunnel came up but nothing being pushed.  Changed mode from TUN to TAP on both ends, that did not work either.  Tried multiple entries with the help of the OpenVPN documentation, which causes pfSense to generate an error if metric is entered in remote networks field.  Also tried setting metric in Custom Options based on the same documentation.

Apparently, from the OVPN docs, you can do what I am trying to achieve, it just seems that pfSense is preventing me from making those settings:

--route network/IP [netmask] [gateway] [metric]
Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.

netmask default --

gateway default -- taken from --route-gateway or the second parameter to --ifconfig when --dev tun is specified.

metric default -- taken from --route-metric otherwise 0.

OpenVPN / Route Metrics in Multiple Site to Site OVPN
« on: September 12, 2017, 06:28:34 am »

I am on the cusp of figuring this out, but am stuck on one thing.  I want to provide 2 site to site OVPN tunnels to each of my offices between two data centers, and push routes via OVPN to each office to every other office, and both DCs.  I want to push the same routes to offices in the tunnel configuration, with a different metric.  See diagram below:

I got the VPN configuration figured out and working, however, I am having difficulties in providing metrics to the routes.  I know I can use the Advanced Options to push "route 10" for instance, to give that route a metric of 10.  However, I cannot get the other end of the OVPN tunnel to accept "pushed" routes.  Do I add "pull" to the remote site?

Is there a way I can either push my routes to a remote site in a site 2 site OVPN configuration, or add the metric to the remote networks field in-line?
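The two OpenVPN posts above (pushing `route` entries with a metric, and the `--route network/IP [netmask] [gateway] [metric]` manual text quoted in the reply) and the earlier `push "route"` reply all turn on how OpenVPN fills in the missing fields of a route directive. The script below is an added example, not OpenVPN's or pfSense's code and not from the thread: it resolves `route` and `push "route ..."` lines from a server config into the entries a peer would install, applying the documented defaults (gateway from `route-gateway`, metric from `route-metric`, otherwise 0), and then shows how two tunnels advertising the same network with different metrics resolve. `SAMPLE_CONFIG` and the second tunnel's routes are constructed; the /32 netmask default for a bare host route and the use of the server's `route-gateway` as the default for pushed routes are assumptions made for this example.

```python
"""Resolve OpenVPN `route` and `push "route ..."` directives into the routing
entries a peer would install, applying the defaults quoted from the OpenVPN
manual: gateway from --route-gateway, metric from --route-metric, else 0.

Added example; not OpenVPN's or pfSense's code. SAMPLE_CONFIG is constructed.
"""
import ipaddress
import shlex

# Constructed sample: a server pushes the same office networks to a client
# with different metrics, plus one local (non-pushed) route.
SAMPLE_CONFIG = """
route-gateway 10.8.0.1
route-metric 50
route 10.20.0.0 255.255.0.0
push "route 10.30.0.0 255.255.255.0 10.8.0.1 10"
push "route 10.40.0.0 255.255.255.0 10.8.0.1 20"
push "route 192.168.100.7"
"""

# Assumption for this example: a route given without a netmask is a host route.
DEFAULT_NETMASK = "255.255.255.255"


def _resolve(args, default_gw, default_metric):
    """Fill the optional [netmask] [gateway] [metric] fields of one directive."""
    if not args:
        raise ValueError("route directive needs at least a network")
    network = args[0]
    netmask = args[1] if len(args) > 1 else DEFAULT_NETMASK
    gateway = args[2] if len(args) > 2 else default_gw
    metric = int(args[3]) if len(args) > 3 else default_metric
    prefix = ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)
    return {"network": str(prefix), "gateway": gateway, "metric": metric}


def parse_routes(config_text):
    """Return (local_routes, pushed_routes) as lists of dicts.

    Defaults are applied after the whole file is read, since OpenVPN adds
    routes only after the connection is established, so the position of
    route-gateway / route-metric relative to the route lines does not matter.
    """
    route_gateway = None
    route_metric = 0
    local, pushed, pending = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tokens = shlex.split(line)  # strips the quotes around push "..."
        if tokens[0] == "route-gateway":
            route_gateway = tokens[1]
        elif tokens[0] == "route-metric":
            route_metric = int(tokens[1])
        elif tokens[0] == "route":
            pending.append((local, tokens[1:]))
        elif tokens[0] == "push" and len(tokens) > 1:
            inner = tokens[1].split()
            if inner and inner[0] == "route":
                pending.append((pushed, inner[1:]))
    for dest, args in pending:
        dest.append(_resolve(args, route_gateway, route_metric))
    return local, pushed


def preferred_routes(*route_lists):
    """Given route sets learned from several tunnels, keep the lowest-metric
    entry per destination network (ties keep the first one seen)."""
    best = {}
    for routes in route_lists:
        for r in routes:
            cur = best.get(r["network"])
            if cur is None or r["metric"] < cur["metric"]:
                best[r["network"]] = r
    return best


if __name__ == "__main__":
    local, pushed = parse_routes(SAMPLE_CONFIG)
    print("local:", local)
    print("pushed:", pushed)
    # Constructed second tunnel (other data centre) advertising the same networks.
    dc2 = [{"network": "10.30.0.0/24", "gateway": "10.9.0.1", "metric": 20},
           {"network": "10.40.0.0/24", "gateway": "10.9.0.1", "metric": 10}]
    for net, r in preferred_routes(pushed, dc2).items():
        print(f"{net} via {r['gateway']} metric {r['metric']}")
```

With the sample config, `10.30.0.0/24` is preferred through the first tunnel (metric 10 beats 20) and `10.40.0.0/24` through the second, which is the split the poster describes wanting between the two data centres.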


OpenVPN / Re: OpenVPN Hairpin pf->pf->CiscoASA
« on: June 30, 2017, 03:41:49 pm »
Welp, I fixed it.  Not a pfSense issue, a Cisco issue, of course.  Turned out that the ASA was reporting traffic passing the FW, then not reporting that same traffic dropping because of a NAT issue.  Found this out by using packet capture on pfSense, realized that ICMP requests were going out the middle pfSense, but no replies coming back in.  Slick!

Added a NAT rule to the ASA that allowed traffic to return to my pfSense router at location 2.  Noticed through packet capture that pinging from the "OpenVPN client" interface was NATing itself to the LAN interface IP, whereas coming from the LAN did not translate that to the LAN IP, but preserved the workstation's original IP address.  Makes sense.

Anyway, issue resolved.
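The diagnosis in the post above came from a packet capture showing ICMP echo requests leaving the middle pfSense with no replies coming back. The script below is an added example, not from the post or from pfSense: it pairs echo requests with their replies in tcpdump-style text and tallies, per requesting source, how many probes were answered, so a path where one source gets replies and another gets none stands out. `SAMPLE_CAPTURE` is constructed text in tcpdump's ICMP line format, with documentation-range addresses.

```python
"""Pair ICMP echo requests with their replies in tcpdump text output, so an
asymmetric path (requests leave, nothing returns) shows up immediately.

Added example; not part of the forum post. SAMPLE_CAPTURE is constructed
tcpdump-style text with documentation-range addresses.
"""
import re
from collections import OrderedDict

# tcpdump prints: "<ts> IP <src> > <dst>: ICMP echo request, id N, seq N, length N"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+"
)

# Constructed: pings sourced from the LAN side (10.0.2.25) are answered;
# pings sourced from the tunnel side (10.8.0.1) go out and never come back.
SAMPLE_CAPTURE = """\
14:02:11.100001 IP 10.0.2.25 > 172.16.50.10: ICMP echo request, id 4201, seq 1, length 64
14:02:11.103377 IP 172.16.50.10 > 10.0.2.25: ICMP echo reply, id 4201, seq 1, length 64
14:02:12.100120 IP 10.0.2.25 > 172.16.50.10: ICMP echo request, id 4201, seq 2, length 64
14:02:12.103902 IP 172.16.50.10 > 10.0.2.25: ICMP echo reply, id 4201, seq 2, length 64
14:02:20.500001 IP 10.8.0.1 > 172.16.50.10: ICMP echo request, id 4305, seq 1, length 64
14:02:21.500210 IP 10.8.0.1 > 172.16.50.10: ICMP echo request, id 4305, seq 2, length 64
14:02:22.500377 IP 10.8.0.1 > 172.16.50.10: ICMP echo request, id 4305, seq 3, length 64
14:02:30.000000 IP 10.0.2.25 > 172.16.50.10: ICMP echo request, id 4201, seq 3, length 64
"""


def parse_icmp(capture_text):
    """Yield one dict per ICMP echo line; non-matching lines are skipped."""
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            yield m.groupdict()


def match_echoes(capture_text):
    """Return (answered, unanswered) lists of (src, dst, id, seq) request keys."""
    pending = OrderedDict()
    answered = []
    for pkt in parse_icmp(capture_text):
        if pkt["kind"] == "request":
            key = (pkt["src"], pkt["dst"], int(pkt["id"]), int(pkt["seq"]))
            pending[key] = pkt["ts"]
        else:
            # A reply has src/dst swapped relative to the request it answers.
            key = (pkt["dst"], pkt["src"], int(pkt["id"]), int(pkt["seq"]))
            if pending.pop(key, None) is not None:
                answered.append(key)
    return answered, list(pending)


def summarize_by_source(capture_text):
    """Per requesting source: (requests sent, replies seen).

    A source with zero replies while another source to the same target
    succeeds points at NAT or return routing on that path, not at the far host.
    """
    answered, unanswered = match_echoes(capture_text)
    stats = {}
    for src, *_ in answered:
        sent, got = stats.get(src, (0, 0))
        stats[src] = (sent + 1, got + 1)
    for src, *_ in unanswered:
        sent, got = stats.get(src, (0, 0))
        stats[src] = (sent + 1, got)
    return stats


if __name__ == "__main__":
    for src, (sent, got) in summarize_by_source(SAMPLE_CAPTURE).items():
        flag = "  <-- no replies" if got == 0 else ""
        print(f"{src}: {got}/{sent} answered{flag}")
```

Run against a real capture, feed it the text of `tcpdump -nn icmp` taken on the interface facing the far side; a single lost probe is noise, while a source that never gets a reply is the pattern the post describes.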

OpenVPN / OpenVPN Hairpin pf->pf->CiscoASA
« on: June 30, 2017, 12:16:09 pm »

I have set up a pfSense server to do some hairpin VPN off of my ASA.  Basically, I have a VPN tunnel on the ASA that needs to be available at other locations than where this tunnel is physically located, and the client will not allow us to make any changes to the VPN topology, AKA, make new tunnels where needed.  To do this, I installed a pfSense VM at the location where the ASA is at, statically route traffic destined for the client's VPN from pfSense and back from the ASA.

Everything is working as expected, so far, as I can ping the host on the client's VPN from the pfSense router at that location.  Now, I have an OpenVPN S2S tunnel between the before-mentioned pfSense VM and a physical pfSense router at another location, and this is working fine, as I can ping hosts from either network.

What I can't do is ping the client's VPN host from the remote location.  The local pfSense VM can ping it.  The remote pfSense box can ping it only if I use the "OpenVPN Client" interface, so I know I am soooo close in resolving this.  Ping on the remote pfSense box from the LAN interface, or a client on that LAN network is a no go.  I have my rules set to allow any / any on LAN and OpenVPN Interfaces on both pfSense routers.

Is there a setting hidden somewhere that I might be missing?

Client Host (VPN) -> ASA (location 1)-> pfSense VM (location 1) -> pfSense Router (location 2)

I can see traffic going up through the ASA and returning back, but nothing in the logs on any of the FWs is telling me what I want to know.  Like I said, I can ping the Client Host (VPN) from the "OpenVPN client" Interface on the pfSense FW in location 2, but cannot do the same on the LAN interface on the same FW (location 2).

OpenVPN / Re: OpenVPN just stopped working
« on: April 06, 2015, 06:49:56 pm »
...And so I fixed the issue, kind of.  Reading through the forum, I realized that I did not "Run as Administrator".  Curious though, why would it work for a while and just stop, unless now, running the program as Administrator, whereas before, my users did not have to "Run as Administrator", until today.  Puzzling indeed.
