
Messages - Chti

Official pfSense Hardware / Did my SG-4860 just die?
« on: January 28, 2018, 10:29:59 am »
Hi there

I am rather desperate right now:

I have been happily using my SG-4860 for a while and this morning, in the middle of a browsing session, all contact to the unit broke off.
Initially I rebooted all switches and the pfSense box, but still no access.

After a while I started having a closer look at the SG-4860 and realised the status LED on the back was not green.
After much more back and forth I realised that whenever I turn the unit on, the LED stays red for about 4.5 minutes, then turns off and no more LEDs are on.

I tried booting with my computer plugged into the console, but nothing appeared on the console screen.
I tried the same with a community image written to a USB stick (since my original firmware is on my NAS and currently not accessible), then booting up the unit, and still nothing shows up on the console.

My unit is of course no longer under warranty (or at least my gold membership expired).
Now my whole network needs hours of reconfiguring since all my devices are VLAN allocated, my APs use the pfSense RADIUS package, etc.

Is there anything I can try? What other options do I have?

Many thanks in advance for any pointer

PS: I was not doing any upgrades on the unit and it was still running under the 2.4.1 firmware

Actually I solved some other issues I had, which slightly changes the info I gave further up: so even though I block LAN, I DO get Internet access.

So below is an example of what my rules for one VLAN look like. In this case the VLAN has the ID 99 and I don't want this VLAN to be able to access in any way any other VLAN or LAN:

My current rules are (see screenshot):
  • blocking Interface 99 from reaching all the other Interfaces (LAN+VLANs)
  • Any DNS query is redirected to the DNS_OpenDNS alias (list of IPs for OpenDNS servers), so that all queries on this interface use some filtered DNS

However, when using Diagnostic/Ping, I can still ping a device on another VLAN, which I assume is because it travels up to the pfSense box then down to that other VLAN again?
Wouldn't that mean the other VLANs are still accessible in some way as well?

Sorry, I am still a networking beginner, but any insight would be appreciated
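The rule order the post above describes (redirect DNS, block the other private networks, pass what is left), written out in pf syntax as an added illustration rather than the poster's actual rules; pfSense generates equivalent rules from its GUI. The interface name igb1.99, the table names and the resolver addresses are assumptions.

```pf
# Added illustration, not the poster's rule set. pf evaluates rules top-down
# and "quick" stops at the first match, so order is what makes this work.
vlan99_if = "igb1.99"      # assumed: VLAN tag 99 on parent port igb1

# Private address space: the LAN and every other VLAN live in here.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Stand-in for the post's DNS_OpenDNS alias (OpenDNS public resolvers).
table <dns_opendns> { 208.67.222.222, 208.67.220.220 }

# 1. NAT runs before filtering: every DNS query leaving VLAN 99, whatever
#    resolver the client asked for, is rewritten to go to the filtered resolvers.
rdr on $vlan99_if proto { tcp, udp } from $vlan99_if:network to any port 53 \
    -> <dns_opendns> port 53 round-robin

# 2. Reject anything from VLAN 99 that is still headed for a private network.
#    This must sit above the catch-all pass rule below.
block return in quick on $vlan99_if from $vlan99_if:network to <rfc1918>

# 3. Whatever survived has a public destination (Internet or the redirected
#    DNS), so let it out.
pass in quick on $vlan99_if from $vlan99_if:network to any
```

Diagnostics > Ping sends its packets from the firewall itself, and per-interface rules like these only filter traffic arriving on that interface, so a successful ping from there says nothing about whether VLAN 99 clients are isolated; test from a client on the VLAN instead.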

Hi there

On my pfSense box I have my LAN and several VLANs.

- My LAN has currently only all switches and access points on it (so it's my management LAN). I moved all my other devices to different VLANs.
- Some VLANs have rules not to be able to access the other VLANs, but all can currently access my LAN

If I want to prevent some VLANs (e.g. Guest VLAN) from being able to access all the management devices on my LAN while keeping Internet access, what rules would be required to achieve that?
Currently, if I block LAN access, I have no Internet access.

Many thanks for any help!  :D

Bumping up the question...
Would really appreciate any pointers as I feel quite stuck at the moment
Thanks :)


I was wondering if someone could take a look at my settings below as I must have done something wrong somewhere...

My problem:
When signing in with a specific device and FreeRADIUS account (which I assigned to VLAN 10) into my wireless network, the device still gets an IP address from my default pfSense LAN. It should receive a 192.168.10.X address (VLAN 10) but still gets a 192.168.100.X address (LAN).

My hardware setup:
- pfSense appliance (2.4.1)
- Unifi controller
- Unifi switches
- Unifi access points

pfSense parts I configured (showing configuration for ONE user on a VLAN named INT-HOME-10 (VLAN 10)):
1/ On pfSense: FreeRADIUS, Interfaces, VLANs, DHCP
2/ On Unifi Controller: SSID, VLAN

Details and screenshots of all settings below:

1/ In pfSense, I installed FreeRADIUS to serve credentials to my wifi access points.
a/ [In FreeRADIUS/Users] I created a user/password. I want to assign this user to VLAN 10, so I added VLAN 10 in the 'Network Configuration' section
b/ [In FreeRADIUS/NAS-Clients] I added all my UNIFI devices (controller, switches, access points) with a shared secret
c/ [In FreeRADIUS/Interfaces] I set up both a 1812 (authentication) and 1813 (accounting) port. They listen on all interfaces.

2/ In my UNIFI controller, I made the following setup:
a/ [In Settings/Wireless Networks] I created a Wireless Network called 'Test-AP'. I chose WPA Enterprise and selected my Radius profile
b/ [In Settings/Networks] I created a VLAN only network with the ID 10
c/ [In Settings/Profiles] I entered the parameters to access the RADIUS Authentication/Accounting server on my pfSense box

The sign-in part (username/password) works fine and I can connect to the network (except for getting the wrong IP address)

3/ In pfSense again, I also have the following configuration:

a/ [In Interface/...] I created the Interface INT10HOME with a static IPv4 of
b/ [In Interface/VLANs] My INT10HOME interface is a child of my LAN interface
c/ [In Interface/Assignments] My INT10HOME interface is a child of my LAN interface
d/ [In Services/DHCP Server/INT10HOME] I enabled the DHCP server for my INT10HOME interface. I also added the static IPv4 as the Gateway.

I also configured firewall rules, but I'm not sure I need to detail those here, since they are already a step further in the process.

Can anyone point me to the reason why my device does not get an IP from the VLAN but still the LAN?

Any help greatly appreciated  :)

Many thanks for all this additional information!
And apologies for not responding earlier. Had some account issues and my access has just been restored.

I think I will try a hybrid model:
Use some VLANs on the LAN port
Set up the guest network on an OPT port. This will also allow me to play a bit with Squid and SquidGuard.
If all goes well then I'll move some VLANs on their own OPT port.

Again thanks for all the feedback

First of all many thanks for taking the time to respond. Much appreciated! :)

I do have the devices listed on the diagram (pfSense SG-4860, Ubiquiti and Cisco switches and Unifi access points).
I am already experimenting a lot but cannot afford to take the whole network down for too long if I get something wrong.
I updated the link between switches to TRUNK as per your indication. Thanks

Ok, I removed the TRUNK ports between the Ubiquiti and pfSense and added the missing one between the switches.

In terms of traffic, the LAN averages about 20GB/day for most days, but a couple of days a month I would be in the 100-150GB/day range.

  • Is there any advantage/disadvantage for me to use the physical OPT ports here as opposed to just using the LAN port and tagging the VLANs there?
  • I guess if I install SQUID it will then apply to all VLANs as opposed to the setup I am envisioning where I can restrict its usage to one subnet?
  • For the LAN management subnet I assume I would have to tag it something other than VLAN 1 for better security?

Many thanks again for your input and help


I need some assistance with my first ever VLAN implementation on a SG-4860 pfSense box.

My AS-IS setup, pictured on graph 1, has all devices on the same network.
I want to move away from that setup and implement VLANs to properly separate devices on my network.

Below is the TO-BE state I'd like to reach (pending any wiring errors I might have made):
I drew up graph 2 here-under, assuming this will be a functional setup.
Could someone please have a look and see if it makes sense?

A few notes of importance:
  • All devices on my network, regardless of the VLAN, will have fixed IPs assigned
  • Access points need to be useable by ALL devices regardless of VLAN
  • I am planning on using different configs (SQUID, captive portal, etc) on each VLAN, hence my use of the physical OPT ports on the SG-4860.

  • Did I make any mistakes in the design or would that be a functional setup?
  • In principle I want all VLANs fully isolated BUT with some ability to "reach across" VLANs to administer devices, etc. (e.g. if my phone is on VLAN 10 and an IoT device on VLAN 30, I'd like the ability to "reach in" with my phone to administer the IoT device. The IoT device should not be able to reach out on its own.) Is that possible? If so, how would I go about configuring that? Would that be done purely with firewall rules?
  • Do I need to configure the ports linking my Access Points X and Y as trunk or access ports on my switch? I am assuming trunk.
  • Bonus question: I have configured specific DNS servers on my pfSense box. But since my ISP box (NOT in bridge mode) uses my ISP's DNS servers as well, how can I make sure that all devices on my pfSense networks use my pfSense-defined DNS and not the ones from my ISP?


Last night I decided to upgrade my SG-4860 from to 2.3.4.

The update seemingly went fine and went until a screen popped up indicating the update was done and the device about to reboot.
From then on however, my device has no longer been accessible.

So I hooked up the console, and the device boots up for a few seconds but then remains indefinitely at a "Boot: F1" line.

I checked the forum, and some others seemed to have experienced the same thing.

I also checked the terminal baud settings and other than on 115000 I just get gibberish.

So I am trying to figure out what my options are now:

1/ Do I really need to re-flash/re-install my device?
Is there anything else I can try other than re-installing from an image?

2/ My support expired and apparently if I want to download the firmware image for my device I need to pay $400 as it qualifies as a support request.
While I am happy to support pfSense, I have to say that this has me somewhat upset!
Paying $900 for an appliance that bricks my device with the built-in update command and then wants to charge $400 for a download is...sad really!
I'm totally OK with paid support tickets when using a support person's time & effort, but I should at least have free access to the original image file of my device, so that I can try to make my device usable again.

3/ I'm told I can also install the community edition (pfSense-CE-memstick-ADI-2.3.4-RELEASE-amd64.img.gz) but then I will be losing some functionalities as well as the fine-tuning for my specific device.
Can someone tell me what exactly I will be losing if I go that route?

If anyone has any pointers, these would be greatly appreciated.
Thank you in advance for your time.

With the help of the pfSense team I was able to get it working again by reflashing the software onto the device. In case anyone else has this problem.

Where did you download the firmware image file from? I have the exact same issue and can't find the image file anywhere...
SG-4860 as well and boots up to
Boot: F1
... and then nothing

Ok apparently my USB stick had an issue. I tried with a different one and now it's booting.
Will try to restore now...

Thanks for the quick reply.
Yes I made sure OSX had it unmounted first before writing the image.
I have tried twice but with no success.

So just to be sure:
1/ am I using the right image file?
2/ once I plug the USB stick in the unit, will it try to boot from it first automatically or do I need to select it manually?

I will try with a different drive to see if the USB stick is to blame...


Today I tried updating my SG-4860 unit from 2.2.5 to 2.2.6 using the GUI built-in update, but this time things went wrong (as opposed to all my previous updates). Now the unit no longer boots.

I followed a couple of troubleshooting posts, installed a SiLabs driver on my Mac and managed to access the console:
The SG seems to boot up fine, initially, but then stops with the following message:

can't find kernel
Error while including /boot/menu.rc, in the line:
can't load 'kernel'

From what I read in various posts it seems I need to reflash my unit from an image file (please correct me if I am wrong here).

I located the download area for the image files, but here already I am not sure which file to download for my SG-4860:

I selected this one:

and in the OSX Terminal entered the following command:

gzcat netgate-memstick-ADI-2.2.6-RELEASE-amd64.img.gz | sudo dd of=/dev/rdisk2 bs=16k
(considering disk2 is my USB stick)

The command does write for a while to the stick but the disk still appears as uninitialized to OSX.
I presume this is due to the file format.

I plugged the USB stick into the SG-4860, power cycled and expected it to boot from the USB stick, but the USB stick seems simply ignored (the drive's light doesn't blink a single time), and I end up with the same error message.
Pressing F12 (FN+CMD+F12) during the boot-up sequence shows this:

But selecting Option 1 doesn't do anything either (same as above).

Would anyone be able to tell me what I am doing wrong and/or what I am supposed to do?

Many thanks in advance

Hi again :)
Thanks for the quick response.
Unticking the forwarding mode actually seems to have fixed it. Not sure where I picked up that I had to tick this setting, but it seems to do the trick.
Many thanks for that!!!!

While we're at it, would you know if I should tick the "Block Private Network" box in "Interfaces: WAN"?
My understanding from the contextual help is that because I'm behind another router I need to untick this? Is that correct or should I leave it ticked?

Many thanks again for your help!

Hi Derelict

Ping works OK
But NOT (cannot resolve Unknown host)
