
Messages - AndroBourne

Traffic Shaping / Re: What is the difference between DMZ and LAN?
« on: July 20, 2017, 08:14:43 am »
A DMZ is simply a fully open zone that allows all inbound traffic to a said subnet.
Just not correct.

But that was discussed two years ago so it's probably not really useful to revive this old thread.

I'm a network engineer. I do this type of stuff for a living.

Every firewall vendor defines a DMZ differently. Watchguard, for example, treats it as simply another isolated subnet; however, it is still secured by the firewall and not completely open to the internet. A Sonicwall is a totally different story. It is as I described: an isolated open subnet that allows all inbound traffic to said host.

Either way it's defined, a DMZ is a lazy man's method. You are better off creating a secondary secure subnet/interface and controlling the traffic properly with port triggering/forwarding.

Also, there is nothing wrong with reviving an old thread if it is still relevant. There is actually no reason to restart a thread on the same topic if it has already been covered... it is also at the top of searches within the pfSense forums and still an open thread.

Just for your knowledge...

"Setting up a DMZ host will open a single host completely to the WAN, and all packets will be forwarded to this single host"

and then the exceptions follow, such as set port forwarding rules or policies etc...

Firewalling / Re: Plex server issue
« on: July 20, 2017, 08:04:45 am »
You could run TCPView on the station that has Plex to see what ports it's trying to use.

Or check here.

Also make sure, if you are running this on a Windows OS, that you allow those ports through the local Windows firewall as well.

General Questions / Re: VOIP Issues
« on: July 19, 2017, 10:08:44 am »
I wonder if it has to do with the packet rules once it changed over to static.

Could you put a phone on a static IP as well then make a rule to allow all inbound and outbound traffic to that phone, then reboot the phone and see if it can register?

Feedback / Logging Features
« on: July 19, 2017, 08:35:06 am »
I first wanted to say thank you for your hard work in working on PFSense and having a completely free version of a true firewall!

I'd like to make a suggestion, and that is to rework the logging system. As of now it is decent, but from my experience with other firewalls such as Watchguard, its logging manager is really nice. It gives a little more detail about the packet and even color-codes packet types (drops, allowances, losses) etc... it makes it WAY easier to work through the logs for quicker issue resolution!

I would love to see this become a feature in PFSense logging. It's really the only department I feel is lacking in features.

Here is just an example.

General Discussion / Intel X5670 Questions...
« on: July 18, 2017, 05:50:58 pm »
So this is a weird one.

I have a Supermicro X8DA3 server. I just upgraded from 2x E5580 CPUs to the fastest CPUs I could get for the server that were still at 95 W power usage. That is the X5670 @ 2.93GHz.

I had to update the BIOS firmware to get it to POST, but it works. Updated from ver 1.0 to R2.1A.

When I check in computer properties, I get the following: "Intel Xeon CPU X5670 @ 2.93GHz 2.26GHz (2 processors)".

When I check in task manager, I see the same thing except "Maximum speed: 2.26GHz".

Any idea what gives? The board is compatible with the CPU, the BIOS was recently updated etc... it even shows the CPU @ 2.93GHz... so why is maximum speed stuck at 2.26GHz???

I looked online and can't find anything on this... it's weird.

Any ideas?

The BIOS was flashed, so it was reset to defaults during the upgrade. I only changed IDE mode to SATA to get the array functional again... no other changes have been made.

General Questions / Re: VOIP Issues
« on: July 18, 2017, 02:15:57 pm »
Ha yeah not a good idea. Good luck!

General Questions / Re: VOIP Issues
« on: July 18, 2017, 02:09:08 pm »
Yeah I agree, it's not very detailed. Had the same issues myself when I first went through it. However, it sounds like you did it properly.

Did you make sure to filter and kill existing connections under states?

Did you try to reboot other phones and/or the switch after the change? It could be possible some packets from the previous state were in the mix. Reboots should clear them out etc..

On the phone that actually did connect, were you able to do any testing on it while it was up?

Packages / Re: ACME Pkg Questions
« on: July 18, 2017, 01:42:35 pm »
Awesome, thanks! I'll give that a shot and see how that goes.

General Questions / Re: VOIP Issues
« on: July 18, 2017, 01:31:23 pm »
Yeah I feel ya. I do this kind of troubleshooting all day (mainly with Cisco switches and Watchguard firewalls). Doesn't help when users wait hours to report the issue... or aren't accurate about the time the issue occurred.

It sounds like you are using a cloud PBX solution. It's pretty standard nowadays.

You mentioned the switch QOS: "It also has QoS setup as per their documentation". Netgear's documentation or the VOIP vendor's documentation? Different vendors have different QOS requirements or recommendations. Make sure you are using the QOS recommendations from your SIP provider. How big is this network? How many phones? Would it be possible to disable QOS on PFSense and the switch to test? If the network is small enough, QOS should have a minimal impact.

I have a feeling your issue is related to NAT. You said you changed it to static NAT and the phones broke? Are you sure you configured static NAT properly? You can't simply just enable it; you also have to clone and edit a rule to allow static NAT traffic to be used properly. (You can define just the VOIP subnet for the static NAT if you want; you don't have to do it globally.)

If I had to guess, it is NAT or QOS that is causing your issues. But that's just a guess. It's a pretty well known issue that port rewriting causes a lot of issues with VOIP on PFSense. That's why it's the first thing most people recommend changing.

Firewalling / Re: 4COM Hosted SIP: Audio drops out.
« on: July 18, 2017, 01:14:10 pm »
I'm assuming you have been through these steps already?

How is the PFSense box configured for the phones? Do you use QOS?

I don't know 4com too well as a vendor. I normally go with RingCentral or BluIP, but some vendors have ports required for the PBX connection. It could be possible they are dropping packets and causing phones to re-register?

Can 4Com see any of these types of things going on from their back end?

Can you enable logging and watch the PFSense box for a phone behind it and see what's being blocked?

How is the ISP line? Any drops? Did you check network for jitter rates? Any traffic shaping going on that might be causing these issues? Have you tried turning traffic shaping off?

Firewalling / Re: Can't connect to VMWare
« on: July 18, 2017, 01:01:50 pm »
From a device on the LAN interface, are you able to ping the vhost or vCenter on the DMZ? Are you able to reach them over HTTP? (It should display a page for downloading the client if it is working properly.) If not, then there must be a rule-related issue between the subnets.

How is your DMZ configured? Did you create an official DMZ with PFSense or simply a secondary subnet/interface? Have you tried moving everything off the DMZ onto a secondary interface as a test?

I would start looking at it on a more global level first, then work your way down to the VMware-specific side afterwards.

Firewalling / Re: Plex server issue
« on: July 18, 2017, 12:56:13 pm »
I run a Plex server on my desktop PC and behind a PFSense box. No issues accessing it here on another subnet.

Are you sure you port forwarded the correct ports to the NAS for Plex? Are you using an ALL policy or port forwarding?

General Questions / Re: 2-5% constant packet loss WAN
« on: July 18, 2017, 12:45:51 pm »
Or just use unbound and let it resolve vs forward. Now you have dnssec for sure and it doesn't matter how shitty your isp dns is ;) 200% faster vs what.. 30ms 60ms -- let's say you go from 60ms to 10ms - what does it matter since once you get it once it's cached anyway. You're talking .6 of a sec vs .1 of a second - doesn't make much of a difference either way. I would much rather resolve and have full dnssec vs shave a couple of ms off looking up something.

It does matter, especially if his ISP DNS is having issues....

Other DNS providers also provide features that a standard ISP DNS does not, such as content filtering, more redundancy etc... and shorter load times.

This is why I said run the tool; it will give you those results and even a log you can review to see how stable your ISP DNS really is. If it warrants a change, it's worth trying.

It worked just fine for me and I've noticed a decrease in my loading times overall on my network by simply doing this.

As for caching, again it kinda does matter, since there is a TTL for cached sites and they will have to re-hit the website to pull new changes. This helps with that and also assists with pages not cached.

There are quite a few reasons to move from the default ISP DNS...

Normally for my clients, I leave them on the default DNS unless there is a reason to warrant a change (such as unstable or very slow lookups). However, that doesn't mean that is everyone's preference.

General Questions / Re: VOIP Issues
« on: July 18, 2017, 12:41:09 pm »
There is a lot to go over here for troubleshooting.

Do you use QOS? You said they are on their own vlan, but is QOS enabled and configured?

What type of phone service do you use? Is it a cloud PBX (RingCentral or Blue IP etc...) or a self hosted solution?

What type of switch are these phones connecting to? Did you ensure Green Ethernet is disabled on the switch?

How is the ISP line? At the time of this happening, did you do any ISP-related testing on the line? Are there any packet drops?

Have you tried running jitter tests on your network?

Is it possible that the modem has SIP enabled and it's conflicting with the router?

Do the PFSense or switch logs indicate anything at the time of this happening?

Have you tried following this guide?

I could go on and on but we need more specific details.

Packages / ACME Pkg Questions
« on: July 18, 2017, 11:05:22 am »
Hi guys,

I have a few questions about the ACME package usage. I'd like to create a Let's Encrypt cert for the Web UI because it is open for WAN management (on a non-standard port with a forced HTTPS connection).

1. I already have a Let's Encrypt certificate running on a web server behind the firewall. If I apply the cert to the pfsense box, will it in any way clash with my existing cert on the webhost? (both will be using the same domain name).

2. What authorization method should I use? I was following this post and leaning toward "standard"; however, it stated 80 and 443 need to be forwarded to the PFSense box during authorization for it to take place properly. If I have a webhost running on those ports, couldn't that create an issue with my websites? Should I try doing the DNS-Manual instead? Will DNS-Manual work for auto renewals?

3. If I already have the webhost with the certificate, is there any way I can simply import the cert into PFSense? (I'm guessing the issue here is that it would be a manual process to renew it on the PFSense box once it auto-renews on the webhost?)

Any ideas here on a good method to deploy this? I really just need it to help secure my HTTPS traffic to the PFSense Web UI.
