

Messages - S_Erickson

Official pfSense Hardware / Re: XG-1541 Boot Error.
« on: March 01, 2018, 11:18:18 am »

I'll do that one night this week and let you know.


Official pfSense Hardware / XG-1541 Boot Error.
« on: February 28, 2018, 12:49:52 pm »

Running an XG-1541 on 2.4.2-Release and love it. Have set cron to reboot it once a month, which it was scheduled to do last night. It worked, shut down fine, and then failed to start. Now unfortunately I was not here when this was discovered and the person who did discover it manually cut power and restarted it without documenting the error, something about failure to boot. It must have been a pre-bootloader error because there is nothing in the dmesg.boot log except normal startup messages.

The system is only a little over a year old and I haven't seen any other errors. With nothing to really go on I ran extended S.M.A.R.T. tests on the SSD and it passed fine. Anyone seen anything similar or have recommendations for testing the device?

IDS/IPS / Re: Snort Blocking /w Rule Force Disabled
« on: February 23, 2018, 10:21:34 am »

Sorry for the (very) late reply, stopped checking the thread. I have not resolved the issue, it still works in this counterintuitive manner. As of right now I am just letting it work with the rules suppressed and disabled. We have been working on moving to Suricata inline as a replacement, but haven't moved it from the testing stage yet. I've actually been away from the office for some time now and have to catch up on Suricata dev. They were having issues with the inline mode and VLAN tags. Hopefully that has been resolved.

Official pfSense Hardware / Netgate or PfSense? XG-1541
« on: January 18, 2018, 12:32:27 pm »
Running a pfSense-branded XG-1541, I see that now they come branded as Netgate. I didn't think there was any difference but found that the Netgate coreboot update does not work on my XG-1541, it specifically says it's only for Netgate devices. Meanwhile the system states it has a Netgate ID on the main system page. So what is the difference then? I don't see anything different in the hardware. Is it just a matter of a system ID in the BIOS?

IDS/IPS / Re: Snort Blocking /w Rule Force Disabled
« on: January 28, 2017, 03:47:00 pm »
Some additional testing results:

With the whitelist rule disabled and suppressed the functionality seems to work for other rules. For example there was an alert for an IMAP error but because the mail server was added to the whitelist it did not block it. To test it I added the IP for my home system to the whitelist and ran a port scan on the firewall, again an alert was generated but the address was not blocked. Meanwhile if I removed the 136:2 rule from the suppress list, leaving it disabled, and restarted Snort to refresh the list in memory, any attempt to connect to, or scan, the firewall immediately results in my home system being blocked because it is in the whitelist.

One night this week I am going to remove Snort entirely and reinstall it to see if it makes any difference. If anyone has any other suggestions please feel free to let me know.

IDS/IPS / Snort Blocking /w Rule Force Disabled
« on: January 27, 2017, 06:06:07 pm »
Running pfSense 2.3.2-RELEASE-p1 (amd64)

I have snort working in IDS mode, and have set up the IP Rep preproc, using the emerging threats blacklist and an empty whitelist.
I have added several IPs to the whitelist that I have created but when any of them attempt to communicate it blocks them, saying they are whitelisted. I have tried setting the whitelist to unblack as well as trust, and both times it does the same thing, blocking the packet saying that it is whitelisted. The specific rule, 136:2, has been disabled in the interface configuration, and even shows up in the alerts as force disabled but it blocks the IP anyway. If the IP is not in the whitelist it lets it through fine, which seems a little absurd to me. So I have suppressed that rule in addition to disabling it and that seems to work. But this should not be operating like this unless I am (probably) missing something. I have stopped and restarted the service after every setting change, after adding the IP to the whitelist, and after disabling the rule. Every time Snort starts up fine with no errors. Anyone have any ideas about what exactly I'm doing wrong here?

IDS/IPS / Snort Suppress List Syntax.
« on: January 25, 2017, 10:59:49 am »
On the suppress list tab it says that you can use count and seconds as options for the list but I tried to do just this and Snort wouldn't start, saying that it was an invalid option. So either the format described below the box is incorrect or this is no longer possible on the suppress list and only by going into the Snort interface and adding a custom filter rule. Can someone verify that this isn't just me? If it isn't then we should update the comments on that page to avoid confusion.
Code:
FATAL ERROR: /usr/local/etc/snort/snort_45782_igb4/suppwansuppress_585cb3283a4ca(63) suppress has incorrect argument count.
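As an added illustration (not part of the original post or of the pfSense Snort package): a small Python checker that validates the lines of a Snort suppress/threshold file against the documented directive syntax and flags the exact mistake behind the FATAL ERROR above, a `suppress` line carrying `count`/`seconds`, which only `event_filter` accepts. The sample lines are constructed.

```python
# Added example: lint a Snort suppress/threshold file before restarting Snort.
# `suppress` takes only gen_id, sig_id and an optional `track ..., ip ...` pair;
# `count`/`seconds` belong to `event_filter` (type limit|threshold|both).
SUPPRESS_ALLOWED = {"gen_id", "sig_id", "track", "ip"}
FILTER_REQUIRED = {"gen_id", "sig_id", "type", "track", "count", "seconds"}

# Constructed sample: line 2 is the mistake from the post, line 3 is its fix.
SAMPLE = """\
suppress gen_id 136, sig_id 2
suppress gen_id 1, sig_id 2100498, count 5, seconds 60
event_filter gen_id 1, sig_id 2100498, type limit, track by_src, count 5, seconds 60
suppress gen_id 1, sig_id 2100498, track by_src, ip 192.0.2.10
"""

def parse_directive(line):
    """Return (kind, {option: value}) for one directive, or None for blank/comment."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    kind, _, rest = body.partition(" ")
    options = {}
    for chunk in rest.split(","):
        tokens = chunk.split()
        if len(tokens) != 2:
            raise ValueError(f"malformed option {chunk.strip()!r}")
        options[tokens[0]] = tokens[1]
    return kind, options

def lint(text):
    """Return [(line_no, message)] for directives Snort would refuse to load."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_directive(raw)
        if parsed is None:
            continue
        kind, opts = parsed
        if kind == "suppress":
            extra = sorted(set(opts) - SUPPRESS_ALLOWED)
            if extra:
                problems.append((no, f"suppress does not accept {extra}; use event_filter"))
            if ("track" in opts) != ("ip" in opts):
                problems.append((no, "suppress needs both track and ip, or neither"))
        elif kind == "event_filter":
            missing = sorted(FILTER_REQUIRED - set(opts))
            if missing:
                problems.append((no, f"event_filter is missing {missing}"))
    return problems
```

Running `lint()` over the generated suppress file before restarting the interface turns the opaque "incorrect argument count" crash into a line number and a suggested directive.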

DHCP and DNS / Re: Help Setting Up DNS Resolver
« on: December 28, 2016, 09:26:43 am »
The loopback address regarding the RADIUS server is probably fine, as long as you are running FreeRADIUS as a server on the firewall it should be pointing to as the location to go for authentication.
The one to do with SquidGuard though may not be. If you half-configured it then left it, then it is possible it could be blocking things.
When we did the setup here, we had a few problems setting up SquidGuard the way we wanted it. Would have deployed a few days earlier probably. It was causing some unusual behaviour, like randomly deciding to block certain websites such as Google or Microsoft. I have it up and running now over 5 interfaces at the moment and don't have a loopback address anywhere in my config. If you're not using it, remove the package just to see if anything changes.

DHCP and DNS / Re: Help Setting Up DNS Resolver
« on: December 27, 2016, 07:12:04 pm »
It is possible that the config file has been changed to override the settings. Go to the Diagnostics / Edit File page and open /conf/config.xml, then search for the loopback address and see if it shows up.

DHCP and DNS / Re: pfSense 2.3.1 - Remove stale static mapping
« on: December 27, 2016, 01:46:45 pm »

I'm running 2.3.2-p1 on an XG-1541

Had the same problem that you did, a blank entry at the top of the static mappings list on one of the interfaces. Normally if you delete a static mapping it will bring you back to the top and say you have to apply the changes. With this entry, after clicking OK to delete it, it would simply bring me back to the top with no option to apply. I spent a couple hours trying to get rid of it before I found the solution and thought I would share it. I don't know if you still have this problem, but I couldn't find any advice online that didn't involve reinstalling or resetting to factory default configuration. So here is what I found:

In my case the blank and undeletable static mapping was being created by an entry in the dhcpd.conf file.

Code:
host s_opt2_0 {

Editing the file and removing these lines was not the solution though. The pfSense system pretty much ignores the dhcpd.conf file after initialization. It auto-generates a new version of the file every time the system starts based on the config.xml file. So I went in and opened up that and found a similar issue. In the static mappings section for that interface there was a line with an open/close <staticmap/> tag at the start of the list. Removed that, saved the file, then got rid of /tmp/config.cache to get the system to reload the config again. Didn't even need to restart the system.

Anyways I still don't know what it was that created the blank entry but at least it's gone. Hope this helps anyone else who runs into this.
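An added example, not from the original post or from pfSense itself, of the config.xml cleanup described above done programmatically: it walks each interface under `<dhcpd>` (the usual pfSense config.xml layout `<pfsense><dhcpd><IFACE><staticmap>` is assumed), reports every `<staticmap>` with no child elements, and returns the XML with those blank entries removed. The sample config is constructed.

```python
# Added example: find and strip blank <staticmap/> entries from a pfSense config.xml.
# Assumes the usual layout <pfsense><dhcpd><IFACE><staticmap>...</staticmap></IFACE>.
import xml.etree.ElementTree as ET

# Constructed sample: opt2 carries the empty <staticmap/> that rendered as an
# undeletable blank row, followed by one legitimate mapping.
SAMPLE_CONFIG = """<pfsense>
  <dhcpd>
    <opt2>
      <enable></enable>
      <staticmap/>
      <staticmap>
        <mac>00:11:22:33:44:55</mac>
        <ipaddr>192.168.2.10</ipaddr>
        <hostname>printer</hostname>
      </staticmap>
    </opt2>
  </dhcpd>
</pfsense>
"""

def blank_staticmaps(xml_text):
    """Return the interface names that carry a <staticmap> with no child elements."""
    root = ET.fromstring(xml_text)
    dhcpd = root.find("dhcpd")
    if dhcpd is None:
        return []
    return [iface.tag for iface in dhcpd
            for sm in iface.findall("staticmap") if len(sm) == 0]

def remove_blank_staticmaps(xml_text):
    """Return (interfaces cleaned, new XML text) with every empty <staticmap> dropped."""
    root = ET.fromstring(xml_text)
    cleaned = []
    dhcpd = root.find("dhcpd")
    for iface in ([] if dhcpd is None else list(dhcpd)):
        for sm in list(iface.findall("staticmap")):
            if len(sm) == 0:          # no <mac>/<ipaddr>/<hostname> children
                iface.remove(sm)
                cleaned.append(iface.tag)
    return cleaned, ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Usage: python fix_staticmap.py /conf/config.xml  -> writes config.xml.cleaned;
    # then copy it over config.xml and delete /tmp/config.cache as described above.
    import sys
    path = sys.argv[1]
    cleaned, new_text = remove_blank_staticmaps(open(path).read())
    open(path + ".cleaned", "w").write(new_text)
    print("cleaned interfaces:", cleaned)
```

Keep a copy of the original config.xml before installing the cleaned file, since the script rewrites the whole document rather than patching one line.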

