
Messages - repomanz

pfBlockerNG / Re: DNSBL Certificate errors
« on: November 12, 2017, 12:21:48 pm »
I still have the issue. Currently I have DNSBL turned off and am using Pi-hole until it gets figured out.

General Questions / Re: xboxone / strict nat and VPN
« on: November 11, 2017, 03:41:58 pm »
Hi everyone. I've solved this on my own and so I figured I'd inform others of the solution.

Under the VPN client configuration details for each OpenVPN client, check the box "Don't pull routes". This resolved the issue I was having.

** edit - I now have a DNS leak, so I'll have to figure that out.

General Questions / xboxone / strict nat and VPN
« on: November 10, 2017, 04:02:03 pm »
Hey everyone.

I'm beating my head against the wall here as I don't understand why Xbox One NAT is not working when I try to VPN some clients (not the Xbox).

Key point here: I have a fully functional Xbox One with open NAT based on the guide linked in this forum. The Xbox One is working, and works well. However, the moment I attempt to VPN any traffic to my internal clients I completely break the NAT for the Xbox One.

Outbound rules (in order):

1) Xbox static outbound rule is #1 in the list and is bound to WAN
2) LAN 1 subnet
3) LAN 2 subnet
4) openvpn interface #1
5) openvpn interface #2
6) openvpn interface #3
7) openvpn interface #4
8) openvpn interface #5

LAN 1 network is routed out through vpn client gateway group (openvpn interface #1 - #5)
LAN 2 network (where xbox lives) is routed out through WAN

All clients perform as they should. I get a VPN address for clients in LAN 1. Clients in LAN 2 get my WAN IP. However, with this configuration the NAT type is now broken.

What can I check for here to see if additional configurations are required? It's clear I'm missing a configuration with the VPN or interfaces, or don't fully understand how VPN and NAT work together.


OpenVPN / Correct outbound NAT configuration
« on: November 09, 2017, 07:37:42 pm »
Hi everyone. I need some clarification on OpenVPN clients and outbound NAT.

I have 5 OpenVPN clients running and each client has its own interface. I have each of the 5 OpenVPN interfaces grouped into 1 single VPN gateway group.

vpn group = vpn1, vpn2, vpn3, vpn4, vpn5

1) When I'm dealing with outbound NAT, do I need to create a unique entry for each interface (vpn1, vpn2, ....) or can I just select the OPENVPN option?
2) The table below is what I have currently. Would I need to create an outbound NAT rule for each interface for the ISAKMP and the WAN rule specific to the VPN or OpenVPN interface choice?

Interface   Source   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description   Actions
WAN   *   *   500   WAN address   *      Auto created rule for ISAKMP - localhost to WAN    
WAN   *   *   *   WAN address   *      Auto created rule - localhost to WAN    
WAN   *   *   500   WAN address   *      Auto created rule for ISAKMP - LAN to WAN    
WAN   *   *   *   WAN address   *      Auto created rule - LAN to WAN    

General Questions / Re: networking between interfaces
« on: November 09, 2017, 05:03:32 pm »
Thanks for the responses. Is there ever a short answer though? :)

On to my next question.

I have a LAN1 rule routing out traffic via the WAN_DHCP gateway as the final rule. When I try to do this with LAN2 I break the LAN2 clients. Can you not configure 2 LAN interfaces to route out the same WAN_DHCP gateway even though they are separate interfaces / NICs? The only way I can fix this is an * as the rule for LAN2 instead of specifically assigning the WAN_DHCP gateway.

General Questions / networking between interfaces
« on: November 08, 2017, 08:18:18 pm »
Hi everyone. Quick question about pfSense / networking.

I have:

WAN (dhcp ip)
LAN1 (gateway
LAN2 (gateway

DHCP server on each LAN interface.

I have assets in LAN1 that my LAN2 clients need to get to. Do I need to create an allow rule in LAN1 and LAN2 so the LAN2 clients are routed to the LAN1 network?

DHCP and DNS / DNS server on different interface subnet
« on: November 06, 2017, 04:57:37 pm »
Hi everyone.

Quick layout of my setup

1) I'm using the DNS Resolver within pfSense
2) under General Settings I have Google DNS servers entered
3) I have 3 interfaces (WAN, LAN, LAN2)
4) I have 2 DHCP scopes (LAN, LAN2). Each scope has the local DNS server assigned, which resides on the LAN one network

When entering the DNS server IP residing on LAN for the LAN2 DHCP server scope, the clients residing on the LAN2 network stop functioning. What is the best practice and what are the appropriate LAN rules that I require for LAN2? I attempted to create a LAN2 rule > IP address of the DNS server on LAN (port 53) but that didn't work.


Installation and Upgrades / Re: 2.4.1: local DNS not working
« on: November 05, 2017, 03:10:56 pm »
Nonsense... Resolver works just fine in 2.4.. If it broke then the boards would be under DDoS attack with people complaining..

Putting it into forwarder mode is NOT the correct solution.. So now your clients are asking pfSense, just to ask your local DNS to go and do what exactly, then resolve? Have your clients ask your local DNS directly - then have it forward to pfSense to resolve.

John - need some clarification:

Under General Settings, I have 1 DNS entry (my DNS server). If I don't check the forwarder option under the resolver then my internal clients do not hit my DNS (only pfSense out to Google, I suppose). It's only when I enable the forwarding option in the resolver that it works correctly.

So - this sounds similar to the other person talking above about pfSense using Google and ignoring DNS settings.

Installation and Upgrades / Re: 2.4.1: local DNS not working
« on: November 05, 2017, 11:45:31 am »
Hey John - thanks for the quick response. Thanks for the additional information about unbound / resolver and the behavior. Right before you responded I think I figured out the problem.

I checked DNS forwarding mode in the resolver and now I'm seeing my local DNS server get hit. Outside of my local DNS server being poisoned after an exploit, do you see any other issues with that configuration in the context of DNS security or other pfSense-specific issues?


Installation and Upgrades / 2.4.1: local DNS not working
« on: November 05, 2017, 11:33:47 am »
Hi everyone.

I'm sure I have something misconfigured somewhere.

1) under General Settings, I have the local DNS server set (10.180.x.x)
2) in the DNS Resolver, I have static mappings for a couple of Linux servers. I also have DHCP and static IPs being registered in the DNS Resolver. DNSSEC is checked
3) in the DHCP server, the DNS value is blank (that should default to #1, right?)
4) in the DHCP server I have a few static leases defined

However, my clients don't appear to be routing their DNS requests to the 10.180.x.x address above. I've renewed their leases, flushed DNS, bounced, etc. I also noticed that unbound restarts every few minutes (is that normal?)

Hoping I have something misconfigured here. Thoughts?


pfBlockerNG / Re: pfblockerNG dnsbl issue
« on: November 03, 2017, 12:16:17 pm »
My problem resolved itself after a reboot. 

General Questions / vpn gateway group / health
« on: November 01, 2017, 06:19:18 pm »
Hi Everyone.

Been enjoying pfSense quite a bit. Have a new question now.

I have 5 OpenVPN client sessions connected to my VPN provider. These connections are individual interfaces that are bound into a gateway group for LAN rules. I have the health checks enabled in the gateway group as well. What I am finding is that a client within the network gets bound to an underperforming OpenVPN client session. I manually restart that connection and the issue goes away. I'd enjoy getting out of the manual side of that process.

Are there any cron job scripts or other utilities that can measure the health of the connection and, if bad, restart that specific OpenVPN client interface? Something like a speed test through the interface and, if it falls under x performance, restart the interface.


pfBlockerNG / Re: DNSBL Certificate errors
« on: October 31, 2017, 08:36:49 pm »
Can you share your DNSBL configuration and any LAN / floating rules you may have on this? I'm hoping it's some minor configuration change I need to make instead of a full re-install.

pfBlockerNG / Re: DNSBL Certificate errors
« on: October 29, 2017, 07:12:38 pm »
Hi folks - I was wondering if others that have upgraded to pfSense 2.4.1 are having the certificate errors again? Previously in 2.3.4 the solution described above was working fine with the LAN rule blocking any traffic to the DNSBL VIP. Post upgrade to 2.4.1 I'm getting certificate errors again from my AV solution. This began happening immediately after the upgrade of pfSense to 2.4.1.

Anyone else having this trouble?

OpenVPN / PIA / OpenVPN warnings
« on: October 23, 2017, 02:23:39 pm »
Hey folks,

I have PIA configured using the strong encryption (4096) but I get these warnings in the logs:

Oct 23 13:51:45   openvpn   71654   WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Oct 23 13:51:45   openvpn   71654   WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Oct 23 13:51:45   openvpn   71654   WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Oct 23 13:51:45   openvpn   71654   WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

Am I misconfigured here? Traffic is going through the VPN, however.
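The warnings quoted above each report one option whose local and remote configured values differ. As an added example (not from the post or from pfSense), the script below parses such lines from an OpenVPN log, returns the local/remote pair per option, and flags remote values that match a constructed weak-algorithm list (BF-CBC is a 64-bit-block cipher and SHA1 an outdated HMAC; the list itself is an assumed policy, not something the post states). The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample modelled on the warnings quoted in the post (not a live capture).
SAMPLE_LOG = """\
Oct 23 13:51:45 openvpn 71654 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Oct 23 13:51:45 openvpn 71654 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Oct 23 13:51:45 openvpn 71654 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Oct 23 13:51:45 openvpn 71654 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Oct 23 13:51:46 openvpn 71654 Initialization Sequence Completed
"""

# The option name is repeated inside local='...' and remote='...'; the backreference
# (?P=opt) ties all three occurrences together so unrelated WARNING lines are ignored.
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>[^']*)', remote='(?P=opt) (?P<remote>[^']*)'"
)

# Assumed review policy: peer-side values worth a closer look if they ever take effect.
WEAK_REMOTE = {
    "cipher": {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "none"},
    "auth": {"SHA1", "MD5", "none"},
}


def parse_mismatches(log_text):
    """Return {option: (local_value, remote_value)} for every mismatch warning."""
    found = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            found[m["opt"]] = (m["local"], m["remote"])
    return found


def weak_remote_settings(mismatches):
    """List (option, remote_value) pairs whose remote value is on the weak list."""
    return sorted(
        (opt, remote)
        for opt, (_local, remote) in mismatches.items()
        if remote in WEAK_REMOTE.get(opt, set())
    )


if __name__ == "__main__":
    mismatches = parse_mismatches(SAMPLE_LOG)
    for opt, (local, remote) in mismatches.items():
        print(f"{opt:9} local={local:12} remote={remote}")
    for opt, remote in weak_remote_settings(mismatches):
        print(f"review: remote side configured {opt}={remote}")
```

A mismatch warning alone does not say which value the session ended up using; confirm the negotiated cipher and HMAC from the connection's own log lines before deciding the tunnel is weak.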

