


Messages - parsalog

2
Routing and Multi WAN / BGP and LAN routable IP
« on: March 15, 2018, 01:30:54 pm »
I have a failover internet connection, configured via BGP, effectively multi-homing to the same location. So, I have two fiber internet connections with normal IPs assigned, then I have an IP subnet configured via BGP that can exist on either of those two connections.

I now want to run SIP, but, to do so I need a WAN IP on the phone system that has to sit behind the pfSense as it coordinates the BGP. I got a /30 assigned, and I announce it, but I am missing something as it doesn't route through yet.


So 65.151.37.224/30 is configured on my LAN as a proxy ARP (not sure this was the right choice); 65.151.37.225 will be the phone system, on the LAN interface.

65.151.24.26 is my primary connection, its gateway is *.*.*.25; 65.151.24.30 is my failover with *.*.*.29 for its gateway.

BGP is 65.151.28.1/24, which can be on the primary or failover.

When I tracert or ping it seems to get confused at my primary gateway.

tracert 65.151.37.224

Tracing route to 65.151.37.224 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.1.254
  2     1 ms     1 ms     1 ms  tuk-edge-14.inet.qwest.net [63.228.222.121]
  3     1 ms     1 ms     1 ms  tuk-cntr-11.inet.qwest.net [205.171.11.70]
  4     1 ms     1 ms     1 ms  69.8.221.42
  5     1 ms     1 ms     1 ms  65.151.24.26
  6     1 ms     2 ms     2 ms  65.151.24.25
  7     1 ms     1 ms     1 ms  65.151.24.26
  8     1 ms     1 ms     1 ms  65.151.24.25
  9     1 ms     1 ms     1 ms  65.151.24.26
 10   148 ms     1 ms    25 ms  65.151.24.25
 11     1 ms     1 ms     2 ms  65.151.24.26
 12     2 ms     2 ms     2 ms  65.151.24.25
 13     1 ms     1 ms     1 ms  65.151.24.26
 14     1 ms     1 ms     1 ms  65.151.24.25
 15     1 ms     1 ms     1 ms  65.151.24.26
 16     2 ms     2 ms     2 ms  65.151.24.25
 17     1 ms     1 ms     1 ms  65.151.24.26
 18     1 ms     1 ms     1 ms  65.151.24.25
 19     1 ms     1 ms     1 ms  65.151.24.26
 20     1 ms     1 ms     1 ms  65.151.24.25
 21     1 ms     1 ms     1 ms  65.151.24.26
 22     1 ms     1 ms     1 ms  65.151.24.25
 23     1 ms     1 ms     1 ms  65.151.24.26
 24    16 ms     7 ms     2 ms  65.151.24.25
 25     1 ms     1 ms     1 ms  65.151.24.26
 26     2 ms     2 ms     1 ms  65.151.24.25
 27     1 ms     1 ms     1 ms  65.151.24.26
 28     1 ms     1 ms     1 ms  65.151.24.25
 29     1 ms     1 ms     1 ms  65.151.24.26
 30     1 ms     1 ms     1 ms  65.151.24.25

Trace complete.

ping 65.151.37.224

Pinging 65.151.37.224 with 32 bytes of data:
Reply from 65.151.24.25: TTL expired in transit.
Reply from 65.151.24.25: TTL expired in transit.
Reply from 65.151.24.25: TTL expired in transit.
Reply from 65.151.24.25: TTL expired in transit.

Ping statistics for 65.151.37.224:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

ping 65.151.37.224

Pinging 65.151.37.224 with 32 bytes of data:
Reply from 65.151.24.25: TTL expired in transit.
Reply from 65.151.24.25: TTL expired in transit.
Reply from 65.151.24.25: TTL expired in transit.
Reply from 65.151.24.25: TTL expired in transit.

Ping statistics for 65.151.37.224:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


Any help would be appreciated
 
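Reading the trace above: from hop 5 onward the packet bounces between 65.151.24.26 (the pfSense WAN address) and 65.151.24.25 (the ISP gateway), and the pings come back as "TTL expired in transit" from that same gateway. That pattern typically means the provider is forwarding the announced /30 to pfSense while pfSense has no route for it more specific than its default, so it hands the packet straight back. The script below is an added example (not from the original post) that parses Windows tracert and ping output and flags such a repeating forwarding loop automatically; the sample text is an abridged, constructed copy of the output quoted above.

```python
import re
from collections import Counter

# Constructed sample: abridged copy of the tracert and ping output quoted in the post.
SAMPLE_TRACERT = """Tracing route to 65.151.37.224 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.1.254
  2     1 ms     1 ms     1 ms  tuk-edge-14.inet.qwest.net [63.228.222.121]
  5     1 ms     1 ms     1 ms  65.151.24.26
  6     1 ms     2 ms     2 ms  65.151.24.25
  7     1 ms     1 ms     1 ms  65.151.24.26
  8     1 ms     1 ms     1 ms  65.151.24.25
  9     1 ms     1 ms     1 ms  65.151.24.26
 10   148 ms     1 ms    25 ms  65.151.24.25

Trace complete."""
SAMPLE_PING = """Pinging 65.151.37.224 with 32 bytes of data:
Reply from 65.151.24.25: TTL expired in transit.
Reply from 65.151.24.25: TTL expired in transit."""

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hops(text):
    """Return [(hop_number, responder_ip_or_None), ...] from Windows tracert output."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+", line)  # hop lines start with the hop number
        if not m:
            continue
        ips = IPV4_RE.findall(line)          # last IPv4 on the line is the responder
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops


def find_loop(hops, min_repeats=3):
    """Find the shortest cycle of responders repeated min_repeats times in a row.
    Returns (cycle_of_addresses, hop_number_where_it_starts) or None."""
    addrs = [a for _, a in hops]
    for length in range(1, len(addrs) // 2 + 1):
        for start in range(len(addrs) - length * min_repeats + 1):
            cycle = addrs[start:start + length]
            if None in cycle:                # timeouts never count as a loop member
                continue
            if addrs[start:start + length * min_repeats] == cycle * min_repeats:
                return tuple(cycle), hops[start][0]
    return None


def ttl_expired_sources(ping_text):
    """Count which router reported 'TTL expired in transit' (the loop's other symptom)."""
    return Counter(re.findall(r"Reply from (\S+): TTL expired in transit", ping_text))
```

Running find_loop(parse_hops(SAMPLE_TRACERT)) reports the 65.151.24.26 / 65.151.24.25 cycle starting at hop 5, which is the pair of routers whose routing tables need comparing.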

3
Hardware / Re: PfSense Goes down every hour
« on: January 31, 2018, 06:06:05 pm »
Are you using hardware AES-NI for your IPsec tunnels?

4
Hardware / Re: Intel XL710-BM1 Compatibility
« on: January 24, 2018, 12:36:48 pm »
I am running the X710-DA2 without issue (very happy with it, switched from Chelsio). I think it uses the same driver?

5
Interesting, on the known issue. Initially I did not get errors either; wish I would have seen that post earlier... but after playing with the BIOS I was eventually able to get the crash dump (unlike the poor fellow in that other post), which is where I focused my search: fatal trap 12.

6
Yes, I did submit them (a bunch); it should be from the same IP as this post.

4 days now, no crash, so I am going to say turning off crypto is a genuine workaround.


7
Not sure where to post this, but I think I found the source issue and a workaround.

Symptom: random reboot / reset of firewall, sometimes with error, sometimes not. Time between reboots anywhere from 10 minutes to 2 days. When I did get a crash report, always the same error.

Fatal trap 12: page fault while in kernel mode .......

Tried everything: better cooling, different chipset NIC, disabling on-board SATA (BIOS: turning off hyper-threading, turning off VT-d, turning off above 4G decoding). I did system tunables too, mbuf, some storm threshold, and I forget what else...

My firewall was a custom made one (Supermicro), so I eventually gave up and ordered a brand new firewall from pfSense. Got the same exact problem, but I noticed it didn't pop up till after I noticed AES-NI was disabled and turned it on. I put my old firewall back in, and turned off crypto acceleration, and I am now on day three without a reset!

Can anyone else confirm this experience with 2.4.x? Incidentally all 8 of my other pfSense firewalls had no issues on 2.3.x, and the new one is too new to install the 2.3.x.

Not sure if it is part of it, but I have VLANs and virtual IPs, and a lot of IPsec tunnels all configured for AES128-GCM and AES-XCBC.

Hardware is a Supermicro 5019S-ML, Intel Xeon E3-1275, 64GB ECC RAM.

8
I am fighting this same issue, any updates on this issue? I am running a Supermicro server as well. It seems a lot of people are seeing the trap 12 when using the Intel igb driver specifically?

9
IPsec / Re: IPsec dropping VLAN traffic to only one site
« on: November 17, 2017, 04:14:31 pm »
Solved, I had a typo on the phase two on one side, for the VLAN subnet...

10
IPsec / IPsec dropping VLAN traffic to only one site
« on: November 17, 2017, 01:40:06 pm »
This problem has me baffled. I just upgraded my firewall, I am on the newest version of pfSense, clean install. I recreated all my IPsec tunnels, to 8 different sites. For only one site, my VLAN traffic fails in one direction. The VLAN is a Voice VLAN, so the symptom with only 1 of 8 locations is I can hear them on the phone, but they cannot hear me; voice traffic is UDP. If I try pinging from that VLAN interface, the pings fail. Pinging does fail in the opposite direction as well.

The other three non-VLAN subnets all can connect through the same tunnel without issue.

11
Routing and Multi WAN / BGP local-AS missing from Neighbor Parameters
« on: December 02, 2016, 10:33:54 am »
I have found myself in a scenario where I need more than one AS assigned to the same box. One is a public AS, the other is a private AS. Doing a little research it appears the command that I am looking for is "local-AS", but it is not in the pull-down options for "Neighbor Parameters". Does anyone know if OpenBGPD supports it? Is there an easy way to edit the list?

12
In doing more testing, I have discovered that it only appears to be Android devices failing; I have only tested Samsung devices so far. I tested an Apple iPad on the 10.1.3.0/24 and a laptop as well, both were able to access everything on the 10.1.1.0/24. So this appears to be an Android issue?

13
Originally my network had just one subnet, the 10.1.1.0/24, but I ran out of IPs.

As such I added the 10.1.2.0/24 to accommodate more devices.

I guess I could have done a /22, but I was under the impression the router could connect the two subnets, giving me the option to apply firewall rules to the traffic between each.

Just recently I have run out of IPs again, so I have added the 10.1.3.0/24.

Also, what I find interesting is I am only having issues with mobile devices. This IP scheme has been working without issues on my PCs and printers.

14
Which part has you confused?

Under Interfaces, the LAN is set with a static IP of 10.1.1.1 and the subnet is a /16.

Under Firewall and Virtual IPs, I have added two virtual IPs, 10.1.2.1 and 10.1.3.1, but with a subnet of /24.

The idea is that any device on the 10.1.2.0/24 will have 10.1.2.1 for its gateway, and any device on the 10.1.3.0/24 will have 10.1.3.1 for its gateway.

15
I have three LAN subnets, 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24; well, more actually, but they fall outside the scope of this issue.

All wireless devices (tablets, phones...) get assigned to the 10.1.3.0/24 via reservations from a DHCP superscope.

All server equipment (web, email...) falls in the 10.1.1.0/24.

Any phone or tablet using the 10.1.3.0/24 can access the outside internet without issue.

My problem is they cannot reach the internal 10.1.1.0/24.

That said, they do "appear" to have the ability to ping, but TCP traffic fails, port 80, 443. Can't send email, or pull up internal websites.

I have pfSense configured with a LAN of 10.1.1.1/16 and I have a Virtual IP type "IP Alias" of 10.1.2.1/24 and 10.1.3.1/24 on the same interface.
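The address plan in this thread mixes a /16 on the LAN interface with /24 aliases that sit inside that /16, so pfSense and the hosts disagree about which destinations are on-link: a host at 10.1.3.x/24 sends traffic for 10.1.1.x to its gateway, while pfSense, holding 10.1.0.0/16, sees both addresses on the same link, hairpins the packet back out the LAN and emits an ICMP redirect, which client operating systems honour differently. The check below is an added example, not part of the original thread, that uses the addresses given in the posts (labelled as constructed input) to flag overlapping aliases and to list the destinations on which the host view and the router view diverge.

```python
import ipaddress

# Constructed from the thread: LAN interface 10.1.1.1/16 plus two IP aliases
# 10.1.2.1/24 and 10.1.3.1/24 on the same interface; hosts configure a /24 mask.
ROUTER_LAN = "10.1.1.1/16"
IP_ALIASES = ["10.1.2.1/24", "10.1.3.1/24"]


def aliases_inside_interface_subnet(interface_cidr, alias_cidrs):
    """Return the aliases whose subnet is contained in the interface's own subnet.
    Such an alias is never a separate routed subnet from the router's point of view."""
    iface_net = ipaddress.ip_interface(interface_cidr).network
    return [a for a in alias_cidrs
            if ipaddress.ip_interface(a).network.subnet_of(iface_net)]


def host_sees_on_link(host_cidr, dst_ip):
    """True if the host (address/prefix) would ARP for dst_ip instead of using its gateway."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(host_cidr).network


def router_sees_same_link(router_cidr, host_ip, dst_ip):
    """True if the router's interface subnet contains both the host and the destination,
    i.e. it will forward the packet back out the interface it arrived on (hairpin)."""
    net = ipaddress.ip_interface(router_cidr).network
    return ipaddress.ip_address(host_ip) in net and ipaddress.ip_address(dst_ip) in net


def view_mismatches(router_cidr, host_cidr, dst_ips):
    """Destinations where the host uses its gateway but the router answers with a
    hairpin forward plus ICMP redirect (or the reverse): the asymmetric cases."""
    host_ip = str(ipaddress.ip_interface(host_cidr).ip)
    return [d for d in dst_ips
            if host_sees_on_link(host_cidr, d) != router_sees_same_link(router_cidr, host_ip, d)]
```

With ROUTER_LAN as a /16 both aliases are reported as overlapping and 10.1.1.x destinations show up as mismatches for a 10.1.3.x/24 host; giving the router a /24 per subnet (or one /22 shared by router and hosts, as the poster considered) makes the two views agree.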
