
Messages - kcallis

Wireless / Re: [SOLVED] Setting up Tomato Wifi Router behind PFSense
« on: February 22, 2018, 10:15:32 am »
Hi Everyone!

I can't seem to get my wireless router to cooperate and I'd be forever grateful for some help. Here's the setup I'm trying to accomplish:

Gateway ---> PFSense box ----> Wifi-Router

I have referenced these two places, but neither has helped me through to the finish:
(Main PFSense help doc for this)
(Post by someone from 2008 who was trying to do the same thing)

Unfortunately the second post petered out due to the original poster's misunderstanding of subnets.

My Tomato Wifi-Router Setup:

WAN: Disabled

Gateway: (pfsense address)
DNS: (pfsense address)
Disabled DHCP.

As far as I know things should be working from these settings, so I'm pretty sure the error is coming from my PFSense config.

I have the Wifi-Router plugged into my OPT1 port, which I'm pretty sure is the problem. What settings do I need to supply in my OPT1 interface to successfully get things running?

Current OPT1 interface settings:

(Interface Enabled)
IPv4 configuration type: DHCP
IPv6 configuration type: none

The rest of the fields are empty except for the hostname that is currently "testwifi"

I have also gone into the firewall rules for OPT1 and added a rule to let all IPv4 traffic pass.

It would probably be best if I could just bridge my OPT1 port to the LAN port that is currently configured, but barring that what do I need to do to adjust my OPT1 settings? I can't just copy/paste my current LAN port settings can I? (I assume that copy/pasting would cause a conflict when both LAN and OPT1 try and use as their static IPv4.)

Thanks for taking a look!  :)

RickJ's post almost got me to success.  I have an R7000 wireless router running Shibby Tomato v1.28 and plugged into the LAN port on my wired only PFSENSE appliance.  In addition to RickJ's advice, I realized I needed to go into Advanced/Routing.  Under the Miscellaneous tab, I had to switch the Mode from 'Gateway' to 'Router'.  Once I did that, everything magically started working. In my case, my appliance is set to, the R7000 is set to

I am migrating from my TP-Link WA901ND to my Netgear Nighthawk R7000. The one thing that worked nicely for me on the TP-Link was the ability to seamlessly broadcast 4 SSIDs, use the same VLAN IDs and then connect it to my switch, which connected to my 3 port pfSense APU. After many attempts to factory reset my R7000, I have had nothing but issues. First off, after I create new bridge interfaces (br1, br2, br3) and then create the VLANs, I found that VLAN 1 is required for br0 (the default LAN interface on the R7000). Unfortunately, I need the br0 interface to have VLAN 05, which is in line with the configuration on my pfSense box.

With the TP-Link WA901ND, since there is only one interface, once I create the 4 SSIDs, it comes to my edge switch as a trunk with all of the VLANs that I defined passed to the switch. Whereas with the R7000, this has been a rocky road! Has anyone successfully changed the VLAN ID for the default interface to anything besides VLAN 1?

Any pointers would be greatly appreciated!

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: February 17, 2018, 04:33:25 am »
I am getting ready to take the plunge on 2.4.2_p1. I have been using the wizard with Multiple LAN/WAN (I currently have 10 VLANs, 1 WAN and three VPN_WAN connections). I do so enjoy and envy those people that have 100/50 and 50/25 connections, but I have been cursed with using AT&T and my DSL is 18/2, so I need to squeeze out the most optimal setup.

I have been reading, but was wondering if someone has possibly started a new thread so that I can be up to date on all the tricks to make this work smoothly?

Traffic Shaping / Multi-WAN and traffic shaping
« on: February 16, 2018, 01:34:32 pm »
Currently, I have a DSL connection providing my WAN connection. I also created three WAN interfaces for my VPN connections (VPN1_WAN, VPN2_WAN, and VPN3_WAN). On the other side of the equation, I have my LAN and 9 VLANs (although at this time I am only utilizing 5 VLANs). Using the Traffic Shaper Wizard, I set up 4 WAN interfaces and 10 LAN interfaces; when I get to the first part, where it asks what the upload/download speeds are for the WAN devices, I am at a loss.

My speed in theory is 20Mbps/5Mbps, and after many speed tests, I come up with my numbers (minus 10%) for the first WAN interface. Now should I use the same numbers for the other WAN interfaces, or should I just use a single WAN interface when I use the wizard? My thinking is that if I use the 4 WAN devices and plug in the up/down speeds, I would assume (assuming can be dangerous at times) that pfSense will believe that I have 20Mbps/5Mbps * 4 (or 80Mbps/20Mbps, using the advertised speed as opposed to the real speed) rather than just the 20Mbps/5Mbps shared among 4 WAN interfaces.

Since I am on this issue with the Multi-WAN/Multi-LAN: if I make use of (for instance) VOIP, and want to make use of UDP ports 19302-19309, I am assuming that everything ends up as a floating rule and will be handled across the board on all interfaces? I have yet to tackle the traffic issue because of the numerous interfaces, but I am now having issues with things like VOIP, etc., so I would like to resolve this.

Any pointers would be greatly appreciated!

Captive Portal / Re: APs, VLANs and no access, oh my!!!
« on: January 21, 2018, 07:20:16 am »

Your clients are using DHCP and received an IP, gateway, DNS, etc.?
As per - even before authenticating, clients can resolve ?

Using multiple SSIDs, VLANs and NOT using the pfSense as a DNS for your Captive Portal network means: adding 3 systems together and then testing.
I wouldn't proceed like that.
Implement one step at a time, test, then add another step, combine, and test, then you know what goes wrong, and probably why.

Btw: your Captive Portal GUI firewall rules seem fine to me, but I advise you to use the commands shown here so you can also see the ipfw rules (applied top to bottom). The ipfw rules are not the GUI rules; ipfw rules are used first, and then the GUI rules.

As long as the CP is not enabled (actually even when the CP is enabled), the client gets DHCP correctly:

   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : local.lan
   Link-local IPv6 Address . . . . . : fe80::c887:397d:60d7:4e9e%14
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

I have followed the troubleshooting and this is what I ended up with:

[2.4.2-RELEASE][root@router-01.local.lan]/root: ipfw table all list
--- table(cp_ifaces), set(0) ---
re0.15 2100 20 1066 1516539876
--- table(vl15_guest_auth_up), set(0) ---
--- table(vl15_guest_host_ips), set(0) ---
0 0 0 0
--- table(vl15_guest_pipe_mac), set(0) ---
--- table(vl15_guest_auth_down), set(0) ---
--- table(vl15_guest_allowed_up), set(0) ---
--- table(vl15_guest_allowed_down), set(0) ---

[2.4.2-RELEASE][root@router-01.local.lan]/root: ipfw table vl15_guest_auth_up list
--- table(vl15_guest_auth_up), set(0) ---

[2.4.2-RELEASE][root@router-01.local.lan]/root: ipfw table vl15_guest_auth_down list
--- table(vl15_guest_auth_down), set(0) ---

Again, this is when I have the CP enabled, since there would not be anything if it wasn't enabled? Again, if I disable the CP, then clients access the internet with no problems. If I enable the CP and attempt to connect to, say, it hangs for about 3 or 4 minutes and then times out.
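The `ipfw table all list` output above is the main evidence in this post, and the thing to read off it is whether the zone is bound to an interface and whether any client has made it into the authenticated tables. The parser below is an added example (not code from the thread or from pfSense); it accepts the exact format ipfw prints, including a header that shares a line with the shell prompt, and summarises a zone. The table roles are an assumption based on the pfSense 2.4 naming (cp_ifaces = bound interfaces, <zone>_auth_up/down = authenticated clients, <zone>_allowed_* = allowed IPs/hostnames); the sample text is reconstructed from the poster's paste.

```python
"""Parse `ipfw table all list` output from a pfSense 2.4 captive portal box.

Added example, not from the forum post. The sample below is the poster's
captured output re-assembled by hand; the table-role interpretation in
zone_status() is an assumption based on pfSense 2.4 table naming.
"""
import re
from typing import Dict, List

# ipfw prints one header per table, then one entry per line until the next header.
HEADER = re.compile(r"--- table\((?P<name>[^)]+)\), set\((?P<set>\d+)\) ---")

# Constructed sample: the tables the poster listed for zone "vl15_guest".
SAMPLE_OUTPUT = """\
[2.4.2-RELEASE][root@router-01.local.lan]/root: ipfw table all list   --- table(cp_ifaces), set(0) ---
re0.15 2100 20 1066 1516539876
--- table(vl15_guest_auth_up), set(0) ---
--- table(vl15_guest_host_ips), set(0) ---
--- table(vl15_guest_pipe_mac), set(0) ---
--- table(vl15_guest_auth_down), set(0) ---
--- table(vl15_guest_allowed_up), set(0) ---
--- table(vl15_guest_allowed_down), set(0) ---
"""


def parse_ipfw_tables(text: str) -> Dict[str, List[str]]:
    """Return {table_name: [entry, ...]} for every table in the listing."""
    tables: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A header may share a line with a prompt (as in the poster's paste) or
        # with a trailing entry, so search rather than anchor at the start.
        m = HEADER.search(line)
        if m:
            current = m.group("name")
            tables.setdefault(current, [])
            trailing = line[m.end():].strip()
            if trailing:
                tables[current].append(trailing)
            continue
        if current is not None:
            tables[current].append(line)
    return tables


def zone_status(tables: Dict[str, List[str]], zone: str) -> dict:
    """Summarise one captive-portal zone from its tables (role mapping assumed)."""
    # cp_ifaces entries start with the interface name, e.g. "re0.15 2100 20 ...".
    ifaces = [entry.split()[0] for entry in tables.get("cp_ifaces", [])]
    auth_up = tables.get(f"{zone}_auth_up", [])
    auth_down = tables.get(f"{zone}_auth_down", [])
    allowed = (tables.get(f"{zone}_allowed_up", [])
               + tables.get(f"{zone}_allowed_down", []))
    return {
        "zone_bound": bool(ifaces),                 # CP is attached to an interface
        "interfaces": ifaces,
        "authenticated_clients": len(auth_up),      # empty => nobody has passed the portal
        "auth_tables_consistent": len(auth_up) == len(auth_down),
        "allowed_entries": len(allowed),            # pre-auth allowed IPs/hostnames
    }


if __name__ == "__main__":
    status = zone_status(parse_ipfw_tables(SAMPLE_OUTPUT), "vl15_guest")
    for key, value in status.items():
        print(f"{key}: {value}")
```

On the poster's paste this reports the zone bound to re0.15 with zero authenticated clients and zero allowed entries, which matches the symptom: every guest is still in the pre-auth state, so anything not explicitly allowed (including their public DNS servers) is blocked by ipfw before the GUI rules are ever consulted.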


Captive Portal / APs, VLANs and no access, oh my!!!
« on: January 21, 2018, 04:21:52 am »
I have set up my AP (TL WA901ND) with multiple SSIDs, in which my GUEST is tagged and accessible on my GUEST VLAN interface. If I do not enable the CP zone, my guests are able to access the internet just fine. The moment that I enable the CP, although my guest clients are able to associate with the Access Point, there is no connection with the portal page.

I currently have my GUEST interface with no access to my other interfaces except the WAN interface, and it uses public DNS servers only (so no use of the Resolver or Forwarder). I have attached my rules down below. I am assuming that I will need to use the DNS Forwarder or Resolver, but currently I use the forwarder for my interface (basically my LAN) and the rest (excluding the guest interface) use the resolver.

General Questions / Re: No access through interfaces
« on: January 19, 2018, 04:18:35 pm »
This morning, in a moment of inspiration, I thought I would get tor working. So I configured polipo as well as tor and decided that it wasn't working for me. I removed the packages and find that I could no longer access the internet.

Those aren't official packages, so whatever you did there probably messed with the pfSense install itself. Do a fresh install.

I was hoping for a snazzy way to solve this problem, but the tried and true solution always wins! I was just burning my USB thumb drive when I saw your response!


General Questions / Re: No access through interfaces
« on: January 19, 2018, 03:44:47 pm »
No responses whatsoever? There was no change to rules, interfaces, etc. How would I look through the logs to see what is causing a blockage? I would really rather not have to re-install 2.4. There has to be some explanation of why my two interfaces just stopped passing traffic.

General Questions / No access through interfaces
« on: January 18, 2018, 08:43:44 am »
This morning, in a moment of inspiration, I thought I would get tor working. So I configured polipo as well as tor and decided that it wasn't working for me. I removed the packages and find that I could no longer access the internet. I checked to make sure all of the packages were gone. From the dashboard, I am able to resolve and ping via the WAN interface, but am not able to do so from my LAN and OPT interfaces.

I did not make any changes to rules or anything else, since I was more interested in configuring the proxy at the command line and playing with my browser. So what am I missing?

Routing and Multi WAN / Re: Routing issue with AT&T?
« on: January 09, 2018, 10:13:18 am »
I noticed that my WAN interface was still showing the network as opposed to the public address.

I would look at the rules. Personally not a big fan of double nat

Thanks for suggesting to look at my rules. Of course, the issue wasn't my rules, but the search mode of looking for everything caused me to look for other things that were out of whack. I was looking at the Dashboard and noticed that on top of the normal DNS servers, I was also seeing (localhost). I took a look at System/General Setup and realized that I had not checked Disable DNS Forwarder. One check of a box, and lo and behold, packets were resolving and running out into the wild frontier of the internet.

Another nice thing was that finally I was able to get the IP Passthrough working, and my WAN interface now shows the public IP address. Life is groovy!

Routing and Multi WAN / Re: Routing issue with AT&T?
« on: January 07, 2018, 08:31:35 pm »
So I switched from Spectrum to AT&T. I was fine with my SB6121->pfsense->LAN, but now that I have the BGW210-700->pfsense->LAN, I can't seem to get to the internet from anything behind pfsense. I have IP Passthrough enabled on the BGW210, but still no internet. I can ping from pfsense, but no internet from the LAN. I can update packages on pfsense as well. I have changed the pfsense LAN to 192.168.2.x since the BGW210 is 192.168.1.x, but other than that, nothing else has changed.

If you have an ip passthrough, is your Wan interface on pfsense getting a public ip?

There is something more to it that's missing. Could be something with routing/gateway or rules, but cannot say anything without looking at it.

I noticed that my WAN interface was still showing the network as opposed to the public address. It is interesting to me that initially, one VLAN stopped connecting to the internet, but the other VLAN was working fine. After my reboot, both VLANs failed to connect to the internet. I truly wish that I didn't have to use AT&T as a provider!

Routing and Multi WAN / Re: Routing issue with AT&T?
« on: January 06, 2018, 11:38:37 pm »

Just reboot pfsense; it should start working. This happens if your LAN IP series becomes the WAN IP series.... I mean I did the same ... rebooting resolved the issue.

I have already done that.  I have also verified both IPv4 and IPv6 is enabled on the WAN of pfsense.

I am running into the same issue. Granted, I have multiple VLANs in play; a couple of days ago, one of my VLANs (the one that I use for management) stopped connecting to the internet. For a while, the VLAN that I use for clear traffic (pretend this is my LAN) worked, but while trying to see what this issue is, I rebooted my APU and suddenly, that VLAN no longer connected to the internet. Like you, I also am trying to use IP Passthru, but my WAN interface is still showing the network that I have the DSL modem set to, and the only way that I can access the internet is through using the wifi interface on the BGW-210 modem.

Any other suggestions?

General Questions / Re: Proper setup of switches
« on: January 04, 2018, 02:24:25 am »
The re drivers and the APU work fine even with dot1q. They are workhorses.

Being miserly is fine but that switch is broken. Get a D-Link DGS-1100-08. They're about $30 and they actually work.

I will go replace it with the DGS-1100. I am somewhat confused, since the result of what I was trying to achieve seems to be working. On the SG108, I have the LAN interface on port 1; I have the OPT interface on port 2, which has VLAN[5, 10, 15, 20] trunked; I have my TP-Link WA901ND AP with multiple SSIDs using VLAN[5, 10, 15, 20] tagged on port 3 of the switch.

When I connect to a particular SSID using DHCP, I am assigned the appropriate IP address from the correct VLAN. I don't normally hard-connect to the untagged ports, but if I create a static address in any of the VLANs or the LAN, I have a proper connection on the subnet. I am unclear on the purpose of an untagged port as well as the PVID, but everything seems to work as I think it should. So what does it mean that the TP-Link has issues?

General Questions / Re: Proper setup of switches
« on: January 03, 2018, 01:49:03 am »
Yeah sorry, but between the re0 (realtek) and TP-Link, you're gonna have a bad day.  :P

Assuming you can pop in a PCIe card, you can ebay some new gear for less than 50 USD and have intel NICs and a Cisco gigabit 24 port switch  ;) A bit more to learn but its not that bad. Cisco has amazing documentation.

Well, it is what I have to work with... I could switch to the equipment at the home location. But the reality is that I am trying to be as miserly as possible on power, since I am using my travel trailer that I use when I am working. So the need for the APU, a decent low-powered switch and probably the Nanostation.

General Questions / Re: Proper setup of switches
« on: January 01, 2018, 11:47:09 pm »
(although I am actually using a TP-Link SG108E)

Bad choice.  TP-Link switches don't handle VLANs properly.  There's another thread about problems with the similar SG105E.

Well, I have a Netgear GS108E v2 (which is why I was using the TP-Link, because of being able to access it via the web interface as opposed to the configuration program for the v2) or a Mikrotik Routerboard RB951Ui (which I really didn't want to mess with because of the learning curve). Would either of these work better?

General Questions / Re: Proper setup of switches
« on: January 01, 2018, 08:06:44 pm »
Well you would really have something like this:

WAN (re1) -- DHCP
LAN (re2) --
OPT1 (re0.5)   VLAN05 -->
OPT2 (re0.10)  VLAN10 -->
OPT3 (re0.15)  VLAN15 -->
OPT4 (re0.20)  VLAN20 -->

The switch port connected to re0 would have to have VLANs 5, 10, 15, and 20 TAGGED on that switch port.

I cleaned up my original posting. I have the trunk on port 2 with all of the VLANs, as well as on port 3.
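The interface assignment above (re0.5 through re0.20 behind one trunked switch port) and the earlier question in this thread about what an untagged port and the PVID actually do are both answered by the same small model of 802.1Q ingress classification and egress tagging. The code below is an added example, not code from the thread, from pfSense or from the switch vendor. It builds the switch layout the poster describes: port 1 an access port for the pfSense LAN (re2), port 2 the trunk to re0 carrying VLANs 5/10/15/20 tagged, and port 3 the TP-Link AP with the same VLANs tagged. The PVID of 1 on every port, VLAN 1 being untagged only on port 1, and ingress filtering being enabled are assumptions, not facts from the post.

```python
"""Minimal 802.1Q switch model: PVID classification on ingress, tag/untag on egress.

Added example, not from the thread. Port memberships follow the poster's
description of the SG108E; PVID values and ingress filtering are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                   # VLAN given to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out with an 802.1Q tag
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out with the tag stripped

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


@dataclass
class Frame:
    ingress_port: int
    vid: Optional[int] = None                   # None = arrived without an 802.1Q tag


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, frame: Frame) -> Optional[int]:
        """VLAN the frame belongs to inside the switch, or None if ingress filtering drops it."""
        port = self.ports[frame.ingress_port]
        if frame.vid is None:
            return port.pvid                    # untagged frames take the port's PVID
        # Assumption: ingress filtering on, so a tag the port is not a member of is dropped.
        return frame.vid if port.member_of(frame.vid) else None

    def egress(self, frame: Frame, out_port: int) -> str:
        """How the frame leaves out_port: 'tagged', 'untagged' or 'dropped'."""
        vid = self.classify(frame)
        if vid is None or out_port == frame.ingress_port:
            return "dropped"
        port = self.ports[out_port]
        if vid in port.tagged:
            return "tagged"
        if vid in port.untagged:
            return "untagged"
        return "dropped"                        # out_port is not a member of this VLAN


def forward(switch: Switch, frame: Frame) -> Dict[int, str]:
    """Disposition of the frame on every port other than the one it arrived on."""
    return {p: switch.egress(frame, p) for p in switch.ports if p != frame.ingress_port}


TRUNK_VLANS = {5, 10, 15, 20}

# Constructed from the poster's description; PVIDs assumed.
SG108E = Switch({
    1: Port(pvid=1, untagged={1}),              # pfSense LAN (re2): plain access port
    2: Port(pvid=1, tagged=set(TRUNK_VLANS)),   # trunk to pfSense re0 (OPT1..OPT4)
    3: Port(pvid=1, tagged=set(TRUNK_VLANS)),   # TP-Link WA901ND, one SSID per VLAN
})


if __name__ == "__main__":
    for frame in (Frame(3, 15), Frame(3, None), Frame(1, None), Frame(3, 30)):
        print(f"port {frame.ingress_port} vid={frame.vid}: {forward(SG108E, frame)}")
```

Running it shows the three behaviours the thread circles around: a frame tagged 15 from the AP reaches only the trunk port and leaves it tagged (so re0.15 sees it), an untagged frame from the AP (its management traffic, for instance) is classified into the PVID and lands on the LAN access port untagged rather than on the trunk, and a tag the port is not a member of is dropped at ingress. The PVID is the only thing that decides where untagged frames go, which is why it matters even on a port you only ever use tagged.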
