Messages - securedspace

How is the Linksys connected?  Via WAN port or LAN?  If you're using it as just an AP, you'd connect via the LAN ports.

Cable Modem -> WAN Port on PFSense Box

PFSense Box LAN port to Linksys box.

I configured DDWRT on the Linksys Box to ignore WAN/LAN designations on the ports, so it doesn't matter which port on the Linksys Box gets connected to the PFSense Box.

I installed my PFSense box about a month ago, and the set up is:

Cable Modem (bridge mode) > PFSense (running DHCP server) > Linksys Router running DD WRT as an Access Point > every device in my home, both wired and wireless.

The problem I'm having is that the internet connection on my Linksys DD WRT box will die for about 30 seconds, a few times a day randomly. I think the router is rebooting, since the WiFi signal stops. And on my laptop, I can't find the router for about 30 seconds, and then it reappears and everything is fine.

I'm not sure where to start looking for the cause of this, but I've owned the router for over a year and it's been solid until I disabled DHCP, converted it to be an AP only, and added the PFSense box between it and the cable modem. So I assume something about the PFSense box, or the configuration changes I made to the router are to blame.

It could also be the PFsense box itself is rebooting or dropping internet connection although I doubt it, because it seems like the router itself has the WiFi die during this time. If the PFsense box was to blame for the dropped connection, I'd expect WiFi to still be on, but lose access to internet.

Any thoughts?

General Questions / Re: What is my PFSense FQDN and How to Change it?
« on: December 11, 2017, 10:15:07 pm »
The FQDN is the combination of host name and domain name.  So, if both are properly set up, then you won't have the problem.  Also, make sure the host name is configured in your DNS server.

How do I access it from my web browser via that combination?

Do I concatenate them with a period and append http:// before it? The reason I need to know is that I read I shouldn't use the 192.168.x.x to access it, and instead I should use the FQDN, at least once I set up the certificate to avoid the annoying error message that requires 3 clicks to bypass on Safari.


Pro tip for the firewall rule: If you have multiple Sonos devices, group them together within the address range of a smaller subnet size. For example, I have my Sonos devices between x.x.x.177 and x.x.x.190. By doing this, I can create one firewall rule for network x.x.x.176/28 on my LAN to block all of my Sonos devices easily.

Interesting, I do have multiple Sonos devices, but haven't dug into the config for it yet. I assumed the one Sonos device that is acting as a bridge is receiving an IP via DHCP from my PFSense box currently. And then that Sonos Bridge (a playbar) is running its own form of DHCP across its proprietary wireless network it creates with the other devices.  I haven't gotten around to checking to see if each Sonos device is getting an IP from the PFsense box, nor have I assigned Sonos a static IP yet, which I think is prudent to help with rules.

Do you think it's worthwhile to keep a spreadsheet handy with every static IP assigned on my device and perhaps the MAC addresses of all of my devices, so that if things get wonky, I at least know the MAC address of each Sonos device and can try to backtrace issues based on that? If so, is there any format that works? I'm just thinking simply:

Name of Device (Sonos Playbar, Xbox One, Apple TV, etc)
Physical Location of Device (bathroom, bedroom, etc)
MAC Address of Device
Static IP of Device
Connection Type (Wireless to AP, Hardwired to PFSense Box, Hardwired to Sonos Playbar, etc)

If something breaks once I have it set up, it would be nice to have a tool like this built in advance.
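The grouping tip and the inventory format from the post above, as an added example that is not part of the original thread: it loads an inventory with the five proposed columns, computes the smallest single network covering one device group, and lists any other devices a rule on that network would also match. The 192.168.1.x addresses, MAC addresses and device names are constructed sample data, and the function names are hypothetical.

```python
import csv
import io
import ipaddress

# Constructed sample inventory using the columns proposed in the post
# (MACs are from the documentation range, not real devices).
INVENTORY_CSV = """name,location,mac,ip,connection
Sonos Playbar,living room,00:00:5e:00:53:01,192.168.1.177,Hardwired to PFSense box
Sonos Play:1,bedroom,00:00:5e:00:53:02,192.168.1.180,Wireless to Sonos Playbar
Sonos Play:1,bathroom,00:00:5e:00:53:03,192.168.1.190,Wireless to Sonos Playbar
Xbox One,living room,00:00:5e:00:53:04,192.168.1.50,Wireless to AP
Apple TV,bedroom,00:00:5e:00:53:05,192.168.1.185,Wireless to AP
"""


def load_inventory(text):
    """Parse the CSV and convert each static IP into an address object."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ip"] = ipaddress.ip_address(row["ip"])
    return rows


def covering_network(addresses):
    """Return the smallest single CIDR block that contains every address."""
    addresses = list(addresses)
    net = ipaddress.ip_network(str(addresses[0]))  # starts as a /32 host route
    while not all(addr in net for addr in addresses):
        net = net.supernet()  # widen by one prefix bit at a time
    return net


def plan_rule(rows, name_prefix):
    """Network for one rule covering a device group, plus devices outside
    the group whose static IP falls inside that network."""
    group = [r for r in rows if r["name"].startswith(name_prefix)]
    net = covering_network(r["ip"] for r in group)
    collateral = [r["name"] for r in rows
                  if r not in group and r["ip"] in net]
    return net, collateral


if __name__ == "__main__":
    network, also_matched = plan_rule(load_inventory(INVENTORY_CSV), "Sonos")
    print("rule network:", network)
    print("other devices inside it:", also_matched)
```

A non-empty second result means a block rule on that network would also cut off a device that was never meant to be in the group, so that device's static IP should be moved out of the range first.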

General Questions / What is my PFSense FQDN and How to Change it?
« on: December 11, 2017, 09:26:35 pm »
To be honest, I never heard the term FQDN before an hour ago, but I'm learning as I go. My goal is to accomplish setting up my PFsense box slowly over the next few months and learn the underlying networking concepts for each configuration as I go.

Currently, I decided I didn't like that my Safari web browser makes me click through several warnings to access my PFSense box. Thus, I learned the basics of CAs and Certificates. I even found several incomplete guides on how to either create or self-sign a certificate and install it in my PFsense box, and I hit what must be the easiest question, because I can't find any documentation on it.

What is the FQDN of my PFsense box and how do I change it?

The closest my searching has found is that the FQDN is a combination of the Host name and Domain that I see on the System -> General Set up screen.

However, that's the most I found. I assume it's a concatenation with a period, but when I try that in Safari, it doesn't work. It just searches Google for that. So I added Http:// before the hostname.domain and it's still not working.

Also, while I'm changing it, what are best practices? I assume there's no benefit in obscuring it. Anyone attempting to hack me who is already on the network can use an arp -a command to find the PFsense box and access it via local IP.

I'm just getting into PFsense for the first time and am very excited for the possibilities. I'm still learning about networking principles and am having fun so far. What I'd like to do next is learn how to best isolate Sonos from phoning home, stop it from being an attack surface, or doing anything else dangerous.

My setup is: [Cable Modem in Bridge Mode] --> [Protectli PFSense Box running DHCP server] --> [DD WRT Wireless Router in AP mode, DHCP server off]

I can either plug the Sonos "base station" into the Protectli box directly, or into the DD WRT Wireless Router, and I think directly into the Protectli box is safer, but please correct me if I'm wrong. I also think giving the Sonos base station a static IP on my internal network is better than DHCP since I can likely make rules easier for a static IP device. But I'm not sure.

My concern is that Sonos might be phoning home, possibly with microphone data, since I think the pre-Echo Sonos units have some form of microphone in them to help calibrate sound in rooms. Sonos recently updated their TOS to make it less private, and I've avoided installing the new software because of it. The new TOS lets them send even more information back to their mothership.

I'm not using Sonos to connect to any 3rd party audio servers (such as Spotify), so as far as I'm concerned, Sonos does not need to talk to the outside world at all, unless I manually decide to allow a software update. However, I am concerned I can't segregate it from everything else, because I still want my iOS and OS X devices to be able to control the Sonos unit, which requires it be on the same WiFi network. So I think the best course here, using my non-technical understanding, is to keep Sonos on my primary network, but tell PFSense to disallow any outgoing connections through the Gateway (my cable modem).

Any thoughts on where to start?

Interfaces > WAN

Interfaces > LAN

IPv6 Configuration Type: None

That seems to have worked! At least with respect to making that one IPV6 website display my PIA VPN. I assume that the website preferentially loads with IPV6 but if that's not available, it will force IPV4. I only have a basic understanding of networking though.

I did have to disable the IPV6 DHCP service that was running before it let me disable the LAN IPV6 but that only took me a second to figure out where it was.

Anything else I should try to ensure IPV6 isn't leaking my real IP?

Why not just disable IPv6 on your WAN and LAN interface?

That sounds like a great idea! Can you walk me through where that option exists?


First post - I bought a new Protectli box to install PFsense on for the first time. I installed the newest version, 2.4.2 and am setting it up. I wasn't able to get PIA's instructions to work properly since it seems that their screenshots were from an older version of PFsense.

Specifically of concern is that their version of PFSense has an option to disable IPV6 from the OpenVPN configuration. That doesn't appear in v2.4.2, or if it does, the wording has changed and I don't see it.

I was able to connect to the VPN over PFsense; however, when I went to an IPV6 site, whatismyip dot com, it was able to see my true home IP address. However, IPV4-based sites did show my PIA VPN IP.

PIA discusses IPV6 leakage as a problem and claims that IPV6 is too expensive and too new to bother supporting. PIA is my first and only VPN I have used for the last few years and I don't know if any other VPN providers are offering IPV6 or if PIA is being cheap. PIA does offer IPV6 leak protection if using their proprietary application; however, my goal with buying the Protectli box was to set up PFsense to be my VPN for all outbound traffic.

Please advise if there is a setting to block IPV6 - my search results of the forum here just showed several very old posts that were not helpful. Or is the recommendation that I either change VPN providers, downgrade PFsense software, or return the Protectli box if it's just not possible to protect against IPV6 leaks?

Thanks so much in advance for any help.
