
Messages - Maxburn

Following up: I started over, following this guide:

That guide is so simple and leaves out anything about client specific overrides, no iroute CCD entries etc. As far as the firewall rules go there was already something in there from a wizard I tried before which still looked suitable.

Loaded the client export to the ERX and it failed, logs show --pull is inappropriate for UDP. Without much hope I commented that out in the config file and retried, tunnel came up. But I couldn't ping back and forth. Then found this in the system logs for openvpn in pfSense:

ERROR: FreeBSD route add command failed: external program exited with error status: 1

Googling that it's a routing issue. So I checked over that guide again, couldn't find anything wrong and said heck with it, rebooted pfSense. When it came back up that error was gone, tunnel was up. Local LAN devices could reach remote LAN and vice versa.

So yay?

ping and traceroute may do well. ICMP is a stateless protocol. The problems with that come if you establish a stateful connection.

So I'd try one of the suggestions.

OK, thanks for bearing with me! That one got through, I can just about picture how that makes a difference with how things are flying around.

Maybe I'm not expressing the problem right, at the moment everything can reach everything else. See these traceroutes below. BUT when I reach out from my local LAN to those remote devices I can only stay connected for a minute or two. I haven't done anything in the pfSense firewall yet either, maybe that's the issue??

This is my remote raspberry Pi reaching back to some random local LAN device
Code:
user@raspberrypi:~ $ traceroute
traceroute to (, 30 hops max, 60 byte packets
 1 (  0.598 ms  0.524 ms  0.478 ms
 2 (  80.190 ms  80.152 ms  80.372 ms
 3 (  3049.530 ms !H  3089.671 ms !H  3089.633 ms !H
pi@raspberrypi3:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast

This is my local chromebook reaching a remote LAN device.
Code:
crosh> ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=62 time=49.3 ms
64 bytes from icmp_seq=2 ttl=62 time=44.9 ms
64 bytes from icmp_seq=3 ttl=62 time=43.4 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 43.487/45.909/49.310/2.482 ms
crosh> tracepath
 1?: [LOCALHOST]                                         pmtu 1500
 1:  pfSense.localdomain                                   1.393ms
 1:  pfSense.localdomain                                   1.054ms
 2:  ubuntuserver.localdomain                              1.252ms asymm  1
 3:                                           50.313ms asymm  2
 4:                                             45.226ms reached
     Resume: pmtu 1500 hops 4 back 3

From the 2nd link you provided:
the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work.

This is exactly what I said, when I said to add specific routes to each device.

Yes, that's a work around. If you can't do the thing it mentions before that:

That means in our example: must know that for 10.10.1.x 10.10.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to This is true for any number of lans you want to connect, whether server or client.

I don't think you understood me. I put a static route in pfsense, which is the default gateway for everything on my local LAN. It should see that traffic and send it to the VPN.


So, if a device on the LAN wants to send a packet to the other end of the VPN, it sends it to pfSense, which is supposed to route it back out the interface it came in on, to get to the VPN elsewhere on the local LAN?  That's not the way routers work.  You'll need to add the specific route to all the devices that want to send traffic to the VPN.

Yes, exactly. Do you think I am interpreting this wrong?

Code:

Tracing route to over a maximum of 30 hops

  1     1 ms    <1 ms     2 ms  pfSense.localdomain []
  2     1 ms     1 ms    <1 ms  ubuntuserver.localdomain []
  3    47 ms    41 ms    45 ms

Trace complete.

   IPv4 Address. . . . . . . . . . . :

Correction; This entry

System / Routing / Static Routes

  • Destination Network: remote network entered as "" drop down /24
  • Gateway; Selected the above created gateway

Does allow local LAN devices to ping remote LAN devices all day long.

But once I SSH into a remote server and tell it to ping something on my local LAN this works great for a little while and then I get disconnected. The VPN tunnel is not dropping.

Edit, more info. This looks like what I want to see going on from the LAN.

Code:

Tracing route to over a maximum of 30 hops

  1     1 ms    <1 ms     2 ms  pfSense.localdomain []
  2     1 ms     1 ms    <1 ms  ubuntuserver.localdomain []
  3    45 ms    42 ms    40 ms
  4    44 ms    41 ms    41 ms

Code:
user@'s password:
Linux raspberrypi3 4.9.59-v7+ #1047 SMP Sun Oct 29 12:19:23 GMT 2017 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Mar 16 14:17:23 2018 from
user@raspberrypi3:~ $ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=62 time=76.1 ms
64 bytes from icmp_seq=2 ttl=62 time=40.0 ms
64 bytes from icmp_seq=3 ttl=62 time=44.1 ms
64 bytes from icmp_seq=4 ttl=62 time=42.9 ms
64 bytes from icmp_seq=5 ttl=62 time=41.4 ms
64 bytes from icmp_seq=6 ttl=62 time=39.8 ms
64 bytes from icmp_seq=7 ttl=62 time=39.0 ms
64 bytes from icmp_seq=8 ttl=62 time=42.7 ms
64 bytes from icmp_seq=9 ttl=62 time=40.8 ms
64 bytes from icmp_seq=10 ttl=62 time=39.8 ms
64 bytes from icmp_seq=11 ttl=62 time=42.8 ms
64 bytes from icmp_seq=12 ttl=62 time=40.3 ms
64 bytes from icmp_seq=13 ttl=62 time=44.2 ms
64 bytes from icmp_seq=14 ttl=62 time=42.8 ms
64 bytes from icmp_seq=15 ttl=62 time=40.8 ms
64 bytes from icmp_seq=16 ttl=62 time=43.6 ms
64 bytes from icmp_seq=17 ttl=62 time=42.9 ms
64 bytes from icmp_seq=18 ttl=62 time=42.6 ms
64 bytes from icmp_seq=19 ttl=62 time=44.1 ms
64 bytes from icmp_seq=20 ttl=62 time=42.7 ms

putty session disconnected...

If the VPN endpoint is within the LAN, a static route on the edge router cannot resolve the routing issue.
You rather need static routes on each LAN device pointing to the Ubuntu server.

I don't think you understood me. I put a static route in pfsense, which is the default gateway for everything on my local LAN. It should see that traffic and send it to the VPN.

More findings, changing the static route entry:

System / Routing / Static Routes

  • Destination Network: remote network entered as "" drop down /24
  • Gateway; Selected the above created gateway

This allows anything on my local LAN to communicate to anything on my remote LAN, great

But, things on the remote LAN can't reach anything on my local LAN. This baffles me.
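The asymmetry the replies above describe (pfSense is asked to route a packet back out the LAN interface it arrived on, while the return traffic goes from the Ubuntu VPN server straight to the LAN host) can be traced with a small routing-table simulation. This is an added example, not code from the thread; the addresses (10.0.1.0/24 local LAN, 10.8.0.0/24 tunnel, 10.0.3.0/24 remote LAN, and the host addresses) are constructed because the real ones were stripped from the page.

```python
import ipaddress

# Constructed addressing (the thread's real addresses were stripped from the page):
# local LAN 10.0.1.0/24 behind pfSense, OpenVPN tunnel 10.8.0.0/24, remote LAN 10.0.3.0/24 behind the ERX.
LOCAL_LAN = ipaddress.ip_network("10.0.1.0/24")
TUNNEL = ipaddress.ip_network("10.8.0.0/24")
REMOTE_LAN = ipaddress.ip_network("10.0.3.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

ADDR = {"lan_host": "10.0.1.100", "pfsense": "10.0.1.1", "ubuntu": "10.0.1.50",
        "erx": "10.0.3.1", "remote_host": "10.0.3.20"}
NODE_OF = {ipaddress.ip_address(a): n for n, a in ADDR.items()}

def build_tables(route_on_each_lan_host):
    """Routing table per node: (destination, next-hop node); None = directly connected.
    Internet/default routes beyond pfSense are omitted; they never carry VPN traffic here."""
    lan_host = [(LOCAL_LAN, None), (DEFAULT, "pfsense")]
    if route_on_each_lan_host:          # the work-around recommended in the thread
        lan_host.insert(0, (REMOTE_LAN, "ubuntu"))
    return {
        "lan_host": lan_host,
        "pfsense": [(LOCAL_LAN, None), (REMOTE_LAN, "ubuntu")],   # the GUI static route
        "ubuntu": [(LOCAL_LAN, None), (TUNNEL, None), (REMOTE_LAN, "erx")],
        "erx": [(REMOTE_LAN, None), (TUNNEL, None), (LOCAL_LAN, "ubuntu")],
        "remote_host": [(REMOTE_LAN, None), (DEFAULT, "erx")],
    }

def lookup(table, dst):
    """Longest-prefix match; returns the next-hop node (None = deliver directly)."""
    _, next_hop = max((e for e in table if dst in e[0]), key=lambda e: e[0].prefixlen)
    return next_hop

def trace(tables, src, dst, max_hops=10):
    """Nodes a packet from src to dst traverses, following each node's own table."""
    dst_ip = ipaddress.ip_address(ADDR[dst])
    path, node = [src], src
    for _ in range(max_hops):
        next_hop = lookup(tables[node], dst_ip)
        node = NODE_OF[dst_ip] if next_hop is None else next_hop
        path.append(node)
        if node == dst:
            return path
    raise RuntimeError("routing loop")

def firewall_sees(tables, a, b, firewall="pfsense"):
    """(forward, reverse): whether the stateful firewall sits on each direction's path."""
    return firewall in trace(tables, a, b), firewall in trace(tables, b, a)
```

With the static route only on pfSense the firewall is on the forward path but not on the return path, so it sees one side of every TCP/SSH flow and cannot keep a valid state for it, while stateless ICMP is unaffected; with the route on each LAN host pfSense is on neither path and the flow is symmetric.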

Why do you not run the OpenVPN server on pfSense?

I could not wrap my head around the GUI to make OpenVPN do what I wanted. I have decent experience with this at work doing site to site between endpoints that are the default gateway but we aren't routing to the server LAN.

OK, I have a Ubuntu server on my local LAN running OpenVPN. I also have a remote Ubiquiti Edgerouter connecting to my Ubuntu OpenVPN with no issue, port forwarding etc in local pfSense working fine tunnel up etc. Current Symptoms:
  • Local Ubuntu server can ping and SSH into multiple things on remote LAN
  • Remote Edgerouter and a linux server on remote LAN can ping the Ubuntu server local LAN IP, but can't reach anything else on local LAN
  • Nothing else on local LAN can reach remote LAN
So, sounds like I need to add a static route to pfSense to point to the local Ubuntu VPN server to allow local LAN devices to reach out to the remote LAN. Right? This is what I did and it doesn't seem to be doing anything.

System / Routing / Gateways
  • Interface: LAN
  • Address Family IPv4
  • Gateway; the Ubuntu Server LAN IP
  • Default Gateway not checked; I don't think I want this to be the LAN default gateway...
  • Disable Monitoring not checked
  • Monitor IP, blank. Ubuntu server will ping
  • In pfSense dashboard the gateway shows UP

System / Routing / Static Routes
  • Destination Network: remote VPN virtual IP entered as "" drop down /24
  • Gateway; Selected the above created gateway
Using a computer on my local LAN I can't seem to get anything on tracert past pfSense, IMO pfSense should be sending this to my Ubuntu server at but it isn't. What am I missing?

Code:

Tracing route to over a maximum of 30 hops

  1     1 ms    <1 ms     2 ms  pfSense.localdomain []
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.

Edit: I'm using these guides

I'm in need of a reverse proxy that hits the criteria below, can this be done with Squid/Squidgard? Is squid easy to work with on pfSense or should I just look into putting it on its own VM, i.e. would pfSense just be an unnecessary complication here?

  • Three internal web servers serving up http unencrypted, reverse proxy needs to add encryption.
  • Reverse proxy needs to be able to detect namespace:,, and send that to the right internal server
  • Preferred to use Letsencrypt certs, but not required.
  • LDAP authentication before any access is granted.

I'm currently doing everything except LDAP in Nginx on an Ubuntu VM, thing is I looked at Nginx LDAP and it's just over my head so I'm looking around to see what else is available.


First off, needs to be in Remote Networks there. Yes, there and the CCD.

I think that's key. Thing is there was no entry on that page for remote networks. Likely because I selected remote access? I know how it needs to be both in the server config and CCD in plain config files. I changed it to Site-To-Site shared key and that field appeared. Redid everything for that new configuration and now having much less success, endpoints can't even ping the opposite VPN IP let alone anything on the LAN.

Time to back up and reassess this situation, I just spent a day getting something working and failing that I plainly know how to do, but already I'm thinking this would be easier if either I had pfSense on both ends so I could follow guides OR if I just skipped it in pfSense altogether and ran OpenVPN on my ubuntu server with the same configuration we use at work in text files. I'm a little shocked at that last part, I am a big fan of GUI but in this one case I took the time to get things working in plain config files so I oddly prefer that now in this one case.

Is there no way to just upload an OpenVPN server config and CCD file in pfSense?

I set up an OpenVPN server at my house in pfSense and imported the VPN config to a remote Ubiquiti Edgerouter X. Tunnel is up but I'm having routing difficulty. Both pfSense and the ERX are the default gateway on their LANs. I want devices on either LAN to reach the opposite LAN, Site to Site. Worked with this guide

From what I understand those last two things should set up the route/iroute OpenVPN stuff that's necessary. Unfortunately I have no idea where to see the raw OpenVPN server config file or CCD files to see if this is true. I've done this stuff with Windows as the OpenVPN server and the ERX before, just can't figure out the pfSense GUI. I haven't messed with entering any static routes myself, IMO OpenVPN and these two devices already being the default gateways should be enough?!?

  • pfSense local LAN
  • OpenVPN virtual network
  • is ERX VPN IP, static assignment via client config
  • Remote ERX LAN

  • Nothing on 10.0.1.x including the pfSense ping utility can reach anything on 10.0.3.x
  • pfSense ping utility can reach, the remote ERX VPN IP
  • The remote ERX can ping anything it wants on 10.0.1.x entire LAN, and my phone using the same pfSense OpenVPN server can reach anything it wants
  • Other things on the 10.0.3.x LAN can not reach 10.0.1.x IPs
  • The remote ERX can ping, the OpenVPN server IP.
  • Other things on the 10.0.3.x LAN can not reach
  • In the ERX I can see an automatically created route to with next hop

pfSense OpenVPN server configuration
  • Remote access TUN / UDP
  • Tunnel network
  • Redirect gateway off
  • IPv4 local networks has in it
  • Provide DNS server is available with listed FWIW

Client specific Overrides, I'm thinking of this as the OpenVPN CCD file, right?
  • has my openvpn server selected
  • has an entry of the connecting ERX common name
  • Tunnel:
  • IPv4 local networks:
  • IPv4 remote networks
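The "needs to be in Remote Networks there, and in the CCD" point from the earlier reply, and the question of what the Client Specific Override corresponds to in a plain OpenVPN config, can be made concrete by rendering the text-file equivalent of those GUI fields and checking them against each other. This is an added example, not pfSense's own generator: it assumes topology subnet, a hypothetical CCD directory path, and constructed networks (10.8.0.0/24 tunnel, 10.0.1.0/24 local, 10.0.3.0/24 remote) because the page's values were stripped.

```python
import ipaddress

def _net(cidr):
    """'network netmask' form that OpenVPN's route/iroute directives use."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"

def render_server_conf(tunnel, local_nets, remote_nets, ccd_dir="/etc/openvpn/ccd"):
    """Server-side lines for the 'Tunnel network', 'IPv4 Local network(s)' and
    'IPv4 Remote network(s)' fields (ccd_dir is an assumed path)."""
    lines = ["dev tun", "proto udp", "topology subnet",           # assumption: subnet topology
             f"server {_net(tunnel)}", f"client-config-dir {ccd_dir}"]
    lines += [f'push "route {_net(n)}"' for n in local_nets]    # tell clients about the server LAN
    lines += [f"route {_net(n)}" for n in remote_nets]          # kernel route into the tun device
    return lines

def render_ccd(client_tunnel_ip, tunnel, remote_nets):
    """Client Specific Override == CCD file named after the client's common name."""
    mask = ipaddress.ip_network(tunnel).netmask
    lines = [f"ifconfig-push {client_tunnel_ip} {mask}"]         # static tunnel IP for the ERX
    lines += [f"iroute {_net(n)}" for n in remote_nets]         # OpenVPN-internal route to that client
    return lines

def check_site_to_site(server_remote_nets, ccd_remote_nets):
    """A LAN behind a client needs both a server 'route' (kernel -> OpenVPN) and an
    'iroute' in that client's CCD (OpenVPN -> which client). Returns problems found."""
    s = set(map(ipaddress.ip_network, server_remote_nets))
    c = set(map(ipaddress.ip_network, ccd_remote_nets))
    problems = [f"{n} has an iroute but no server route" for n in sorted(c - s)]
    problems += [f"{n} has a server route but no iroute in any CCD" for n in sorted(s - c)]
    return problems
```

The mismatch the thread ran into, a Remote Access server with no Remote Networks field while the override carries the remote LAN, is the first problem string the checker reports.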

DHCP and DNS / Re: How do I get charts and graphs like PiHole?
« on: March 04, 2018, 03:30:33 pm »
I really like that! Pretty much exactly what I am looking for. I assume there is a way to sort by requester so I could, say focus in on what my TV is doing?

DHCP and DNS / How do I get charts and graphs like PiHole?
« on: March 04, 2018, 02:04:59 pm »
I found the charts and graphs that PiHole presents quite useful and fairly easy to understand. Really let me know what is reaching out to where on my network. So how can I get the same thing out of pfSense?

Using resolver and pfBlockerng.

DHCP and DNS / Re: Quad9
« on: March 04, 2018, 02:02:05 pm »
I'm using them, their secondary isn't mentioned much but it is It works but I haven't tested speed.

General Questions / Re: HOWTO: Notifications with GMAIL SMTP
« on: January 21, 2018, 01:21:26 pm »
It appears google app passwords are a part of the paid google services (as of Jan 2018). If you try to use the above URLs to get an app password you will see "The setting you are looking for is not available for your account. GO TO MY ACCOUNT".

What you must do is set up the page as shown in OP, with your regular gmail password. Click test a couple times and it will fail. Then go log into that account and look for the security messages saying account access was blocked. You must click "this was me" and allow the connection. Further test email in pfsense should work then.

Probably a good idea to not use your main gmail account to send from due to this, just register a secondary.
