General Questions / Re: User hogging internet. How to stop it?
« on: March 06, 2018, 12:09:41 pm »
So what if 2 users want to upload they get /2 x2 = full ;)

I would suggest you ask in the traffic shaping section for what you're trying to do exactly. I'm sure the experts there will help out.

Think of it in terms of %. Not 2+2=4. Divide the bandwidth up equally so that there is enough overhead to not choke out the connection causing packet loss and such.

General Questions / Re: User hogging internet. How to stop it?
« on: March 06, 2018, 11:05:01 am »
I want it to automate this. Whenever any user tries to upload something, instead of giving them our full pipe, give them say half. Rate limiting by a single IP doesn't sound right?

General Questions / User hogging internet. How to stop it?
« on: March 06, 2018, 10:12:52 am »
What is the proper way in PFSense to get a user to quit hogging 100% of the internet connection? I've tried using a traffic shaper, but it seems to have 0 effect on helping the rest of the users on the network.

I used the wizard for multi/lan/wan, using the CBQ interface & scheduler.

IPsec / Re: Trying to hook up Sophos XG to PFSense via ipsec, need help.
« on: August 24, 2017, 04:43:07 pm »
There is generally no "server" and "client" in IPsec. There is the initiator and the responder. In general, absent other circumstances, either side can initiate.

That is what confused me. I was wondering about that. The way they word it between Sophos and PFSense threw me off too. I'll try changing that later tonight and give it a go.

IPsec / Trying to hook up Sophos XG to PFSense via ipsec, need help.
« on: August 24, 2017, 02:24:30 pm »
Following this video: it doesn't explain what to do on the pfsense side. Say if I used the pfsense as the "server" and the sophos as the "remote client." What are the steps needed to take on the pfsense to set this up?

I've done many OpenVPN setups just fine, but sadly Sophos' "OpenVPN" is proprietary and doesn't work with regular OpenVPN. So I'm stuck using IPsec, which I never use.

Thanks everybody.

General Questions / Re: Flash new software onto my SG-4860?
« on: August 22, 2017, 08:20:39 pm »
ps. Just heard there is a beta version of pfsense with central management. Cannot find these beta releases so I'm guessing I have to have special access somewhere. Would love it if an admin could assist me with that :) Would much prefer if my money spent was going with PFSense rather than Sophos. Feeling mixed about it at the moment.

General Questions / Flash new software onto my SG-4860?
« on: August 22, 2017, 07:34:40 pm »
Does anybody here have a how-to on going about installing new software onto these netgate SG-4860's? Looking to give Sophos a try and they say it can be done but I can't find a how-to.

I know it's a pfsense forum, don't hate :) Just looking to experiment and really like their cloud and UTM features. Yes I'm sure it voids any warranty that 4860 has.

General Questions / Re: System util 50% CPU non stop
« on: July 31, 2017, 07:46:15 pm »
Looks like you enabled polling. Instead of an event based system that reacts when new packets come in, it spins at 100% CPU checking to see if any new packets came in.

You rock :) Thanks.

General Questions / System util 50% CPU non stop
« on: July 31, 2017, 04:33:46 pm »
How can I tell what is causing the router CPU to stay at 50% non stop all the time?

When I run top -aSH I get these results:

Code:
last pid: 50746;  load averages:  1.09,  1.05,  1.01  up 20+06:21:25    16:35:10
126 processes: 4 running, 96 sleeping, 26 waiting

Mem: 9392K Active, 99M Inact, 200M Wired, 34M Buf, 3592M Free
Swap: 8192M Total, 8192M Free

    9 root     -16 ki-1     0K    16K CPU1    1 486.3H 100.00% [idlepoll]
   11 root     155 ki31     0K    32K RUN     0 475.2H 100.00% [idle{idle: cpu0}]
75556 root      33    0   272M 39856K piperd  0   0:04   4.69% php-fpm: pool nginx (php-fpm)
   12 root     -60    -     0K   416K WAIT    0 158:36   0.00% [intr{swi4: clock}]
   11 root     155 ki31     0K    32K RUN     1  81:13   0.00% [idle{idle: cpu1}]
   15 root     -16    -     0K    16K -       0  77:23   0.00% [rand_harvestq]
38685 root      52   20 17000K  2424K wait    0   9:57   0.00% /bin/sh /var/db/rrd/
    5 root     -16    -     0K    16K pftm    0   7:33   0.00% [pf purge]
   16 root     -72    -     0K    80K -       0   3:03   0.00% [usb{usbus0}]
16720 root      20    0 19108K  2252K nanslp  0   2:53   0.00% [dpinger{dpinger}]
16134 root      20    0 19108K  2248K nanslp  0   2:32   0.00% [dpinger{dpinger}]
24897 root      20    0 30152K 17980K select  0   1:57   0.00% /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/{ntpd}
   12 root     -88    -     0K   416K WAIT    1   1:41   0.00% [intr{irq22: ehci0}]
13938 root      20    0 16676K  2216K bpf     0   1:39   0.00% /usr/local/sbin/filterlog -i pflog0 -p /var/run/
24309 root      20    0 39144K  6540K kqread  0   1:27   0.00% nginx: worker process (nginx)
23122 root      20    0 39144K  6540K kqread  0   1:26   0.00% nginx: worker process (nginx)
22837 root      20    0 39144K  7124K kqread  0   1:26   0.00% nginx: worker process (nginx)
24318 root      20    0 39144K  6540K kqread  0   1:26   0.00% nginx: worker process (nginx)

However the dashboard shows CPU at 50% all the time and status monitoring shows it as well.

I have 3 packages installed, autoconfigbackup, aws-wizard, and ipsec-profile-wizard
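As an added check (not code from the thread or from pfSense), here is a small Python parser for the `top -aSH` output quoted above. It pulls out the `[idlepoll]` kernel thread that the reply identifies as the polling loop and works out what share of the cores it pins, which is consistent with a dashboard reading of 50% on a two-core box. The sample lines are constructed from the post; the column layout assumed is the one FreeBSD's `top -aSH` prints.

```python
import re

# Constructed sample, modelled on the top -aSH lines quoted in the post above.
SAMPLE_TOP = """\
    9 root     -16 ki-1     0K    16K CPU1    1 486.3H 100.00% [idlepoll]
   11 root     155 ki31     0K    32K RUN     0 475.2H 100.00% [idle{idle: cpu0}]
75556 root      33    0   272M 39856K piperd  0   0:04   4.69% php-fpm: pool nginx (php-fpm)
   12 root     -60    -     0K   416K WAIT    0 158:36   0.00% [intr{swi4: clock}]
   11 root     155 ki31     0K    32K RUN     1  81:13   0.00% [idle{idle: cpu1}]
"""

# PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND (FreeBSD top -aSH columns)
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<pri>-?\d+)\s+(?P<nice>\S+)\s+"
    r"(?P<size>\S+)\s+(?P<res>\S+)\s+(?P<state>\S+)\s+(?P<cpu>\d+)\s+"
    r"(?P<time>\S+)\s+(?P<wcpu>[\d.]+)%\s+(?P<cmd>.*)$"
)


def parse_top(text):
    """Parse the per-thread rows of top -aSH into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["wcpu"] = float(d["wcpu"])
            d["cpu"] = int(d["cpu"])
            d["cmd"] = d["cmd"].strip()
            rows.append(d)
    return rows


def polling_threads(rows, threshold=90.0):
    """Rows for the kernel device-polling thread when it is spinning (WCPU >= threshold)."""
    return [r for r in rows if r["cmd"] == "[idlepoll]" and r["wcpu"] >= threshold]


def spinning_core_fraction(rows, threshold=90.0):
    """Fraction of CPUs pinned by a non-idle thread; the idle{...} threads are
    genuinely idle and are excluded, idlepoll is not (it burns the core)."""
    cpus = {r["cpu"] for r in rows}
    busy = {
        r["cpu"]
        for r in rows
        if r["wcpu"] >= threshold and not r["cmd"].startswith("[idle{")
    }
    return len(busy) / len(cpus) if cpus else 0.0


if __name__ == "__main__":
    rows = parse_top(SAMPLE_TOP)
    for r in polling_threads(rows):
        print(f"device polling active: pid {r['pid']} on cpu{r['cpu']} at {r['wcpu']}% WCPU")
    print(f"cores pinned: {spinning_core_fraction(rows):.0%}")
```

Run it on a saved `top -aSH` capture; a non-empty result from `polling_threads` means the polling option is on, and the pinned-core fraction is the number the dashboard graph will sit at regardless of real traffic.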

General Questions / Proper way to do fail over wan?
« on: June 19, 2017, 11:42:35 am »
I've got an office going with the newest pfsense released. Today their cable internet died out and some people were able to get online and some people could not. No idea why. When I changed the default gateway to the working DSL under system -> routing -> gateways, everyone was able to get online.

Here is how I have it setup:
system -> routing -> gateways
2 gateways, 1 cable, 1 dsl.
Both monitor, or
Primary is the cable because of the highest bandwidth so it's set as default (or was till it comes back up)

Under Gateway Groups:
I have 2 groups:
Failover1 (If CABLE fails go to DSL) Tier 2, Tier 1
Failover2 (If DSL fails go to CABLE) Tier 1, Tier 2

Under firewall -> rules -> lan
I have 2 rules created:

States        Proto   Source    Port  Dest  Port  Gateway     Queue  Description
12 /7.50 MiB  IPv4 *  LAN net   *     *     *     Failover1   none   If CABLE fails go to DSL
0 /0 B        IPv4 *  LAN net   *     *     *     Failover2   none   If DSL fails go to CABLE

Any idea what I am doing wrong here?

Or maybe it's just that the DSL connection just doesn't have enough bandwidth to handle a server and 10 desktops. Ughhhh.
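An added model (not pfSense code and not from this thread) of the two pieces described in the post: tiered gateway groups, where the lowest tier with an online member wins, and LAN rules evaluated first match wins. The gateway and group names are the ones from the post; the online/offline states are constructed. It also shows why the second rule's counters stay at 0 B: the first rule already matches everything from LAN net, and traffic that matches no policy-routing rule (the firewall's own traffic, for instance) still follows the system default gateway, which is the knob the poster had to change by hand.

```python
# Constructed model of pfSense-style gateway groups and first-match LAN rules.

# Gateway groups as (gateway name, tier); lower tier is preferred.
GROUPS = {
    "Failover1": [("CABLE", 1), ("DSL", 2)],   # if CABLE fails go to DSL
    "Failover2": [("DSL", 1), ("CABLE", 2)],   # if DSL fails go to CABLE
}

# LAN rules in the order they appear in the post: (source, gateway group).
LAN_RULES = [
    ("LAN net", "Failover1"),
    ("LAN net", "Failover2"),
]


def pick_gateway(group, online):
    """Return the online members of the lowest tier that has any, or [] if all are down."""
    for tier in sorted({t for _, t in group}):
        candidates = [gw for gw, t in group if t == tier and online.get(gw, False)]
        if candidates:
            return candidates
    return []


def route_lan_packet(source, online, rules=LAN_RULES, groups=GROUPS):
    """First matching rule decides; its group picks the gateway.
    Returns (rule group name, gateway) or (None, 'default') when no rule matched,
    i.e. the packet takes the system default gateway untouched by any group."""
    for src, group_name in rules:
        if src == source:
            gws = pick_gateway(groups[group_name], online)
            return group_name, (gws[0] if gws else None)
    return None, "default"


def rule_hit_counts(sources, online, rules=LAN_RULES):
    """How many of the given packets each rule would match (mirrors the States/Bytes column)."""
    counts = [0] * len(rules)
    for source in sources:
        for i, (src, _) in enumerate(rules):
            if src == source:
                counts[i] += 1
                break
    return counts


if __name__ == "__main__":
    both_up = {"CABLE": True, "DSL": True}
    cable_down = {"CABLE": False, "DSL": True}
    print(route_lan_packet("LAN net", both_up))      # ('Failover1', 'CABLE')
    print(route_lan_packet("LAN net", cable_down))   # ('Failover1', 'DSL')
    print(route_lan_packet("firewall self", cable_down))  # (None, 'default')
    print(rule_hit_counts(["LAN net"] * 12, both_up))     # [12, 0]
```

The model is only the ordering logic; in pfSense the gateway monitor (dpinger) decides the online state and rules also match on protocol and ports, which are wildcards in the rules shown.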

Routers are all heading towards these key components quickly. Companies like Watchguard, Fortigate, and Sonicwall have long had the jump on this.

Are there any plans fast approaching a near release on these topics?

PFSense with a bit defender AV engine and content filter with a cloud management similar to Ubiquiti Unifi's system would be ahmayzinggggg.

General Questions / Re: AV these days?
« on: January 24, 2017, 12:58:08 pm »
Squid/C-ICAP/ClamAV should work a whole lot better than a couple of years ago, tons of fixes/changes in the package. Would I rely on it as the only defense? Definitely not, given the ClamAV detection rate. Performance penalty? Absolutely.

P.S. Not a fan of the AV industry at all. They often cause more harm than they prevent. Some reading @ - incl. latest WTFs such as:


I agree. We've had issues where bit defender blocks a program from doing an action, and it doesn't even report it in their events section in any form. No log of any kind either. Very frustrating. I will admit I've had the fewest issues ever with bit defender vs kaspersky, mcafee, norton (barf), nod32, and others.

General Questions / Re: AV these days?
« on: January 24, 2017, 12:24:01 pm »
what is the proper way to do it?

To me, AV belongs on the client.  I tried ClamAV a year or two ago and wasn't happy with the performance hit.  Plus I don't have a lot of faith in open source AV systems.  It's a very hard space to compete in against commercial companies.  Maybe I'm wrong in that, but I haven't seen anything to convince me otherwise.

Yea we put bit defender on our end points. Was just wondering if the service was there and free, figured I'd use it as that extra layer.

General Questions / AV these days?
« on: January 24, 2017, 10:42:58 am »
How's the AV system in pfsense these days? I tried using it about 5 years ago. If I recall you have to install some kind of squid proxy thing, and then some kind of clamav thing, but I had all sorts of issues when it came to downloading installer files where the files would be corrupted, and wouldn't download right, so I lost all hope on it. Now I'm revisiting the topic and wondering what you guys think about it, and what is the proper way to do it?

pfBlockerNG / Re: How to make it stop auto-reordering my firewall rules?
« on: January 18, 2017, 09:42:51 am »
Still not quite figuring out what you're trying to say. Sounds like you're saying copy the country rules I'm using, and just remove the pfblocker package?
