
Topics - mastermindpro

Cache/Proxy / HAProxy not being transparent. ???
« on: August 14, 2017, 04:54:16 pm »
I set up an HAProxy environment for a couple of webservers using transparent ClientIP mode, and it works great.  I'm trying to set up a second environment, also as just a TCP proxy, but not to a web server.  I've configured the backend with Transparent ClientIP enabled.  The proxy passes traffic through as I'd expect, but not with the client IP.  The receiving server sees the "source" as being the IP of the proxy.

Now, this second environment is a bit different than the first in that the pfSense box is one-armed (only one network interface).  Hence, the client traffic is coming into HAProxy and being proxied to the servers on the same network interface.  I'm assuming this is the reason for the Transparent ClientIP function not working, but does anyone know a work-around?

Cache/Proxy / HAProxy + manual outbound NAT reflection problem
« on: July 29, 2017, 04:38:40 pm »
I have set up HAProxy to load balance to a couple of systems in my LAN from an aliased public IP on my pfSense firewall.  I have HAProxy configured as purely a TCP pass-through, with "Transparent Client-IP" enabled.  Access to the service works just fine when outside my firewall, but I need hosts on the LAN of my firewall to access the service as well.  The web application being served up is ridiculously restricted by license to both a URL and an IP address, so I can't use any kind of split-DNS to solve this problem.  (The name would still match, but the IPs wouldn't.)

I've been running in manual outbound NAT mode for a while, so I configured a new rule at the top of the stack for traffic exiting the LAN interface, sourced from the LAN subnet, and destined for the IPs of the servers in the HAProxy backend.  From what I understand, that *should* work...but it doesn't.  Looking at the HAProxy logs shows that the requests coming from LAN systems still have their private IP addresses as the source address.  As far as I can tell, HAProxy should see the LAN IP address of the firewall in the requests...but this isn't the case.  It's like HAProxy is doing something in advance of any of the outbound NAT rules...before traffic can get to them.

Does anyone have any work-around for this oddball problem?  I know NAT reflection on HAProxied hosts won't work automatically, but I'm hoping there's a way to coerce functionality.

Official pfSense Hardware / SG-4860 network interface optimization
« on: March 24, 2017, 11:47:57 am »
I've done some searching on the forum as well as elsewhere, but I haven't been able to find any docs on what the recommended network interface settings are for this platform.  Specifically, I'm considering enabling device polling, as I'm seeing up to 20% interrupt usage under load.  The other settings are relevant as well.  Is there a primer or doc somewhere that lays this out?

Firewalling / Floating rule not applying to selected interfaces
« on: February 26, 2017, 08:43:25 pm »
I have a 2 WAN setup that has port forwards on both interfaces to one host on my LAN.  I've previously had rules on each WAN interface to allow traffic into the port forwards, but I wanted to start limiting states per host collectively.  I figured the best way to do that would be to have a floating rule that is assigned to both WAN interfaces that has the appropriate settings, so that's what I implemented.

The floating rule only let traffic in to the first of the two WAN interfaces, however.  Traffic was outright blocked from hitting the port forward on the second WAN.  I had to disable or delete the floating rule and re-create independent rules on each WAN interface for traffic to work correctly.

Why did the floating rule only allow traffic on one of the WAN interfaces instead of the two that were selected?  Seems like a bug to me.  Running pfSense 2.3.3-Release.

Firewalling / Source connection rate logging
« on: February 24, 2017, 02:02:48 pm »
I've searched this forum and elsewhere for an answer to this, but found none.  I have a Pass firewall rule that allows traffic into a port forward.  On the firewall rule, I've defined "Max. src. conn. Rate" and "Max. src. conn. Rates" to be what I want.  The rule appears to work as I expect in testing.  My challenge is that I don't seem to be able to know when the connection rate is exceeded.

The firewall logs show nothing, as I'm only logging explicit blocks/rejects.  My first thought was that this would only get logged if there was a second firewall rule, defined as a Block, that had logging enabled.  I've configured that, but nothing ever seems to hit that rule: no logging.

A Pass rule with other limits, like connection rate limiting, really kind of has two possible outcomes.  It would be nice to be able to log or otherwise know when the limit is being triggered, without having to know when the traffic is passing the rule.  Is that possible?

I searched, but found nothing regarding upgrading a 2.2 ADI-build to the 2.3 Alpha.  Anyone know if it's possible using the AMD64 Alpha upgrade image?

Routing and Multi WAN / Apinger stops feeding rrdtool
« on: October 04, 2015, 09:26:12 pm »
I've got a functioning multi-wan setup using 2.2.4 that exhibits some weird behavior from apinger over time.  To counteract that, I wrote a simple cron script that stops and starts it every 3 hours.  Unfortunately, that seems to cause this problem:

Oct 4 19:11:03    apinger: rrdtool respawning too fast, waiting 300s.
Oct 4 19:11:03    apinger: Error while feeding rrdtool: Broken pipe
Oct 4 19:06:03    apinger: rrdtool respawning too fast, waiting 300s.
Oct 4 19:06:03    apinger: Error while feeding rrdtool: Broken pipe

No information is fed into the RRD graphs about quality, and I'd really like to track that for my 3 connections.  Is there something else I should restart when apinger is restarted?

FWIW, I have to restart apinger because it eventually drifts to stating impossibly low ping times that don't match reality.  Restarting it every few hours prevents that in the Gateways display, but disrupts feeding data to rrdtool.

I had a fully functioning multi-wan setup on 2.0.1 running on an Alix board.  I upgraded the system to 2.0.3, which appeared to go flawlessly.  After the upgrade, one of my two gateways is never detected as online, even though it is passing data on that circuit.  I've tried different known usable monitoring IPs, I've rebooted the box a couple of times, but nothing I've done gets pfSense to detect the gateway as online like it is.  I know the circuit itself is functional because I have and use a number of port forwards on that circuit, which are all functioning just fine.

Any troubleshooting hints or tips?

Does pfSense have any ability to limit PPS, either on a per-host or per-connection basis?  I'm running 2.0 RC3, but I haven't seen this as a listed feature in the GUI.

Installed the Oct. 20th snap on one of my pfSense boxes that has two WANs.  After the update, the OPT1 interface stopped responding to pings from the outside world.  Also, all traffic NAT'd in on that interface is not responding.  The interface is handling traffic, however, but only that which comes from the LAN.

I've got a Win2k8 FTP server behind a pfSense firewall running the August 25th build.  I can connect to the FTP server from the outside world using active mode, but passive mode fails.  Prior to having a pfSense firewall in place, we had a Linux-based solution through which active and passive FTP sessions worked.

I've been reluctant to upgrade to newer builds in the past few weeks due to all the problems that have cropped up.  Does anyone else have passive sessions working to a NAT'ed FTP server?

When I try to log into the web gui after installing today's snapshot, I get this error message:

Potential DNS Rebind attack detected, see

I tried yesterday's snap as well, and got the same thing.  The firewall appears functional, I just can't connect to it.  Any idea how far back I should go to get this working again?

Subject line pretty much says it all.  I can't enable the penalized IP queue in the shaper wizard.  The error is that I have to enter something in the bandwidth field.  I've tried percentages and kbit/s values but get the same error.

It kind of surprises me that this hasn't been brought up before, but isn't downstream traffic shaping (in its current implementation) basically useless in multi-wan scenarios?  The downstream shaper is created as an upstream queue on your LAN interface, but you'll very rarely hit that shaping limit.  You can saturate one or more downstream queues on your WAN interfaces, but unless *all* WAN interfaces are fully saturated in the downstream direction, the shaping on the LAN's upstream channel never has the opportunity to kick in.

Surely the mighty BSD has a work-around for this?

I have a pfSense box that has three subnets attached to the LAN interface.  One contains the LAN IP, and the other two are routed with gateway entries.  When I view the traffic graph page and choose the LAN interface, I only see per-IP information for the IPs that are on the LAN subnet.  None of the IPs that are on either routed subnet display data, although they are definitely running through the LAN interface.

Is there a hack to the page that I can do to add the two additional subnets to the array?  Perhaps there's a better way to determine what IPs are transferring data through the interface that would allow pfSense to display more information?
