Show Posts

Topics - jahonix

Pages: [1] 2
Deutsch / Experience with DeutschlandLAN CloudPBX / SIP trunk?
« on: March 13, 2018, 07:15:50 am »
In the foreseeable future we have to replace our ISDN PBX trunk (Anlagenanschluss) with an IP variant, and we are considering possibly moving the PBX into the Telekom cloud (DeutschlandLAN CloudPBX). The alternative would be a DeutschlandLAN SIP trunk with a local PBX.

Does anyone of you have experience with the CloudPBX that you would share with me/us?

Development / Roadmap with Cisco's VPP and DPDK
« on: December 26, 2017, 08:42:52 pm »
After reading the blog post about Application Detection on pfSense® Software I took some time to investigate on VPP and DPDK.
Turns out there's a video from jwt at DPDK summit available covering exactly this in a short presentation. It's already on YT so it can't be a secret anymore. Just don't know why it's not announced any louder here (or did I miss it?).

Some more info on VPP here

All I read and heard sounds "interesting" to say the least. Looking forward to testing things out!

General Questions / Throttling YouTube after 2 or 3 hours use?
« on: March 05, 2017, 06:46:09 pm »
I'd like to restrict my kids (well, one of them) from watching YouTube videos all day long.
It's quite amazing how lazy kids get and only watch others playing games and talking nonsense all day long. 8+ hours is no problem for them.
While the main task (my task) is getting them to do other things as well (and probably not only on the computer or console), I'd like to support this with throttling the YouTube bandwidth after some time, say 2 or 3 hours. This way they could still watch a video if they wait long enough to be buffered but it would give them time to think of other activities.

Limiting googlevideo bandwidth in general shouldn't be that hard; stepping on the brake later on is somewhat different. Any ideas?

Just to be clear: educating kids is the first part, using technology to support this effort would be beneficial.
Looking forward to your replies!

Installation and Upgrades / strange console on ALIX after update
« on: January 23, 2017, 05:51:06 pm »
Tried an update from console and found this when I came back:
F─■■BSD/■386 (─°S■┼─■.┌─■░┌■─└░■┼) (├├≤┤0)

*** W■┌■─└■ ├─ ─°S■┼─■ 2.3-BETA-┼░┼─■─■ (■386) ─┼ ─°S■┼─■ ***

 WAN (┬░┼)       -> ┴─1        -> ┴4/DHCP4:
 LAN (┌░┼)       -> ┴─0        -> ┴4:

 0) L─±─┤├ (SSH ─┼┌≤)                  9) ─°T──
 1) A──■±┼ I┼├■─°░■■─                 10) F■┌├■─ L─±─
 2) S■├ ■┼├■─°░■■(─) IP ░■■─■──       11) R■─├░─├ ┬■■C─┼°■±┤─░├──
 3) R■─■├ ┬■■C─┼°■±┤─░├── ─░──┬──■    12) ─°S■┼─■ D■┴■┌──■─ S■┌┌
 4) R■─■├ ├─ °░■├──≤ ■■°░┤┌├─         13) U─■░├■ °──└ ■─┼──┌■
 5) R■■──├ ─≤─├■└                     14) D■─░■┌■ S■■┤─■ S■┌┌ (──■)
 6) H░┌├ ─≤─├■└                       15) R■─├──■ ─■■■┼├ ■─┼°■±┤─░├■─┼
 7) P■┼± ──├                         16) R■─├░─├ PHP-FPM
; S■┌┌

E┼├■─ ░┼ ──├■─┼:
Anybody? (it's not the cable) ... and the update didn't work either.

General Discussion / segmenting a public /25 into 12 rooms
« on: December 15, 2016, 09:31:18 pm »
We are about to install AV gear in 12 classrooms of our local university (network switch, projector, AV switcher, control system, touchpanel, etc). Each room has identical equipment.
Campus IT handed us one public /25 where we have to fit in all IP-enabled equipment and each host must have a public IP (probably monitoring later on).
We will have at least 8 hosts per classroom so subnetting is not an option.
Switches are SG300-10 with the projectors hanging on the HDBaseT link of the AV-switcher so we don't run out of network ports yet.

This is kind of what we got:  GW

I'll probably end up with
 Room 1: .130 - .139
 Room 2: .140 - .149
etc. and we can use .250 - .253 for our programming laptops.

But having 12 rooms in one broadcast domain doesn't seem sexy.

We will have a presentation gateway in each classroom which gets routed traffic from Eduroam WiFi. That's only 3-5Mbit per video stream and considered negligible but we cannot just pull our shields up.

One idea is to use 12x SG-1000 as filtering bridge (if Netgate can provide those pretty quickly, haven't checked with them yet) to block traffic between classrooms at least. That would have the benefit that we cannot accidentally program the classroom next door...

Your thoughts?
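The address plan sketched above (ten-address ranges per room inside one flat public /25, programming laptops on .250-.253, and a filtering bridge per room that blocks traffic from the other rooms) can be generated rather than typed by hand. The following is an added example, not code from the original post or from Netgate/pfSense. It assumes a hypothetical /25 (198.51.100.128/25, a documentation prefix) with the gateway on .129 and a bridge interface named bridge0 on each room's SG-1000; the pf fragment presumes the bridge filters on the bridge interface (FreeBSD sysctl net.link.bridge.pfil_bridge=1). It also shows why real subnetting fails here (a /25 only yields twelve or more subnets at /29, which has six usable hosts), and why ranges like .130-.139 have to be summarized into CIDR blocks before pf tables will accept them. The functions are general: any prefix, room count and hosts-per-room can be passed in.

```python
"""Address plan and per-room pf filtering-bridge tables for a flat public /25.

Added example (not from the original post). Assumed values: a documentation
prefix 198.51.100.128/25, gateway .129, rooms as ten-address ranges starting
at .130, programming laptops on .250-.253, and a pfSense filtering bridge
named 'bridge0' per room. The interface name and prefix are assumptions.
"""
import ipaddress

PREFIX = ipaddress.ip_network("198.51.100.128/25")   # assumed public /25
GATEWAY = ipaddress.ip_address("198.51.100.129")      # assumed campus GW
ROOMS = 12
HOSTS_PER_ROOM = 10                                  # .130-.139, .140-.149, ...
LAPTOPS = ("198.51.100.250", "198.51.100.253")        # programming laptops


def check_subnetting(prefix, rooms, min_hosts):
    """Find the longest prefix that yields at least `rooms` subnets and report
    its usable host count. Returns (prefixlen, usable_hosts, fits)."""
    for plen in range(prefix.prefixlen + 1, 31):
        subnets = list(prefix.subnets(new_prefix=plen))
        if len(subnets) >= rooms:
            usable = subnets[0].num_addresses - 2   # network + broadcast lost
            return plen, usable, usable >= min_hosts
    return None


def room_ranges(prefix, rooms, per_room, first_offset=2):
    """Lay rooms out as consecutive ranges; room 1 starts at network+offset."""
    base = prefix.network_address + first_offset
    out = {}
    for r in range(1, rooms + 1):
        first = base + (r - 1) * per_room
        last = first + per_room - 1
        if last not in prefix or last >= prefix.broadcast_address:
            raise ValueError(f"room {r} range {first}-{last} does not fit in {prefix}")
        out[r] = (first, last)
    return out


def range_to_cidrs(first, last):
    """pf tables take CIDR blocks, not arbitrary ranges, so summarize."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def pf_rules_for_room(room, ranges, ifname="bridge0"):
    """pf.conf fragment for the filtering bridge guarding one room: management
    hosts may reach the room, other rooms may not, everything else passes."""
    first, last = ranges[room]
    own = range_to_cidrs(first, last)
    others = []
    for r, (f, l) in ranges.items():
        if r != room:
            others.extend(range_to_cidrs(f, l))
    mgmt = [str(GATEWAY)] + range_to_cidrs(*LAPTOPS)
    lines = [
        f"# room {room}: hosts {first}-{last}",
        f"table <room{room}> {{ {' '.join(own)} }}",
        f"table <other_rooms> {{ {' '.join(others)} }}",
        f"table <mgmt> {{ {' '.join(mgmt)} }}",
        # 'quick' makes these first-match; order therefore matters.
        f"pass in quick on {ifname} inet from <mgmt> to <room{room}>",
        f"block in quick on {ifname} inet from <other_rooms> to <room{room}>",
        f"pass in quick on {ifname} inet from <room{room}>",
        f"pass in quick on {ifname} inet from any to <room{room}>",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print("subnetting check (prefixlen, usable hosts, fits 8):",
          check_subnetting(PREFIX, ROOMS, 8))
    plan = room_ranges(PREFIX, ROOMS, HOSTS_PER_ROOM)
    print(pf_rules_for_room(1, plan))
```

Running it prints the subnetting check, (29, 6, False), and the pf fragment for room 1; the same call with a different room number yields that room's tables, and the other_rooms table is what stops a laptop in one room from accidentally programming the gear next door. ARP and other non-IP traffic still crosses a layer-2 bridge, so this isolates IP reachability, not the broadcast domain itself.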

Installation and Upgrades / update to 2.3.2 on ALIX 2D?
« on: November 17, 2016, 06:41:20 pm »
I'm going to service a customer's installations tomorrow. While preparing I thought about updating the ALIX devices which currently run 2.1.dunno
Is it advised to upgrade PCengines ALIX 2D boards with 4GB Nano Installs to a current 2.3.2 or should I better leave them alone?

I have two other installs where I will need the IGMP Proxy on VLANs in the near future (ALIX as well)
Due to the known regression "IGMP Proxy does not work with VLAN interfaces, and possibly other edge cases. Bug 6099." can somebody tell me which was the latest version that did not have this "little-used component" limitation? Was it 2.2.5? The bug is reported from 2.2.6 onwards.

Appreciate your feedback.

Captive Portal / Voucher thermo printer?
« on: July 12, 2016, 09:17:02 am »
Is anyone aware of a thermo printer which can be used with pfSense's captive portal and voucher generation?
Like this one I'm currently facing at a client:

General Questions / 8+2 port managed Gb Switch powered from 24V DC
« on: April 27, 2016, 03:10:10 pm »
I'm currently bidding on a voice alarm system for a stadium and need 10 switches with at least 8 Gbit copper and 2 SFP ports which are powered from +24V DC (battery) only. No PSU or converters allowed. To make matters worse, at least two of them have to provide PoE for call-stations etc. as well.
My trusted Katron KGS-1060-HP needs +48V DC if providing PoE.
And redundancy ring topologies have to be supported (preferably with recovery times <500ms).

Edit: even N-tron (they are nuclear power plant certified) doesn't have that. Nor

Anyone knows such a beast? Moxa or AlliedTelesis maybe?

I have quite a strange phenomenon and don't know exactly where to start troubleshooting.

Updated an APU1 yesterday afternoon from 2.2.6 to 2.3 with Nano install on an SD card.
Today the unit wasn't accessible via HTTPS (504 Gateway Time-out). It doesn't route either, but still hands out DHCP leases to clients.

To get to production again I installed my config.xml to a different APU1 which I just updated to 2.3 from 2.3RC. This device has an mSATA disk.
Well, now, nearly 10h after working flawlessly, the second device goes down as well. Cannot log in via HTTPS or ssh from LAN. I can, however, ssh via an OPT interface, but HTTPS doesn't work there either.

When I had console access via serial I tried to restart the webConfigurator and rebooted the device. No change.
Reverting back to HTTP didn't help either, I still get redirected to HTTPS, even after a reboot.

WAN is PPPoE on re0_vlan7, LAN and other OPT interfaces are re1_vlan10 / 20 / 30 / 40 / 50 / 60.
Installed package was Backup/Restore only.

Anyone got an idea? I'm a bit clueless.

Deutsch / Telekom VoIP with Speedport ISDN adapter on a separate IF
« on: April 01, 2016, 05:55:22 am »
Can anyone help me with the configuration to get a Speedport ISDN adapter working on a dedicated interface of pfSense 2.2.6?
In front of it is a Zyxel VDSL modem in bridge mode, pfSense does PPPoE (which works); only the ISDN adapter simply refuses to connect to Telekom's service.

If I configure the Zyxel modem in router mode and connect the Speedport ISDN adapter as well as the pfSense to its LAN ports, it works.

In a Wireshark log from the ISDN adapter I saw queries for AAAA records.
Does Telekom VoIP strictly require IPv6?
THAT could be a reason, since I currently have IPv6 disabled (because I don't understand it myself yet and lack the time to get into it...).

Apart from that, the port forwards and rules on the interfaces are of course set accordingly and Hybrid Outbound NAT is enabled.

Are any other pitfalls etc. known?

2.3-RC Snapshot Feedback and Issues - ARCHIVED / 2.3-beta on ALIX?
« on: February 22, 2016, 04:28:44 am »
I'm trying to setup a testbed on an older ALIX2D2 hardware that I have lying around.
I tested several nano installs on 4GB CF cards; none of them was halfway responsive in a way I would call usable.
Slow, with 100% CPU load nearly constantly, at least for several minutes after any kind of "save" operation.

Is this expected behavior that makes ALIX hardware obsolete for 2.3, or am I facing a hardware problem (board, CF, ...)?

Deutsch / LTE stick for the Telekom network
« on: July 17, 2015, 06:09:29 am »
Can anyone name an LTE stick that works with pfSense without problems in Telekom's LTE network in Germany? (as of 2015-07)
The router would be an APU1D4 or SG-2440, operated directly on its USB port.

Hardware / Huawei E220 USB HSDPA/EDGE/UMTS 3G Modem
« on: April 20, 2009, 07:11:21 pm »
Any news on support for Huawei E220 USB HSDPA/EDGE/UMTS Modems?
They are officially supported in FreeBSD 7.0 (3.12 USB Devices:

Would be great to use it with an ALIX board. Kind of a 3G to WLAN bridge.
(Need it for a friend who has to stay in hospital for some weeks. So I need a solution quite fast to give him access to the INet... Other ideas welcome!)

Is it only me, or do others experience problems when trying to download a 1.3 snapshot from the snapshots server as well?
I tried various build versions; the most I got was some 900kB before the connection timed out.

I can, however, download 1.2.1 builds or other bigger files from other sites.

Deutsch / Outbound traffic to ???
« on: August 20, 2008, 11:01:11 am »
I found the following in the states, which irritates me somewhat:
Here is my LAN, my public IP.
Furthermore I have also defined and , but no

udp 2367 -> ->     SINGLE:NO_TRAFFIC 
udp -> ->    SINGLE:NO_TRAFFIC
udp -> ->    SINGLE:NO_TRAFFIC

Why would my server (; Win2k server, Exchange and SQL server) want to connect to with a DNS request???
Those IPs shouldn't even be routed; for inbound I was able to define that in pfSense as well.
Does anyone have an idea?
