General Questions / ipSec getting no love --
« on: February 09, 2018, 09:55:13 am »

I noticed that my post and many others are sitting with no replies / help in the IPsec forum.

Is the team working on some issue, or is it just that IPsec is not getting any love these days?

TIA --

IPsec / SG-3100 IPSec ---
« on: February 07, 2018, 12:56:09 pm »

I am attempting to start an IPsec tunnel from an SG-3100 that was upgraded to 2.4.2_1.

Comcast -- DMZ Port --  3100 WAN --- 3100 LAN --

So the first issue is that the web page never updates / refreshes when I try to enable the link (P2 & P1), but if I try to disable them it refreshes immediately.

I should note that this worked previously from a Comcast link with multiple IPs and in bridge mode, but I don't have that luxury here.

-- My Identifier is Dynamic DNS with the FQDN, which can be pinged and is validated.

-- Peer Identifier is Peer IP Address (Is this correct??)

I must be missing something, but I am not really sure what at this point -

Any help / guidance appreciated --

Official pfSense Hardware / New SG-3100
« on: September 14, 2017, 01:02:32 pm »

So I am looking to replace an old Soekris box that is just not handling the new 2.3.4.p1 code.

But I am confused by the wording of the guide a little -

Today I have a WAN, a LAN, and two other LAN networks (DMZ) and configurations, so four total Ethernet ports --

Can I do this with the SG-3100, or are the four switched Ethernet ports just a bridged LAN?

WAN -- Comcast
OPT1 -- DMZ-1 172.20.100.0/24
Switch (Lan 1 -4 )  --
??????   DMZ-2 

I see I might be able to dump a small Netgear switch, but how do I get the second DMZ?

I also have two VPNs to other sites, but this box looks more than capable of handling this --

TIA on the insight for this new hardware. 

My alternative is the SG-2440 but this 3100 is much better priced and may fit the bill.

Installation and Upgrades / Replaced Soekris with Netgate 4860- 1U ??
« on: July 30, 2017, 10:46:00 am »

Short story: the Soekris box took a hit (surge) via one of the internal connections, OPT1, in a storm.

Ordered a replacement Netgate, dumped the configuration and restored it to the new box.

Updated the interface assignments as appropriate - thought we were done. But I missed a step in that the Comcast link (OPT2) did not get an upstream gateway address, and I did not notice it until much later in the day. This setting, apparently critical, really should be above the fold. :-)

The question I have is more regarding why traffic did not work, as the WAN gateway was fine, and the two are combined into a Gateway for the customer with OPT2 as Tier 1 and WAN as Tier 2 (the WAN is a T1 from Cbeyond/Birch and is used mostly for SIP traffic). The problem was most evident in that DNS resolution was failing and I could not ping any of the external DNS servers from devices using the gateway instead of specific routing rules.

Rather than failing, I would have thought the Tier 1 gateway target traffic would have timed out and failed over to Tier 2. NOTE: this is not load sharing. Also, the status screen showed both as UP when in fact the OPT2 interface was down, as there was no upstream gateway defined.

Anyway, all is well just trying to learn for next time --

TIA ---


So over the weekend I needed to upgrade a rather old (but stable) install of 2.0.n on a Soekris Net4801.

Used the Auto Upgrade, which downloaded, then "installed", then rebooted -- and NOTHING --

Connected to the serial console and realized I had no system.

Did a reboot and watched it upgrade / install the unit this time.

Took a second reboot to get it to the "installed" state. But I have had all sorts of issues, from stability to the "502 Bad Gateway" nginx screen.

After I took the IPsec off the Status screen as suggested here it's better, although it seems to be in a "Checking for update" loop. Spinning star --

Also, at least once had to restart service PHP-FPM (16) to get the console back.

Don't think I have had this many concerns / problems in many, many years of using pfSense.... So I am looking for some basic guidance on settings / steps to get stable, and recommended steps to get my two IPsec tunnels up and get nginx to be at least somewhat responsive. It seems to hang when I try to update the tunnel configs.

-- TIA -- and no, I really do not want to buy a new box at this time.

Routing and Multi WAN / MultiHome VR3
« on: August 03, 2016, 01:30:30 pm »

So I have a four-port pfSense box. The dashboard tells me it is Release 1.2.1 (old, I know, but stable).

So I need to take VR3 and, instead of it connecting to a Comcast router, I want to add a four-port switch and connect the Comcast and a new AT&T.

I thought I knew how to do this -- but it does not work --

* Added a Virtual IP for my AT&T assignment - Type IP Alias

* Added a Gateway for the AT&T Router - Using the Same Interface Name as the Comcast (VR3) ...

---- Gateway Status is always - Offline --


Do I actually need a new interface on VR3?


IPsec / Shared IP -- IPSec and GRE PPTP --
« on: October 09, 2012, 10:56:17 am »

Quick question ---

  Have a functional IPsec on one of 5 static addresses; now the client also wants to port forward GRE and PPTP to an internal MS Windows box on that same IP. I know the PPTP is not going to be an issue, but would the IPsec tunnel conflict with a GRE port forward?

   TIA --

IPsec / PfSense - IOS 6 (AT&T LTE) - Asterisk --
« on: October 05, 2012, 07:54:11 pm »

Good Evening,

   I am working on assisting a user with getting the 3CXPhone on a new iPhone 5 (iOS 6) to connect to Asterisk 1.8.n.

   The iPhone is linking to the pfSense 2.0.1 box via a Mobile IPsec definition. So it's something like this --

      iPhone5 (IOS 6 /Cisco VPN) ---  AT&T LTE ----  Comcast Business  ----  pfSense 2.0.1 ---  Asterisk

        10.37.165.n /    -- IPV6   ----    IPV4 (Static)   -------    IPSec   --------  2198 Nat=no / qualify=3500

      The link comes up and from the iPhone we can ping the Asterisk box, and access other applications.

      But the 3CXPhone attempts to register with the iPhone's 10-dot address, not the IPsec-assigned one.

      From Asterisk, when I run MTR to but not the 10-dot address, it just goes out a default WAN route.

      Anyone with any ideas here ???


     SAD -- looks good as does SPD with the assigned

     Phase 1 ---
          Interface - Comcast
          Authentication Method - Mutual PSK + Xauth
          Negotiation Mode - Aggressive
          My Identifier - My IP address
          Peer Identifier -
          PreShared Key -  xxxxxxxxxxxxxxxxxx
          Policy Generation - Unique
          Proposal Checking - Strict
          Encryption Algorithm - AES / 128
          Hash Algorithm - SHA1
          DH Key Group - 2
          Lifetime - 8600
          Nat-T - Enable
          Enable DPD - Checked
          10 Seconds / 5 Retries
     Phase 2 ---
           Mode - Tunnel
           Local Network - LAN Subnet
           Encryption Algorithm - AES 128
           Hash Algorithm - SHA1
           PFS Key Group - 2
           Lifetime  - 3600
           Automatically ping Host -
     Mobile Client ---
           User & Group Authentication Source  System
           Virtual Address Pool - Check Provide a Virtual Address Pool
           Network / 24  ( Potential for Tethered Devices is why I changed this from 30 )
           Network List - Checked
           Save Xauth Password - Checked
           DNS Default Domain - Blank
           DNS Servers - Checked -
                    - Internal DNS
                    - Google -
          WINS Servers - Blank
          Phase 2 PFS Group - Checked Group 2
     Users -
          Name - xxxxxxxxxx
          Password - xxxxxxxxxxx
          Group Membership - IPSECUSERS -
          Effective Privileges - IPSecUsers - USER - VPN - IPSec xauth Dialin
     Group -
           Name - IPSECUsers
           Assigned Privileges - User - VPN - IPsec xauth Dialin


IPsec / IPSec Tunnel fails ---
« on: August 08, 2012, 07:55:13 am »

Good Morning,

    I have a pfSense 2.0.1 with two IPSec tunnels. 

    Tunnel one is to a pfSense 1.2.3 while Tunnel 2 is a pfSense 2.0.1 box.

     Tunnel one stays up and seems to be fine. Tunnel 2 keeps dropping PuTTY sessions on what appear to be large packet errors. I changed the WAN MTU on the Tunnel 2 end from the default (1500) to 1486, but it failed again just now. PuTTY error: "Software Error Connection Aborted"

     Any ideas ?

     TIA ==

General Questions / Replace one end of Linksys RV-042 Tunnel ?
« on: July 10, 2012, 09:12:08 am »

Good morning,

    I have a screenshot of one end of a "VPN Gateway to Gateway" tunnel that was between two Linksys RV-042 units. Was wondering if anyone has replaced the static end of this type of link with 2.0.1, and what issues you might have run into, as I am looking at doing this next week.



I have a relatively new pfSense 2.0.1 install on a Soekris 5501-60.

     VR0 - WAN Cbeyond Static IP
     VR1 - WAN Comcast DHCP
     VR2 - LAN -- Primary Tenant
     VR3 - LAN -- Secondary Tenant

VR0 & VR1 are in a Tier 1 Shared connection Group.

     Two DNS servers from Cbeyond spread across VR0 & VR1
     Two DNS servers from Google spread across VR0 & VR1

Cbeyond is special in that it returns a for

Well Comcast failed today and the VR1 link went to a down state. 

I appeared to lose all DNS resolution, and specifically the Cbeyond DNS, as the SIP registry went away.


Did I miss something in my configuration(s) ? 


PPTP / PPTP - Can't get a connection. Error code 800
« on: June 06, 2012, 10:16:43 pm »
As background, I pulled some Linksys RV-042 units with PPTP passthru and replaced them with a clean new 2.0.1 pfSense on Soekris hardware.

It solved about a dozen issues. But I am stuck with getting PPTP passthru to work for me.

For testing, the source is Windows 7 Pro out through a pfSense 2.0.1 NAT to a static IP.


--- WAN (n.n.n.193/27)
--- WAN 2 (Comcast 10.)
--- LAN 1 (10.1.2.n)
--- LAN 2 (172.1.2.n)

PPTP Passthru 1 - WAN Address (.194) VIA NAT Port Map to 
                            GRE   *
                            PPTP (TCP/UDP) 1723
PPTP Passthru 2 - Wan Virtual IP (.222) VIA 1-1 NAT MAP to
                            Rules to Permit GRE
                                                 PPTP (TCP/UDP)1723


I know I am missing something in the setup of my NAT maps and rules.

I did enable System / Advanced / Firewall / "Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic".


Any help would be VERY much appreciated..

Hardware / Upgrade and change Soekris hardware ---
« on: June 04, 2012, 12:59:09 pm »
Afternoon all,

   I have a client that has been running a Soekris 4801 for a long time. They want another LAN port and are reworking the LAN rack, so we will be moving them to a NET5501-60 in the 1RU case.

   My question is, can I back up the current Net4801 with 1.2.3 and restore it to the Net5501-60 with 2.0.1, or do I need to move the configurations and rules manually between the two boxes?


Firewalling / iPhone Exchange ActiveSync
« on: May 31, 2012, 08:40:00 am »
Good Morning all,

    I have a customer on AT&T Cellular using an iPhone with Exchange ActiveSync. To enable this we opened port 443 (HTTPS) to the server, and it works well, I guess. But I would like it to be a little less open.

    So, until I can get them on PPTP, I have two questions.

             Is the source port also 443, or do I need (*)?

             Does anyone know the IP range to whitelist just AT&T Cellular phones in the US?


Hardware / AT&T 2Wire Device with PFSense and Virtual IPS (V2.0 RC1)
« on: December 30, 2011, 07:35:05 pm »
Good Evening all..

  First, I found this post that seems to address my issue, but there is no information in it to help, and it refers to a DSLReports posting with an answer but no link to the DSLReports forum.. ,6049.msg35568.html#msg35568

   So after many years of clean AT&T DSL service with a Netopia router in bridge mode, today AT&T spent almost 12 years attempting to replicate the service on UVerse with a "2Wire" interface.

   Well, it seems that the "2Wire", according to their support people, can't do this, which I find hard to believe.

    Basic install was a /29 with .80 being the network, .81 being the Netopia, .82 being the Soekris 4801 (WAN), and .83-.86 being "virtual IPs" with various NAT and 1-1 NAT mappings defined in pfSense.

   Does anyone here have a UVerse "2Wire" working in this way? Can you share, or reference me somewhere? If not, I will have to have the UVerse link pulled and go back to the DSL next week....

   TIA !!!!   And best wishes for a Happy New Year

