Official pfSense Hardware / SG-1000 bandwidth issues
« on: October 30, 2017, 07:48:18 am »
I have been working on this case with support since Aug 25 (#27001).  As indicated in the notes, I ran extensive testing on the firewall in question, only to be told that support could not replicate the problem and that it must be an issue with the particular unit I had.  We paid to send the firewall back and we received it back with a new board inside.  When I plugged it in I had the exact same issue.  By this time the issue is two months old.  The client that purchased the firewall has been using a borrowed firewall during this time.  Now I am told it is bug #7532 and that I have to wait for the bug fix.

So here are my concerns.  If this is a bug and support was supposed to have tried to replicate the problem, why did they indicate they could not?
When I look at the bug I notice that it is stated that it was to be fixed in 2.4.1, but then pushed to 2.4.2 and now 2.4.3.
So how long do we have to wait so that the product purchased over two months ago is usable, since in the meantime the client has a firewall that is useless to them?  This may not seem like an issue to you, but it is to the client, who is a small non-profit company with little money to spend on IT, which is why we went with this unit to begin with.
I am not happy at all with pfSense at this point.

2.4 Development Snapshots / SG-1000 issue
« on: August 22, 2017, 12:50:51 pm »
I keep seeing the following repeated every minute or so.

Time               Process                PID   Message
Aug 22 13:31:15    check_reload_status          Reloading filter
Aug 22 13:31:15    check_reload_status          Restarting OpenVPN tunnels/interfaces
Aug 22 13:31:15    check_reload_status          Restarting ipsec tunnels
Aug 22 13:31:15    check_reload_status          updating dyndns WANGW

Current Base System 2.4.0.b.20170710.2021
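Added example (mine, not from the post above and not pfSense code): a quick way to tell whether repeating check_reload_status lines are a reload storm rather than occasional housekeeping. It parses constructed syslog-format lines in the shape pfSense writes to system.log, pulls out every "Reloading filter" event, and reports the densest burst inside a window plus the median gap between reloads. The four messages appearing together (filter, OpenVPN, IPsec, then "updating dyndns" named for the gateway) are the set of actions a gateway alarm triggers, so the gateway monitor and interface events are the first things to look at when the burst detector fires. The host name, timing and year are assumptions.

```python
import re
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List

# Constructed syslog-style lines in the shape pfSense writes to system.log
# (`clog /var/log/system.log` on 2.4). Host name "fw" and the timing are
# invented; only the once-a-minute four-message pattern mirrors the post.
SAMPLE_SYSTEM_LOG = """\
Aug 22 13:30:02 fw sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 50222 ssh2
Aug 22 13:31:15 fw check_reload_status: Reloading filter
Aug 22 13:31:15 fw check_reload_status: Restarting OpenVPN tunnels/interfaces
Aug 22 13:31:15 fw check_reload_status: Restarting ipsec tunnels
Aug 22 13:31:15 fw check_reload_status: updating dyndns WANGW
Aug 22 13:32:14 fw check_reload_status: Reloading filter
Aug 22 13:32:14 fw check_reload_status: updating dyndns WANGW
Aug 22 13:33:16 fw check_reload_status: Reloading filter
Aug 22 13:34:15 fw check_reload_status: Reloading filter
Aug 22 13:34:15 fw check_reload_status: Restarting ipsec tunnels
Aug 22 13:35:17 fw check_reload_status: Reloading filter
Aug 22 13:36:15 fw check_reload_status: Reloading filter
Aug 22 13:36:15 fw check_reload_status: updating dyndns WANGW
"""

# "<Mon> <day> <HH:MM:SS> <host> check_reload_status[pid]: <message>"
LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
    r'check_reload_status(?:\[\d+\])?: (?P<msg>.*)$')


def reload_times(lines: List[str], year: int = 2017) -> List[datetime]:
    """Timestamps of every 'Reloading filter' event. syslog lines carry no
    year, so one is supplied (assumed 2017, the year of the post)."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["msg"] == "Reloading filter":
            out.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return out


def reload_stats(lines: List[str], window: timedelta = timedelta(minutes=10),
                 threshold: int = 5) -> Dict[str, object]:
    """Count filter reloads, find the densest burst inside `window`, and the
    median gap between reloads; flag a storm when the burst reaches `threshold`."""
    ts = reload_times(lines)
    burst = 0
    for i, start in enumerate(ts):
        burst = max(burst, sum(1 for t in ts[i:] if t - start <= window))
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return {
        "reloads": len(ts),
        "max_in_window": burst,
        "median_gap_s": median(gaps) if gaps else None,
        "storm": burst >= threshold,
    }


if __name__ == "__main__":
    print(reload_stats(SAMPLE_SYSTEM_LOG.splitlines()))
```

Feed it the real log with something like `clog /var/log/system.log | grep check_reload_status`; the threshold of five reloads in ten minutes is a starting point, not a pfSense constant.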

Firewalling / States column
« on: August 16, 2017, 08:43:37 am »
I am doing a review of my firewall rules and I have a question regarding the states column when looking at the rules list. 
It shows X/X B

I am a little confused with this. 
I have done some reading that says this is the amount of traffic associated with a state.  So that number will show 0/0 B if there is no current state made using that rule.  Does that mean that rule is not being used, or just that it is not being used at the time of viewing?  When I look at my list of rules and see 0/0 B it makes me wonder if the traffic is being handled by a different rule that I am not expecting.

Any clarification on this would be greatly appreciated.
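Added example (mine, not from the post above and not pfSense code): the States column summarises the per-rule counters that pf keeps, and you can read them directly on the firewall with `pfctl -vsr`. Those counters are zeroed every time the ruleset is loaded, so 0/0 B means nothing has matched since the last filter reload, not that the rule has never matched. The parser below reads constructed `pfctl -vsr` output (invented rules and counters) and separates rules with open states, rules that matched earlier, rules that packets reached but never matched, and rules that no packet was ever evaluated against, which is the shadowing case the post is worried about.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed `pfctl -vsr` output (invented rules and counters, not from the
# poster's firewall). Each rule line is followed by its counter line; the
# "[ Inserted: ... ]" line pfctl also prints is ignored by the parser.
SAMPLE_PFCTL_VSR = """\
block drop in quick on em1 inet from 10.0.0.0/8 to any label "USER_RULE: block rfc1918 from WAN"
  [ Evaluations: 5000      Packets: 120       Bytes: 9600        States: 0     ]
  [ Inserted: uid 0 pid 1111 State Creations: 0     ]
pass in quick on em1 inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "USER_RULE: web"
  [ Evaluations: 4880      Packets: 30210     Bytes: 41002331    States: 17    ]
  [ Inserted: uid 0 pid 1111 State Creations: 902   ]
pass in quick on em1 inet proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state label "USER_RULE: ssh admin"
  [ Evaluations: 4850      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1111 State Creations: 0     ]
pass in quick on em1 inet from 10.0.0.0/8 to any flags S/SA keep state label "USER_RULE: never reached"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1111 State Creations: 0     ]
"""

# Rule lines start in column 0 (with a "@N " prefix under -vvsr); counter lines are indented.
RULE_RE = re.compile(r'^(?:@\d+ )?(?:pass|block|match)\b')
COUNTER_RE = re.compile(
    r'^\s*\[\s*Evaluations:\s*(?P<ev>\d+)\s+Packets:\s*(?P<pk>\d+)\s+'
    r'Bytes:\s*(?P<by>\d+)\s+States:\s*(?P<st>\d+)\s*\]')
LABEL_RE = re.compile(r'label "([^"]*)"')


@dataclass
class RuleStats:
    rule: str
    label: str
    evaluations: int   # packets that were evaluated against this rule
    packets: int       # packets that matched it
    bytes: int         # bytes that matched it
    states: int        # state entries currently open that this rule created

    def gui_states_column(self) -> str:
        # pfSense's rules page renders this pair as "<states>/<bytes> B"
        return f"{self.states}/{self.bytes} B"

    def verdict(self) -> str:
        if self.states > 0:
            return "active"
        if self.packets > 0:
            return "matched-before"    # matched since the last reload; nothing open now (block rules never hold states)
        if self.evaluations > 0:
            return "reached-no-match"  # packets got this far but none fit the rule
        return "never-reached"         # nothing reached it: an earlier quick rule takes the traffic, or counters were just zeroed


def parse_pfctl_vsr(text: str) -> List[RuleStats]:
    rules: List[RuleStats] = []
    pending = None
    for line in text.splitlines():
        if RULE_RE.match(line):
            pending = line.strip()
            continue
        m = COUNTER_RE.match(line)
        if m and pending is not None:
            lab = LABEL_RE.search(pending)
            rules.append(RuleStats(pending, lab.group(1) if lab else "",
                                   int(m["ev"]), int(m["pk"]), int(m["by"]), int(m["st"])))
            pending = None
    return rules


def never_reached(rules: List[RuleStats]) -> List[str]:
    """Labels of rules no packet was evaluated against: candidates for being
    shadowed by an earlier quick rule, or simply dead."""
    return [r.label for r in rules if r.verdict() == "never-reached"]


if __name__ == "__main__":
    for r in parse_pfctl_vsr(SAMPLE_PFCTL_VSR):
        print(f"{r.gui_states_column():>16}  {r.verdict():<17} {r.label}")
```

Run `pfctl -vsr` on the firewall and pipe it into the parser. Keep in mind that editing any rule triggers a filter reload, which zeroes every counter, so take the snapshot before making changes and after the ruleset has been live for a while.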


2.4 Development Snapshots / SG-1000
« on: August 16, 2017, 08:23:12 am »
I recently purchased a SG-1000 for a client.  I was looking at this as a good fit since they are a small office with 5 people in it.  When I got it I was surprised to find that it is running 2.4.0 BETA.  I don't see anywhere that it says the unit shipped with BETA software.  This ended up with me spending an hour reassuring the client that the system would be ok and that the version was about to be released.  They are still asking when the stable version is going to be released.

I then spent some time going through the system and noticed some new changes.  Some I was able to figure out, but one I am still not sure about.  Under Interfaces there is a new menu item called switches.  I have searched and I cannot find any documentation on it.  I emailed support about it and they referred me to the online documentation showing the new features and changes.  It does not have any reference to this menu item.  When I emailed support back indicating this, I never got a response.

I have been using pfSense firewalls for about 6 years now, and currently between our company and clients I have seven of them deployed.  With my experiences with pfSense lately I am reconsidering what we are going to use for firewalls, the biggest thing being the changes to support.  The cost of support for us has gone through the roof with pfSense if we decide to go with commercial support.  When I questioned this it was mentioned that we also have access to the forums.  My experience with the forums has been poor lately.  I don't know how many times I have posted something on the forums (and I do a lot of reading and research before doing so) and have never received an answer.


Firewalling / Firewall rules and removed interfaces
« on: June 16, 2017, 07:28:00 am »
I noticed something while doing some maintenance on my firewalls.  Recently we made a number of changes to our network which resulted in the removal of about 25 vlans.  Around that time I noticed that I was having some minor issues with the firewalls.  One in particular was annoying.  Every few hours the same port on the main firewall would switch from master to backup and back again, all within a couple of seconds.  I followed a number of recommendations found in the forums on adjusting the base and the skew with no effect.  What seems to have resolved the issue was a firewall rule that I missed related to one of the removed vlans.  Now that I have removed that rule the problem seems to have been resolved.  As a suggestion, would it be possible to have a rule that does not have a valid interface associated with it automatically disabled?  I am wondering now, since that rule was near the top of the list, what else it may have been affecting.
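Added example (mine, not from the post above and not pfSense code): until something like the suggested auto-disable exists, the leftover rules can be found offline by reading the backed-up config.xml (the live copy is /conf/config.xml). Every filter rule carries an `<interface>` element naming an assigned interface (wan, lan, opt1, ...), an interface group, or one of pfSense's pseudo-interfaces such as openvpn; floating rules list several members comma-separated. The check below loads a constructed config fragment, collects every valid name, and reports rules whose interface no longer exists. The interface names, descriptions and the removed "opt7" are invented.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed pfSense-style config.xml fragment (invented, not the poster's
# config); only the elements the check reads are present. opt7 stands for a
# VLAN that was removed from <interfaces> but is still named by two rules.
SAMPLE_CONFIG_XML = """\
<pfsense>
  <interfaces>
    <wan><enable></enable><if>igb0</if></wan>
    <lan><enable></enable><if>igb1</if></lan>
    <opt1><descr>VLAN20</descr><if>igb1_vlan20</if><enable></enable></opt1>
  </interfaces>
  <ifgroups>
    <ifgroupentry><ifname>INTERNAL</ifname><members>lan opt1</members></ifgroupentry>
  </ifgroups>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><descr>VLAN20 out</descr></rule>
    <rule><type>pass</type><interface>opt7</interface><descr>old VLAN70 rule</descr></rule>
    <rule><type>pass</type><floating>yes</floating><interface>lan,opt7</interface><descr>floating, stale member</descr></rule>
    <rule><type>pass</type><interface>INTERNAL</interface><descr>group rule</descr></rule>
    <rule><type>pass</type><interface>openvpn</interface><descr>vpn clients</descr></rule>
  </filter>
</pfsense>
"""

# Names pfSense accepts in <interface> that never appear under <interfaces>.
PSEUDO_INTERFACES = {"openvpn", "ipsec", "enc0", "pppoe", "l2tp", "pptp"}


def known_interface_names(root: ET.Element) -> Set[str]:
    ifaces = root.find("interfaces")
    names = {child.tag for child in ifaces} if ifaces is not None else set()
    names |= {e.findtext("ifname", "") for e in root.findall("./ifgroups/ifgroupentry")}
    return names | PSEUDO_INTERFACES


def stale_interface_rules(config_xml: str, extra_ok: Set[str] = frozenset()) -> List[Dict]:
    """Return the filter rules whose <interface> names something that is not
    assigned, not an interface group and not a pseudo-interface. `extra_ok`
    whitelists names the caller knows are valid on a given installation."""
    root = ET.fromstring(config_xml)
    known = known_interface_names(root) | set(extra_ok)
    findings = []
    for idx, rule in enumerate(root.findall("./filter/rule")):
        iface = (rule.findtext("interface") or "").strip()
        if not iface:                                    # floating rule on every interface
            continue
        members = [m for m in iface.split(",") if m]     # floating rules list members comma-separated
        missing = [m for m in members if m not in known]
        if missing:
            findings.append({"index": idx, "descr": rule.findtext("descr", ""), "missing": missing})
    return findings


if __name__ == "__main__":
    for f in stale_interface_rules(SAMPLE_CONFIG_XML):
        print(f"rule #{f['index']} '{f['descr']}' references missing interface(s): {', '.join(f['missing'])}")
```

The index is the rule's position under `<filter>`, which is the order the rules page shows them in, so a hit near the top is the one to review first.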


Captive Portal / Captive Portal page on wrong subnet
« on: September 30, 2016, 03:47:26 pm »
I am trying to set up captive portal for the first time.
I have the following subnets created

vlan 100 (servers)-
vlan 110 (work)-
vlan 120 (client)-
vlan 130 (Guest)-

Currently I have an NPS server set up to determine which vlan a user gets assigned to.  This works great.  Now what I want to do is, if a user gets bumped to the guest network, use captive portal to have the user log in to get internet access.

I have setup captive portal on vlan 130.  I uploaded a page and when I click view it uses which is the work vlan.   I need it to go to

Any suggestions would be great.

OpenVPN / OpenVPN problems
« on: August 25, 2016, 12:43:27 pm »
I have been researching this for two days now and I don't think I am much closer than I was when I started.

I am trying to set it up so that when a client connects, the Windows logon script for that user runs and sets up their shares.

These are the problems that I am running in to.

1) The client that is exported using the client export utility has to be run as administrator in order to work.  Not everyone has admin privileges.
2) When I try to connect, one of the commands in the logon script is net use \\server\%username%$ - instead of using the login name it wants to use the admin account that the client is run under.
3) I tried using the OpenVpn Manager which eliminates the need to run the program as an administrator but when I run this it does not run the XXXX_up.bat script.

I am using LDAP to authenticate the users.

There has to be an easy way to have a non-admin user connect and automatically have their network drives setup for them.  As I indicated I have been looking for two days.

Installation and Upgrades / Upgrade 2.3.1_1 to 2.3.1_5
« on: June 20, 2016, 04:40:19 pm »
I have four firewalls that I run.  Today I decided to do the upgrade to the latest.  3 of the 4 went well.  The 4th I had to do a complete rebuild.  When it rebooted a message came up about an interface mismatch and it kept starting the command line configuration sequence.  I went through that and then selected option 15 to restore from console.  It restored and showed all my connections and vlans.  When I rebooted I got the same message again about an interface mismatch.  I finally just rebuilt it since I need to put it back into production.

Firewalling / Firewalls and subnets
« on: June 06, 2016, 03:16:19 pm »
I have a question regarding firewall rules and subnets.

If I have a subnet defined using

Can I create a rule for using

I want to be able to take a range of IPs and reserve them for Administration.   

I would test this but I don't have a test environment yet.   I will have one soon though.
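Added example (mine, not from the post above and not pfSense code): the subnet and range in the post did not survive, so this assumes an interface subnet of 192.168.1.0/24 with 192.168.1.200-192.168.1.220 reserved for administration. A rule can name any CIDR that sits inside the interface subnet, and a pfSense alias can hold a range written as first-last, which pfSense expands into CIDR blocks before pf sees it. The code shows that expansion, checks that a rule target really lies inside the subnet, and computes the CIDR blocks covering everything except the admin range, which is what you need when the rule has to apply to the non-admin hosts only.

```python
import ipaddress
from typing import List

# Assumed addressing (the post's own values are missing): a /24 for the
# interface and a non-CIDR-aligned admin range inside it.
SUBNET = "192.168.1.0/24"
ADMIN_FIRST, ADMIN_LAST = "192.168.1.200", "192.168.1.220"


def range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal CIDR cover of an inclusive range, which is also what a pfSense
    alias entry written as first-last turns into for the ruleset."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def within(subnet: str, target: str) -> bool:
    """True when a rule's source/destination CIDR lies inside the interface subnet."""
    return ipaddress.ip_network(target, strict=False).subnet_of(
        ipaddress.ip_network(subnet, strict=False))


def subnet_minus_range(subnet: str, first: str, last: str) -> List[ipaddress.IPv4Network]:
    """CIDR blocks covering every address of `subnet` except first..last."""
    remaining = [ipaddress.ip_network(subnet, strict=False)]
    for hole in range_to_cidrs(first, last):
        if not any(hole.subnet_of(net) for net in remaining):
            raise ValueError(f"{hole} is not inside {subnet}")
        # address_exclude splits the containing block around the hole
        remaining = [piece for net in remaining
                     for piece in (net.address_exclude(hole) if hole.subnet_of(net) else [net])]
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    print("admin alias entries:", [str(n) for n in range_to_cidrs(ADMIN_FIRST, ADMIN_LAST)])
    print("everyone else:      ", [str(n) for n in subnet_minus_range(SUBNET, ADMIN_FIRST, ADMIN_LAST)])
```

The non-aligned range becomes four CIDR entries and its complement six, which is why a range that does not fall on a CIDR boundary is easier to manage as an alias than as hand-written rule networks.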

Installation and Upgrades / Manual Update Option not available
« on: May 27, 2016, 11:12:43 am »
I currently have two c2758 systems that I am building to put into production running 2.3.
I wanted to update them to the latest version but I am not sure how to do it.  The systems currently do not have internet access and won't until I move them into production.
When I go to the update page I get a message that states the system is up to date and I don't have any options for updating the system.  So now how do I update them?

The following is what I have tried so far.
I have gone over the upgrade instructions a number of times but I don't get the options indicated. 
When I go to system/updates, it just tells me that the system is up to date and I have no options.
When I go to the cli and use option 13, it runs and shows it is trying to check the internet for an update, fails and stops.

There has to be a way to update them without doing a backup, full install and then restore.  I have had issues in the past with doing a restore and would prefer to avoid it.

Installation and Upgrades / Upgrade vs new install
« on: April 28, 2015, 03:59:01 pm »
I am wondering about the best option here.
I have two firewalls setup with HA running 2.1.5
Because of the number of changes to pfSense lately, i.e. FreeBSD 10 and moving to StrongSwan, I am wondering if it is better to do a clean installation of the system or an in-place upgrade.

I do know one thing.  I did a clean install on my spare firewall and then tried to restore the config from the production firewalls, and the system would not boot after.  So I would be looking at entering all the settings manually.

Thanks, Gord.

Firewalling / Block incoming URL
« on: July 29, 2014, 02:29:06 pm »
I have been reading up on using alias to block a URL.  I am not sure this will work in my situation but would like to check.

We have a number of URLs using the same external IP address.   We then have a proxy server that redirects according to the address.

We would like to be able to block an external address from accessing just one of these URLs.  From what I have read since the URL resolves to an IP address the result would be that all the URLs would be blocked.  Can someone please verify if this is true.

Thanks  Gordon.

NAT / Avaya IP Office issues
« on: May 15, 2014, 03:35:47 pm »
We have been trying for over a month to get this to work.  We have an Avaya IP Office v9 that we recently installed.  Everything works fine for the people in the office.  We have a couple of people with offices in other cities whose phones we want to connect to the system.  I have spent hours trying to get these phones to register on the system.
When we try the STUN server we get "Blocking Firewall" and we believe that is the root of the problem.

In our current setup we have a /29 on the WAN interface.  One of the public IPs is set up using 1:1 NAT to the IP Office IP.  I have the following ports open on the WAN:
UDP:      1701, 1718-1720, 49152-53247, 69
TCP:      5061, 50805, 8443
TCP/UDP:  50802, 50804, 50812, 50798, 5060, 50798, 50794

I can see where the packets are coming and leaving but for some reason nothing works.

Does anyone have a working configuration that they are willing to share?  That would be great.

NAT / Port Forwarding & 1:1 NAT
« on: February 20, 2014, 09:45:07 am »
I am fairly new to pfsense and have a question regarding port forwarding & 1:1 NAT.
We currently have a /28 subnet for our WAN connection but are getting short on public IP addresses.  In our current setup we are just using 1:1 NAT and no port forwarding.  I am looking at possibly using port forwarding to take better advantage of our subnet.


I would like to take two of our external addresses that don't see a lot of use and combine them to free up a public IP.
Currently we have a 1:1 NAT for our video conferencing system and one for FTP.  Neither see a lot of usage.  Would I be able to set these up using port forwarding instead of 1:1 NAT?  How would it work for the video conferencing system that uses multiple ports?


Traffic Shaping / Limit by VLAN
« on: February 14, 2014, 10:19:05 am »
Our setup includes one 50/50MB WAN connection, and 11 lan connections.  We currently have approximately 8 clients using one of the interfaces.  We started having issues where some clients were killing our bandwidth so we implemented traffic limiters.  I am just not sure if it has been done correctly.

I created two limiters for each vlan - one in and one out.
I then assigned the limiter to each of the rules created for each of the vlans. 

I gave an example of the rules with the limiters applied to each one.  Each vlan is set up similarly.  Is there a better way to do this?

I don't want to limit by user.  I want each vlan to be limited.  So if I assign the vlan 8/8MB they all share that bandwidth.

Thanks Gordon

