Topics - AndrewZ

1
DHCP and DNS / Split DNS with Resolver
« on: January 11, 2018, 11:55:56 am »
I have multiple subnets like 192.168.1.0, 192.168.2.0, etc.
For the NTP server I have a hostname assigned in DNS which points to 192.168.1.1.
What I want to do is to respond with a different IP depending on who is asking, i.e. for a request from 192.168.2.X DNS should respond with 192.168.2.1 instead of 192.168.1.1.
Is that possible?
 

2
OpenVPN / CRL not saved for a client connection (2.4.1)
« on: November 13, 2017, 04:56:07 am »
Just noticed that the CRL is empty for an OpenVPN client connection I have.
The CRL itself was imported into Cert.Manager some time ago and it was selected in a drop-down for that connection earlier.
I've re-selected the CRL in the connection settings again and saved - the field in question is still empty when I'm checking back.

3
Installation and Upgrades / ssh changes in 2.3.2 ?
« on: July 26, 2016, 02:40:16 am »
The update went smoothly, but afterwards I'm not able to access the router via ssh from Windows with the Java-based Mindterm. Linux ssh still works. It was a problem with PuTTY too, but updating the binary resolved the issue.
From the logs:
Quote:
Connection closed by 192.168.5.61 port 51532 [preauth]

Mindterm:
Code:
Error generating DiffieHellman keys: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)
Any suggestion?

4
DHCP and DNS / FreeDNS Dynamic DNS changes
« on: May 27, 2016, 01:38:59 pm »
There is a new version 2 of the dynamic update interface available since February 17, 2016.

The default option is Randomized Update Token; in order to use it we have to pick Custom as the Service Type in pfSense.

The Update URL looks like http://sync.afraid.org/u/{token}/ (https supported as well)

Will be great to have this new format natively supported in pfSense.

5
Installation and Upgrades / {packagename} installation failed
« on: April 18, 2016, 12:50:59 pm »
One more (cosmetic?) problem after upgrade.
Installed 'blinkled' today, got the 'installation failed' message in the Web UI while installing. No error in the installation log.
The same happened a few days ago when I reinstalled pfBlockerNG and openvpn-client-export right after the system upgrade.

No errors in the system log:
Code:
Apr 18 10:33:51 pkg pfSense-pkg-blinkled-0.4.7_1 installed
Apr 18 10:33:51 php /etc/rc.packages: Successfully installed package: blinkled.
Apr 18 10:33:43 php /etc/rc.packages: Beginning package installation for blinkled .

pfBlockerNG and openvpn-client-export are working fine for a few days already, so I suppose it's a minor cosmetic issue.

6
Firewalling / Default deny rule
« on: July 25, 2015, 11:24:49 am »
Just noticed that some traffic has been blocked on LAN interface by "Default deny rule".
Why is that? How can I see the actual rule?
Thanks!

7
General Questions / wrong time
« on: January 20, 2015, 11:30:32 am »
Current date/time    : Tue Jan 20 20:26:54 MSK 2015

Running a packet capture and see 8:22pm and 21:22 on the same screen.
Attaching a screenshot from Diagnostics - Packet capture.

Edit: pretty much the same situation in a system log (timestamp should be 20:15:10):
Code:
Jan 20 21:15:10 php-fpm[4249]: /index.php: Successful login for user 'admin' from:

8
2.1.1 Snapshot Feedback and Problems - RETIRED / still SIP unfriendly
« on: March 02, 2014, 02:39:23 am »
Is it still possible to call the user's script on a filter reload with the current version?
With the previous version(s) I used
Code:
<afterfilterchangeshellcmd>/usr/local/etc/rc.d/reset_state.sh</afterfilterchangeshellcmd>
where reset_state.sh was a script which kills all the states.

The problem is that today, after a short ISP outage, I got via DHCP the same WAN IP with the same gateway IP as before, and SIP registrations from my server were not possible until I manually killed the states through the web GUI.
My understanding is that the states now get killed automatically only if the WAN IP gets changed.


9
I've upgraded to the latest version after my vacation and noticed that I cannot copy my script anymore as I did before:
Code:
[2.0-RC3][root@gw.lan]/root(4): cp /cf/conf/reset_state.sh /usr/local/etc/rc.d/
cp: /usr/local/etc/rc.d/reset_state.sh: Read-only file system
[2.0-RC3][root@gw.lan]/root(5):

Something changed?
Thanks!

10
Hello

Running 2.0-RC2 (i386) built on Thu Jun 9 20:28:39 EDT 2011, had the same issue with 2 or 3 previous snapshots as well.
No DynDNS update, 'Unknown Response' logged:

Code:
Jun 10 10:53:50 php: /services_dyndns_edit.php: phpDynDNS: (Unknown Response)
Jun 10 10:53:50 php: /services_dyndns_edit.php: phpDynDNS: PAYLOAD: Resource id #65
Jun 10 10:53:50 php: /services_dyndns_edit.php: DynDns: Current Service: dyndns
Jun 10 10:53:50 php: /services_dyndns_edit.php: DynDns: DynDns _checkStatus() starting.
Jun 10 06:53:49 check_reload_status: Syncing firewall
Jun 10 10:53:49 php: /services_dyndns_edit.php: DynDns: DynDns _update() starting.
Jun 10 10:53:49 php: /services_dyndns_edit.php: DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: X.X.X.189 WAN IP: X.X.X.174
Jun 10 10:53:49 php: /services_dyndns_edit.php: DynDns: Current WAN IP: X.X.X.174 Cached IP: X.X.X.189
Jun 10 10:53:49 php: /services_dyndns_edit.php: DynDns debug information: X.X.X.174 extracted from local system.
Jun 10 10:53:49 php: /services_dyndns_edit.php: DynDns: updatedns() starting
Jun 10 10:53:38 php: /services_dyndns_edit.php: phpDynDNS: (Unknown Response)
Jun 10 10:53:38 php: /services_dyndns_edit.php: phpDynDNS: PAYLOAD: Resource id #65
Jun 10 10:53:38 php: /services_dyndns_edit.php: DynDns: Current Service: dyndns
Jun 10 10:53:38 php: /services_dyndns_edit.php: DynDns: DynDns _checkStatus() starting.
Jun 10 06:53:37 check_reload_status: Syncing firewall
Jun 10 10:53:37 php: /services_dyndns_edit.php: DynDns: DynDns _update() starting.
Jun 10 10:53:37 php: /services_dyndns_edit.php: DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: X.X.X.189 WAN IP: X.X.X.174
Jun 10 10:53:37 php: /services_dyndns_edit.php: DynDns: Current WAN IP: X.X.X.174 Cached IP: X.X.X.189
Jun 10 10:53:37 php: /services_dyndns_edit.php: DynDns debug information: X.X.X.174 extracted from local system.
Jun 10 10:53:37 php: /services_dyndns_edit.php: DynDns: updatedns() starting

11
General Questions / right location for custom scripts
« on: May 23, 2011, 04:32:50 am »
Hello

What will be the right location for my own scripts?
I don't want to lose my files after upgrades.

Thanks

12
Hello

Running 2.0-RC1 (i386) built on Fri Apr 8 19:08:10 EDT 2011, Platform nanobsd (1g)
The same issues observed with a few previous builds, last known good for me is 2.0-RC1 (i386) built on Thu Apr 7 00:04:17 EDT 2011

1. ISP's DNS servers are not assigned anymore (DHCP on WAN). Have to statically configure servers.
From the log:
Code:
Apr 9 12:04:29 dhclient: BOUND
Apr 9 12:04:29 kernel: arpresolve: can't allocate llinfo for 188.x.x.1
Apr 9 12:04:29 dhclient[3220]: unknown dhcp option value 0xf9
Apr 9 12:04:29 dhclient[3220]: unknown dhcp option value 0xf9
Apr 9 12:04:29 dhclient[3220]: DHCPACK from 188.x.x.1
Apr 9 12:04:29 dhclient[3220]: DHCPREQUEST on vr1 to 255.255.255.255 port 67
Apr 9 12:04:29 kernel: arpresolve: can't allocate llinfo for 188.x.x.1
- not present with the older version(s).

2. In Diagnostics - Packet Capture:
Packet Capture is running. Only Stop button is available. No "Download" after pressing Stop. Going away from the page and back - Packet Capture is running. This repeats on every access attempt to that page.

13
Hello

Just observed really weird behavior with the last snapshot (2.0-RC1 (i386) built on Sun Mar 13 07:27:46 EDT 2011).

WAN ip changed like 15 mins ago, but according to the packet capture on WAN the old ip is still used as a source for NATed packets!
Code:
Mar 14 20:41:57 dnsmasq[62415]: using nameserver x.x.x.x#53
Mar 14 20:41:57 dnsmasq[62415]: using nameserver x.x.x.x#53
Mar 14 20:41:57 dnsmasq[62415]: reading /etc/resolv.conf
Mar 14 20:41:48 php: : Resyncing OpenVPN instances for interface WAN.
Mar 14 20:41:43 php: : Gateways status could not be determined, considering all as up/active.
Mar 14 20:41:42 php: : Gateways status could not be determined, considering all as up/active.
Mar 14 20:41:42 php: : phpDynDNS: (Success) IP Address Changed Successfully! (x.x.166.205)
Mar 14 20:41:42 php: : phpDynDNS: updating cache file /conf/dyndns_wandyndns'xxxxx.homedns.org'.cache: x.x.166.205
Mar 14 20:41:42 php: : DynDns debug information: x.x.166.205 extracted from local system.
Mar 14 20:41:42 php: : DynDns: _checkIP() starting.
Mar 14 20:41:42 php: : DynDns: Current Service: dyndns
Mar 14 20:41:42 php: : DynDns: DynDns _checkStatus() starting.
Mar 14 20:41:41 php: : DynDns: DynDns _update() starting.
Mar 14 20:41:41 php: : DynDns debug information: DynDns: cacheIP != wan_ip. Updating. Cached IP: x.x.34.82 WAN IP: x.x.166.205
Mar 14 20:41:41 php: : DynDns: Cached IP: x.x.34.82
Mar 14 20:41:41 php: : DynDns: Current WAN IP: x.x.166.205
Mar 14 20:41:41 php: : DynDns debug information: x.x.166.205 extracted from local system.
Mar 14 20:41:41 php: : DynDns: _checkIP() starting.
Mar 14 20:41:41 php: : DynDns: _detectChange() starting.
Mar 14 20:41:40 php: : DynDns: updatedns() starting
Mar 14 20:41:40 php: : DynDns: Running updatedns()
Mar 14 20:41:39 apinger: Starting Alarm Pinger, apinger(29815)
Mar 14 17:41:39 check_reload_status: reloading filter
Mar 14 17:41:38 check_reload_status: reloading filter
Mar 14 20:41:38 apinger: Exiting on signal 15.
Mar 14 20:41:38 php: : ROUTING: change default route to x.x.160.1
Mar 14 17:41:33 check_reload_status: Rewriting resolv.conf
Mar 14 20:41:33 apinger: ALARM: GW_WAN(x.x.32.1) *** down ***

20:55 and later I still see in wireshark:
Internet Protocol, Src: x.x.34.82 (x.x.34.82), Dst: ...

14
Hello

Already spent some time searching... Can anybody point me to a step-by-step MultiWAN configuration (for fallback only) in 2.0?

To be more specific - do I need to manually clone any existing NAT and/or firewall rule from WAN1 to WAN2 ? Currently I'm using Advanced Outbound Nat on WAN1.

Thanks!

15
Too bad... This issue was fixed in 1.2.3 by the additional package (fit123), but for some reason it is still present in 2.0!
I'm running the latest snapshot - 2.0-RC1 (i386) built on Sun Mar 6 03:41:16 EST 2011

Single WAN is configured for PPPoE, my WAN IP address just changed but I still see the old one (91.79.X.X) in the table:
Code:
udp 192.168.5.77:5060 -> 91.79.X.X:5060 -> 213.85.Y.Y:5060 SINGLE:NO_TRAFFIC
udp 192.168.5.77:5060 -> 91.79.X.X:5060 -> 212.53.Z.Z:5060 SINGLE:NO_TRAFFIC
udp 192.168.5.210:123 -> 91.79.X.X:24304 -> 213.141.Q.Q:123 SINGLE:NO_TRAFFIC

As a result my SIP client cannot register to external servers. I had to manually remove those entries from the table.
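Posts 13 and 15 above describe the same failure mode: after a WAN address change, outbound NAT states still carry the old public address, so traffic keeps leaving with a stale source until those states are killed. The following is an added example (not code from the posts or from pfSense) that parses state-table lines in the format shown above and flags the entries whose translated address no longer matches the current WAN IP; the sample lines and addresses are constructed, and the script assumes the three-hop `src -> nat -> dst` layout seen in the post.

```python
"""Flag pf state-table entries whose outbound NAT address is stale (added example)."""
import re
from ipaddress import ip_address

# Constructed sample in the Diagnostics > States layout quoted in the post:
# proto src:port -> translated:port -> dst:port STATE:STATE.  The middle hop is the
# post-NAT source and is only present for states created through a NAT rule.
SAMPLE_STATES = """\
udp 192.168.5.77:5060 -> 203.0.113.45:5060 -> 198.51.100.7:5060 SINGLE:NO_TRAFFIC
udp 192.168.5.77:5060 -> 203.0.113.45:5060 -> 198.51.100.9:5060 SINGLE:NO_TRAFFIC
udp 192.168.5.210:123 -> 203.0.113.45:24304 -> 198.51.100.123:123 SINGLE:NO_TRAFFIC
tcp 192.168.5.20:49211 -> 203.0.113.210:49211 -> 198.51.100.80:443 ESTABLISHED:ESTABLISHED
tcp 192.168.5.61:51532 -> 192.168.5.1:22 ESTABLISHED:ESTABLISHED
"""

_STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>\S+):(?P<sport>\d+)"
    r"\s+->\s+(?P<mid>\S+):(?P<mport>\d+)"
    r"(?:\s+->\s+(?P<dst>\S+):(?P<dport>\d+))?"
    r"\s+(?P<state>\S+)$"
)


def _host(addr):
    """Strip the brackets pf prints around IPv6 literals so ip_address() accepts them."""
    return addr.strip("[]")


def parse_state(line):
    """Return one state as a dict (nat is None when the state was not translated)."""
    m = _STATE_RE.match(line.strip())
    if not m:
        return None
    translated = m.group("dst") is not None
    return {
        "proto": m.group("proto"),
        "src": _host(m.group("src")),
        "nat": _host(m.group("mid")) if translated else None,
        "dst": _host(m.group("dst")) if translated else _host(m.group("mid")),
        "state": m.group("state"),
        "line": line.strip(),
    }


def stale_nat_states(lines, current_wan_ip):
    """States from private sources whose translated address is not the current WAN IP."""
    wan = ip_address(current_wan_ip)
    stale = []
    for line in lines:
        st = parse_state(line)
        if st is None or st["nat"] is None:
            continue  # unparsable, or a plain (untranslated) state
        if ip_address(st["src"]).is_private and ip_address(st["nat"]) != wan:
            stale.append(st)
    return stale


if __name__ == "__main__":
    # Current WAN IP is assumed to be 203.0.113.210 in this constructed scenario.
    for st in stale_nat_states(SAMPLE_STATES.splitlines(), "203.0.113.210"):
        print(st["line"])
```

On a live box the input would be the output of the states page or `pfctl -ss`, and the flagged lines are the ones a user like the post's author would remove by hand.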
