
Topics - hege

Post a bounty / [SOLVED] $50 Fix my routing issue
« on: December 07, 2017, 03:57:41 am »
I need some (urgent) help with my routing issue.

I would prefer PayPal.

I solved it myself. (more in the link above)

IPsec / site-to-site wan traffic through site B BUT with exceptions
« on: November 20, 2017, 12:03:42 pm »

I want to route all my internet traffic through site B, but I have to make some exceptions.

To do this I made a simple S2S setup - LAN<-> with traffic rules to allow the traffic.

At this point I'm able to connect to internet sites with my public IP on site B, but now I need to make an exception for IP

I thought I could do this by simply adding a firewall rule on site A and specifying the gateway, but this doesn't work - all traffic from site A (LAN to WAN) goes to site B.


   WAN - A                          WAN - B
      |                                |
      |           S2S ipsec            |
   FW - Site A  --------------  FW - Site B
      |                                |
   LAN (                          LAN (

I also tried using the usual P2 setting LAN-A <-> LAN-B but added an additional gateway (with the property "allow outside interface range" on), but this also does not work.

All help is gratefully accepted.

Traffic Shaping / Borrow and Guarantee Bandwidth per Interface
« on: February 21, 2017, 12:09:15 pm »

my setup:

WAN (100/100Mb)
|          |           |
Top1   Top2     Top3

Top1 pays for 30Mb
Top2 pays for 50Mb
Top3 pays for 20Mb

Currently I have a simple CBQ shaping setup with the borrow option enabled, but that only allows me to upload at 100Mb (if available) and download at the paid bandwidth.
As far as I know, I simply need to create a bridge with Top1-3 as members and apply the shaper to the bridge, but my problem is that Top1-3 are defined as VLANs and I have no other option except VLAN.
So I tried enabling the bridge and also set the pf filter option for the bridge in the tunables, but the bridge does not seem to get the traffic.

Any idea what I made wrong?

General Questions / 10Gbps - pfSense 3.4Gbps / Ubuntu 9.4Gbps ??
« on: December 14, 2015, 01:20:17 pm »

I only get around 3.4 Gbps with my setup (only 4.4 Gbps with pfctl -d / pfSense 2.2.5).
With Ubuntu 14.04 I get 9.4 Gbps.

Setup (both systems are identical):
CPU: Intel i5-4590 @ 3.3 GHz
RAM: 2x 8 GB
HDD: 120 GB SSD
NIC: Intel X520-DA2

PC1 <- X520-DA2 -> PC2

Used commands:
Server: iperf -s
Client: iperf -c SERVER -t 10

Changed settings:

sysctl hw.intr_storm_threshold=10000

What did I do wrong, what have I forgotten?

Packages / 2.3.3 -> 2.2.4 nrpe2 service can't start
« on: July 31, 2015, 11:02:08 am »

After upgrading I now have an issue with a package (NRPE v2).

The script /usr/local/etc/rc.d/ has the line ". /etc/rc.subr", but this command exits with an error:
mount: : No such file or directory
/etc/rc.subr: WARNING: : Unable to mount devfs on


IPsec / [Solved] IPSec 2.2.2 -> 2.2.3 Connected but no traffic
« on: June 25, 2015, 12:50:27 pm »
I upgraded 3 of my boxes to 2.2.3 and now my S2S tunnels don't allow traffic (in any direction).

B -> A <-C

Mobile VPN still working. (Edit: that was because on box C, where I tested Mobile VPN, AES-NI is disabled.)

RSA / AES256 / SHA256 / DH5
3 P2 entries (tried it with only 1 - same issue)

Anyone else with the same issue? I currently don't have time for further testing.


As a workaround I deactivated AES-NI as suggested in

Post a bounty / [Completed] Working eap-tls / pfSense 2.2 - $100 USD
« on: January 13, 2015, 02:34:18 pm »

I'd like to see a working EAP-TLS VPN implementation for mobile clients in pfSense 2.2, so I'm able to connect from Windows Phone or Windows 8.1 with OOB features.

ermal already pushed a first implementation of EAP-TLS (thank you), but this implementation is currently not usable the way I want to use it.

The current implementation generates a config with

leftauth = eap-tls
rightauth = eap-tls

but that's not supported by WP and Win8. (

I was able to connect from WP8 with this config:

ike = aes256-sha256-modp1024!
esp = aes256-sha256!
leftauth = pubkey
rightauth = eap-tls
right = %any
eap_identity = "C=XX, ST=XXXXX, L=XXXX, O=XXXXX, OU=XXXXXX, CN=*, E=*"

I think you can choose a different value for eap_identity, but I don't know.

Requirements for success:
  • A working GUI configuration in pfSense 2.2 with certificate validation. pfSense/strongSwan should accept all certs with EKU "Client Authentication" ( created by a chosen certificate authority
  • The patch/code must be included in the main branch for pfSense 2.2

Working EAP-TLS VPN setup now possible, thank you very much ermal!

Cert requirements:
  • Full trust of the chain (the Root CA has to be installed on the client)
  • The pfSense server cert needs the EKU "Server Authentication", and the FQDN in the Subject Alternative Names
  • The pfSense client cert needs the EKU "Client Authentication", and the CN name as a FQDN in the SAN
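
The acceptance decision the post's certificate requirements and eap_identity pattern add up to, as an added example (not pfSense or strongSwan code, and not the poster's): the DN wildcard matching assumes strongSwan's documented semantics, where an RDN value of "*" matches any value and RDNs are compared in order and number; the certificate fields and names below are constructed sample data.

```python
"""Model of the server-side acceptance decision for the EAP-TLS mobile setup
described in the post above.  Added example, not pfSense or strongSwan code.
Assumption: the eap_identity pattern is matched like a strongSwan wildcard DN,
i.e. RDNs are compared in order and number and a value of '*' matches any
value of that RDN.  All certificate fields below are constructed sample data."""

import re

EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

# Attribute-type spellings that denote the same RDN.
_ATTR_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}


def parse_dn(dn):
    """Split an RFC 4514-style DN ('C=XX, ST=Foo, CN=*') into (type, value) pairs.
    A comma escaped as backslash-comma stays inside the value."""
    rdns = []
    for part in re.split(r"(?<!\\),\s*", dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        attr = attr.strip().upper()
        rdns.append((_ATTR_ALIASES.get(attr, attr), value.strip().replace("\\,", ",")))
    return rdns


def dn_matches(pattern, subject):
    """True if the certificate subject DN matches the wildcard pattern DN."""
    pat, sub = parse_dn(pattern), parse_dn(subject)
    if len(pat) != len(sub):
        return False
    for (pa, pv), (sa, sv) in zip(pat, sub):
        if pa != sa or (pv != "*" and pv != sv):
            return False
    return True


def cn_of(subject):
    return next((v for a, v in parse_dn(subject) if a == "CN"), None)


def check_client_cert(cert, eap_identity):
    """Reasons a client certificate would be rejected; an empty list means accepted."""
    problems = []
    if not cert["chain_trusted"]:
        problems.append("chain not trusted (issuer is not the chosen CA)")
    if EKU_CLIENT_AUTH not in cert["eku"]:
        problems.append("missing EKU clientAuth")
    cn = cn_of(cert["subject"])
    if cn is None or cn not in cert["san_dns"]:
        problems.append("CN is not present as a DNS SAN")
    if not dn_matches(eap_identity, cert["subject"]):
        problems.append("subject does not match eap_identity")
    return problems


def check_server_cert(cert, fqdn):
    """Reasons the pfSense server certificate would be rejected by the Windows client."""
    problems = []
    if EKU_SERVER_AUTH not in cert["eku"]:
        problems.append("missing EKU serverAuth")
    if fqdn not in cert["san_dns"]:
        problems.append(f"FQDN {fqdn} not in SAN")
    return problems


# The pattern from the post; the certificates are constructed for this example.
EAP_IDENTITY = "C=XX, ST=XXXXX, L=XXXX, O=XXXXX, OU=XXXXXX, CN=*, E=*"

GOOD_CLIENT = {
    "subject": "C=XX, ST=XXXXX, L=XXXX, O=XXXXX, OU=XXXXXX, CN=phone1.vpn.example, E=user@example",
    "eku": {EKU_CLIENT_AUTH},
    "san_dns": {"phone1.vpn.example"},
    "chain_trusted": True,
}
WRONG_OU_CLIENT = dict(GOOD_CLIENT, subject=GOOD_CLIENT["subject"].replace("OU=XXXXXX", "OU=OTHER"))
NO_SAN_CLIENT = dict(GOOD_CLIENT, san_dns=set())
SERVER = {"eku": {EKU_SERVER_AUTH}, "san_dns": {"vpn.example"}}

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CLIENT), ("wrong OU", WRONG_OU_CLIENT), ("no SAN", NO_SAN_CLIENT)):
        print(name, check_client_cert(cert, EAP_IDENTITY) or "accepted")
    print("server", check_server_cert(SERVER, "vpn.example") or "accepted")
```

The wildcard pattern is what makes "CN=*, E=*" accept every client certificate from the chosen CA while still pinning C/ST/L/O/OU; tightening OU to a dedicated value is the cheap way to keep other certificates issued by the same CA out of the VPN.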

2.2 Snapshot Feedback and Problems - RETIRED / ipsec v1 - no traffic
« on: October 14, 2014, 02:55:01 pm »

I can't send traffic over my IPsec connection with 2.2 (I have tried every snapshot for the last 2 months).
If I use the same setup with 2.1.5, I can send traffic immediately.

The only difference I've found is the route with the current 2.2

Complete fresh installation (without importing anything)
IPsec v1 Mobile Client

Mobile clients: Virtual address pool: / Provide a list of accessible networks to clients

 PH1: v1 / Mutual PSK / Aggressive / AES256 / SHA1 / DH5 / DPD / NAT-T enabled
 PH2: Tunnel IPv4 / LAN subnet / ESP / AES256 / SHA1 / PFS5

pfSense 2.2 / WAN Static IP / LAN:
Shrew Soft Client / behind a pfSense 2.1 / LAN:

I've already created rules to allow all protocols on the WAN, LAN and IPsec interfaces... (not necessary, I know)

setkey -D

        esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
        E: rijndael-cbc  234b1565 3c132fe5 4dbb2852 00226f69 2e2cc005 69afdee9 6a6dae7d b0ca2d2a
        A: hmac-sha1  a1ae239a 277baa0d 95b8376a b394072a a8c5e820
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
        diff: 23(s)     hard: 3600(s)   soft: 2592(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=51565 refcnt=1
        esp mode=any spi=3416878343(0xcba96d07) reqid=1(0x00000001)
        E: rijndael-cbc  ffd4f217 207506d5 fd1b885e b5a7da35 6f23db1c 79e94d42 58b2fb77 000385b5
        A: hmac-sha1  71f401ee bdaace50 ba876af8 faf14c78 ef2190a3
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
        diff: 23(s)     hard: 3600(s)   soft: 2653(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=51565 refcnt=1
        esp mode=any spi=3303778327(0xc4eba817) reqid=1(0x00000001)
        seq=0x00000000 replay=0 flags=0x00000000 state=larval
        sadb_seq=0 pid=51565 refcnt=1

netstat -r

Routing tables

Destination        Gateway            Flags    Netif Expire
default            93-129-14-17.rev.i UGS       hn0
                   link#6             U         hn1
fw20               link#6             UHS       lo0
                   link#5             U         hn0
93-129-14-20.rev.i link#5             UHS       lo0
localhost          link#3             UH        lo0
                   93-129-14-17.rev.i UGHS      hn0


# This file is automatically generated. Do not edit
config setup
        uniqueids = yes
        charondebug="ike 2"

conn con1
        aggressive = yes
        fragmentation = yes
        keyexchange = ikev1
        reauth = yes
        rekey = yes
        reqid = 1
        installpolicy = yes
        type = tunnel
        dpdaction = clear
        dpddelay = 10s
        dpdtimeout = 60s
        auto = add
        left =
        right = %any
        leftid =
        ikelifetime = 28800s
        lifetime = 3600s
        rightsourceip =
        rightsubnet =
        leftsubnet =
        ike = aes256-sha1-modp1536!
        esp = aes256-sha1-modp1536!
        leftauth = psk
        rightauth = psk

Any ideas?
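
Reading the setkey -D dump above by its counters, as an added example (not from the post and not pfSense code; the sample input is the dump posted above, minus the src/dst address lines that are also missing from the post): both ESP SAs are in state=mature, so IKE negotiation succeeded, but "current: 0(bytes)" on each means no packet has been encrypted or decrypted through them, and the third entry is still larval.

```python
"""Read the per-SA counters out of a `setkey -D` dump.  Added example, not from
the post or from pfSense; SAMPLE_DUMP is the dump posted above (the src/dst
address lines are missing from the post as well).  A mature SA with a zero byte
counter means the tunnel is established but no traffic has ever used it."""

import re

SAMPLE_DUMP = """\
        esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
        E: rijndael-cbc  234b1565 3c132fe5 4dbb2852 00226f69 2e2cc005 69afdee9 6a6dae7d b0ca2d2a
        A: hmac-sha1  a1ae239a 277baa0d 95b8376a b394072a a8c5e820
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
        diff: 23(s)     hard: 3600(s)   soft: 2592(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=51565 refcnt=1
        esp mode=any spi=3416878343(0xcba96d07) reqid=1(0x00000001)
        E: rijndael-cbc  ffd4f217 207506d5 fd1b885e b5a7da35 6f23db1c 79e94d42 58b2fb77 000385b5
        A: hmac-sha1  71f401ee bdaace50 ba876af8 faf14c78 ef2190a3
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
        diff: 23(s)     hard: 3600(s)   soft: 2653(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=51565 refcnt=1
        esp mode=any spi=3303778327(0xc4eba817) reqid=1(0x00000001)
        seq=0x00000000 replay=0 flags=0x00000000 state=larval
        sadb_seq=0 pid=51565 refcnt=1
"""

# "esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)"
_SA_HEADER = re.compile(r"^(\w+) mode=(\S+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")


def parse_setkey_dump(text):
    """One dict per SA: proto, mode, spi, reqid, state, algorithms, byte counter and age."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SA_HEADER.match(line)
        if m:
            cur = {"proto": m.group(1), "mode": m.group(2), "spi": int(m.group(3)),
                   "reqid": int(m.group(4)), "state": None, "enc": None, "auth": None,
                   "bytes": None, "age_s": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("seq="):
            cur["state"] = re.search(r"state=(\w+)", line).group(1)
        elif line.startswith("E: "):
            cur["enc"] = line.split()[1]
        elif line.startswith("A: "):
            cur["auth"] = line.split()[1]
        elif line.startswith("diff: "):
            cur["age_s"] = int(re.match(r"diff: (\d+)\(s\)", line).group(1))
        elif line.startswith("current: ") and "(bytes)" in line:
            # The "created: ... current: <time>" line does not start with "current:".
            cur["bytes"] = int(re.match(r"current: (\d+)\(bytes\)", line).group(1))
    return sas


def idle_mature_sas(sas, min_age_s=10):
    """Mature SAs older than min_age_s that have never carried a byte: IKE is fine,
    the packets are not reaching IPsec (look at routing/policy, not at negotiation)."""
    return [sa for sa in sas if sa["state"] == "mature" and sa["bytes"] == 0
            and (sa["age_s"] or 0) >= min_age_s]


def summarize(sas):
    return [f"{sa['proto']} spi=0x{sa['spi']:08x} reqid={sa['reqid']} state={sa['state']} "
            f"enc={sa['enc']} auth={sa['auth']} bytes={sa['bytes']} age={sa['age_s']}s"
            for sa in sas]


if __name__ == "__main__":
    sas = parse_setkey_dump(SAMPLE_DUMP)
    print("\n".join(summarize(sas)))
    print("idle mature SAs:", [hex(sa["spi"]) for sa in idle_mature_sas(sas)])
```

On a live box the same check is useful next to `setkey -DP` (the policy side): SAs with zero bytes plus a default route that does not match what 2.1.5 installs point at the packets never being selected for the tunnel.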

General Questions / IPsec v2 - EAP-TLS Support
« on: September 11, 2014, 05:02:51 pm »
Does IPsec v2 (IKEv2) have EAP-TLS support?
If not, it would be nice, so we could use an IKEv2 VPN from Windows Phone / and the native VPN connection in Windows 7+ without any other software installed.

Windows Phone only supports PEAP-MSCHAPv2 and EAP-TLS

Post a bounty / Bounty - DLNA over OpenVPN (tun) ($75) or IPSec ($50)
« on: April 26, 2014, 08:27:05 am »

I want to use my DLNA server (Plex Media Server) over VPN, if possible over OpenVPN with the tun device.
I tried to configure it for several days, but with no success.

I have 1 main location (with the DLNA server) and 2 guest locations, both connected to the main location via OpenVPN (tun) S2S.
At each location a pfSense 2.1.2 instance is the router/gateway.

I tried this one, but it doesn't work for me (pfSense with IPSec)

Not working at the moment:
  • LG Smart TV can't find the DLNA server (from both guest locations)
  • Windows and VLC can't find the DLNA server

Languages: German and English (German preferred)

I hope someone can assist me with that.
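
The discovery step that fails in this post, as an added example (not from the post and not Plex or pfSense code): DLNA clients find servers with an SSDP M-SEARCH sent to the multicast group 239.255.255.250:1900, which a routed OpenVPN tun or IPsec tunnel does not forward, so a client at a guest site never hears the server. UPnP also allows the same M-SEARCH to be sent by unicast to a known server address, and a unicast datagram does cross the tunnel. The response below is constructed sample data and the addresses are documentation ranges.

```python
"""SSDP, the discovery step a DLNA client (an LG TV, VLC, Windows) runs before it
can list a media server.  Added example, not from the post or from Plex/pfSense.
The M-SEARCH goes to multicast 239.255.255.250:1900, which a routed tun/IPsec
tunnel does not forward; a unicast M-SEARCH to the server's address does cross
the tunnel.  SAMPLE_RESPONSE is constructed; addresses are documentation ranges."""

import ipaddress
import socket
from urllib.parse import urlsplit

SSDP_GROUP = ("239.255.255.250", 1900)
ST_MEDIASERVER = "urn:schemas-upnp-org:device:MediaServer:1"


def build_msearch(st=ST_MEDIASERVER, mx=2, host=SSDP_GROUP):
    """Serialise an M-SEARCH (HTTP/1.1 syntax over UDP, CRLF line ends, empty line terminator)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {host[0]}:{host[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse an HTTPU response into (status_code, headers); header names are upper-cased."""
    head = data.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTPU response: " + status_line)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return int(parts[1]), headers


def location_host(headers):
    """The address in LOCATION, where the client fetches the device description;
    for a client at a guest site this must be routable over the S2S tunnel."""
    loc = headers.get("LOCATION")
    return urlsplit(loc).hostname if loc else None


def reachable_only_via_tunnel(host, client_subnet):
    """True when the advertised address lies outside the client's own subnet."""
    return ipaddress.ip_address(host) not in ipaddress.ip_network(client_subnet)


def discover_unicast(server_ip, timeout=2.0):
    """Send the M-SEARCH straight to the server instead of the multicast group.
    Does network I/O; not used by the offline sample below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_msearch(host=(server_ip, 1900)), (server_ip, 1900))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    return parse_ssdp_response(data)


# Constructed reply in the shape a media server sends back to an M-SEARCH.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:32469/DeviceDescription.xml\r\n"
    b"SERVER: UPnP/1.0 DLNADOC/1.50\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, hdrs = parse_ssdp_response(SAMPLE_RESPONSE)
    host = location_host(hdrs)
    print(status, hdrs["ST"], host)
    # A client on a guest-site LAN 198.51.100.0/24 reaches the server only over the S2S tunnel.
    print("via tunnel:", reachable_only_via_tunnel(host, "198.51.100.0/24"))
```

A TV or VLC will not send the unicast variant on its own; in practice the fix is either an SSDP relay/proxy at the guest site that re-emits the server's announcements on the local LAN, or an OpenVPN tap bridge so the guest LAN is in the same broadcast/multicast domain as the server.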
