

Topics - rowebil

I just got to play around with IPv6 and what a nightmare.
I've been using IPv4 for so long, passed ALL college classes with 100%'s, students shocked when I was done first and the professor smiled after grading a test with 100%, etc.
I've been doing this my entire life.

Now I am using IPV6 and the learning curve is like coming from Dreamweaver to Drupal.

I learned that IPv6 does not need NAT, it's typically automatically assigned in most cases, and it's complicated for me lol.
I am going to keep this short and hopefully you guys can surprise me with some answers.

My home network consists of pfSense - Windows Active Directory, Windows DHCP, and Windows DNS.
Works flawlessly.
To be honest, there are more settings on pfSense DHCP and DNS than Windows, but people told me to stick with Windows because it's more seamless.

I followed a tutorial on setting up IPv6.

I have pfSense 2.3.4.
1 IPv6 Tunnel since my ISP is slow with rolling out IPv6.

LAN has IPv6 Static IP set - /64

System > Advanced > Allow IPv6 - Allow IPv6 Tunnel.

Firewall > WAN > PASS IPv4 ICMP- source being my Server IPv4 Address.

The IPv6 firewall tab I have PASS IPv6 ANY (testing).

There are SO many IPv6 addresses around here that I don't know which is which.

I learned that the one is link-local and the other is the routed IPv6.

With Router Advertisement, my phone and other devices get an IPv6 within half a second. If I turn RA off, it disappears as quickly.
It just WORKS.

However, when I go to the list of DHCPv6 Leases, nothing is there. How am I supposed to control the flow of information through IPv6 when I don't know which client is which...?

If I go back to DHCPv6 Server and enable the DHCPv6 server, RA does its thing and forwards it to the DHCPv6 server in pfSense.
Again, just MAC addresses. No host names. No IPv4 addresses.

I'd REALLY like to have my DHCP v6 clients go to my Windows DHCP server so that I can see who is who -- OR BETTER YET, SOMEHOW HAVE MY WINDOWS DNS AND DHCP UPDATE TO PFSENSE. So then I have hostnames in pfSense logs, I'd have hostnames in DHCPv6 leases, and plenty more.

I have been a Windows guru my whole life, but I really enjoy the look, the feel, and the settings that pfSense DHCP and DNS has to offer... but I'm a Systems Administrator who hosts his own email and using Windows is kind of critical for me.

So is there any way to redirect DHCPv6 requests to my Windows DHCP? Also maybe use DNS and DHCP relays to 'sync' information between the two?

IPv6 / IPv6 Tunnel and Netflix - Windows DNS - How Do I solve this?
« on: July 05, 2017, 08:15:56 pm »
At home, I have a Windows Active Directory network for myself because I host my own email.
It runs DHCP and DNS.

DHCP is set to set each client with the DNS server running on the same VM.

It works.

It's been slow because Windows uses IPv6 first to communicate and I don't have IPv6. This happened after a recent update.
I enabled IPv6 tunnel and it worked amazingly.
The Internet is super fast... very strange.

The only problem is that my Sister watches Netflix and I heard it gives an error message.

Someone solved this issue by using BIND on pfSense.
This is what I need assistance with...

With Windows DNS, could I set my forwarder to pfSense?
Then on pfSense, can I set it so that ' uses IPv4' only?

Someone told me he has done it and followed a guide doing it, but the guide does not show steps.

It would actually be more beneficial for me to have Windows DNS use my pfSense box as a DNS resolver because I hear you can control more.
Windows DNS Forwarders are supposed to be DNS servers like BIND, so you can have more granular control.

So does anyone have any steps/guides/instructions on how I need to set this up?

Windows DNS > to pfSense - but what does pfSense run? Resolver? Forwarder?

I'm just playing with IPv6 - nothing major. I'm enjoying it so far. I don't know if it's because my Windows PC finally feels relieved that it has an IPv6 address, OR if IPv6 is really that fast...

It is time to admit that I need help with ACME, Let's Encrypt, and HAProxy.
Usually I try my hardest to research and do it myself and rarely admit that I need help -- doing so just prevents me from learning from others.

So here I am asking for assistance with my set-up.

I have ACME working with their development server and am able to generate certificates properly.

Now I need help with HAProxy.
I have multiple hosts that run HTTPS 443 - Outlook Web App and now PRTG and a webserver I rarely use.

I am so confused about frontend/backend with HAProxy and I need screenshots/video tutorial on how to set it up, OR just an explanation on how it works and then I can go from there.

I do not learn by reading -- but if someone shows me how theirs is set-up, or an example, then I can learn.

I can gladly set-up a GoToMeeting, Skype, Teamviewer, etc.

I am running pfSense 2.3.2_1.

Here is my scenario -

I have (1) Exchange Server using HTTPS and (1) Apache/Nginx Web Server running HTTP/S as well.
Both are using the same port, including the web server using port 80 as well.
Exchange Server does require a SSL cert, but I'm not sure if that's necessary to include on pfSense.
It is bound on IIS so I assume from what I read that I may need to store the cert on pfSense?
Honestly I'm not sure...

How do I direct traffic coming to '' to a certain server IP on my LAN and '' to a different server IP on my LAN?
People mention squid reverse proxy and others mention HAProxy being better, but I have not seen any documentation on setting this up the way I intend.

Now pfSense has changed and new features have been added - so I'm wondering what is currently the best way to set this up?

Mind you, I am the only person using this Exchange Server and probably the only person that will be using the web server.
The web server is for a project I'm developing and I'd rather host the site locally because I have better hardware than most web hosts.
I'd like to access the website from the Internet (WAN) on its normal ports.
So changing ports isn't really an option.

The residential ISP I have allows all ports. I have a static IP.
Another IP is out of the question. I do have another WAN link with an IP, but port 80 is blocked on that specific port.
They only allow ports open on the static IP.

All help is appreciated - you guys are very helpful!

Thank you
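
Since the question is how frontends and backends fit together, here is an added example of an HAProxy configuration for the scenario described (two LAN hosts that both serve 80 and 443 behind one public IP). It is not from the forum post or the pfSense HAProxy package; the hostnames mail.example.com / www.example.com, the LAN addresses 192.168.1.10 / 192.168.1.20 and the backend names are placeholders. On 443 it routes on the TLS SNI name in TCP mode, so the connection is passed through untouched and the Exchange certificate can stay bound in IIS; nothing has to be imported into pfSense for that. On 80 it routes on the Host header in HTTP mode.

```haproxy
# Added example (not from the forum post): one HAProxy in front of two LAN
# hosts that both listen on 443 and 80. Names and addresses are placeholders.
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# --- HTTPS: pick the backend from the SNI name without decrypting (mode tcp) ---
# The certificate stays on IIS / nginx; HAProxy only looks at the ClientHello.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection up to 5s so the ClientHello (and its SNI) can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend exchange_owa if { req.ssl_sni -i mail.example.com }
    use_backend web_server   if { req.ssl_sni -i www.example.com }
    default_backend web_server

backend exchange_owa
    mode tcp
    server exch 192.168.1.10:443 check

backend web_server
    mode tcp
    server web 192.168.1.20:443 check

# --- HTTP: pick the backend from the Host header (mode http) ---
frontend http_in
    bind *:80
    mode http
    option httplog
    # Plain-HTTP requests for the mail host are bounced to HTTPS instead of served
    http-request redirect scheme https if { req.hdr(host) -i mail.example.com }
    use_backend web_server_http if { req.hdr(host) -i www.example.com }
    default_backend web_server_http

backend web_server_http
    mode http
    server web 192.168.1.20:80 check
```

In the pfSense package the same shape is built in the GUI: a frontend of type TCP on 443 with SSL offloading left off and an ACL that matches the SNI host name, one backend per server, and a separate HTTP frontend on 80. Because the TLS traffic is passed through, the backends see HAProxy's LAN address as the client address in their own logs; the HAProxy log is where the real source IP is recorded. The HTTP frontend, being in HTTP mode, can add X-Forwarded-For for the web server if that matters to you.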

Here is my situation -- I have two WANs.
It is the same ISP... but I just got another modem and it works.
I have two modems -- one is going into WAN on the pfSense box.
This has worked for a year.

I asked for another 'link' with a new IP Address and they advised me what to do.
It works.
This other link is going into OPT1 on the pfSense box.
I enabled the interface and it got an IP Address.
I can ping this IP Address from a PC in Pakistan.

NOW -- I do not want to set-up a MultiWAN for the purpose of failover.

I want to experiment with this.

How do I take my desktop PC and route ALL traffic through this other WAN/OPT1 link through pfSense?
It can be done with Virtual IPs because I did it a year ago... but I have not done it with another WAN interface.

For instance -- if I go to IPChicken, it displays my IP Address I've always had.
I want to enable this routing to go through WAN2(OPT1) and then it would display the other IP Address.
I've had this working for Virtual IPs a while ago, but not a different interface.

How would I achieve this?
I want to take and route ALL of that Internet traffic through WAN2 (OPT1).
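
What the post describes is policy routing: a firewall rule on the LAN interface that sends matching traffic to a specific gateway instead of the default route. pfSense builds this from the "Gateway" field of a LAN pass rule, and underneath it is pf's route-to. The fragment below is an added example in pf rule syntax, not taken from the post or from a pfSense config; the interface names em1/em2, the host 192.168.1.50, the LAN 192.168.1.0/24 and the WAN2 gateway 203.0.113.1 are placeholders.

```pf
# Added example (not from the post): route one LAN host out the second WAN.
# Interface names, addresses and the gateway are placeholders.
lan_if   = "em1"
wan2_if  = "em2"
wan2_gw  = "203.0.113.1"
test_pc  = "192.168.1.50"
home_net = "192.168.1.0/24"

# Translation rules come before filter rules in pf: source-NAT the host's
# traffic to WAN2's own address so replies come back through WAN2.
nat on $wan2_if from $test_pc to any -> ($wan2_if)

# Local traffic must match first, or it would be pushed out WAN2 as well.
pass quick on $lan_if from $test_pc to $home_net

# Everything else from that host leaves via WAN2's gateway, not the default route.
pass quick on $lan_if route-to ($wan2_if $wan2_gw) from $test_pc to any
```

In the GUI this is one LAN rule with source = the test PC, destination = any, Gateway = WAN2, placed above the default "LAN to any" rule, plus an outbound NAT entry for the WAN2 interface (automatic outbound NAT normally creates it once OPT1 has a gateway). The rule for local destinations is the part people forget: without it, the PC loses access to the LAN itself and to pfSense's own services.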

How do I take my VPN Server IP and credentials, connect it to pfSense, and serve it to my LAN machine(s)?

Is that even possible?

I know you can tunnel pfSense to another pfSense.

I want a host on my pfSense LAN to be connected to the OpenVPN Access Server. Only one host. I understand I may need to create another Interface just for that machine, because I have a feeling I cannot just tunnel it to one host on the LAN -- it might be the entire LAN.

I have an OpenVPN Access Server off-site. I can connect perfectly with the OpenVPN client software installed on the host. The host can only connect to the OpenVPN access server, cannot access anything on the WAN side (which is my home network), and can access the gateway. It works perfectly. When the host disconnects from the VPN, firewall rules take over and block access to the gateway. The host is forced to connect to the VPN. Therefore, no VPN, no Internet. VPN, access to the Internet. Perfect.

BUT, can I do this easier without installing OpenVPN client?

I don't want to have to install OpenVPN on all of the hosts -- so I was wondering if it were possible to connect the pfSense LAN Interface (or host) to the OpenVPN Access Server only utilizing pfSense, and not the OpenVPN client. Of course pfSense will act as the client.

Basically, I guess I want the host's gateway to be the 'VPN'. So the WAN would essentially be the VPN. Everything that happens in that host to the gateway, would go to OpenVPN Access Server.

I hope I explained it well. I think I explained it a little too much and repetitive.

Also, another explanation -- if I need to change the VPN server (and will need to based on my project we are doing), it will be easier by changing the IP address in pfSense, rather than uninstalling the OpenVPN client and reinstalling the new one.


I appreciate your help!
I am learning.

I have a good understanding of this WAN/LAN set up -- but I still do not understand Firewalls and VLANs.

Here is what I have --  a cable modem going into a Tomato router. Router into a switch, then a long cable to the basement into a 24 port switch.

From the Gigabit switch, I have it going to NIC#2 with vSphere.

pfSense side --

For WAN, I have a vSphere 'virtual' switch connecting to the physical NIC #2.
For LAN, I have it going to another Virtual switch (separate from other) which hosts my VM.
I need that VM completely isolated from my home LAN x.x.254.x  - network.

pfSense is using a WAN static IP address in the home LAN network.
LAN is on the same subnet, but at a different network IP.

It works -- everything is perfect.
I can ping anyone, both networks, and in LAN.

I do not want to be able to do that. I want the VM (in pfSense LAN) to have access to the WAN gateway ONLY, which is on the home LAN network. I want everything else -- such as VM to home LAN PCs -- blocked. From the 1.1 network to 254 network should be restricted, unless it is to the source of 254.x (gateway).

I do not want him to be able to ping my laptop from the pfSense LAN to WAN.

So, really, behind the pfSense LAN -- I want those devices to NOT be able to ping anything outside of its WAN (which is my home LAN) except gateway (which is in my home LAN).

So I know it would be a 'not' rule. So block everything -- but 'NOT' ''.

Is this correct?

Funny thing is - I can never ping a machine from my home LAN to the pfSense LAN VM -- but from the pfSense LAN VM I can ping to my laptop which is on my home LAN.
I have no rules set, and Windows firewall is off.

That is exactly what I want to be able to do but opposite. I don't want to be able to ping my home LAN laptop from the pfSense LAN VM.
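
The "block everything but NOT the gateway" idea is right; what decides whether it works is rule order, because pfSense evaluates LAN rules top-down and the first match wins. The fragment below is an added example in pf rule syntax (not from the post or from a pfSense config) showing the three rules that isolate the VM network from the home LAN while still letting it reach the upstream gateway and the Internet. The home LAN 192.168.254.0/24, its gateway 192.168.254.1, the pfSense LAN 192.168.1.0/24 and the interface name em1 are placeholders for the x.x.254.x and 1.1 networks mentioned in the post.

```pf
# Added example (not from the post): isolate the pfSense-LAN VM from the home LAN.
# Addresses and the interface name are placeholders.
pf_lan   = "em1"                 # pfSense LAN interface (the VM side)
vm_net   = "192.168.1.0/24"      # pfSense LAN subnet
home_net = "192.168.254.0/24"    # home LAN, where pfSense's WAN address lives
home_gw  = "192.168.254.1"       # Tomato router / upstream gateway

# 1. The only home-LAN host the VM may talk to is the gateway itself.
pass quick on $pf_lan from $vm_net to $home_gw

# 2. Everything else headed for the home LAN is dropped (and logged so you can
#    see the VM trying, e.g. the ping to the laptop).
block log quick on $pf_lan from $vm_net to $home_net

# 3. Remaining traffic (the Internet) is allowed out.
pass quick on $pf_lan from $vm_net to any
```

In the GUI this is the same three rules on the LAN tab in that order: pass to the gateway, block to the home subnet (or a single pass rule with destination "not 192.168.254.0/24" in place of rules 2 and 3), then the default allow. Two things to check afterwards: the VM's DNS server must be either pfSense or the gateway, otherwise rule 2 silently breaks name resolution, and the reason pings from the home LAN to the VM already fail is simply that pfSense's WAN interface NATs and blocks unsolicited inbound traffic, which is the direction you are not trying to change.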

I am looking at a cheap box that I want to use and am wondering if it would be worth purchasing and putting pfSense on it.

It is an OptiPlex 745 with 4GB of RAM and a Celeron 3.06GHz CPU.

The onboard Ethernet is 10/100/1000 and I would buy a PCI card with the same 1 Gigabit capability.

I already looked up the Ethernet card on here and someone had it working perfectly as LAN.

This box would be my router, right after the Cable modem. I have a 75Mbps down/ 15 Mbps up connection. It would also serve as a firewall, and *maybe* VPN.

Would this be able to handle 75Mbps download?

Summary - cable modem ethernet run down in the basement into esxi server - one physical port - into pfSense WAN - then LAN would be my esxi virtual adapter which is another physical port - going into a switch with all other cat5 cables - and then in that switch, a cable running back upstairs and into a Cisco wireless router. Is this possible or are there too many routers and wires that would completely bottleneck everything?

So, this is my layout. I have a cable modem which needs to be on the first floor. IT has my phone line and a few other things like TiVo wireless connectors.
Now, I can send a cat5 line down in my basement (I have one coming up into the router upstairs - switched in the basement) and in a rack server that I have.
The rack server will run ESXi - and with two network cards in the virtual machine. One will be WAN only, and the other will be LAN - which will hook up existing virtual machines if I put them on that node (I have other servers, but I don't want only pfSense on this because it's a crazy powerful server).

So that would be my WAN, correct? Would it automatically see that? So, just like a router has an IP address, I'd set one up in pfSense I'm assuming. So then, LAN would be the other virtual adapter and would have virtual machines on it as well. But, a network cable will then go into the 24 port switch - which then connects all other servers and remote KVM instances. Then, in that same switch, will be a wire going upstairs. There, it will go into a 'Internet(?) or WAN(?)' port and then be my wireless AP and switch to connect the printer server, caption phone, and that's it.

So the DHCP server is on a different server than the pfSense install. I'm confused on how I'd set that up, being there are so many cables and routers involved. So I would setup the IP address for the gateway... that would be my gateway, right?
Now, how about the wireless router upstairs? I'd disable DHCP, but I'd set it as a different IP (instead of default).

I don't know - I don't have time to experiment or even the availability, unless I take everything in the basement and run it there. However, I trade currency and I cannot have the downtime because of my charts, and I have a family of 5 that always need Internet. Two younger sisters, the one doesn't have a large pool of data on her phone and uses our wireless.

It just seems like with being so many cables and such, this is going to lag like hell. There aren't any bottlenecks, everything runs on Gigabit, but it seems like it has to go so far.

Any kind suggestions?

I would definitely put the cable modem downstairs if I knew it didn't have a bunch of stuff that needed connectivity, primarily only the phone. So that is a bit out of the question since it's away from the TV (the TV is closest to the basement wire rundown) and the guy already put a hole through the siding to fish the coaxial into the house. But with that being down there, it would be so much easier to run my pre-existing cable up being my LAN.
Ah lol.

It just seems like so many routers and so many IP addresses.

I have a good amount of networking experience. I've studied it thoroughly in vocational school while in high school. It was my major for a semester, but got boring. :/
I was directed to a college in Pennsylvania, my state, and the statewide competition - my college won, first, second, and third place out of six winners with a networking competition. So I was taught pretty well but not being my major, I didn't really take too many networking classes. Just intro, and about five more up to CISC300 classes. I was the smartest in one or few of my classes. I was calling out cname, mx, a records, and the professor said "So you know this?" and everyone was like "No, he knows it but not us!"

So I learn on my own, and it's been that way forever. I haven't learned anything new in college, which is why my major is now changing to behavioral neuroscience.
So that's my introduction, I do have experience and all, so provide a thoughtful response if you'd like! haha
