
Topics - kejianshi

Quick question.  I'm not sure if this is the right category to post in.  Anyway.

I have a small VM with only about 1.25GB Ram allocated and only added package is Suricata.

It is running wonderfully and not showing any ill effects at all, but for some reason it shows between 8% and 10% swap usage even though it's not acting like any machine I've ever seen using swap.  No problems at all.  Just wondering if this is something weird or often seen?  I'm not used to seeing swap usage when nearly half the RAM is free on a machine.  Not complaining at all.  It's running fine.

last pid: 34413;  load averages:  1.01,  0.86,  0.72  up 0+02:00:17    11:43:12
41 processes:  1 running, 40 sleeping

Mem: 156M Active, 386M Inact, 82M Laundry, 486M Wired, 77M Buf, 94M Free
Swap: 410M Total, 30M Used, 380M Free, 7% Inuse

77375 root          7  21    0  1000M   539M nanslp  0   8:20   1.86% suricata
 7123 root          1  27    0   263M 30064K piperd  0   0:00   1.86% php-fpm
14329 root          1  20    0 20348K  5308K select  1   2:10   0.00% openvpn
  306 root          1  20    0   261M 18460K kqread  1   0:10   0.00% php-fpm
43365 root          1  52   20 13084K   968K wait    0   0:08   0.00% sh
22324 root          5  24    0 13028K  2240K uwait   1   0:07   0.00% dpinger
31128 root          1  20    0 37704K  7644K kqread  0   0:06   0.00% nginx
17601 root          1  20    0 12696K  1996K bpf     0   0:04   0.00% filterlog
30837 root          1  20    0 37704K  4872K kqread  0   0:03   0.00% nginx
32150 root          1  20    0 24604K 12424K select  1   0:02   0.00% ntpd
16644 root          1  20    0 20348K  5252K select  0   0:02   0.00% openvpn
87639 root          1  20    0 10472K  2512K select  0   0:01   0.00% syslogd
92561 dhcpd         1  20    0 16648K  7696K select  1   0:01   0.00% dhcpd
10824 _dhcp         1  20    0 10528K  2052K select  1   0:01   0.00% dhclient
31597 root          1  52    0 12496K   664K nanslp  1   0:01   0.00% cron
23110 nobody        1  20    0 31868K  2860K select  1   0:00   0.00% dnsmasq
11435 root          1  52    0 39432K     0K wait    1   0:00   0.00% <login>
  320 root          1  40   20 19436K  1144K kqread  0   0:00   0.00% check_reload_status

Netflix has started blocking all VPN associated networks that they can detect or identify as VPN or proxy. 

They are clumping Hurricane Electric tunnel broker IPs in with "proxy".

So, even if you are in the USA and have a real USA IP, you will probably see this:

So, just having an HE IPv6 tunnel on your pfsense will probably cause Netflix to throw an error screen in your face about being naughty and using VPNs and proxies.

So, I had to go into the firewall and make a quick floating rule REJECT all of the following:


These are all associated with amazon cloud services and netflix streaming.

Rejecting those causes Netflix to fail over to IPV4 and then everything works again.

I assume people with native IPV6 don't have this problem.  Just the people using tunnel brokers.

For me, to make it simple I made an alias containing all those IP ranges.

Then I selected all interfaces in my floating firewall rule and told it to apply as soon as it matched.

Not sure if this will be a permanent fix or if Netflix will come up with new IP ranges all the time, but for now it works.

DHCP and DNS / Unbound stopped and won't start
« on: October 10, 2015, 10:47:31 am »
Well - unbound quit today.  Pfsense is fine.  Nothing changed on the network. 
It has been unchanged for months and today, the service just crashed and no matter what it won't start and stay started.

Switched back to DNS forwarder.

Maybe I could figure this out myself but I hate to tinker on boxes 1000s of miles away.

Just upgraded to 2.2   

Dnsmasq is still running on pfsense.

What's the process to dump dnsmasq and move to unbound?  Is it even urgent that I do so?

NAT / NAT Reflection in 2.1 release... Seems to be working 100% now.
« on: September 29, 2013, 01:33:31 am »
So, my NAT reflection has been broken for as long as I can remember for UDP in the past and only TCP NAT reflection has worked for me.

So - For 2.1 I decided to play with it once again.  (In case something has changed. )

I tried a variety of things that sort of worked and failed at other times, but in the end what works for me is:

System > Advanced > Firewall / NAT

NAT Reflection mode for port forwards - NONE

Then, in Firewall > NAT:

For every TCP port forward, I use NAT reflection - NAT + Proxy
For every UDP port forward, I use NAT reflection - Pure NAT

This seems to give me reliable UDP NAT reflection and reliable TCP NAT reflection.

I don't know why this combination works, but I like it.
Any other way, seems to break one, the other or both for me. 

SIP UDP NAT reflection works and so does my UDP VPN (Not that I need it inside the LAN)
The only thing that hasn't worked so far is IAX2 (not that I need it) but that may be a server issue.

EDIT:  I later also set Enable automatic outbound NAT for Reflection on under:  System > Advanced > Firewall and NAT
Now everything works, including IAX2

OpenVPN / Ubuntu as client to Openvpn on Pfsense
« on: September 21, 2013, 02:14:07 am »
I always see strange behaviour from Ubuntu when using it as client to pfsense/openvpn.

So, I'm using the exact same server and client config for windows, android and ubuntu.

I have a server behind pfsense.

If I broadcast phone wifi and connect with windows and then openvpn, I can see the LAN just fine.  If I check my ip on one of the many what is my IP sites, it shows the public IP of my pfsense WAN.  If I connect to my internal server, the IP of pfsense LAN shows up.  All good.

Same is true of android.

But with ubuntu, I can't reach the LAN and if I connect to my internal server using my dyndns domain name, it shows the IP of the cell phone but then if I connect to any external server or a what is my ip server it shows the IP of pfsense WAN.

It's really, really weird.

So, I guess I'll be SSHing into my pfsense to see the gui if I'm using ubuntu away from home.

This is one of those rare things windows really does much better.

Packages / Dansguardian and Shutterfly
« on: August 17, 2013, 12:35:51 am »
I should say Dansguardian and lots of things...

So, someone on the network was trying to upload files to shutterfly photo site and after 2 days of chronic failure I decided to shut down dansguardian and see what would happen.  The problem was immediately corrected.

So, I've decided rather than wondering if every anomalous failure is dansguardian related I'd just uninstall it and save myself the hassle.
I don't really need the blocking features that much.  Maybe others do.

I could have just entered a URL bypass for that one site, but I already have a bunch of them and adding bypasses gets old.

Strange thing happened today.  This is pfsense 2.1 32 bit running on ESXI system.
This isn't my system, but it's one I have access to.  The OpenVPN client that was exported wouldn't work.
It would connect, but the distant client couldn't hit the servers or LAN behind pfsense.
So, after many installs/uninstalls of the client that was exported, I went to the site, downloaded the Windows client, installed it and substituted in the client settings that were exported from pfsense, and that does work.  Very strange.

DHCP and DNS / OpenNIC for pfsense DNS
« on: July 18, 2013, 12:10:21 pm »
Does anyone have much experience with OpenNIC DNS on pfsense?
It's an alternative DNS system to what is widely used.
Seems their main interest is to get away from ICANN and logging for a number of reasons.
It seems to resolve everything without issues but without ICANN or government controls.

I ran a list of these servers through benchmarks.
They come up as faster than DynDNS, slower than OpenDNS but on par with Google's.
No filtering, no redirects.  Seems solid so far.  (so far is only 2 days  :P)

Speed   Reliability   Logging               Location
Fast    Reliable      Logs deleted hourly   New Jersey
Fast    Reliable      Logs deleted daily    New Jersey
FAST    Reliable      Bind logging only     Chicago
Fast    Reliable      No logs               Dallas TX
        Reliable      Logs deleted daily    Buffalo NY

But I have exactly 2 days experience testing these on a PFsense box so thought I'd ask if there are any horror stories or anything?
I was just labeling some as fast or slow and reliable or not and location.
My original list was 2x as long but I immediately cut out the slow or unresponsive servers.
(I got off on this tangent a couple days ago when my DynDNS was being unresponsive and making me wait forever)

I'm a big fan of controlling things like content filtering directly on my own box, but for some people who for whatever reason want to be able to filter content but have small processor and ram so can't afford to run packages:

There is a way to have content filtered by a dns server before it hits your pfsense.

This is the process roughly.
Feel free to clean it up and post a friendlier version if you like.

On this topic, to get further blocking from the router, you can also set up a free dyndns account and then:
Set up a dynamic dns account with them.  Load the dynamic dns info for your account into pfsense's dynamic dns service.

After that, on the dyndns website, set up your "defense plan".

In the defense plan check off the blocks for the sorts of things you don't want kids to be able to access, like porn or whatever.

Then go into general > setup

put the dns setting for dyndns into DNS servers list.  For dyndns its and

Also un-check the "Allow DNS server list to be overridden by DHCP/PPP on WAN" box to allow your settings to take effect on all computers on your LANs.

dyndns uses barracuda filtering for dns, so it should make a good complement to a system running squid and dansguardian or for people who have systems with not enough processor for those things.

There.  Now you have content filtering by barracuda on your PFsense and everything attached to it (presuming they don't modify their computer's DNS settings by hand to circumvent).  Can be used in tandem with squid and Dansguardian to give more fail safe protection.

You can then go to this site to see if this is working for all your computers:   

(I decided its best to list only and in the general config for this to work well because even if the google servers are listed below the dyndns servers, if google resolves even ever so slightly faster on occasion, it will bypass your filtering.  So, make sure that and are the only servers you list if you intend to go with dyndns.)

Packages / Stunnel and IP Cameras
« on: July 12, 2013, 03:37:37 am »
I'm ambivalent about having IP cameras facing the public IP with no VPN required to get at them, but seems most of them have no SSL web interface.  I wanted to have one on a port I could turn on and off with a button click to my firewall rules but leave configured.

I put stunnel facing the web and pointed the other side of it at my IP camera.

Of course it's better to have it behind the firewall and access it through VPN, but stunnel works to hide my user name/pass when logging in and seems to keep it all inside SSL nicely.

No guarantee camera won't get DOSed but I have no plans to leave it open all the time.

Of course, it would be nice to have an intermediary tool of some sort similar to captive portal that would request a username and password before a single packet was sent to the camera, since pfsense can handle a DOS attack much better than the little camera can, but I'm not sure how I'd set something like that up in short order that was specific to a single port on the WAN and didn't get in the way of other things.  I'm thinking about it.

Originally, pinoyboy had pasted an observation that IPsec on pfsense is still exhibiting this behavior.
I just wanted to ask about the feasibility of a work-around till it's fixed.

IPsec fails to pass traffic when disconnected and then reconnected until the racoon service is restarted:

I went into my logs and I noticed that there is a common thing that is going on whenever this happens:

racoon: ERROR: no configuration found for (I deleted the IP)
racoon: ERROR: failed to begin ipsec sa negotication

I also noticed that a restart of the racoon process, without requiring a logout/login cycle of the client, corrects the issue until the next disconnect.

I also ran across this script to restart racoon in the event of a WAN IP change.

# OpenWrt-style hotplug script (the config_load / config_foreach /
# config_list_foreach helpers come from OpenWrt's /lib/functions.sh, which
# hotplug sources before running it; INTERFACE and ACTION are set by hotplug).
# Restart racoon when an interface it listens on comes up.
ListenInterface() {
  local iface="$1"
  if [ "$INTERFACE" = "$iface" ]; then
    /etc/init.d/racoon restart
  fi
}

RacoonInstance() {
  config_list_foreach "$1" listen ListenInterface
}

if [ "$ACTION" = "ifup" ]; then
  config_load racoon
  config_foreach RacoonInstance racoon
fi

So, what I was wondering about is killing two birds with one stone.
Rewrite this script a bit to work on pfsense and apply it on pfsense to check for WAN IP changes that break IPsec and to also
check the IPsec logfile for instances of:
"racoon: ERROR: no configuration found for"
"racoon: ERROR: failed to begin ipsec sa negotication"

and then empty the log and restart racoon if found.

What do you think?  Anyone?
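One way to build the watcher described in this post, as an added example that is neither the poster's script nor anything shipped with pfSense: it greps the IPsec log for the two racoon errors quoted above, restarts racoon and empties the log when they appear (keeping a copy of what was there, since a wiped log is also lost evidence), and separately restarts racoon when the WAN address changes. The log path, the restart command, the WAN interface name and the state file are all placeholders; the sample log lines are constructed. On a pfSense box whose IPsec log is a clog circular file, plain truncation will corrupt it, so clear it from the GUI instead or point the script at a plain copy.

```shell
#!/bin/sh
# Added example, not the poster's script: a cron-driven check that restarts
# racoon when the two errors quoted in the post show up in the IPsec log,
# or when the WAN address changes.

# The two log lines the post quotes.  "negotication" is racoon's own spelling;
# keep it, or the match never fires.
PAT_NOCONF='racoon: ERROR: no configuration found for'
PAT_NEGO='racoon: ERROR: failed to begin ipsec sa negotication'

# Placeholders (assumptions, adjust for your box): the log to watch and the
# command that restarts racoon.  The default command only prints what it would do.
IPSEC_LOG="${IPSEC_LOG:-/var/log/ipsec.log}"
RESTART_CMD="${RESTART_CMD:-echo 'would restart racoon here'}"

# racoon_log_has_error LOGFILE: exit 0 if either error is present, 1 otherwise.
racoon_log_has_error() {
  [ -r "$1" ] || return 1
  grep -qF -e "$PAT_NOCONF" -e "$PAT_NEGO" -- "$1"
}

# count_racoon_errors LOGFILE: print how many matching lines the log holds.
count_racoon_errors() {
  if [ -r "$1" ]; then
    grep -cF -e "$PAT_NOCONF" -e "$PAT_NEGO" -- "$1" || true
  else
    echo 0
  fi
}

# check_and_restart LOGFILE: if errors are present, save a copy of the log,
# restart racoon and empty the log as the post proposes.
# Returns 0 when a restart was triggered, 1 when nothing needed doing.
check_and_restart() {
  logfile="$1"
  if racoon_log_has_error "$logfile"; then
    cat -- "$logfile" >> "$logfile.racoon-restarts"
    sh -c "$RESTART_CMD"
    : > "$logfile"
    return 0
  fi
  return 1
}

# ip_changed IP STATEFILE: compare IP with the value recorded in STATEFILE and
# record the new one.  Returns 0 if it changed (or nothing was recorded), else 1.
ip_changed() {
  ip="$1"; state="$2"; last=""
  if [ -r "$state" ]; then
    last=$(cat -- "$state")
  fi
  if [ "$ip" != "$last" ]; then
    printf '%s\n' "$ip" > "$state"
    return 0
  fi
  return 1
}

# wan_ip IFACE: first IPv4 address of the interface (FreeBSD/pfSense ifconfig output).
wan_ip() {
  ifconfig "$1" 2>/dev/null | awk '/inet /{print $2; exit}'
}

# Glue for cron.  WAN_IF and WAN_STATE are assumptions; adjust as needed.
main() {
  wan_if="${WAN_IF:-em0}"
  state="${WAN_STATE:-/var/run/racoon-watch.wanip}"
  if ip_changed "$(wan_ip "$wan_if")" "$state"; then
    sh -c "$RESTART_CMD"
  elif ! check_and_restart "$IPSEC_LOG"; then
    echo "racoon: no restart needed"
  fi
}

# Invoke as "sh racoon-watch.sh run" from cron; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Because the restart command is injected through RESTART_CMD, the same file can be dry-run on a workstation (the default just echoes) before it is given the real restart command on the firewall, and the saved copy of each triggering log lets you see afterwards how often the errors actually occurred.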

Hi all.

I have fooled with ipsec vpn to pfsense router with limited success. 

Here is the deal.  On a cellphone using Android Ice Cream Sandwich on the built in IPsec Xauth PSK:

It authenticates and connects.

If I open the phone browser and google "whats my IP"
Then check my IP, it will give me the IP of my cell phone provider.
It's accessing the internet as if not using a VPN.

Now.  If on the very same browser, I give it the IP of a server of a machine running on my LAN it will access that server on the LAN behind the pfsense router.  So, those packets are tunnelled correctly.

Any idea what is causing this split routing?

Packages / squid stable stops working and can't be restarted
« on: July 02, 2013, 01:46:17 pm »
squid stable stops working and can't be restarted.  This was really annoying.  I'm pretty sure this was happening because my squid cache settings were less than ideal causing squid to eventually crash and not even start on reboot. Un-installing the package and reinstalling didn't help either.  My fix, was to install the package, ssh to the box, go to command line and issue to clear the cache:

cd /var/squid/cache
rm -rf *

Then I rebooted the box and reloaded the squid package.   Adjusted my disk cache and ram cache from web interface.

There is also the issue that there is no clear matrix for setting up squid cache.  So far, to me it seems that physical ram (not hard drive size) will determine maximum cache size since the disk cache has to be indexed in ram and that adds up.  I'm going to try (physical ram / 2) * 25 = max disk cache

allowing 1/2 of my ram as ram cache (for me I have 3GB so half is 1.5 GB)
allowing space for 4% of my disk cache in ram, so that there should be at most for me 37.5 GB disk cache.

I have yet to see a clear, safe formula for calculating cache allocation based on system ram (1st) and disk space (2nd) and it seems this should be a very simple, easy and clear calculation, not alchemy.  What I am 100% sure of so far is that too big disk cache will exhaust ram long before disk space.

Hi all.  I was having a problem with very high MBUF approaching the limit.  Example  24460/25600.  This was fairly new.  Never happened before.  Normally, it would sit around  3460/25600 or so for many many days and never really change much.  The only things I had changed is I added squid stable and dansguardian to an otherwise absolutely vanilla setup.  So, I wiped the box and re-installed.  With no packages loaded, there was no MBUF issue.   After adding squid stable, there was still no MBUF issue.  After then installing Dansguardian, the MBUF problem returned.  So, I removed Dansguardian again leaving only squid stable and the MBUF numbers are back where they have always been.  Low. So, I figure this must be an issue with Dansguardian causing some sort of memory leak.
Anyway, it would be nice if it didn't do that because I like dansguardian.
I'm using Pfsense version:
2.0.3-RELEASE (i386)
built on Fri Apr 12 10:22:57 EDT 2013
FreeBSD 8.1-RELEASE-p13
