General Questions / Security: FQDN alias vs IP alias
« on: December 23, 2015, 05:56:30 pm »
Wondering if FQDN alias provides a higher level of security than IP.

I am using pfSense to query AD for FQDNs for my alias records. I had previously been using IP, but believe this to be a more secure approach.

Am I correct?

Packages / Postfix retry rejected emails
« on: December 14, 2015, 12:03:31 pm »
Our company uses pfSense Postfix package as an MSExchange gateway.

Every so often we get a 550 rejected error. I can't remember the last time we were on a blacklist, but it still seems to happen with a couple domains regardless. I've tried sending variations of the emails (removing signatures, images, links etc etc) but still rejected.

Typically, I will just manually switch over the mail server outbound NAT to a different static IP address as a temporary fix but am wondering if it would be possible to do something like this automatically?

General Questions / Debian + Shorewall vs pfSense
« on: December 01, 2015, 08:36:23 pm »
I know I am likely missing something, but I am wondering why pfSense routing speed is low compared to my Debian system?

I've tried several different hardware setups and the Debian system always performs better. I am able to route 10GB on my Pentium G3220 Debian system regardless of size of rule set, yet pfSense on the same hardware can't go beyond 1.4GB/s.

General Questions / Unlimited certificates for the price of one?
« on: November 23, 2015, 11:54:00 pm »
I use Namecheap for our company SSL certificates. We have several SAN and wildcard certificates in production right now.

I notice after I have received my completed request, I have the option to reissue my certificates.

This is all fine and well, but what I find interesting is that they do not enforce that the originally requested name be the same.

An example:

Having only paid for a single ($99) wildcard certificate, I am able to generate wildcard certificates for *, * and even * on and so forth.

I am also able to register SAN certificates with completely different SAN entry names (the common name must be the same).

I have been doing this for quite a long time; no one has said anything and they have always worked. Nothing has ever been revoked (besides the expiring certificate, of course) and I have otherwise never had an issue.

Does anyone know if this is the normal way things are done? I have only used cheap vendors for SSL certificates and haven't had the opportunity to view other mechanisms for requests.

Our company was looking at getting a dedicated fibre link to our head office.

Our current office line is an 80/20 coax line. The sales person replied with the email below.

"Dedicated fibre connections work a little different from coax connections. I would say that our 20Mb dedicated fibre connection would be hugely superior to your current coax connection.
A dedicated fibre connection makes use of capacity that's reserved solely for the individual company. Unlike your coax connection, the bandwidth available does not drop at peak times, when many users in your office are attempting to make use of their connections. As more users connect, your coax connection gets slower and slower. In theory, if you were to have 10 users all trying to upload a document at the same time on a 20Mbps coax connection, each user is only getting 2Mbps as the connection has been divided by the total number of users. This doesn't happen with a dedicated connection."

My question:

How is a 20/20 dedicated fibre line supposed to allow multiple users to gain FULL 20/20 network speed? How does this make any sense?

CARP/VIPs / CARP gateway packet loss (but it works?)
« on: November 10, 2015, 03:36:24 am »
I have pfSense deployed as a guest within Hyper-V.

I am pulling two DHCP leases for my two WAN addresses (same ISP, different gateways).

I have five /29 static CARP IPs and set up the default gateway to be in the same network.

I am using Manual Outbound NAT for all local networks and the firewall, pointing to the CARP addresses.

Everything is working except the host does not have access to the internet. The default gateway, since it does not lie in the same network as the DHCP leased WAN, shows 20-40% packet loss and well over 1000ms RTT.

If I switch outbound NAT for the firewall to use a CARP, it does work for a short time, but eventually falls back into showing packet loss and high RTT times.

CARP failover DOES work fine at the moment.

Is there a solution to this? I am of the understanding that this isn't a supported setup, but I do not want to lose my static IPs on the supported setup.

CARP/VIPs / CARP with two DHCP
« on: November 07, 2015, 03:14:44 pm »
Is it possible? I'm trying to not use up the only 5 static IPs I can get without jumping up to a "data centre" package with my ISP (it's very expensive).

If I set up each pfSense host with DHCP on the WAN, but use a static CARP VIP, will there be any issues?

I have never had an issue with 1 DHCP on the WAN and my static IPs as VIPs, regardless of the gateway.

CARP/VIPs / CARP packet loss (Hyper-V deployment)
« on: November 06, 2015, 03:05:15 pm »
I've been using pfSense as a Hyper-V guest for quite some time now (since 2.0 release).

Yesterday we added a second server, identical hardware, which I've installed pfSense on as a guest. I set up CARP and am having some issues.

When a single pfSense guest is running I see no issues. Minutes after I turn on the second pfSense guest I see 200-900ms gateway latency, followed by packet loss 5-8 minutes later.

I've set up the network adapters in Hyper-V to allow MAC spoofing so that isn't the issue. I'm wondering if it could be a configuration on my modem side? Maybe ISP?

I don't see any flapping between the two in the logs. We also have 15 internal CARP addresses and they do fail over. All internal networks show no packet loss or issues at all.

Hardware / $18.99 Intel i350-T4
« on: August 31, 2015, 01:28:28 pm »

Hardware / Mellanox ConnectX-2 VLAN
« on: May 18, 2015, 10:34:52 am »

I am trying to use a Mellanox ConnectX-2 with pfSense as 10G SFP+ connection to a MikroTik Cloud switch. Everything seems to work fine, the interface shows up and iperf shows full speed, but whenever I create a VLAN interface on the interface pfSense crashes.

After the crash, the VLAN interface shows as assigned but anything trying to connect on that VLAN fails.

I downloaded the FreeBSD drivers, packed and moved to /boot/kernel (, ipoib.ko, mlx4.ko, mlx4ib.ko mlxen.ko )

added the below to /boot/loader.conf.local

Here is part of the crash report:

vlan1: changing name to 'mlxen1_vlan2'
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x18
fault code   = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80aa8684
stack pointer          = 0x28:0xfffffe001a3ee380
frame pointer          = 0x28:0xfffffe001a3ee3a0
code segment   = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process   = 12 (swi4: clock)

Anyone have any idea what I am doing wrong? I am pretty sure these interfaces are not supported but I would really like to do some testing.

I have 5 modems:

40/20 with 5 static IP
100/10 with 1 dynamic
100/10 with 1 dynamic
100/10 with 1 dynamic
100/10 with 1 dynamic

Total is 5 lines with a combined total of 440/60, this is where I want to go.

If I was to load balance these connections, would clients connecting from outside the office using VPN benefit from the increased speed? It's my understanding that it is not possible to balance the upload since client connections are by IP, and since there are 5, it would be bound to only one specific IP, but I could be completely wrong.

I do have the ability, since this is the same ISP for all the lines, to use the static IPs across all 5 lines and use the gateway that they provide, allowing me to do away with the dynamic IPs they provide and just have a single static IP bound to each connection.

Hardware / x1 with a x4 card
« on: May 10, 2015, 02:14:17 pm »
I am using an Intel DQ45EK as my main board. This board only has one (1) PCI-e x1 slot, but I have an Intel quad port EXPI9404PTL network card that uses an x4 slot.

I've used a PCI-e ribbon cable which allows me to connect the card using an x1 to x4 and it works perfectly fine.

This is a production firewall and I am worried this may be unstable, should I be looking at changing this?

I know that the bandwidth is limited to ~2Gbs but I am not concerned with this.

Routing and Multi WAN / File server routed through pfSense
« on: May 09, 2015, 01:15:55 am »
I have a file server on my LAN-1 network ( and clients who access the file server on my LAN-2 network (

LAN-1 is a high-security network with only internal access servers.
LAN-2 is for desktop clients, about 90.

I poked holes in the firewall to allow SMB shares to be accessed on my LAN-1 network and obviously the throughput causes higher CPU usage on pfSense.

My question is:

Is there a better way to do this? I don't want to put the file servers on the same network as the clients for security reasons, and having two interfaces on the file server so that it can be accessed from the client side without being routed through pfSense kind of negates the purpose.

Routing and Multi WAN / Changing the WAN VLAN MAC Address
« on: October 01, 2014, 10:40:43 pm »
Is it possible to change a VLAN address without changing the parent interface MAC?

We just got another internet line and a mini-ITX board with only two interfaces and no room for expanding.

I have a managed switch capable of tagging each line, but when I put the parent interface in promiscuous mode using Shellcmd and change the VLAN MAC addresses, it changes the parent and other VLAN.

Routing and Multi WAN / DHCP and Static WAN
« on: September 23, 2014, 06:08:12 pm »
Is it possible to have 1 WAN using DHCP and another using Static? I would like to split up traffic and have all static addresses used for servers and the DHCP WAN used for everything else.

