
Topics - Finger79

I'm looking for the ultimate Travel / Off Grid / Emergency Operations security appliance that I can store and operate in a small Pelican case off DC power if AC is not available.  The SG-1000 is cute and affordable @ $149, but I just want a little more "oomph" in the same form factor.
  • Same or similar form factor as SG-1000.
  • Multi-core CPU.
  • Higher clocked CPU.
  • AES-NI support for future proofing (pfSense 2.5 and beyond).
  • Include 1-year Gold Subscription.
  • $199 price point possible?  ;)

Packages / NUT vs. apcupsd?
« on: November 19, 2017, 10:41:35 pm »
I finally hooked up my APC Smart UPS SMT1500 (tower) to the pfSense box via USB, and I'm trying to find the easiest way to have pfSense automatically power down after x time passes or y% battery left (haven't decided yet).  I also want pfSense to send out shutdown signals to all slave servers on the network.

With NUT and the usbhid driver, I can see all the details, but it doesn't really let me configure anything.  [Edit, there's a ton of Advanced settings text boxes, so I'll have to read up on that.]

With APCUPSd, I see a lot more configurable parameters.

I'm confused which package to go with.  NUT seems to be more universal, and there's binaries for Linux and Windows and other BSDs.  But APCUPSd seems to have more configurable parameters in the pfSense GUI.

Edited to Add:  To be fair, I need to do a ton of reading, so that's on me.  Was just hoping it would be a quick setup, but I guess not.
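As an added illustration (not from the post and not the pfSense NUT package's generated files; paths, the 192.168.1.1 LAN address, the 600-second timer, the 40% threshold and the password are assumptions), this is how the NUT master/slave pieces fit together for the setup described: pfSense talks to the UPS over usbhid-ups, shuts itself down either after a fixed time on battery or at a charge threshold, and the other servers run upsmon as slaves so they receive the forced-shutdown signal before the master powers off.

```ini
# --- on pfSense (NUT master, files under /usr/local/etc/nut/) ---

# ups.conf: the USB HID driver. "ignorelb" plus the override makes NUT raise the
# low-battery flag at the chosen charge instead of the UPS's own threshold ("y% left").
[apc]
    driver = usbhid-ups
    port = auto
    desc = "APC Smart-UPS SMT1500"
    ignorelb
    override.battery.charge.low = 40

# upsd.conf: listen on loopback and on the LAN address so slaves can connect (TCP 3493).
LISTEN 127.0.0.1 3493
LISTEN 192.168.1.1 3493

# upsd.users: the account the local upsmon and the slaves log in with.
# The NUT protocol is cleartext, so permit TCP/3493 only from the LAN hosts that need it.
[upsmon]
    password = CHANGE-ME-SLAVE-SECRET
    upsmon master

# upsmon.conf (master): one UPS feeds this box; NOTIFYCMD hands events to upssched for timing.
MONITOR apc@localhost 1 upsmon CHANGE-ME-SLAVE-SECRET master
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -p now"
POWERDOWNFLAG /etc/killpower
NOTIFYCMD /usr/local/sbin/upssched
NOTIFYFLAG ONBATT SYSLOG+EXEC
NOTIFYFLAG ONLINE SYSLOG+EXEC

# upssched.conf ("shut down after x time on battery"): start a 600 s timer on ONBATT,
# cancel it if power returns. PIPEFN/LOCKFN must live in a directory the nut user can write.
CMDSCRIPT /usr/local/etc/nut/upssched-cmd
PIPEFN /var/db/nut/upssched.pipe
LOCKFN /var/db/nut/upssched.lock
AT ONBATT * START-TIMER onbatt-shutdown 600
AT ONLINE * CANCEL-TIMER onbatt-shutdown

# upssched-cmd (separate executable shell script): when the timer fires, tell upsmon to
# force a shutdown. "upsmon -c fsd" sets the FSD flag on the UPS, so every slave that
# monitors it runs its own SHUTDOWNCMD, and the master powers off after HOSTSYNC.
#!/bin/sh
case "$1" in
    onbatt-shutdown) /usr/local/sbin/upsmon -c fsd ;;
    *) logger -t upssched-cmd "unhandled event: $1" ;;
esac

# --- on each server (NUT slave; e.g. /etc/nut/upsmon.conf on Linux) ---
MONITOR apc@192.168.1.1 1 upsmon CHANGE-ME-SLAVE-SECRET slave
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -h now"
```

The charge-threshold path needs no timer: once upsd reports OB LB, the master's upsmon issues FSD on its own. To confirm a slave can actually see the UPS, run `upsc apc@192.168.1.1 ups.status` from it; an "OL" reply means the login, the LISTEN line and the firewall rule are all in place.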

Currently if we want to encrypt the config.xml file, there is one textbox for password entry.  If a typo is made, there is no way of knowing.

Not sure if this is expected behavior.  It used to show/highlight if a new package version was available and check for packages every time the dashboard is refreshed, which is overkill.  Now it only shows the currently installed version, and I have to go to System -> Package Manager to see if there are updates.

I'm actually OK with this new behavior, since the widget loads instantly.  Just curious if this was a recent change.

System:  2.4.0-RELEASE

  • I have two OpenVPN client tunnels set up in a Tier 1 Gateway Group.  Let's just call it the VPN Gateway.
  • I have LAN firewall rules set up so that traffic will go out the VPN Gateway gateway.
  • I want to make an exception for a tablet I'm using.  I set up a DHCP reservation so that this tablet always gets issued a .103 IP address.
  • I have another LAN firewall rule set up so that if the Source is .103 to go out the WANGW Gateway, as opposed to the VPN Gateway gateway.  This exception rule is higher than the rules below that normally route traffic through the VPNs.
  • Upon a fresh reboot of pfSense, the exception appears to work, and all traffic from this tablet goes out the naked WAN.  After some period of time, all traffic from the tablet goes out over the VPN, totally ignoring the firewall rule and policy-based routing.

Something is overriding the system routing table and the way policy-based routing should work.
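Added illustration of the first-match ordering the rules above depend on, written as pf rules of the kind pfSense generates from the GUI (this is not the poster's actual ruleset; the interface names, gateway addresses and the 192.168.1.0/24 LAN are placeholders), followed by the checks a practitioner would run when traffic stops following the rules:

```pf
# Added example: pf policy-routing rules in the order the GUI evaluates them.
# Placeholders: em0 = WAN with gateway 192.0.2.1, ovpnc1/ovpnc2 = the two OpenVPN
# client interfaces with remote endpoints 10.8.0.1 / 10.9.0.1, lan = LAN (192.168.1.0/24).

# 1. Exception first: the tablet's reserved address is routed straight out the WAN.
#    "quick" ends evaluation for packets that match, so the VPN rule below never sees them.
pass in quick on lan route-to (em0 192.0.2.1) inet from 192.168.1.103 to any keep state label "tablet-bypass-vpn"

# 2. Everything else on the LAN enters the VPN gateway group (Tier 1 = both tunnels, round-robin).
pass in quick on lan route-to { (ovpnc1 10.8.0.1), (ovpnc2 10.9.0.1) } round-robin inet from 192.168.1.0/24 to any keep state label "lan-to-vpn"

# Checks from the pfSense shell when behaviour drifts from the rules:
#   pfctl -vvsr | grep -A2 tablet-bypass   # is the exception rule loaded, and listed before the VPN rule?
#   pfctl -ss | grep 192.168.1.103         # which interface are the tablet's current states bound to?
#   netstat -rn                            # does the system routing table still look as expected?
# route-to is recorded per state: a state created while another rule matched keeps its original
# path until it expires or is cleared, e.g. with: pfctl -k 192.168.1.103
```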

Just wanted to throw out a data point that in my specific setup, I upgraded my [home] Production rig with no hiccups.  :)

1.  I run pfSense on an SSD and have key material like passwords and my PKI root certificate private keys, so I wanted to play with doing an ATA Secure Erase to properly "wipe" the SSD.  I paid $11 for Parted Magic and burned an ISO to CD-R.

2.  ATA Secure Erase was successful.

3.  Used Win32DiskImager to copy the 2.4.0-RELEASE Memstick image to a USB flash drive.

4.  Booted off flash drive.  Installed to SSD in about 5-10 minutes.

5.  I tried following the Automatically Restore During Install procedure and had a second USB flash drive with \conf\config.xml on it, but it was an encrypted XML file so it didn't work.  It's worked in the past with a plaintext config.xml file.

6.  Rebooted and manually configured WAN/LAN interfaces from the console.

7.  Went to a laptop and used the WebGUI to Restore from an encrypted backup file.  It automatically rebooted and started downloading packages.

8.  Manually rebooted one more time since I had had issues in the past with FreeRADIUS package not loading until another reboot after an upgrade.

I did run into the gigantic "pfSense" logo but a quick F5 got rid of that.  Long story short, no issues with DNS, DHCP, OpenVPN client tunnels, CPU and RAM utilization.  Everything seems just like 2.3.4-p1.

First and foremost, this is not a showstopper and doesn't appear to affect any functionality.  Everything is working.  The system boots up just fine after entering the correct password.

I have a test instance in VirtualBox running 2.4.0-RELEASE.  I've been playing with GELI Full Disk Encryption for several months and haven't gotten this error until now.

2.4.0-RC 10/8/2017

I was troubleshooting a pkg update issue and booted into Single User Mode once.  Ever since then, I get a Single User shell opening every boot.  I've tried everything from the boot Menu:  Hitting "1" or "Enter" for Multi User Mode doesn't work.

Screenshot shows the screen I get.  I have to hit Enter then type "exit" before the system boots up into Multi-User Mode.

I'm on 2.4.0 RC October 8

Option 13 gives me "Another instance is already running... Aborting!"

When typing in pkg update -f from Shell I get:

Code:
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory

then after a couple minutes:

Code:
pkg: No address reco
repository pfSense-core has no meta file, using default settings
pkg: https;// No address record
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory

then after a couple minutes:

Code:
pkg: No address record
repository pfSense has no meta file, using default settings

then after a couple minutes:

Code:
: No address record
Unable to update repository pfSense
Error updating repositories!

Let's say I want to establish a VPN client tunnel to, which resolves to:

among many other A records.  Assume that new A records are added and removed all the time.  I also have the DNS Resolver (unbound) set to only resolve DNS out the VPN connection.  I've lately just hardcoded an IP address I've chosen at random into the client configuration, but this limits me to always connecting to one endpoint, and it may or may not go down for maintenance or suffer other issues.  Plus I want my VPN IP to change every time the tunnel is established and not limit myself to just one address, for privacy reasons.

My goal is to use FQDN in the client configuration; e.g. use instead of, but as it currently is, since DNS resolves over the VPN tunnel (to prevent DNS leaking out over the naked WAN connection to my ISP), it will be unable to resolve and find an A record in order to connect.

Are there any advanced options/settings where I can tell unbound to resolve DNS over the naked WAN if and only if the VPN tunnel hasn't been established yet?
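One bootstrap approach, as an added example that is not part of the post and not a pfSense or unbound feature: resolve the VPN hostname once with a DNS query whose socket is bound to the WAN address, so the lookup bypasses unbound and the tunnel entirely, collect every A record, and hand OpenVPN the whole list as `remote` lines with `remote-random` so the endpoint changes on each connect. The script is self-contained: the hostname vpn.example.net, the WAN address 203.0.113.5 and the resolver 203.0.113.1 are placeholders, and the reply returned by constructed_response() is built in code rather than captured. The trade-off it makes explicit is that only the VPN endpoint's name is exposed to the resolver on the naked WAN; all other DNS still goes through unbound over the tunnel.

```python
import random
import socket
import struct

# Added example (not pfSense, unbound or OpenVPN project code). Placeholders:
VPN_HOST = "vpn.example.net"   # hypothetical VPN provider hostname
WAN_IP = "203.0.113.5"         # hypothetical address of the naked WAN interface
WAN_RESOLVER = "203.0.113.1"   # hypothetical resolver reachable over the WAN route


def build_query(name, txid):
    """Build a minimal DNS query: one question, QTYPE A, QCLASS IN, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer (2 bytes) terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return every IPv4 address in the answer section; reject foreign or error replies."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("DNS error rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):               # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                  # CNAMEs and other types are skipped, not followed
    return addrs


def resolve_via_wan(name, resolver=WAN_RESOLVER, source_ip=WAN_IP, timeout=3.0):
    """Query 'resolver' from a socket bound to the WAN address, so the lookup never
    touches unbound; the resolver must be reachable over the WAN route (e.g. the ISP's
    resolver on the WAN subnet). Live network call; not exercised offline."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((source_ip, 0))
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)


def openvpn_remote_lines(addrs, port=1194, proto="udp"):
    """Emit client-config lines: one 'remote' per address; OpenVPN picks the order at random."""
    if not addrs:
        raise ValueError("no A records: refuse to write an empty remote list")
    return ["remote-random"] + ["remote %s %d %s" % (a, port, proto) for a in addrs]


def constructed_response(txid=0x1234):
    """A DNS reply built in code for offline demonstration (constructed, not captured)."""
    question = build_query(VPN_HOST, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    answers = b""
    for ip in ("192.0.2.10", "198.51.100.20"):
        # name pointer to offset 12 (the question), type A, class IN, TTL 60, 4-byte rdata
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers


if __name__ == "__main__":
    # Offline demo on the constructed reply; on a real box use resolve_via_wan(VPN_HOST).
    for line in openvpn_remote_lines(parse_a_records(constructed_response(), 0x1234)):
        print(line)
```

The emitted lines belong in the client's custom options (or a config fragment regenerated before each connect); `resolv-retry infinite` is still worth keeping for the case where the WAN itself is down at start-up.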

OpenVPN / PIA - What's the proper way to do gateway monitoring?
« on: August 04, 2017, 07:32:39 pm »
I currently disable gateway monitoring for the PIA gateway since it doesn't respond to ping.  Is there an alternate address that one can enter in the "Monitor IP" field?

Whenever there is a WAN outage, the existing client OpenVPN tunnel fails (obviously).  When the WAN connectivity is re-established, I'd like for the OpenVPN tunnel to also reconnect.  As it is, I am having to manually log into pfSense and restart the service.

I've tested this in both OpenVPN 2.3.x on pfSense 2.3.4-p1 and OpenVPN 2.4.x on pfSense 2.4.0-beta.

I'm normally a pretty good troubleshooter, but I'm not sure exactly when this issue started happening, so it's hard to narrow it down to any "changes" made to my environment.

Supplicant:  My Windows 7 Pro x64 laptop
Authenticator:  Asus RT-N66U running in AP mode.  Latest firmware.
Authentication Server:  pfSense 2.3.4-p1 amd64 running freeradius3 package 0.8

WLAN Architecture:  WPA2-Enterprise (EAP-TLS)

Symptoms:  I've had no problems with this setup since Fall 2016, but for the past several weeks or so, every hour (ish), my laptop will lose connectivity, but it won't show any outward signs other than web pages suddenly not working.  It still shows connected to my wireless network.

[Edited to Add:  The 1 hour mark came and went, and I didn't lose connectivity this time.  I saw a new "radiusd" entry in the pfSense System Logs showing a successful authentication attempt by my laptop, via the AP.  I guess this issue is inconsistent.]

Workaround:  Manually disconnect from my wireless network then reconnect.  Everything immediately works again.  pfSense System logs show a fresh authentication attempt to FreeRADIUS.

Possible causes:
  • Something changed with the latest June or July Windows Updates?
  • Something changed in the latest Asus RT-N66U firmware updates?
  • Something changed going from the freeradius2 to freeradius3 package?
  • Hardware failure?  Overheating?

Enter an option: 13

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
pkg: hxxps://xz: No address record
repository pfSense has no meta file, using default settings
pkg: hxxps://esite.txz: No address record
Unable to update repository pfSense
Error updating repositories!

I had been updating every couple weeks just fine.

On 2.3.4 Release.

In OpenVPN client configuration, there's a checkbox labeled "Server hostname resolution - Infinitely resolve server" but it seems to make no difference to the configuration whether it's checked or not.

Looking at /var/etc/openvpn/client1.conf:

When not checked:
resolv-retry infinite
^ You'd think this directive would be removed when the checkbox is unchecked.

When checked:
resolv-retry infinite
^ Directive is there as expected.
