Netgate SG-1000 microFirewall

Routing and Multi WAN / IP Monitor offline on USB LTE modem gateway
« on: September 23, 2016, 06:12:32 pm »
I'm trying to have a multi-WAN setup that will have WAN = Comcast and WWAN = AT&T ZTE MF923 ( via USB. The MF923 was assigned as an interface ue0 and pulled a and gateway of from the device's DHCP server; I have internet access. I tried to find a way to set it to bridged/IP pass-through mode to pull the external IP but have been unsuccessful. So I just put the IP in the DMZ on the device to prevent any firewalling by the MF923.

The issue I'm having configuring load balancing & failover is that the IP monitor on WAN (Comcast) works fine with Google DNS, but shows offline on the WWAN with , which I can ping from the WWAN in the GUI and on the LAN when using the MF923 exclusively for internet access, so I'm assuming the gateway can respond to pings. WWAN will show online if the monitor IP is set to (gateway IP).

Anyone have an idea how to get IP monitoring working on this interface?

I have attached some screenshots of my config. Please note that right now the WAN (Comcast) will show an internal IP as I am configuring it behind another router; once deployed it will have a public IP.

I have also upped the payload to something greater than 0 with no luck.

Hardware / AirCard 781S Netgear 4g Modem - No usable interface shown
« on: March 03, 2016, 01:52:56 pm »
Hello all, I'm trying to set up an AirCard 781S Netgear 4G modem as a failover WAN interface. It has USB capability and works fine on Windows and Linux.

The issue is that when it is plugged in, it does not show up in pfSense as an interface, nor can I add it as a PPP.

It does show up as a USB device:

Code:
/root: usbconfig dump_device_desc

ugen1.2: <AirCard 781S Netgear, Incorporated> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0210
  bDeviceClass = 0x0002
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0040
  idVendor = 0x0846
  idProduct = 0x68e1
  bcdDevice = 0x0228
  iManufacturer = 0x0001  <Netgear, Incorporated>
  iProduct = 0x0002  <AirCard 781S>
  iSerialNumber = 0x0003  <013804000227124>
  bNumConfigurations = 0x0002

I know this device is not on the list of working 3G/4G modems, but is there anything I can do to try to get this assigned as an interface?

IPsec / Hub & Multi-Spoke VPN - allow communication between spokes?
« on: October 23, 2014, 10:50:53 am »
I currently have a hub-and-spoke IPsec VPN set up with communication working only from each spoke to the hub, not to the other spokes. I would like to have the spokes communicate with each other without destroying the current configuration and moving to a mesh (tinc), but I'd be open to some feedback on the benefits of tinc over my current configuration so maybe in the future I will migrate to that.

I have read that adding another phase 2 to the spoke I wish to communicate with, then repeating that on the other spoke, will accomplish this, but I have been unsuccessful getting that to work. Do I need to add another phase 2 for each spoke on the hub as well? I have 7 spokes and it seems like getting them to communicate will be a lot of phase 2 entries...

Here is my current VPN:



Let me know if what I want to accomplish with what I have set up is feasible.
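
Added example, not from the post: a small planner that enumerates the phase 2 entries a hub-and-spoke IPsec layout needs once spokes must reach each other through the hub. It assumes the usual pfSense approach, where every local/remote network pair a tunnel carries is its own phase 2 entry on both ends of that tunnel, so the hub also needs an entry for each other spoke's network on every spoke tunnel. The hub and spoke subnets are constructed sample values; the post's own addresses are not on the page.

```python
"""Enumerate phase 2 (traffic selector) entries for a hub-and-spoke IPsec VPN.

Added example; assumes pfSense-style configuration where each (local, remote)
network pair a tunnel must carry is a separate phase 2 on BOTH ends of it.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Phase2 = Tuple[str, str]  # (local network, remote network) as seen by that device


def find_overlap(hub_lan: str, spokes: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return the first pair of overlapping LANs, or None. Overlapping selectors
    cannot be routed unambiguously, so the plan refuses to proceed on them."""
    nets = [ipaddress.ip_network(hub_lan)] + [ipaddress.ip_network(c) for c in spokes.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return (str(a), str(b))
    return None


def plan_phase2(hub_lan: str, spokes: Dict[str, str],
                spoke_to_spoke: bool = True) -> Dict[str, List[Phase2]]:
    """Phase 2 lists per tunnel end. Keys: 'hub->NAME' is the hub's tunnel to
    that spoke, 'NAME->hub' is the spoke's tunnel to the hub."""
    clash = find_overlap(hub_lan, spokes)
    if clash:
        raise ValueError(f"overlapping networks {clash[0]} and {clash[1]}")

    plan: Dict[str, List[Phase2]] = {}
    for name, lan in spokes.items():
        hub_side: List[Phase2] = [(hub_lan, lan)]    # hub LAN <-> this spoke's LAN
        spoke_side: List[Phase2] = [(lan, hub_lan)]  # mirror image on the spoke
        if spoke_to_spoke:
            for other, other_lan in spokes.items():
                if other == name:
                    continue
                # The hub must carry the other spoke's LAN on this tunnel too...
                hub_side.append((other_lan, lan))
                # ...and this spoke needs the other spoke's LAN as a remote network.
                spoke_side.append((lan, other_lan))
        plan[f"hub->{name}"] = hub_side
        plan[f"{name}->hub"] = spoke_side
    return plan


def count_entries(plan: Dict[str, List[Phase2]]) -> Tuple[int, int]:
    """(entries configured on the hub, entries configured across all spokes)."""
    hub_total = sum(len(v) for k, v in plan.items() if k.startswith("hub->"))
    spoke_total = sum(len(v) for k, v in plan.items() if not k.startswith("hub->"))
    return hub_total, spoke_total


# Constructed sample: a hub and seven spokes, one /24 each.
HUB_LAN = "10.0.0.0/24"
SPOKES = {f"store{i}": f"10.{i}.0.0/24" for i in range(1, 8)}

if __name__ == "__main__":
    plan = plan_phase2(HUB_LAN, SPOKES)
    for tunnel, entries in plan.items():
        print(tunnel)
        for local, remote in entries:
            print(f"    local {local:<14} remote {remote}")
    print("hub entries, spoke entries:", count_entries(plan))
```

With seven spokes the hub grows from 7 to 49 phase 2 entries and each spoke from 1 to 7, which is the "a lot of phase 2 entries" the post anticipates; passing `spoke_to_spoke=False` prints the baseline hub-only layout for comparison.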

At all of our retail stores we have pfSense firewall appliances and all locations have an IPsec tunnel to our main location.

At the newest location we are opening, we want to add a dedicated access point out in the showroom.

We want 2 SSIDs: one for private traffic that is on the same subnet as the LAN interface ( so that laptops can communicate down the VPN and access network resources just like the wired PCs on the switch. DHCP is handed out by pfSense. This is for employees.

Then the second SSID must be completely restricted from the private traffic and on its own subnet ( with internet access only. This will be for customers.

I've been searching for how to set this up but nothing I have read specifically states how to accomplish this. Most say not to bridge the LAN interface and to have the 2 SSIDs on their own separate subnets, but this will break the communication down the VPN tunnel that I need the employees to have on the private SSID.

Can anyone help me out on what is the best way to accomplish this?

Also, what features should I look for in the access point besides multiple SSIDs?

Thanks in advance!

Here's a quick rundown of my test setup:
Windows 2012 R2
pfSense 2.2 Sep 29th build on Hyper-V

3 interfaces
WAN - DHCP
LAN1 -
LAN2 -

LAN2 is my test network and is all that concerns this issue.
DHCP is handed out on LAN2 via pfSense.

For testing purposes all firewall rules were removed and an "allow any/all" rule was created on the WAN & LAN1&2.

FYI, enabling "Disable all packet filtering" breaks all network traffic, thus unusable.

Issue 1
I set up an IPsec tunnel to my corporate location ( that is running old pfSense 2.0.1, the same way as I do for all 7 other remote locations. When I bring up the tunnel, pfSense on the Hyper-V shows connected and no errors in the logs, but the other end of the tunnel (pfSense 2.0.1) shows disconnected. No traffic.

Here are the logs from the corporate location:
Code:
Sep 30 20:01:47 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: can't start the quick mode, there is no ISAKMP-SA, XXXXXXXXXXXX:XXXXXXXXXXXX
Sep 30 20:01:05 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: can't start the quick mode, there is no ISAKMP-SA, XXXXXXXXXXXX:XXXXXXXXXXXX
Sep 30 20:00:52 racoon: [Compsmith]: INFO: ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:XXXXXXXXXXXX:XXXXXXXXXXXX
Sep 30 20:00:52 racoon: INFO: purged ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX.
Sep 30 20:00:52 racoon: INFO: purging ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX.
Sep 30 20:00:52 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] INFO: DPD: remote (ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX) seems to be dead.
Sep 30 20:00:51 racoon: ERROR: XXX.XXX.XXX.XXX give up to get IPsec-SA due to time up to wait.
Sep 30 20:00:41 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Sep 30 20:00:41 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:41 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:41 racoon: [Compsmith]: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
Sep 30 20:00:41 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Sep 30 20:00:31 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
Sep 30 20:00:28 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Sep 30 20:00:28 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:28 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:28 racoon: [Compsmith]: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
Sep 30 20:00:21 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).

The VM pfSense is uneventful and just shows connection established, making me think inbound packets are being blocked by the firewall to complete the handshake.

FYI OpenVPN seems to work but I cannot run it simultaneously with IPsec on the same destination subnet.

Issue 2
On my same Server 2012 R2 Hyper-V I brought up an Asterisk server. Got a few physical SIP phones communicating on the LAN and making OUTBOUND calls. Inbound is not working at all; Asterisk CLI verbose shows nothing is making it to the server / no verbose output. Again thinking that some inbound packets are being blocked.

Issue 3
No matter what rules I have in place, including the current allow all/any rule I have now, I cannot RDP in, whereas it was fine on my old Netgate appliance with 2.1.5.

Issue 4
Asterisk service pfSense add-on is broken.

If anyone who either has these issues, or admins that have replicated these issues, can chime in so that I know it's not my settings, I'd appreciate it. Also if there are any workarounds please let me know.
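
Added example, not part of the post: a parser that reads the racoon lines quoted above (copied with the addresses and SPIs masked exactly as the poster masked them) and groups them by failure type, so the responder's view of a failing negotiation can be read at a glance instead of line by line. The category names and the diagnosis strings are this example's own; racoon itself only emits the messages shown.

```python
"""Group racoon (pfSense 2.0.x IPsec daemon) log lines by failure type.

Added example. The sample log is the one quoted in the post; the category
names and diagnosis text are this example's own wording.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Sep 30 20:01:47 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: can't start the quick mode, there is no ISAKMP-SA, XXXXXXXXXXXX:XXXXXXXXXXXX
Sep 30 20:01:05 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: can't start the quick mode, there is no ISAKMP-SA, XXXXXXXXXXXX:XXXXXXXXXXXX
Sep 30 20:00:52 racoon: [Compsmith]: INFO: ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:XXXXXXXXXXXX:XXXXXXXXXXXX
Sep 30 20:00:52 racoon: INFO: purged ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX.
Sep 30 20:00:52 racoon: INFO: purging ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX.
Sep 30 20:00:52 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] INFO: DPD: remote (ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX) seems to be dead.
Sep 30 20:00:51 racoon: ERROR: XXX.XXX.XXX.XXX give up to get IPsec-SA due to time up to wait.
Sep 30 20:00:41 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Sep 30 20:00:41 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:41 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:41 racoon: [Compsmith]: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
Sep 30 20:00:41 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Sep 30 20:00:31 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
Sep 30 20:00:28 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Sep 30 20:00:28 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:28 racoon: ERROR: failed to get sainfo.
Sep 30 20:00:28 racoon: [Compsmith]: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
Sep 30 20:00:21 racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
"""

# "<timestamp> racoon: [<tunnel>]: [<peer>] <LEVEL>: <message>"; tunnel and peer are optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tunnel>[^\]]+)\]: )?"
    r"(?:\[(?P<peer>[^\]]+)\] )?"
    r"(?P<level>ERROR|INFO|WARNING|NOTIFY|DEBUG): (?P<msg>.*)$"
)

# Ordered: the first pattern that matches the message wins.
CATEGORIES = [
    ("phase2_selector_mismatch", re.compile(r"failed to get sainfo|failed to pre-process ph2 packet")),
    ("phase2_timeout", re.compile(r"give up to get IPsec-SA")),
    ("no_phase1_sa", re.compile(r"there is no ISAKMP-SA")),
    ("dpd_peer_dead", re.compile(r"DPD: remote .* seems to be dead")),
    ("peer_notification", re.compile(r"notification [A-Z-]+ received")),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one racoon line into its fields, or None if it is not a racoon line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def categorize(msg: str) -> str:
    for name, pattern in CATEGORIES:
        if pattern.search(msg):
            return name
    return "other"


def summarize(log_text: str) -> Counter:
    """Count racoon lines per category; lines that are not racoon lines are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[categorize(rec["msg"])] += 1
    return counts


def diagnose(counts: Counter) -> List[str]:
    """Turn the counts into the things to check first."""
    findings = []
    if counts["phase2_selector_mismatch"]:
        findings.append("Phase 2 mismatch: the responder found no sainfo for the initiator's "
                        "proposal. Compare Phase 2 local/remote networks and proposals on both ends.")
    if counts["dpd_peer_dead"] and counts["no_phase1_sa"]:
        findings.append("Phase 1 was torn down after DPD declared the peer dead, and the peer "
                        "kept attempting quick mode without a fresh Phase 1.")
    if counts["phase2_timeout"]:
        findings.append("Phase 2 timed out waiting for the peer; see the mismatch errors just before it.")
    return findings


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for category, n in counts.most_common():
        print(f"{n:3}  {category}")
    for finding in diagnose(counts):
        print("-", finding)
```

On the quoted log, the seven "failed to get sainfo" / "failed to pre-process ph2 packet" lines dominate, which points at the phase 2 networks rather than at a firewall dropping inbound packets; the two "no ISAKMP-SA" lines at the top are the aftermath of DPD tearing phase 1 down.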


IPsec / Asterisk addon package not routing traffic down ipsec tunnel...?
« on: September 25, 2014, 05:53:39 pm »
I have IPsec VPN connections between 2 locations.

Location 1 has a pfSense router ( with a dedicated Asterisk server ( behind the router's LAN port.

Location 2 is a pfSense Netgate router with Asterisk installed on the router (

At location 2, anything behind the Netgate router LAN port ( IPsec traffic travels to Location 1 ( fine without issues. But from inside the Netgate router ( either via trying to ping in the GUI or SSH to Location 1's network (, no packets travel down the VPN.

So my issue is that I have short codes (i.e. *80) to dial the two locations, but since Asterisk is not using the VPN tunnel on the Location 2 Netgate router ( they time out.

I need to find out how to get Asterisk at Location 2 to communicate down the VPN. Right now it simply does not even see the network at Location 1 from inside the router.

Testing from Location 1's router and Asterisk server I can ping Location 2's router. I cannot ping from inside Location 2's router or the Asterisk CLI to Location 1's network (

Ping output:
Code:
PING ( from 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=22.600 ms
64 bytes from icmp_seq=1 ttl=64 time=30.619 ms
64 bytes from icmp_seq=2 ttl=64 time=21.115 ms

--- ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 21.115/24.778/30.619/4.174 ms

Code:
PING ( 56 data bytes

--- ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Code:
Pinging from with 32 bytes of data:
Reply from bytes=32 time=26ms TTL=126
Reply from bytes=32 time=24ms TTL=126
Reply from bytes=32 time=25ms TTL=126
Reply from bytes=32 time=23ms TTL=126

Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 26ms, Average = 24ms

Not sure where to put this as I'm not sure what the issue is. I have an IPsec VPN set up with 7 remote locations. Every location with the exception of 2 has a dedicated Asterisk box. The other 2 have only pfSense with the Asterisk package add-on. I have short dial codes set up to dial other locations over the VPN. All work except for the 2 pfSense/Asterisk boxes.

At both locations where the short codes do not work, while in the pfSense GUI or SSH'd into the routers I cannot ping/connect/talk to anything at the corporate location. So (remote router) can't ping (corporate location) from inside the router. But from behind the router (any host on the network) I can ping anything at the corporate location, just not from inside the router. To confuse me more, at the corporate location I can ping/connect/talk to anything on the remote networks from the router.

So my theory why I can't use these short codes is this lack of communication between the 2 locations from remote router to corporate router. Verbose output from Asterisk shows an unreachable destination when the short code is entered.

Firewall rules at one of the 2 locations are set to allow any on both the WAN and LAN just to try to get it to work.

Thanks for any help you can give.
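
Added example, not from the post: a check of whether a given packet would be selected into an IPsec tunnel by the phase 2 (traffic selector) pairs configured on a device. The post does not state why traffic from inside the remote router fails while LAN hosts work; one common cause, offered here as an assumption, is that the firewall sources its own packets from an address outside every local phase 2 network (its WAN address), so no selector matches and the packet follows the default route instead. All addresses below are constructed samples, since the post's own addresses are not on the page.

```python
"""Match traffic against IPsec phase 2 selectors to see whether it enters the tunnel.

Added example with constructed addresses. Phase 2 pairs are (local network,
remote network) as configured on the device sending the packet.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Phase2 = Tuple[str, str]

# Constructed sample: a remote site's single phase 2 to the corporate LAN, plus the
# remote firewall's own addresses (203.0.113.0/24 is documentation address space).
SPOKE_PHASE2: List[Phase2] = [("192.168.20.0/24", "192.168.10.0/24")]
FIREWALL_ADDRESSES = {"lan": "192.168.20.1", "wan": "203.0.113.45"}
CORPORATE_HOST = "192.168.10.5"


def select_phase2(phase2_pairs: Iterable[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first (local, remote) pair whose networks contain src and dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in phase2_pairs:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def usable_sources(phase2_pairs: Iterable[Phase2], dst: str, candidates: Iterable[str]) -> List[str]:
    """Which of the device's own addresses would put traffic to dst inside a phase 2."""
    pairs = list(phase2_pairs)
    return [addr for addr in candidates if select_phase2(pairs, addr, dst) is not None]


def explain(phase2_pairs: Iterable[Phase2], src: str, dst: str) -> str:
    hit = select_phase2(phase2_pairs, src, dst)
    if hit:
        return f"{src} -> {dst}: matches phase 2 {hit[0]} <-> {hit[1]}, enters the tunnel"
    return f"{src} -> {dst}: no phase 2 matches, follows the normal routing table"


if __name__ == "__main__":
    # A LAN host behind the remote firewall: selected into the tunnel.
    print(explain(SPOKE_PHASE2, "192.168.20.50", CORPORATE_HOST))
    # The firewall itself, sourcing from its WAN address: not selected.
    print(explain(SPOKE_PHASE2, FIREWALL_ADDRESSES["wan"], CORPORATE_HOST))
    # The firewall itself, sourcing from its LAN address: selected.
    print(explain(SPOKE_PHASE2, FIREWALL_ADDRESSES["lan"], CORPORATE_HOST))
    print("sources that reach the corporate host through the tunnel:",
          usable_sources(SPOKE_PHASE2, CORPORATE_HOST, FIREWALL_ADDRESSES.values()))
```

The practical check this suggests is to repeat the ping from the router with the LAN address as the source (pfSense's ping diagnostic lets you choose the source address); if that succeeds where the default source fails, the selectors are fine and it is the locally generated traffic that needs to be sourced from, or bound to, a LAN address.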

IPsec / pfSense VPN router behind a Tomato router
« on: June 25, 2014, 09:54:49 am »
Quick summary of what I'm trying to accomplish:
I'm testing a Netgate pfSense router at home and wish to connect it behind my Shibby Tomato router so as not to disrupt my normal home network setup. The VPN will be connected to my corporate location. I have configured the tunnel and have it working if the pfSense router is the gateway. The issue I have now is that when I put the pfSense router behind my home Tomato router, the VPN on both ends shows connected but I cannot ping the corporate network from the workstation at home that I have connected to the pfSense router, and likewise from corporate to the pfSense subnet.

Overview of network
Motorola DOCSIS 3.0 Modem (

Router 1 "Gateway" (
Shibby Tomato Firmware 1.28.0000 MIPSR2-115 K26 USB Big-VPN
Static Route to pfSense router
Destination Gateway / Next Hop Subnet Mask Metric Interface 0 br0 (LAN)
I have also put in a DMZ in hope of opening up all ports to the pfSense router.
DHCP for the network and DNS is handled by my Windows server for the devices in my home.

Router 2 "pfSense" (LAN
DHCP scope -
1 Workstation connected to the LAN (
VPN to corporate shows a connection in pfSense on both ends but cannot access or ping either way.
Corporate is fine, as all the other locations currently have a working VPN and I connect fine when the pfSense router is the gateway.
Firewall has been opened to allow ANY connection on the WAN

I can ping from the network to the network
I can ping from the network to the network
I CAN NOT ping from the network to the network (corporate)

netstat -rn from the pfSense router
Routing tables

Destination Gateway Flags Refs Use Netif Expire
default UGS 0 347005 re1 link#3 U 0 800027 re2 link#3 UHS 0 0 lo0 link#14 UH 0 36 lo0
173.XXX.64.XXX UGHS 0 5273 re1 link#2 U 0 19842 re1 link#2 UHS 0 0 lo0

Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%re0/64 link#1 U re0
fe80::20d:b9ff:fe33:8758%re0 link#1 UHS lo0
fe80::%re1/64 link#2 U re1
fe80::9644:52ff:fea6:e6f3%re1 link#2 UHS lo0
fe80::%re2/64 link#3 U re2
fe80::20d:b9ff:fe33:875a%re2 link#3 UHS lo0
fe80::%lo0/64 link#14 U lo0
fe80::1%lo0 link#14 UHS lo0
ff01::%re0/32 fe80::20d:b9ff:fe33:8758%re0 U re0
ff01::%re1/32 fe80::9644:52ff:fea6:e6f3%re1 U re1
ff01::%re2/32 fe80::20d:b9ff:fe33:875a%re2 U re2
ff01::%lo0/32 ::1 U lo0
ff02::%re0/32 fe80::20d:b9ff:fe33:8758%re0 U re0
ff02::%re1/32 fe80::9644:52ff:fea6:e6f3%re1 U re1
ff02::%re2/32 fe80::20d:b9ff:fe33:875a%re2 U re2
ff02::%lo0/32 ::1 U lo0

netstat -rn from the Tomato router
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface UH 0 0 0 vlan2 UG 0 0 0 br0 U 0 0 0 br0 U 0 0 0 vlan2 U 0 0 0 lo UG 0 0 0 vlan2

VPN is IPsec and, as I said, the testing pfSense router and the corporate pfSense router show the VPN tunnel is connected.

So now I'm stuck. I thought the static route would allow packets through to the pfSense router but no luck. I'm thinking it's a NAT issue but I'm not sure. Any help would be appreciated. Thanks.

