Topics - FarmerB3rd

1
General Questions / VLAN routing stops working by itself
« on: February 03, 2018, 04:05:52 am »
Folks,

I posted about this a while back but it seemed like a ramble...

I have a VLAN (300) which simply has an any/any rule. From laptop plugged into the switch I can ping the vlan's gateway. Perfect. I can also ping 8.8.8.8. This stays working for a while.

I go to speedtest.net and do a speed test and all of a sudden it stops working.

The screen print below is my test laptop connected into the switch. Pinging quite happily and all of a sudden the lights went dim.

I have:
Netgear switch;
Port 5 (U, 300, laptop)
Port 6 (T, trunk to OPT6 (trunked) on pfsense)

pfSense;
OPT6 2 VLANS, 300, 400
Rule in VLAN300 any/any

VLAN1 = 10.10.50.1/24
VLAN300 = 10.10.30.1/24


As said, this all works so I don't think there is any issue with the config.
It just stops working by itself. VLAN1 continues to work without hassle.

A reboot of pfSense is the only way to solve it (that I have found so far). Still trawling through the logs.
Hardware is a Gigabyte JI900 which, other than this issue, has never missed a beat in 3 years.

Any help with finding out why this is happening?


thanks,



2
General Questions / Instability when multiple VLANs and rule editing.
« on: January 02, 2018, 07:36:42 pm »
Hi folks,

I have what I think is an odd stability problem.

I have the following:
WAN
LAN 10.10.50.0/24
OPT6 (trunk)
VLAN300 (parent is OPT6) 10.10.30.0/24

I have UBNT wifi kit with two SSIDs - Main and IoT
IoT is VLAN300

DHCP is working on both LAN and VLAN300.
I set up a rule on VLAN300 to route between main and it. I can ping from 10.10.30.50 (My phone on IoT) to 10.10.50.1 (LAN gateway). As expected, all is well.

So far, so good.

Now, if I play around with the rules on vlan300 such as disabling and re-enabling, things get weird. DHCP stops working and from time to time, internet vanishes for the main LAN.
This is pretty repeatable.

In the logs I can see my phone asking for IP address and the DHCP server offering one but my phone never seems to accept it.

The cure for all this? Reboot pfSense. Without fail, every time, it will come right until I mess about with the rules again.

Am I missing something really daft? Any logs I can furnish to help diagnose this?

I am using the latest build.


thanks and Happy new year.


Bob



3
Packages / upsmon parent process died - shutdown impossible
« on: December 26, 2016, 11:10:04 am »
Hi folks -

Merry Christmas!


I've recently added a UPS to my firewall and started getting these errors emailed to me -

Code:

upsmon parent process died - shutdown impossible


The firewall talks ok to the UPS and when the power goes down it gets shut down ok, but I'm not sure it'll work after this?

Any tips?

C

4
OpenVPN / Is PC/Firewall fast enough for AES-128 VPN?
« on: October 04, 2016, 01:43:38 pm »
Folks,

I have a J1900 quad-core Celeron PC running as a pfSense FW. (Details)
From it I maintain a VPN connection to Private Internet Access using OpenVPN. This CPU does not have the AES extension.


When I first set it up about a year ago I was getting 200Mb/s throughput (connection saturation) on the VPN. Today I get around 50-60 average, down to 20 on a bad day.

I'm working with PIA to try to work out why but so far we're not getting to the bottom of it. They're adamant they have the bandwidth and appreciate that I can do a speed-test which reads 200 down and 12 up.

I'm wondering though, what do others get on VPN throughput? Anything better than this? When does AES start becoming a problem?

The load average on the PC is 0.17, 0.14, 0.09 and does not vary much with or without tests.

pfSense version is latest and greatest.

TIA
F

5
Firewalling / Cannot add new rule - Please enter the format requested
« on: October 01, 2016, 12:30:37 am »
Hi folks,

I'm using the following:
2.3.2-RELEASE (amd64)
built on Tue Jul 19 12:44:43 CDT 2016
FreeBSD 10.3-RELEASE-p5


I have many VPN client connections setup to Private Internet Access and they work perfectly.
I recently installed OpenVPN on a server I own in Germany. I now have a connection to that too. Connection works fine.

I am trying to set up a new rule to route traffic from a single IP on my network to the server.
I have many of the same rule forcing traffic out over various VPN gateways. They work fine.

When I copy an existing rule or outbound NAT rule I get the following error: Please match the format requested. (See attached)

This is happening if I copy an existing rule and then simply try clicking save. i.e. nothing has changed but it no longer likes it.

I've tried with a single IP and an alias but neither work.

What am I missing? Why would it not allow a new rule?

Thanks
F



6
General Questions / pfSense crashes every few weeks - log is blank
« on: March 14, 2015, 05:17:32 pm »
Hi folks,

I've happily been using pfSense for home for about 6 months now. I am using the following:
2.2-RELEASE (amd64)
built on Thu Jan 22 14:03:54 CST 2015
FreeBSD 10.1-RELEASE-p4

I am running this on a Gigabyte GA-J1900N-D3V, 4GB RAM and a 64GB SSD.


I have a problem where I would lose internet connection from some clients. Oddly, it affected most clients on my network but some were ok.
When I tried logging in to the GUI I would get php errors about /tmp/session<something or other> was not found.
I SSH'd into the box and could see the menu but trying to select an option, 8 for shell, spewed back php errors and I was still in the menu.

So, I did a hard-boot on it and all is well now. It came up, nothing seems wrong.
Having a look at the system.log in /var/log/ shows a massive blank from about the time my wife said "there is something wrong with the internet" and the reboot. It's as if the machine was off. (pasted below)

This has happened twice when I was using the alpha builds way back when and now on the release. I said nothing back then because it was alpha.
I'm more curious now as to why it happened and if there is any interest from the (awesome) writers of pfSense as to why it happens. Is it a hardware or software bug?


Thanks,
Fred


Code:
Mar 14 09:03:07 pfSense kernel: ue0_vlan10: link state changed to UP
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0_vlan10
Mar 14 09:03:07 pfSense kernel: ue0: link state changed to DOWN
Mar 14 09:03:07 pfSense kernel: ue0_vlan10: link state changed to DOWN
Mar 14 09:03:07 pfSense kernel: ue0: link state changed to UP
Mar 14 09:03:07 pfSense kernel: ue0_vlan10: link state changed to UP
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0_vlan10
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0_vlan10
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0_vlan10
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0
Mar 14 09:03:07 pfSense check_reload_status: Linkup starting ue0_vlan10
Mar 14 09:03:08 pfSense php-fpm[8651]: /rc.linkup: Linkup detected on disabled interface...Ignoring
Mar 14 09:03:08 pfSense php-fpm[8651]: /rc.linkup: Linkup detected on disabled interface...Ignoring
Mar 14 09:03:08 pfSense php-fpm[8651]: /rc.linkup: Linkup detected on disabled interface...Ignoring
Mar 14 09:03:08 pfSense php-fpm[8651]: /rc.linkup: Linkup detected on disabled interface...Ignoring
Mar 14 09:03:08 pfSense php-fpm[8651]: /rc.linkup: Linkup detected on disabled interface...Ignoring
Mar 14 09:03:08 pfSense php-fpm[8651]: /rc.linkup: Linkup detected on disabled interface...Ignoring
Mar 14 12:52:08 pfSense syslogd: kernel boot file is /boot/kernel/kernel
Mar 14 12:52:08 pfSense kernel: Copyright (c) 1992-2014 The FreeBSD Project.
Mar 14 12:52:08 pfSense kernel: Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
Mar 14 12:52:08 pfSense kernel: The Regents of the University of California. All rights reserved.
Mar 14 12:52:08 pfSense kernel: FreeBSD is a registered trademark of The FreeBSD Foundation.
Mar 14 12:52:08 pfSense kernel: FreeBSD 10.1-RELEASE-p4 #0 36d7dec(releng/10.1)-dirty: Thu Jan 22 15:12:35 CST 2015
Mar 14 12:52:08 pfSense kernel: root@pfsense-22-amd64-builder:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10 amd64
Mar 14 12:52:08 pfSense kernel: FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
Mar 14 12:52:08 pfSense kernel: CPU: Intel(R) Celeron(R) CPU  J1900  @ 1.99GHz (2000.05-MHz K8-class CPU)
Mar 14 12:52:08 pfSense kernel: Origin = "GenuineIntel"  Id = 0x30673  Family = 0x6  Model = 0x37  Stepping = 3
Mar 14 12:52:08 pfSense kernel: Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Mar 14 12:52:08 pfSense kernel: Features2=0x41d8e3bf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,TSCDLT,RDRAND>
Mar 14 12:52:08 pfSense kernel: AMD Features=0x28100800<SYSCALL,NX,RDTSCP,LM>
Mar 14 12:52:08 pfSense kernel: AMD Features2=0x101<LAHF,Prefetch>
Mar 14 12:52:08 pfSense kernel: Structured Extended Features=0x2282<TSCADJ,SMEP,ERMS>
Mar 14 12:52:08 pfSense kernel: VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID

7
General Questions / Options for alerting
« on: January 02, 2015, 09:09:38 am »
Folks,

I've been using pfSense at home for a while now and am quite happy with it. It maintains VPNs (both server and client) and just hums along without a problem.

A friend of mine has started using Sophos UTM9 and swears by it. To date, there is nothing that he has told me that makes it worth my while to explore it, never mind switch to it. Until now....

He installed some software he downloaded ( :o ) and the firewall started emailing him about suspicious traffic heading back to China. He checked the logs and true's Bob, there was traffic heading back to China from his machine.

He said it "just does it" out the box. Is there something like that in pfSense? I would like to be told (or able to be told) and then filter out noise as I need but if there is an exception, I want to know.

Thanks
Fred.

8
General Questions / pfSense and Asterisk and SIP trunks not working
« on: September 14, 2014, 04:20:46 pm »
No, not "that ol' question" type of post. I'm posting for posterity's sake and hopefully so someone else does not have the same problem.

I've had pfSense running for just over a month now (geek-home use) and been very happy with it and the rather interesting learning curve.
I got my Asterisk (on LAN) setup and working quite easily and outbound trunks functioned without anything special or any hassle.

All of a sudden I noticed the trunks no longer connected. As I only make use of the trunks a few times a month I don't know when they actually broke.
I've spent about 3 days (evenings, weekends etc) trying to work it out.
Tried siproxd - nudda
Tried sniffing the traffic, did not help (see requests going, nothing returned)
Spoke to hosting company - they said nothing has changed
Basically just poking it hoping I would find the problem. Networking being a side-show for me, this is all I can do.


I stumbled across a post where a guy had a HP switch which was swallowing packets. It turned out, he found some 40 hours later, that the switch decided that when a packet had a source and destination port that matched it must be a DoS attack and dropped them.
Ta-Daaaa, went the lights in my head; I had installed Snort a few weeks back.
Off I go and sure enough, snort has decided these are all very very bad packets and is swallowing them, hence the inability of my Asterisk box to register the trunks.
Turn off snort and voila, all trunks spring to life. Now to configure snort properly...


Would it not be a good idea to make Snort's logs (dropped, error etc) push into the system log? It seems better to have a single source of what is dropped etc. Just a suggestion.


Posting this in the hopes that it helps someone else... Please move if there is a more adequate place.


FarmerB



9
Hi Folks,

I've got a scenario where DDNS is showing the correct WAN address on status page but dyndns has the wrong address.

I have a VPN running and have a Lan -> * rule pushing all traffic out over the VPN. I accept this is why it's updating dyndns to be that address however, why would the status page be showing the correct WAN address (I have the monitor interface set to WAN).

Could I class this as a bug or misrepresentation of what is actually happening?

I would have expected it to update DynDNS with the address shown in the DDNS status page. More so that I can select the VPN from the list if I wanted to update it with its VPN.

I've added a preceding rule to the firewall for the LAN IP to go out via the WAN GW and not the VPN. I will see how this works.

I am using "2.2-ALPHA (amd64) built on Sat Aug 23 02:30:11 CDT 2014 "


Thanks
FB3rd

10
General Questions / Does marking a gateway as default mean anything?
« on: August 24, 2014, 04:37:25 am »
Hi Folks,

I have a single WAN and a VPN connection which is set up as OPT1.
I have a rule sending traffic from certain clients via the VPN by specifying the gateway. That works.

I have the default rule of LAN* to use the default gateway. This however does not seem to make any difference and traffic still goes via the VPN. (Confirmed rule is hit in the logs).
If I change the default GW on the rule and force it to use the WAN then all is well.

To me it then seems that default gateway means nothing and the rules will take any gateway.
I am sure there is more to it than that but that is how my noob mind is understanding it. Where am I going wrong?


As always, a picture is worth a thousand words.

Gateways (screenshot not included)

Using default: (Still sending traffic via VPN) (screenshot not included)

Force WAN gateway - works as-expected. (screenshot not included)

As always, thanks for any help and guidance.


Fred.

11
NAT / NAT stops working when I enable VPN client
« on: August 21, 2014, 03:58:50 pm »
Hi folks,

I've been stuck on a problem now for a few days and have no hair left to pull out :(

I have NAT set up and it works a treat (yay!)
I then set up a VPN connection with a firewall rule which sends traffic from my laptop via the VPN by setting the gateway to the VPN. This too works well.

When this is set though, NAT reflection stops working on any computer sent through the VPN. I cannot (read:don't understand why) get it to work. Other computers however work ok.

The odd thing though, to my noob mind, is that NAT stops working all together from the outside world.

I'm lost, I have slowly turned things on and off and tried to work out what is happening but cannot...

Screenshots of various pages: (screenshots not included)

12
Hi Folks,

I am trying to get my hands on the traffic data which draws the graphs. Finding it in the source and using it is quite simple but I want anonymous access to it as it'll be an Arduino polling the information.

Is there an existing method of me getting this type of data or would it be best (possible?) for me to create a package to expose this. If going the long way around, package, then I could put a basic username / password on the request.

Or, best of all, is there an existing method I can do this? I've had a look at the packages like Bandwidthd and given what an Arduino can do, would be better to get the basic data and ease up on parsing it.


Thanks for any tips

Crispin

