

Topics - virgiliomi

Pages: [1] 2
1
So I've been running the 2.4 beta from the day I got my SG-2440. As release nears, I know that the "factory" version is of course optimized for the Netgate hardware, and thus would like to return to that once 2.4 has been released. But I don't want to just restore my CE config file and have it remove any of those optimizations because they aren't present in my config.

Is there a way to get my box back to running the factory version with its optimizations without having to manually redo my config? Are there certain sections that I shouldn't import from my CE config, or that I could merge between my config and an unmodified factory one?

2
2.4 Development Snapshots / ZFS on SG-2440
« on: April 06, 2017, 09:21:24 pm »
So I'm the daring type who took my SG-2440 and put 2.4 on it as soon as I got it home. But I wasn't able to install with ZFS. When I tried, the installer completed, rebooted, I removed my USB drive, and ZFS failed to mount.

My thought is that when my USB drive was connected, it was da0 and the built-in storage was da1, but when I removed my USB drive, the device identifiers changed, so the config no longer reflected the correct location. Unfortunately, I wasn't even able to get it to pick up when I tried pointing it to zfs:zroot/da0 (I think that's the format I used, based on what was presented) and the specific partitions as well, so I don't know what was going on.

Any thoughts on how best to install ZFS on a 2440? I'd rather not try things until there's a known good process in place. For the moment I'm just running with UFS instead. I'm fortunate that power where I live is extremely stable, even in the worst of severe thunderstorms and icy winter weather... though I still have a UPS connected anyway.

3
2.4 Development Snapshots / DHCPv6 leases not updating in webgui
« on: March 19, 2017, 08:50:59 pm »
So I run DHCPv6 on my main LAN, and many of my devices connected to this network are using DHCPv6 to obtain IPv6 addresses (Android gets sent to the Guest network, where only SLAAC is used). Anyway, I noticed today that when I went to look at my DHCPv6 leases, it only showed two addresses... one is static, the other is my network printer. But when I go look at the /var/dhcpd/var/db/dhcpd6.leases file, I see many other leases there (iPhone, iPad, Apple TV, and a couple other Windows computers).

Any thoughts on why they might not be showing up in the webgui, or how to get it so that they show up?

4
2.4 Development Snapshots / POST issue? DDNS "Save and Force Update"
« on: February 19, 2017, 06:57:22 am »
The Save and Force Update button on the DDNS page doesn't seem to do anything... it certainly doesn't save the settings and nearest I can tell, it doesn't force an update either.

5
Hardware / Intel Atom C2xxx LPC failures
« on: February 05, 2017, 07:29:31 am »
Get ready folks... this is going to be a fun ride soon. :) Cisco has started having routers and switches fail due to an LPC clock failure. Coincidentally, Intel has updated the errata of their Atom C2000-series chips, indicating that an LPC clock failure can prevent the system from booting. Cisco didn't name-and-shame the company producing the failed part in their gear, but it's pretty coincidental that Intel happens to update their errata at the same time Cisco announces issues with their hardware indicating the same failure.

Cisco claims that the failure can start after as little as 18 months of use.

Intel claims to have a platform-level workaround that can be used. Of course, there are no details in the errata about the workaround.

This could make for some fun times soon, given all of the Rangeley chips being used in systems running pfSense.

Article on The Register, the update at the bottom indicates the Atom may be at fault in Cisco's gear.

6
DHCP and DNS / DHCPv6 Static Mapping + DNS issue
« on: September 06, 2016, 08:39:32 am »
I've already created a bug report (#6768) for this, just wondering if others might be seeing the same thing...

I have two devices on my LAN with static DHCPv6 mappings... yet when I look up their hostnames, the IP address returned by unbound is not correct. The prefix in the DNS IP address would be the prefix 0 value (x:y:z:7a70::) for the /60 that I get from my ISP... but my LAN uses prefix 1 (x:y:z:7a71::), not prefix 0.

I haven't tried this with my guest network (which uses prefix 5) to see what gets returned in that case.

Edit: Well, I'd love to try it with my guest network, but I can't get pfSense to show me the DHCPv6 leases for that interface so I can get the DUID and create a DHCPv6 static mapping! But the computer has received a DHCPv6 address on that interface...

Edit 2: Still can't get DHCPv6 lease on my Guest interface to show up to try a static mapping there, but I noticed something looking at the static entries... When entering the DHCPv6 static mapping, ONLY the host portion of the address is entered. But I'm guessing that in creating the DNS entry, it appears as though the prefix appended to the host portion is the base (0) prefix, not the proper prefix for the interface that the static entry is being configured on (1 for my LAN).

7
2.3.2 Development Snapshots / Monitoring graph > NTP produces error
« on: July 16, 2016, 12:06:34 pm »
When I go to the monitoring graphs, then select "NTP", when I update the graph I get this error:

Error: SyntaxError: Unexpected token W in JSON at position 1

Additionally, there's a crash report (I've submitted two over two days, IPs below)

v4: 73.171.116.x
v6 WAN: 2001:558:6036:61:x:x:x:x

I don't think it would come from the v6 LAN, but if you can't find from the v6 WAN, let me know and I'll provide the LAN address.

I did not have this issue with 2.3.1, so not sure if something changed in the RRD data between versions, or if there's a new issue.

8
The following log entries regarding bogons update appeared... the one about IPv6, however, is incorrect.

Apr 1 03:01:00 root rc.update_bogons.sh is starting up.
Apr 1 03:01:00 root rc.update_bogons.sh is sleeping for 35853
Apr 1 12:58:33 root rc.update_bogons.sh is beginning the update cycle.
Apr 1 12:58:34 root Bogons V4 file downloaded: 3759 addresses added.
Apr 1 12:58:34 root Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off
Apr 1 12:58:34 root rc.update_bogons.sh is ending the update cycle.

IPv6 Allow is on, and always has been. I have and use IPv6 on a daily basis, and all of my interfaces are configured, and it's working great too. Someone might want to check this script to make sure it's checking the right setting for IPv6 Allow...

9
So I've seen this for a couple of days now... and it's a unique one.

I'll turn on my Windows system... desktop, laptop, it doesn't matter. IPv6 RA is Stateless DHCP (since Windows doesn't use RDNSS to get DNS server info). Computer receives the RA, determines a SLAAC IP address with privacy extensions, etc.

IPv6 works great. Sites load using IPv6 (as determined by the IPvFoo extension to Chrome). I can ping hosts using hostname and an IPv6 address is used. IPv6 test sites pass wonderfully.

24 hours pass... this is the default valid lifetime of the RA. All of a sudden, sites load using IPv4. Pinging a hostname results in the IPv4 address being pinged. IPv6 is no longer preferred over IPv4. BUT... it DOES still work. If I ping -6 google.com, I get replies. IPv6 test sites show IPv6 works, but that IPv4 is preferred.

Not sure if this is a Windows issue. None of my other devices - Apple (iOS and OS X) or Android, that I can see/tell - have an issue like this. But this issue only just started happening, and the only thing that's changed is the 2.3 snapshots on my pfSense box. I can reboot the computer and IPv6 works great again... for the next 24 hours.

Thoughts?

10
2.3-RC Snapshot Feedback and Issues - ARCHIVED / NEW Monitoring graph
« on: March 03, 2016, 04:20:54 pm »
Looks great! Definitely has a few bugs though...

Here are a couple I found just quickly trying it out...

Quality graph: Loss is identified in "ms"... oops! :)

I set both left and right axes, then when I set the right axis to none and updated, the colors and lines remained on the graph (though they moved vertically a bit when I pressed update). The right axis lines remained at whatever time scale it was set to when it was on (evident by the fact that when I was at the 8 hour mark for the left axis, the line dots were about 1/3 across on the right axis).

RRD graph for NTP is enabled, but no option for NTP as an axis.

11
So I updated to the latest snapshot through the GUI update function... I noticed that among the packages that were downloaded was rrdtool... but after pfSense rebooted, I no longer have the RRD option on the Status menu. What can I do to get it back?

12
So here's a chain of events from last night that seems to have earned me a loss of IPv6 connectivity from my hosts.

1. Opened interface settings for GUEST (OPT1/igb2) network.
2. Changed no setting (though I could've easily just changed something simple like speed/duplex).
3. Saved, then applied, the settings for the interface.
4. Dashboard showed no IPv6 address for GUEST interface.
5. In interface settings, disabled GUEST interface, saved/applied, then re-enabled the interface, saved/applied.
6. Dashboard shows GUEST interface with IPv4 and IPv6 addresses. WAN and LAN show both addresses as well.
7. Host on LAN network is now observed as only browsing to IPv4 addresses for dual-stack sites.
8. Try pinging dual-stack host from LAN network, IPv4 responds, IPv6 does not.
9. Reboot pfSense.
10. Still no IPv6 on LAN. Try host on GUEST, no IPv6 there either.
11. It's late, I go to sleep.
12. 6 hours later, tried connecting from different host on LAN, hoping something might have worked itself out overnight... still no IPv6 connectivity.
13. I can ping IPv6 from pfSense, even from LAN interface (didn't try from GUEST), so routing seems to be fine.

WAN requests and receives a /60 from ISP via DHCP-PD.
LAN interface is configured to track WAN, using prefix ID 0. LAN RA is managed, DHCPv6 configured (::1000-::1FFF).
GUEST interface is configured to track WAN, using prefix ID 5. GUEST RA is assisted, DHCPv6 configured (::1000-::1FFF).

Possible radvd issue? I didn't see anything unusual in the Services widget... maybe its config got borked somehow?

Separately, the fact that after making a change (or not) to interface settings in step 2 and applying them in step 3 caused the IPv6 address to disappear from an interface seems unusual. I think that should be checked out as well, but after figuring out what has caused both of my networks to lose IPv6 connectivity.

Any chance someone could try and duplicate this and see if it happens for them? :)

13
When I log into pfSense on either my iPhone or iPad, then browse to a list (for example, either of the DHCP/v6 Leases lists), when I tap on a header to sort the list on that field, it sorts the list (ascending), then reverse-sorts the list (descending). I've tried in both Chrome and Safari on both devices (of course, I know that Chrome is really using the same Webkit engine behind-the-scenes as Safari, so I'd expect the same behavior in both).

I don't have any Android devices I can try to see if it happens there also.

14
The DHCP Leases list shows start and end date/time info for all of the static DHCP entries, even if that date/time is in the past. See my screenshot for example.


15
2.3-RC Snapshot Feedback and Issues - ARCHIVED / DHCPv6 on Track Interface
« on: February 27, 2016, 09:59:03 am »
Again, happy to see this added!! :)

One thing I noticed... while I request a /60 from my ISP, a /64 is given to each of my networks. But when I go to the DHCPv6 Server settings, it shows Subnet Mask: 60 bits. While that holds true for the Prefix Delegation function, I don't think it should be valid for the service to be handing out individual IP addresses outside of the /64 that the interface is using (and while I haven't tested the validation of entering a range outside of my LAN's /64, the way it appears to me is that it would be accepted).

Example... I have 2001:aaaa:bbbb:ccc0::/60 from my ISP... On LAN, I select prefix 2 (2001:aaaa:bbbb:ccc2::/64)... the ADDRESS range I should be able to specify should be within only the /64.

The PREFIXES for delegation obviously need to be within the /60 though. Also, there should probably be an example way to enter the prefixes for delegation, as it took me a bit of trial and error to get it to accept my entries.

Edit to add: If the prefix that has been delegated is just a /64, the Prefix Range boxes should probably be disabled, since there aren't other prefixes that could be sub-delegated.
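Worked example of the address arithmetic behind two of the DHCPv6 reports above (the static-mapping DNS entry in topic 6 and the range validation in topic 15). This is added here as illustration; it is not code from the posts or from pfSense, and it does not claim to mirror pfSense's actual validator. Assumptions: the ISP delegates a /60, each tracked interface takes one /64 slot chosen by its prefix ID, a static mapping stores only the 64-bit host portion, the documentation prefix 2001:db8:0:7a70::/60 stands in for the redacted x:y:z:7a70::/60, and the function names are mine.

```python
"""Address arithmetic for a pfSense-style "track interface" setup.

Added example, not project code.  Assumptions: the ISP delegates a /60, each
tracked interface takes one /64 slot selected by its prefix ID, a DHCPv6
static mapping stores only the 64-bit host portion, and 2001:db8:0:7a70::/60
stands in for the redacted x:y:z:7a70::/60 from topic 6.
"""
import ipaddress


def tracked_interface_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracked interface gets for `prefix_id` inside `delegated`."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64; there is no /64 to carve out")
    slots = 1 << (64 - pd.prefixlen)          # a /60 has 16 slots, IDs 0x0..0xf
    if not 0 <= prefix_id < slots:
        raise ValueError(f"prefix ID {prefix_id:#x} is out of range for {pd}")
    # Consecutive /64s are 2**64 apart, so the ID lands in the bits just below
    # the delegated prefix length.
    return ipaddress.IPv6Network((int(pd.network_address) + (prefix_id << 64), 64))


def static_mapping_address(delegated: str, prefix_id: int,
                           host_portion: str) -> ipaddress.IPv6Address:
    """Combine the interface /64 with the host portion stored in a static mapping.

    The DNS symptom in topic 6 corresponds to calling this with prefix_id=0 for
    an interface that actually tracks prefix_id=1.
    """
    net = tracked_interface_prefix(delegated, prefix_id)
    host = int(ipaddress.IPv6Address(host_portion))   # "::1234" parses to 0x1234
    if host >> 64:
        raise ValueError(f"host portion {host_portion} does not fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | host)


def range_check(delegated: str, prefix_id: int, start: str, end: str) -> tuple:
    """Return (inside_delegated, inside_interface) for a DHCPv6 address range.

    A validator that only tests the first value accepts a range in a sibling
    /64, which is the gap topic 15 describes; the second value is the check
    the poster asks for.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    net = tracked_interface_prefix(delegated, prefix_id)
    lo, hi = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    if lo > hi:
        raise ValueError("range start is after range end")
    return (lo in pd and hi in pd, lo in net and hi in net)


if __name__ == "__main__":
    # Constructed inputs mirroring the two posts (not captured data).
    print(tracked_interface_prefix("2001:aaaa:bbbb:ccc0::/60", 2))       # 2001:aaaa:bbbb:ccc2::/64
    print(static_mapping_address("2001:db8:0:7a70::/60", 1, "::1234"))  # 2001:db8:0:7a71::1234 (correct)
    print(static_mapping_address("2001:db8:0:7a70::/60", 0, "::1234"))  # 2001:db8:0:7a70::1234 (the reported DNS answer)
    print(range_check("2001:aaaa:bbbb:ccc0::/60", 2,
                      "2001:aaaa:bbbb:ccc2::1000", "2001:aaaa:bbbb:ccc2::1fff"))  # (True, True)
    print(range_check("2001:aaaa:bbbb:ccc0::/60", 2,
                      "2001:aaaa:bbbb:ccc3::1000", "2001:aaaa:bbbb:ccc3::1fff"))  # (True, False)
```

The last call is the case to watch for: a ::1000-::1fff range in the ccc3 /64 sits inside the delegated /60, so a check against the 60-bit mask passes even though the LAN interface only advertises ccc2::/64.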
