
Topics - NotAnAlias

Firewalling / Networking two subnets together
« on: February 11, 2018, 05:48:46 am »
This is my current setup:

Modem > Openwrt(wrt1200ac) > Pfsense > Computers

OpenWrt creates a subnet, and pfSense is assigned an address from it on its WAN interface.

pfSense then creates a subnet and all the computers plug in here.

The setup was made because during power outages you can still connect to the openwrt router. It uses a lot less power than pfsense, so only the openwrt router is connected to the UPS.
This results in computers connected to the OpenWrt router via wireless being unable to connect to pfSense, which makes sense. pfSense will see those computers on WAN and block them.
I tried to plug pfSense's LAN port and OpenWrt's LAN port into the same switch along with the computers. I unchecked "authorize DHCP" on OpenWrt's LAN. Computers are still assigned 192.168.1.x IPs, so that's good.
So I tried to manually set a computer to and it can ping the internet sometimes but constantly drops packets. It also cannot connect to the 192.168.1.x computers on pfSense either.
Is there a solution to make it so the computers on the different subnets can talk to each other?
Would buying a TP-Link 5-port managed switch be able to do this?


IPv6 / Can't get IPV6 on LAN with two routers
« on: February 09, 2018, 02:43:07 am »
Hello, I have a setup with two routers.
The reason I have two routers is because the first router runs wireless, and is connected to a UPS. It is low power, so it will stay on much longer compared to a desktop with pfsense.

Comcast assigns a /60.
The first router runs LEDE. It assigns a /64 to connected devices, and all my computers can browse IPv6 sites fine. The WAN interface on LEDE is assigned a /60 as expected.
Settings for IPV6 on LAN for LEDE.

pfSense successfully gets an IP on the WAN interface, a /64. I can ping IPv6 addresses through the web interface.
However the LAN interface gets no ipv6 address.

WAN is set to DHCP6, LAN is set to Track.
Computers connected to pfsense cannot get an ipv6 address.

I have disabled bogon blocking in the WAN interface tab but that did not help, any ideas?

Installation and Upgrades / Can't install with ZFS 2.4.2
« on: February 09, 2018, 01:00:20 am »

I am using the amd64 2.4.2 pfsense version.

Motherboard: GA-B150M-D3H
Memory: 2x2gb ddr3 1066
Flash drive: Sandisk ultra usb 3.0 for installation
SSD: Silicon Power 60GB SSD S60 MLC
CPU: G4400

When I try to install with ZFS, I select stripe option and select the 60gb Silicon Power SSD.
It errors saying:

ahcich1: Timeout on slot 0 port 0
ahcich1:  is 00000000 cs 00000000 ss 00000001 rs 00000001 tfd 40 serr 00000000 cmd 0000c017
ada8:ahcich1:0:0:0): SEND_FPDMA_QUEUED DATA SET MANAGEMENT. ACB: 64 02 00 00 00 40 00 00 00 00 00

It gets stuck here; a picture may be more helpful (large):

Any ideas why this may be happening? UFS seemed to install just fine. However I do not trust UFS, it corrupts very easily. It is worth noting, this same system had issues with a nanobsd install as well on 2.3.x. It took a very very long time to boot up. Others with the same configuration have the same issue.

I have tried different SATA cables and different ports. The SSD works fine connected via a USB adapter to a different computer, it checks out with crystaldiskmark and crystaldiskinfo.

Routing and Multi WAN / Double nat and ipv6
« on: July 04, 2017, 02:14:28 pm »

I made a thread here marking my setup,
The tl;dr is that I have two internet connections from the same isp, so they share the same gateway. I put a wrt1200ac with openwrt after one of the modems, which then connects to pfsense's WAN.

I am assigned a /60 ipv6 from the ISP. Openwrt I have set to assign a /60 on the LAN address, I am not sure if this is correct.
I tried having pfsense set to a /64 on the WAN and then /60, and pfsense can ping out via ipv6. But the LAN clients on pfsense cannot ping.

On a computer assigned on LAN:

   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : fd0e:c91c:a166::d0b
   IPv6 Address. . . . . . . . . . . : fd0e:c91c:a166:0:d474:xxxx:xxxx:bfb
   Temporary IPv6 Address. . . . . . : fd0e:c91c:a166:0:8fc:b454:xxxx:xxxx
   Link-local IPv6 Address . . . . . : fe80::d474:14f7:2153:bfbf%20
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . : fe80::1:1%20

I can't ping out.

I don't have much experience with IPv6; I know there is no NAT with it. I thought it would work automatically because of that. I am not sure how the IPv6 delegation sizes work when there are multiple routers. Could anyone give me some insight? Thanks

EDIT: Just set the prefix delegation size on OpenWrt's WAN to /60, realized it was /64. That worked fine on OpenWrt, but I still can't get IPv6 out on pfSense's LAN. On pfSense I set the IPv6 interface on LAN to OPT2 (the other modem with no router) and I couldn't connect to pfSense at all (IPv4), but pfSense did not kernel panic and it wasn't frozen. I rebooted it and I could connect again, but I still didn't have IPv6 access. I tried switching the IPv6 interface back to WAN and I lost all access; a reboot fixed that again. Looks like switching the IPv6 interface on LAN causes pfSense problems.
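The two IPv6 questions above (the LAN getting no address behind two routers, and how a /60 is shared between them) come down to two checks: how a delegated prefix is divided between cascaded routers, and what kind of address the LAN client actually ended up with. The following is an added example, not code from the original posts or from pfSense or OpenWrt. It uses Python's standard ipaddress module, substitutes an RFC 3849 documentation prefix for the real ISP delegation (which the posts do not show), and assumes the downstream router is handed a /62; that size is a choice for the example, not something the posts state.

```python
import ipaddress

# Constructed stand-in for the ISP delegation: the post says Comcast hands out
# a /60 but the real prefix is not shown, so an RFC 3849 documentation prefix
# is used here.
ISP_DELEGATION = ipaddress.IPv6Network("2001:db8:abcd:1230::/60")

def plan_cascade(delegated, downstream_pd_len=62):
    """Divide one ISP delegation between a first router and a router behind it.

    A /60 contains sixteen /64s. The first router keeps one /64 for its own
    LAN (which is the second router's WAN). The second router must receive
    its *own* delegation, smaller than the ISP's, so its LAN can "track" it;
    a /62 (four /64s) is assumed here.
    """
    if not delegated.prefixlen < downstream_pd_len <= 64:
        raise ValueError("downstream delegation must be longer than the ISP prefix and at most /64")
    all_64s = list(delegated.subnets(new_prefix=64))
    first_router_lan = all_64s[0]
    # Carve the downstream delegation out of space not used by the first LAN.
    downstream = next(n for n in delegated.subnets(new_prefix=downstream_pd_len)
                      if not n.overlaps(first_router_lan))
    return {
        "first_router_lan": first_router_lan,
        "downstream_delegation": downstream,
        "downstream_lan": next(iter(downstream.subnets(new_prefix=64))),
        "free_64s": len(all_64s) - 1 - 2 ** (64 - downstream_pd_len),
    }

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # IANA global unicast range
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")     # RFC 4193 ULA, never routed on the internet

def classify(addr):
    """Name the kind of IPv6 address a host reports; a '%20' zone id is stripped."""
    a = ipaddress.IPv6Address(addr.split("%")[0])
    if a.is_link_local:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique local (ULA)"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"

def has_global_address(addrs):
    """A host with no global unicast address cannot reach the IPv6 internet."""
    return any(classify(a) == "global unicast" for a in addrs)

# Addresses from the post's ipconfig output (the redacted xxxx groups replaced with 0).
HOST_ADDRESSES = [
    "fd0e:c91c:a166::d0b",
    "fd0e:c91c:a166:0:d474:0:0:bfb",
    "fe80::d474:14f7:2153:bfbf%20",
]

if __name__ == "__main__":
    plan = plan_cascade(ISP_DELEGATION)
    for k, v in plan.items():
        print(f"{k:22} {v}")
    for a in HOST_ADDRESSES:
        print(f"{a:35} {classify(a)}")
    print("host has a global address:", has_global_address(HOST_ADDRESSES))
```

Run against the ipconfig output quoted in the post, the classifier reports only unique-local (fd00::/8) and link-local addresses and no global unicast one. That is the diagnostic: a ULA is by definition not routed on the internet, so "can't ping out" is expected from that host no matter how the firewall rules look, and the thing to fix upstream is that pfSense's LAN never received a prefix from the global delegation. The planner shows why the delegation sizes matter: the downstream router has to be given a prefix strictly smaller than the ISP's /60 and disjoint from the first router's LAN, otherwise there is nothing for its LAN to track.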

General Questions / Double nat and 1:1 nat
« on: July 01, 2017, 08:59:35 pm »

I have two modems and since they share the same gateway I know pfsense does not support that.
So I went ahead and put a Linksys wrt1200ac router after one of the modems.
I'd like it so the wifi connections on the linksys can still communicate with the computers on the lan network.

I have assigned the linksys a LAN ip of
Pfsense is assigned on WAN as

LAN on pfsense is

How can I go about doing this? From what I looked up I have to set up some rules in 1:1, but it would always be nice to get some direct feedback.

OpenVPN / Openvpn does not reconnect on disconnects
« on: May 09, 2017, 07:47:42 am »
Whenever there seems to be an Internet outage, the OpenVPN service seems to stop. It says "daemon not running" under Status > Services.
I have to manually start it.

Is there a way for it to automatically start up again?

I am on 2.3.3 amd64, nanobsd.

I would show the log, but I started the service again and it made too many new log messages to see the old ones.

Seems like a similar issue here,

I am using a domain name to connect to, not an ip address directly. I'll go ahead and try using an ip address instead, but I'm not sure why that would make a difference.

General Questions / g4400, aes ni not an option
« on: January 29, 2016, 12:02:24 am »
Running /usr/bin/openssl engine -t -c

I get the output

[2.2.6-RELEASE][root@pfSense.localdomain]/root: /usr/bin/openssl engine -t -c
(cryptodev) BSD cryptodev engine
     [ available ]
(rsax) RSAX engine support
     [ available ]
(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]

There is no aes-128 in the output; anyone have any idea?

[2.2.6-RELEASE][root@pfSense.localdomain]/root: openssl speed -evp aes-128-cbc -engine cryptodev
engine "cryptodev" set.
Doing aes-128-cbc for 3s on 16 size blocks: 207206376 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 56470392 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 14539010 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 3653627 aes-128-cbc's in 2.98s
Doing aes-128-cbc for 3s on 8192 size blocks: 459608 aes-128-cbc's in 3.00s
OpenSSL 1.0.1l-freebsd 15 Jan 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc    1105100.67k  1204701.70k  1240662.19k  1253634.03k  1255036.25k
[2.2.6-RELEASE][root@pfSense.localdomain]/root: engine "cryptodev" set.

Actually just running
kldload aesni
seems to make it work. I see aes-128-cbc in the OpenVPN section for the BSD acceleration now.

Oh... System > advanced setup > Misc

You can enable aes ni there

I was using an old qx6700 and 4 gigs of ram.

I moved to a g4400 skylake cpu, and this motherboard

I tried to just boot off the old nanobsd stick I was using, but it got stuck at booting at /boot/kernel/kernel.
So I tried a fresh install, wiping the USB and putting it on again, and the same thing occurs.

Even before it gets to that, the text appears very slowly on the boot menu.

I tried using the live cd on a cd rom drive, everything worked fine.
I tried disabling the serial port in the bios, no change.
I am using a sandisk 4gb usb stick with the 4gb nanobsd install.

EDIT: After 20 or so minutes, it booted fine and everything seems to be working at full speed. However, every reboot is very slow. Any ideas?

IPv6 / ipv6 not working on LAN
« on: January 04, 2016, 02:41:12 am »
Using 2.2.6-RELEASE (amd64) nanobsd

I can ping IPv6 sites from pfSense, but LAN devices do not get an IPv6 address.

Under status services, radvd is not present.

If I type radvd in shell I get:

[2.2.6-RELEASE][root@pfSense.localdomain]/root: radvd
[Jan 04 00:38:40] radvd: can't open /usr/local/etc/radvd.conf: No such file or directory
[Jan 04 00:38:40] radvd: Exiting, permissions on conf_file invalid.

IPv6 used to work fine, but it seems to have stopped functioning after I reset my Comcast modem. I just upgraded to 2.2.6 from 2.2.5, and it made no difference.

Packages / Pfblocker on one computer
« on: August 07, 2015, 04:40:58 am »
I'm trying to use pfBlocker for just one computer. By that I mean I want one computer that is only allowed to access IP addresses in the United States.

Is this possible? I checked whether pfBlocker left some rules in the firewall rules so I could specify which computer for it to act on, but I didn't see anything.

Traffic Shaping / Active congestion control
« on: September 25, 2014, 03:22:33 pm »
To my knowledge codel does not take any parameters. In OpenWRT's implementation it uses both hfsc and codel. hfsc is used to limit the amount of bandwidth, so you have to enter your bandwidth settings manually, and codel is used to shape it.
The problem is that if your internet speed varies through the day you will be limited to the numbers you entered in.
In Gargoyle there is active congestion control, which pings a host and adjusts the buffer on the router so as to not let the ping get too high.

pfSense doesn't require any parameters to be input for codel, so how does it function? E.g. how does pfSense know when the buffer is full on the cable modem?
