


Topics - 21hertz

1
Hey,

The number of users in one of our networks has increased to over 6000 concurrent clients.
We're using Manual Outbound NAT on one WAN IP address to NAT all these clients at the moment (internal traffic is not NATed though) and of course this will become a problem when there aren't enough ports left to use.

We already have a few more unused IP addresses on the WAN subnet, routed by another router, which I'm ready to set up.

Since it is not possible to have multiple WAN addresses that share the same gateway/subnet, I have to use Virtual IPs I guess.

I'm not sure how to set this up. I've added two Virtual IPs with Proxy ARP, from the same subnet as the WAN (one of them being the same IP as the WAN IP).

Now, under the NAT Outbound rules, I want to add a "PAT rule" to match all my LANs to my virtual IPs.
But I can only choose ONE virtual IP when configuring Translation, and there is no way to configure a group of "Virtual IPs"?
And if I add a whole network/subnet of IP addresses as a Virtual IP, I guess pfSense will try to use all IP addresses on that subnet even though I only want to use a few IPs from that WAN subnet, not all IPs from the whole subnet.

I must be missing something here...

Edit: re-phrased my questions.

2
We have 3 different rsyslog servers, 1 running on OpenBSD and 2 on Linux. pfSense is sending all its logs to these three servers ("Everything").

We are getting more logging since updating to 2.3.1 and nginx is the source of this (about 500 MByte per day extra). Nginx does not log to our syslog-servers in the same way as the rest of the logs (Everything, System/Firewall etc). We are not using any extra packages except NRPE and VMware-tools.

When logging to external rsyslog-servers Nginx creates a new hostname source, in our case adding our domain.tld after hostname (which becomes destination directory/filename in our rsyslog).

You can see what I mean here, a directory listing on one of our syslog servers:
Code:
drwxr-xr-x    2 loguser      staff   24064 Jun  1 00:00 my-pfsense                      <--- all logs from pfsense except nginx logs.
drwx------    2 loguser      staff     512 Jun  1 00:00 my-pfsense.mydomain.tld          <--- nginx logs appear in here, nginx logs added "mydomain.tld".
drwxr-xr-x    2 loguser      staff   31232 Jun  1 00:00 my-pfsense-02                   <--- all logs from pfsense except nginx logs.
drwx------    2 loguser      staff     512 May 29 22:55 my-pfsense-02.mydomain.tld      <--- nginx logs appear in here, nginx logs added "mydomain.tld".

Here is an example of what the nginx-log file contains:

Code:
# tail 2016-06-01_my-pfsense.mydomain.tld.log
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /Microsoft-Server-ActiveSync?User=[ANONYMIZED@somedomain.tld]&DeviceId=SIVSUP0CTD1D35QNSM4EF9J64C&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 302 5 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.0.220 - - [01/Jun/2016:12:37:31 +0200] "GET /index.php?zone=cpwifise&redirurl=http%3A%2F%2Fofficecdn.microsoft.com%2Fsg%2F39168D7E-077B-48E7-872C-B232C3E72675%2FOffice%2FData%2Fv32.cab HTTP/1.1" 200 91 "-" "OfficeC2R"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - windowsdomain\ANONYMIZED [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Fmail.mydomain.tld%2FMicrosoft-Server-ActiveSync%3FUser%3Dtmd HTTP/1.1" 200 1706 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Foutlook.office365.com%2FMicrosoft-Server-ActiveSync%3FUser%3DANONYMIZED%40anotherdomain.tld HTTP/1.1" 200 1732 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.0.220 - - [01/Jun/2016:12:37:31 +0200] "GET /sg/39168D7E-077B-48E7-872C-B232C3E72675/Office/Data/v32.cab HTTP/1.1" 302 5 "-" "OfficeC2R"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.0.220 - - [01/Jun/2016:12:37:31 +0200] "GET /index.php?zone=cpwifise&redirurl=http%3A%2F%2Fofficecdn.microsoft.com%2Fsg%2F39168D7E-077B-48E7-872C-B232C3E72675%2FOffice%2FData%2Fv32.cab HTTP/1.1" 200 91 "-" "OfficeC2R"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - windowsdomain\ANONYMIZED [01/Jun/2016:12:37:31 +0200] "POST /Microsoft-Server-ActiveSync?User=tmd&DeviceId=SIVSUP0CTD1D35QNSM4EF9J64C&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 302 5 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /Microsoft-Server-ActiveSync?User=[ANONYMIZED@somedomain.tld]&DeviceId=SIVSUP0CTD1D35QNSM4EF9J64C&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 302 5 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - windowsdomain\ANONYMIZED [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Fmail.mydomain.tld%2FMicrosoft-Server-ActiveSync%3FUser%3Dtmd HTTP/1.1" 200 1706 "-" "Apple-iPhone5C4/1306.69"
2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.x.3.77 - [ANONYMIZED@somedomain.tld] [01/Jun/2016:12:37:31 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Foutlook.office365.com%2FMicrosoft-Server-ActiveSync%3FUser%3DANONYMIZED%40anotherdomain.tld HTTP/1.1" 200 1732 "-" "Apple-iPhone5C4/1306.69"

These are my concerns:
1. Our syslog server gets a lot of nginx logs containing upper-layer information (HTTP POST etc.) (may be normal for nginx, but it's a new behaviour of pfSense).
2. nginx seems to log separately from anything I configure in Settings under Logging in pfSense? (not confirmed for every setting)
3. nginx creates another source hostname than the rest of the logs do -> logging destination gets affected (depending on your rsyslog configuration of course). nginx sets its logs' hostname source to hostname.domain.tld instead of just hostname as for everything else.

It would be nice to be able to configure the nginx logging feature from GUI so that it matches what you need to be logged - and where.


Take care,
J.
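
The hostname mismatch and the identity leakage in these nginx lines can be handled on the collector side. The following Python parser is an added example (not from the post, and not pfSense or nginx code): it reads syslog lines in the format shown above, maps the FQDN back onto the short hostname that the rest of pfSense uses, and redacts the authenticated user and the User= query parameter, including when it is nested inside a captive-portal redirurl=. The sample lines are constructed to match the format of the post's output; hostnames, addresses and user names in them are placeholders.

```python
"""Normalise pfSense 2.3.x nginx syslog lines and redact identities in URLs.

Added example, not from the forum post. Assumed line format (as seen in the
post): <ts> <host> nginx: <client> - <user> [<date>] "<METHOD> <target> <proto>"
<status> <bytes> "<referer>" "<user-agent>"
"""
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) nginx: (?P<client>\S+) - (?P<user>.*?) '
    r'\[(?P<date>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SENSITIVE_PARAMS = {"user"}   # query parameters treated as identities (assumption)
REDACTED = "REDACTED"


def short_hostname(host: str) -> str:
    """'my-pfsense.mydomain.tld' -> 'my-pfsense', so nginx lines collate with the rest."""
    return host.split(".", 1)[0]


def redact_target(target: str, depth: int = 0):
    """Return (redacted request target, number of identity parameters removed).

    redirurl= carries a second, percent-encoded URL (the captive-portal redirect
    target); it is decoded, redacted recursively and re-encoded.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target, 0
    hits = 0
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            value, hits = REDACTED, hits + 1
        elif key.lower() == "redirurl" and depth < 3:
            value, inner = redact_target(value, depth + 1)
            hits += inner
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), hits


def parse_line(line: str) -> Optional[dict]:
    """Parse one nginx syslog line; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["short_host"] = short_hostname(rec["host"])
    rec["target"], hits = redact_target(rec["target"])
    if rec["user"] != "-":          # basic-auth / ActiveSync user field
        rec["user"] = REDACTED
        hits += 1
    rec["identity_fields"] = hits
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(lines):
    """Per short hostname: how many nginx lines arrived and how many carried identities."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(rec["short_host"], {"lines": 0, "with_identity": 0})
        entry["lines"] += 1
        if rec["identity_fields"]:
            entry["with_identity"] += 1
    return summary


# Constructed sample lines in the post's format (placeholder hosts, users, addresses).
SAMPLE_LINES = [
    '2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.0.3.77 - [alice@example.net] '
    '[01/Jun/2016:12:37:31 +0200] "POST /Microsoft-Server-ActiveSync?User=alice%40example.net'
    '&DeviceId=ABCDEF&DeviceType=iPhone&Cmd=Sync HTTP/1.1" 302 5 "-" "Apple-iPhone5C4/1306.69"',
    '2016-06-01T12:37:31+02:00 my-pfsense.mydomain.tld nginx: 10.0.0.220 - - '
    '[01/Jun/2016:12:37:31 +0200] "GET /index.php?zone=cpwifise&redirurl=http%3A%2F%2Fofficecdn.'
    'microsoft.com%2Fsg%2FData%2Fv32.cab HTTP/1.1" 200 91 "-" "OfficeC2R"',
    '2016-06-01T12:37:32+02:00 my-pfsense-02.mydomain.tld nginx: 10.0.3.78 - - '
    '[01/Jun/2016:12:37:32 +0200] "POST /index.php?zone=cpzone&redirurl=http%3A%2F%2Fmail.example.net'
    '%2FMicrosoft-Server-ActiveSync%3FUser%3Dbob%40example.net HTTP/1.1" 200 1732 "-" "Apple-iPhone5C4/1306.69"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["short_host"], rec["user"], rec["target"], rec["identity_fields"])
    print(summarize(SAMPLE_LINES))
```

Running the file prints the normalised records and a per-host count; the `identity_fields` counter is what a collector would alert or filter on, and the re-encoded target is what should reach long-term storage instead of the raw request line.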

3
Hello!

I manage a network with Cisco switches where each Cisco switch inserts a DHCP Option 82 with the switch name + port number + VLAN into every DHCP Request made by a client.
The purpose is to keep track of where users connect. I have, with success, used this solution together with a standalone ISC DHCP server.
I'd like to do the same thing in pfSense.

In the standalone ISC DHCP-server I have this configured:

Code:
if exists agent.circuit-id
{
log ( info, concat( "Lease for ", binary-to-ascii (10, 8, ".", leased-address), " is connected to switch ",
substring( option agent.remote-id, 2, 9999), " port ",
binary-to-ascii (10, 8, "/", suffix ( option agent.circuit-id, 2)), " via VLAN ",
binary-to-ascii (10, 16, "", substring( option agent.circuit-id, 2, 2))));
}

Which results in these logs:

Code:
Apr 16 20:01:41 dhcp-1 dhcpd: Lease for 10.1.109.85 is connected to switch CISCO-SWITCH-1 port 1/38 via VLAN 7
Apr 16 20:01:41 dhcp-1 dhcpd: DHCPREQUEST for 10.1.109.85 from 00:6c:8f:00:6b:31 via 10.1.109.2
Apr 16 20:01:41 dhcp-1 dhcpd: DHCPACK on 10.1.109.85 to 00:6c:8f:00:6b:31 via 10.1.109.2


My questions:

1. Is it possible to do the same in pfSense DHCP-server via GUI (in the DHCP Option menu)?
2. If not - can I add configuration via shell, to /var/dhcpd/etc/dhcpd.conf, without it being flushed/reset by pfSense once DHCPD is started again?


Regards,
J.
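The dhcpd log statement above relies on fixed byte offsets inside the two Option 82 sub-options (skip 2 bytes of remote-id, VLAN at bytes 2-3 of circuit-id, module/port as its last 2 bytes). The following Python decoder is an added example, not from the post, pfSense or ISC dhcpd: it parses a raw Option 82 payload, applies the same offsets, and produces the same log text, so a captured option can be checked against the assumed Cisco layout before the logs are trusted. It goes slightly beyond the post by also handling the default MAC-address form of remote-id. The layout (Cisco-format circuit-id, hostname or MAC remote-id) and the sample bytes are assumptions constructed for the example.

```python
"""Decode DHCP relay agent information (Option 82) in the Cisco format.

Added example, not from the forum post. Assumed layout:
  circuit-id (sub-option 1) = 0x00 0x04 | VLAN (2 bytes, big-endian) | module (1) | port (1)
  remote-id  (sub-option 2) = type (1) | length (1) | switch hostname (ASCII)
                              or, with type 0 / length 6, the switch base MAC
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_suboptions(option82: bytes) -> dict:
    """Split the Option 82 payload into {sub-option code: value}, rejecting truncation."""
    subs = {}
    i = 0
    while i + 2 <= len(option82):
        code, length = option82[i], option82[i + 1]
        value = option82[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated Option 82 sub-option %d" % code)
        subs[code] = value
        i += 2 + length
    if i != len(option82):
        raise ValueError("trailing bytes in Option 82")
    return subs


@dataclass
class AgentInfo:
    switch: str
    vlan: int
    port: str   # "module/port", as dhcpd's binary-to-ascii(10, 8, "/", ...) prints it


def decode_cisco(option82: bytes) -> AgentInfo:
    """Apply the same offsets as the dhcpd config: substring(circuit-id, 2, 2) is the
    VLAN, suffix(circuit-id, 2) is module/port, substring(remote-id, 2, ...) the name."""
    subs = parse_suboptions(option82)
    circuit = subs.get(SUBOPT_CIRCUIT_ID, b"")
    remote = subs.get(SUBOPT_REMOTE_ID, b"")
    if len(circuit) != 6 or circuit[:2] != b"\x00\x04":
        raise ValueError("circuit-id is not in Cisco VLAN/module/port format")
    if len(remote) < 2 or remote[1] != len(remote) - 2:
        raise ValueError("remote-id length byte does not match payload")
    vlan, module, port = struct.unpack("!HBB", circuit[2:])
    rtype, payload = remote[0], remote[2:]
    if rtype == 0 and len(payload) == 6:      # default Cisco remote-id: base MAC
        switch = ":".join("%02x" % b for b in payload)
    else:                                     # 'remote-id hostname' form: ASCII name
        switch = payload.decode("ascii", errors="replace")
    return AgentInfo(switch=switch, vlan=vlan, port="%d/%d" % (module, port))


def lease_log_line(leased_address: str, option82: bytes) -> str:
    """Render the same message the dhcpd log() statement emits."""
    info = decode_cisco(option82)
    return "Lease for %s is connected to switch %s port %s via VLAN %d" % (
        IPv4Address(leased_address), info.switch, info.port, info.vlan)


# Constructed sample matching the log line in the post: switch CISCO-SWITCH-1, port 1/38, VLAN 7.
_NAME = b"CISCO-SWITCH-1"
SAMPLE_OPTION82 = (
    bytes([SUBOPT_CIRCUIT_ID, 6]) + b"\x00\x04" + struct.pack("!HBB", 7, 1, 38)
    + bytes([SUBOPT_REMOTE_ID, 2 + len(_NAME)]) + b"\x01" + bytes([len(_NAME)]) + _NAME
)

# Constructed sample with the default MAC remote-id (placeholder MAC).
SAMPLE_OPTION82_MAC = (
    bytes([SUBOPT_CIRCUIT_ID, 6]) + b"\x00\x04" + struct.pack("!HBB", 7, 1, 38)
    + bytes([SUBOPT_REMOTE_ID, 8]) + b"\x00\x06" + bytes.fromhex("0011223344ff")
)

if __name__ == "__main__":
    print(lease_log_line("10.1.109.85", SAMPLE_OPTION82))
    print(lease_log_line("10.1.109.85", SAMPLE_OPTION82_MAC))
```

Feed it the bytes of Option 82 from a packet capture of a DHCPREQUEST relayed by one of the switches; if `decode_cisco` raises, the switch is not inserting the layout the dhcpd log statement assumes and the "connected to switch" lines would be misleading.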

