
Topics - Schnyde

NAT / Outbound Natting Through DMZ Address
« on: September 12, 2017, 11:05:55 pm »

Due to some complexity on my network, I need to have a LAN host mapped to a DMZ address then out the WAN.  Is this possible?  I have been playing with the Outbound NAT rules and have set my outbound to manual, and set up a mapping that is:

Interface: WAN (or LAN, I tried either way)
Proto: any
Source: (created host alias)
Dest: any
Translation Address:

I cleared my states after applying the config.  The host still traceroutes out the LAN gateway then the WAN gateway, and does not seem to translate to the DMZ address at all.  I realize that I am attempting to NAT to a DMZ address, and not a WAN address, but the DMZ address is public and accessible via the WAN.

Pic attached of what I am trying to do:

Please let me know if I can supply more information.



I wanted to give a quick shout out to the pfSense team, you've saved me so much time, money, and confusion over the years.

I have now replaced over 20 Cisco ASAs with pfSense firewalls, and the benefits are abundant.  Not only can I use newer technologies than what Cisco provides (like OpenVPN, for instance), I can use licensed Cisco features for free (like BGP, which the ASA can't even do), create more advanced networks (using VLANs and trunking, which again, the ASA does not do), and get better reliability, scalability, and performance than the ASA also.

Over the last two years alone, I have saved my company countless time and money by deploying pfSense, and from a management perspective, it makes perfect sense for the enterprise.  My uptime and performance have increased significantly, and my operating cost of maintaining these firewalls is incredibly low.

If you're thinking about switching over to pfSense in your enterprise, do it; you will be very happy you did.

Thanks again!

OpenVPN / Route Metrics in Multiple Site to Site OVPN
« on: September 12, 2017, 06:28:34 am »

I am on the cusp of figuring this out, but am stuck on one thing.  I want to provide 2 site to site OVPN tunnels to each of my offices between two data centers, and push routes via OVPN to each office to every other office, and both DCs.  I want to push the same routes to offices in the tunnel configuration, with a different metric.  See diagram below:

I got the VPN configuration figured out and working, however, I am having difficulties in providing metrics to the routes.  I know I can use the Advanced Options to push "route 10" for instance, to give that route a metric of 10.  However, I cannot get the other end of the OVPN tunnel to accept "pushed" routes.  Do I add "pull" to the remote site?

Is there a way I can either push my routes to a remote site in a site 2 site OVPN configuration, or add the metric to the remote networks field in-line?
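As an added illustration (not from the original post, and not a pfSense-generated config) of how the same prefix can be offered from two OpenVPN server instances with different metrics, assuming an SSL/TLS peer-to-peer setup and placeholder networks 10.20.0.0/24, 10.30.0.0/24 and 10.40.0.0/24:

```conf
# --- DC1 server instance (preferred path): push the shared prefixes with metric 10
# Placeholder networks; adjust to your own addressing.
push "route 10.20.0.0 255.255.255.0 vpn_gateway 10"
push "route 10.30.0.0 255.255.255.0 vpn_gateway 10"

# --- DC2 server instance (backup path): same prefixes, higher metric so DC1 wins
push "route 10.20.0.0 255.255.255.0 vpn_gateway 20"
push "route 10.30.0.0 255.255.255.0 vpn_gateway 20"

# --- Office side (client instance): 'client' implies 'pull', so pushed routes are installed.
# 'route-nopull' (pfSense: "Don't pull routes") would discard everything pushed above.
client
# Default metric for any pulled route that carries no metric of its own
route-metric 30
# A route can also be declared in-line with its own metric instead of being pushed
route 10.40.0.0 255.255.255.0 vpn_gateway 15
```

push/pull only exist in SSL/TLS server/client mode, not in shared-key mode, where both ends must carry explicit route directives as in the last line; in pfSense these directives go in each instance's Advanced/Custom options field, separated by semicolons.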


OpenVPN / OpenVPN Hairpin pf->pf->CiscoASA
« on: June 30, 2017, 12:16:09 pm »

I have set up a pfSense server to do some hairpin VPN off of my ASA.  Basically, I have a VPN tunnel on the ASA that needs to be available at other locations than where this tunnel is physically located, and the client will not allow us to make any changes to the VPN topology, AKA, make new tunnels where needed.  To do this, I installed a pfSense VM at the location where the ASA is, and statically route traffic destined for the client's VPN from pfSense and back from the ASA.

Everything is working as expected so far, as I can ping the host on the client's VPN from the pfSense router at that location.  Now, I have an OpenVPN S2S tunnel between the aforementioned pfSense VM and a physical pfSense router at another location, and this is working fine, as I can ping hosts from either network.

What I can't do is ping the client's VPN host from the remote location.  The local pfSense VM can ping it.  The remote pfSense box can ping it only if I use the "OpenVPN Client" interface, so I know I am soooo close in resolving this.  Ping on the remote pfSense box from the LAN interface, or a client on that LAN network is a no go.  I have my rules set to allow any / any on LAN and OpenVPN Interfaces on both pfSense routers.

Is there a setting hidden somewhere that I might be missing?

Client Host (VPN) -> ASA (location 1)-> pfSense VM (location 1) -> pfSense Router (location 2)

I can see traffic going up through the ASA and returning back, but nothing in the logs on any of the FWs is telling me what I want to know.  Like I said, I can ping the Client Host (VPN) from the "OpenVPN client" interface on the pfSense FW in location 2, but cannot do the same on the LAN interface on the same FW (location 2).

OpenVPN / OpenVPN just stopped working
« on: April 06, 2015, 06:29:14 pm »

I am running pfSense on VMWare ESX 4.1.  I had this set up and running perfectly, and had users connecting through OpenVPN, and then, it just stopped working.  By "it just stopped working", I mean that there are no routes in the client to route anything to the VPN tunnel, hence, traffic tries to go out the client's WAN and fails.  Nothing was touched or configs changed, it just stopped routing out of the blue.

When this was working (for a few days until today), the client would receive the route, which routed to the VPN tunnel, and successfully reached its destination.  Now, I do not see the network in my ROUTE PRINT on the client.  Clients that were connected before the issue occurred were just fine, until they logged off and back on again.

I tried restarting the OpenVPN service, rebooting the server, double checked my configs, made sure I was pushing routes either with the IPv4 Local Networks statement or using push "route";, was able to ping my network resources from the firewall, IPsec is turned off and there are no other VPN services running on the server but OpenVPN.  Nothing in the logs tells me that there is an issue.

Currently, the VPN does connect, but no routes are presented to the client, so the only thing that pings on the VPN is the client's IP address assigned to it.

I am running:
2.2.1-RELEASE (amd64)
built on Fri Mar 13 08:16:49 CDT 2015
FreeBSD 10.1-RELEASE-p6

Does anyone else have similar issues?  VMWare issue?  Is there more information that I can provide?

