Netgate SG-1000 microFirewall


Topics - jason0

Packages / FEATURE Request: acme "lets encrypt"
« on: February 22, 2018, 01:58:47 pm »

I have been playing with dynamic dns functions settings in pfsense under the service menu, most specifically rfc2136.  The rfc2136 function calls "nsupdate" underneath pfsense.  Why not have the acme package gui be able to make the same call and update dns in the same way?  It's not as if the nsupdate command represents a dependency.

Code:
/usr/local/bin/nsupdate -k /var/etc/XXXX.key /var/etc/nsupdatecmds2

contents of nsupdatecmds2:
Code:
server <dns master server>
update delete _acme-challenge.<fqdn>. TXT
update add _acme-challenge.<fqdn>. 300 TXT samplehash-c95139f6a0149285bcbf1
local <wan ip address>


General Questions / question about vlans and ethernet promiscuous mode
« on: February 01, 2018, 11:26:39 pm »

Given the following example, if I set br0.200 to promiscuous mode, does that set the parent interface AND br0.100 to promiscuous mode?

Thank you for your time...


br0 = parent interface
br0.100 = lan
br0.200 = dmz

Hardware / questions about the built-in cpsw switch on the SG1000
« on: January 30, 2018, 06:08:11 pm »

When configuring my sg1000, I noticed there are already two vlans assigned:
vlan 4071 to cpsw0 (aka WAN)
vlan 4072 to cpsw1 (aka LAN)

What sort of traffic is on these two vlans? 

Also, when digging into the switch configuration via Interfaces / switch / system, it shows:

TI Common Platform Ethernet Switch (CPSW)
3 ports
128 vlan groups
DOT1Q (vlan mode)
DOT1Q (capabilities)

Interface / switch / vlans shows:

VLAN group   VLAN tag   Members   Description
0            4072       0,2       Default System VLAN
1            1001       0t,2t
2            1002       0t,2t
3            100        0t,2t
4            4071       0,1       Default System VLAN

So by inference I can see that member 1 is probably cpsw0 (the WAN port) and that member 2 is probably cpsw1 (the LAN port).

So what is member 0?  Is it /dev/etherswitch0? 


General Questions / unsure where to put this
« on: January 30, 2018, 05:51:30 pm »

I have a newly installed sg1000 with a restored configuration from an older alix board running 2.3.  In a nutshell: my linux clients can get an ipv4 address from dhcp, but cannot get an ipv6 address from dhcpv6... UNLESS the ethernet port is in promiscuous mode.

It makes no sense why the ethernet needs to be in promiscuous mode for just dhcpv6.  If there was a problem binding to a port, then it would also affect dhcp for ipv4, right?

Short of starting over entirely (factory reset, rebuilding from scratch)...what can I do to make it work?


SG-1000 purchased in January, 2018: 2.4.2-RELEASE-p1 (arm)

cpsw0 == wan: ipv4 via dhcp via comcast
gif0 == hurricane: ipv6 via tunnel broker.  (comcast ipv6 broken...)
lan == cpsw1
dmz == cpsw1.100 aka vlan100
child1 == cpsw1.1001 aka vlan 1001
child2 == cpsw1.1002 aka vlan 1002

Lan is our network for the adults in the house.  child1, and child2 are vlans with restrictive settings such as opendns.
dmz is where a linux server and a few linux virtual servers are running.   

So, the Lan is configured as a hybrid port: using untagged vlan 1, and the dmz and two child networks are using tags. 

I can try changing the configuration such that the parent interface, cpsw1 is not in use: the pfsense book seems to indicate mine is not a good configuration...

IPv6 / pfsense won't issue
« on: January 26, 2018, 01:29:59 am »

I had a strange thing happen to me yesterday with pfsense.  I have been having trouble with my linux servers
acquiring a dhcpv6 assigned address: there was no sign on pfsense's logs that the linux systems even tried
to acquire an address.  However, dhcp for ipv4 runs properly.

Then a strange thing happened: I shutdown the linux system and cranked up tcpdump on pfsense's command line,
searching for "ether host " with the mac address of the linux system.  I was trying to see what packets
arrived from the linux host.  Lo and behold: the linux system acquired the ipv6 address.  I tested this with
four different linux systems, rebooting each system several times, but only when I was running tcpdump on
pfsense did the linux systems get an ipv6 address.

Once the linux system had the ipv6 address, access to ipv6 internet worked properly.

Two hours later, the ipv6 address lease expired but since tcpdump wasn't running apparently the request
didn't get through to pfsense.

Tonight I ran a slightly different test: I ran the same tcpdump command looking for only the one mac address of the
first linux system.  I left it running, and when I restarted the networking of all of the other linux
systems, each of them was able to acquire its ipv6 address.

Why would it appear that putting the interface into promiscuous mode caused packets to get
through to the dhcpv6 daemon?

Also wouldn't configuration of the dhcpv6 server create a "hidden" set of firewall rules to allow access to
pfsense via its link-local ip address? 

The details:

1) pfsense 2.4.2-release
2) ipv6 available via tunnel-broker.
3) the network is set to static ipv6 routing working properly

linux systems:
    ubuntu 16.04 lts server
    each /etc/network/interfaces has the following lines:
        auto  ens33
        iface ens33 inet dhcp
        iface ens33 inet6 dhcp

DHCP and DNS / using rfc2136 clients for >1 hostname
« on: January 18, 2018, 01:46:06 am »

I am presently using pfsense 2.3.5 with an older alix board.  I do have a new sg1000 on its way so will be running 2.4.x shortly...

I have several internal web servers behind a nat ipv4 address, and haproxy working the inbound web requests to the servers. 

I found the RFC 2136 clients part of dynamic dns and since I control the dns server (bind9), this makes me very happy.

So I have a configuration based on the howto example working.  YAY!

Since I have 8 different web servers in my domain, it looks like I need 8 rfc 2136 clients: one per name needed. 

Can I use the same key, or do I need to generate a separate key for each name?  The BIND9 Administrator Reference Manual seems to imply yes, so I thought I would check. 

Alternately, might there be a need to be able to have >1 name in an rfc 2136 client?  This way, the rfc 2136 client "granularity" is at the domain level...

If I can use the same key, I probably have some edit suggestions for the rfc 2136 howto...

Thank you in advance for your time...
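As an added example (not code from these posts, from pfSense or from the acme package), the nsupdate batch shown in the acme feature-request post above, generalised to the case asked about here: several hostnames updated in one batch with one key file. The server name, key path, addresses and tokens are constructed placeholders, and the block assumes the DNS server's update-policy lets that key modify every _acme-challenge name in the batch.

```python
"""Build and run one nsupdate batch for ACME dns-01 TXT records.

Added example, not pfSense's or the acme package's code. It generalises the
command file from the post: one TSIG key file, one batch, several hostnames.
Assumes the DNS server's update-policy lets that key modify every
_acme-challenge.<fqdn> TXT record in the batch.
"""
import subprocess
from typing import Iterable, Optional, Tuple

NSUPDATE = "/usr/local/bin/nsupdate"   # path shown in the post (pfSense/FreeBSD)


def build_nsupdate_cmds(server: str, records: Iterable[Tuple[str, str]],
                        ttl: int = 300, local_addr: Optional[str] = None) -> str:
    """Return nsupdate stdin that replaces each _acme-challenge TXT record.

    records: (fqdn, token) pairs, with or without a trailing dot. Each name
    gets 'update delete' before 'update add' so a stale validation token
    never lingers, and one 'send' ships the whole batch as a single update.
    """
    lines = [f"server {server}"]
    if local_addr:                       # e.g. the WAN address, as in the post
        lines.append(f"local {local_addr}")
    for fqdn, token in records:
        name = f"_acme-challenge.{fqdn.rstrip('.')}."
        lines.append(f"update delete {name} TXT")
        lines.append(f"update add {name} {ttl} TXT {token}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(keyfile: str, cmds: str) -> int:
    """Pipe the batch into nsupdate -k <keyfile>; return its exit status."""
    proc = subprocess.run([NSUPDATE, "-k", keyfile], input=cmds, text=True)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample: two hosts validated with one key (run_nsupdate
    # would be called with the real key file, e.g. /var/etc/XXXX.key).
    print(build_nsupdate_cmds("ns1.example.net",
                              [("www.example.net", "tokenA"),
                               ("mail.example.net", "tokenB")],
                              local_addr="203.0.113.7"))
```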


IPv6 / comcast business head-scratcher...
« on: January 04, 2018, 04:35:07 pm »

I am running
I have enabled ipv6 on my comcast connection at work.  (this is a completely different setup from my residence).

I requested a 60, because it's the only setting that would get a response from comcast.

On my wan, I received a /64...However on my lan and opt1 that are set to track the wan (0 and 1 prefixes respectively) I received /63 networks.

Here's more:

According to my comcast business login, the range is xxxx:yyyy::38:f600::/56.

The wan settings:

The lan settings:
   track wan
   prefix 0

The opt1 settings:
   track wan
   prefix 1

The astute observer would see that both the lan and opt1 ipv6 addresses are in the same subnet.  If I change opt1's prefix to 2, the ip address assigned to opt1 is the same.


IPv6 / comcast xfinity (residential) non-responsive
« on: January 02, 2018, 11:18:57 pm »

I have been beating my head against comcast for a while now.  I would really like to go native ipv6.

1) my cablemodem is in bridged mode
2) my wan port is set to dhcpv6 (and dhcp for ipv4)
2.5) I am requesting via ipv4 connectivity
2.6) I am requesting prefix size 60
2.7) I am sending a prefix hint
3) ipv4 works fine.

I see the link-local addresses for both wan and upstream, but no global ipv6 at all.

I haven't configured my lan as I am using hurricane electric at the moment. 

When I filter the dhcp logs for dhcp6c, all I see is:

Jan 2 20:47:39   dhcp6c   85061   extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:21:df:12:d0:00:0d:b9:21:55:e4
Jan 2 20:47:39   dhcp6c   85061   failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jan 2 20:47:39   dhcp6c   85061   <3>["/var/etc/"] (31)
Jan 2 20:47:39   dhcp6c   85061   /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined

What do I do?

General Discussion / old/retiring pfsense hardware sought...
« on: December 20, 2017, 12:13:51 pm »

I am building a business but we don't have a solid enough income stream to use something like aws.  I would very much like to find some hardware capable of running pfsense.  For instance: at my day job we have two lanner fw-7541 devices.  I love these things.

My thought is to ping you guys and see if anyone is retiring/replacing older pfsense hardware that I can acquire before they go to the scrap heap.

So here's my requested criteria:

1) 64-bit capable (assuming x64 hardware)
2) at least 2 gig ram
3) at least 4 gig storage
4) at least 2 ethernet ports (capable of 100mbps; would be very happy with gigabit ethernet)

Would like to have:
a) small form-factor, embedded preferred (no fans, solid state, etc...)
b) a sata port and enough power to drive a 2.5 inch hard drive.
c) upgradable ram...
d) aes-ni cpu crypto
e) capable of running pfsense 2.4+

Please contact me

I don't have a budget yet. 

Traffic Monitoring / ntopng emitter
« on: December 11, 2017, 01:26:25 pm »

The version of ntopng showing in the package manager is 0.8.11, whereas the ntopng's version on their site is 3.x.

Does the 0.8.11 version mean the freebsd ports version, or the actual version of ntopng?

Also, as I am running pfsense on embedded systems, is there a configuration that will send probed info to another ntopng server to be processed and stored there, or should I try to configure nprobe?


DHCP and DNS / Fixed: Not-a-bug: Bug affecting dhcpd failover state
« on: November 08, 2017, 01:37:44 pm »

I believe I found a bug.

I am running pfsense 2.4.1-release (amd64) on two fw-7541c lanner firewalls. ( not supported by the pfsense team...I know).

I have verified the config.xml files are nearly identical (enclosed).

The bug is in the dhcpd.conf files on either system.  I have also enclosed both files.

Primary dhcpd.conf excerpt:
   failover peer "dhcp_lan" { primary; ... split 128; mclt 600; }
   failover peer "dhcp_opt2" { secondary; ... }

Secondary dhcpd.conf excerpt:
   failover peer "dhcp_lan" { secondary; ... }
   failover peer "dhcp_opt2" { secondary; ... }

Note that "secondary" appears in the failover description from the primary system, and also does not include split, or mclt. 

With this configuration, no dhcp addresses are handed out by either server on the "dhcp_opt2" aka em4.1002.

In the dhcpd logs on either primary or backup, I see the messages (for the correct interface):
DHCPDISCOVER from xx:yy:zz:aa:bb:cc via em4.1002: peer holds all free leases
DHCPREQUEST for from xx:yy:zz:aa:bb:cc  via em4.1002: not responding (recovering)

Otherwise: carp seems to operate correctly.

The symptoms are that no ip addresses are handed out on the guestwifi, and the following appears on the dhcpd.leases status page:

Pool Status
Failover Group          My State   Since                 Peer State      Since
dhcp_lan (LAN)          normal     2017/11/08 18:05:08   normal          2017/11/08 18:05:13
dhcp_opt2 (GUESTWIFI)   recover    2017/11/08 17:53:22   unknown-state   2017/11/08 17:53:22

I followed the instructions on, and no change occurs.

My work-around is I have removed "dhcp server settings" from the sync-options, removed the peer address from the primary dhcp config for the guest wifi, and disabled the guestwifi dhcp server on the secondary system.
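The mismatch this post describes, checked mechanically, as an added example that is not pfSense code: a parser for the failover peer stanzas of both nodes' dhcpd.conf that flags a peer the primary node declares as secondary, or whose primary stanza lacks split/mclt. The two configs are constructed excerpts with placeholder addresses.

```python
"""Cross-check dhcpd.conf failover stanzas on a CARP pair (added example,
not pfSense code). It reproduces the mismatch from the post: the primary
node declares a peer as 'secondary' and omits 'split'/'mclt', so the pool
sits in recover/unknown-state and hands out nothing. Samples are constructed.
"""
import re
from typing import Dict, List

STANZA = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}')


def parse_failover(conf: str) -> Dict[str, dict]:
    """Map peer name -> {'role': 'primary'|'secondary'|None, 'opts': set}."""
    peers = {}
    for name, body in STANZA.findall(conf):
        # first word of each ';'-terminated statement: primary, address, split...
        opts = {tok.split()[0] for tok in body.split(";") if tok.strip()}
        role = next((r for r in ("primary", "secondary") if r in opts), None)
        peers[name] = {"role": role, "opts": opts - {"primary", "secondary"}}
    return peers


def check_failover(primary_conf: str, secondary_conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the pair agrees."""
    p, s = parse_failover(primary_conf), parse_failover(secondary_conf)
    issues = []
    for name in sorted(set(p) | set(s)):
        if name not in p or name not in s:
            issues.append(f"{name}: declared on only one node")
            continue
        if p[name]["role"] != "primary":
            issues.append(f"{name}: primary node's stanza says "
                          f"{p[name]['role']!r}, expected 'primary'")
        if s[name]["role"] != "secondary":
            issues.append(f"{name}: secondary node's stanza says "
                          f"{s[name]['role']!r}, expected 'secondary'")
        for opt in ("split", "mclt"):    # only the primary carries these
            if opt not in p[name]["opts"]:
                issues.append(f"{name}: primary stanza lacks '{opt}'")
    return issues


PRIMARY = '''
failover peer "dhcp_lan" { primary; address 10.0.0.2; peer address 10.0.0.3; split 128; mclt 600; }
failover peer "dhcp_opt2" { secondary; address 10.0.2.2; peer address 10.0.2.3; }
'''
SECONDARY = '''
failover peer "dhcp_lan" { secondary; address 10.0.0.3; peer address 10.0.0.2; }
failover peer "dhcp_opt2" { secondary; address 10.0.2.3; peer address 10.0.2.2; }
'''
```

Running `check_failover(PRIMARY, SECONDARY)` reports the dhcp_opt2 role and the missing split/mclt while dhcp_lan passes, matching the pool status shown above.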


General Questions / Phantom rules remain after interface deletion
« on: October 10, 2017, 12:44:28 pm »

I am planning to upgrade from 2.1.5 to the latest release.  In the process I have been significantly reducing my network's complexity here: I removed three vlans, openvpn, ipsec, etc.

I can't delete an alias though: I get the error "cannot delete alias.  currently in use by 'block openvpn from logicbox'"

I backed up my configuration and discovered the rule in question (and others) are still defined in the downloaded configuration. 

Aside from rebuilding the entire pfsense router from scratch, or rebuilding the interfaces and deleting the rules, how do I go about stripping out the cruft?

Thank you for your time!
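One way to find the leftover rules in a downloaded config.xml, as an added example that is not pfSense's own code: it lists filter rules whose interface no longer exists under <interfaces> (together with the aliases those rules still pin) and can write a cleaned copy of the backup. The config.xml layout it relies on is an assumption stated in the docstring; the sample document is constructed.

```python
"""Find (and strip) pfSense filter rules left behind after their interface
was deleted, plus the aliases those rules still pin. Added example, not
pfSense tooling; it assumes the usual config.xml layout (<interfaces> with
one child per interface, <filter><rule> with <interface>/<descr>/
<source|destination><address>, <aliases><alias><name>). Sample constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple


def _missing_ifaces(rule: ET.Element, defined: Set[str]) -> List[str]:
    # Floating rules hold a comma-separated list; flag any member that is gone.
    ifaces = (rule.findtext("interface") or "").split(",")
    return [i for i in ifaces if i and i not in defined]


def phantom_rules(xml_text: str) -> List[Tuple[str, str, Set[str]]]:
    """(missing interfaces, descr, aliases referenced) for each phantom rule."""
    root = ET.fromstring(xml_text)
    defined = {c.tag for c in root.find("interfaces")}
    aliases = {a.findtext("name") for a in root.iter("alias")}
    found = []
    for rule in root.findall("filter/rule"):
        missing = _missing_ifaces(rule, defined)
        if missing:
            used = {rule.findtext(f"{s}/address") for s in ("source", "destination")}
            found.append((",".join(missing), rule.findtext("descr") or "", used & aliases))
    return found


def strip_phantom_rules(xml_text: str) -> str:
    """Return the backup with phantom rules removed, ready to restore."""
    root = ET.fromstring(xml_text)
    defined = {c.tag for c in root.find("interfaces")}
    filt = root.find("filter")
    for rule in list(filt.findall("rule")):
        if _missing_ifaces(rule, defined):
            filt.remove(rule)
    return ET.tostring(root, encoding="unicode")


SAMPLE = """<pfsense>
 <interfaces><wan><if>em0</if></wan><lan><if>em1</if></lan></interfaces>
 <aliases><alias><name>logicbox</name><type>host</type><address>192.0.2.10</address></alias></aliases>
 <filter>
  <rule><interface>lan</interface><descr>allow lan out</descr>
   <source><network>lan</network></source><destination><any/></destination></rule>
  <rule><interface>opt3</interface><descr>block openvpn from logicbox</descr>
   <source><address>logicbox</address></source><destination><any/></destination></rule>
 </filter>
</pfsense>"""
```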


General Questions / Known 2.1.4 - 2.1.5 upgrade issues?
« on: October 09, 2014, 12:57:35 pm »

Are there any known issues with 2.1.5?  I would like to know before I commit.  The last time I upgraded none of my ip aliases would work and I almost lost customers.

Thanks for all of your time!

Feedback / New forum slot / advanced search
« on: October 09, 2014, 12:54:06 pm »

When I upgraded from 2.1.3 to 2.1.4, I ran into a show-stopper issue: all of my ip aliases used with carp had stopped working.  There had already been a patch published, and once pointed to the correct forum entry I fixed the problem.  It caused lots of gnashing of the teeth while I was trying to find a fix. 

By the way, I am very happy with the response I got, but that really isn't why I am writing this here under feedback.

Prior to the upgrade I spent some time searching the forums for known issues in upgrading to 2.1.4, but wasn't able to distinguish across the >1000 search responses.

This time before I upgrade, I have tried to search for 2.1.5 issues in the forums and redmine.  Again, there's no easy way to filter out issues pertaining to upgrades. 

When I look at the development forums, I see there is always one titled "x.x Snapshot Feedback and Problems", and when the release occurs, this title rotates to the next snapshot release.

May I suggest a similar forum? Perhaps "<version> confirmed issues"? 

Or perhaps a tag that can be searched for and an advanced search feature? (does smf allow tags?)  Is there a such thing as blessed tags, where only the official developers can say "2.1.5_confirmed_issue"?



I have two firewalls configured with carp.  They are at my remote colo, and I access the network there via ipsec vpn.  I noticed recently that I could only access the lan ip address of the primary firewall, but not the secondary firewall. 

It makes sense: only one of the firewalls will have the ipsec vpn functioning while it's in master mode: the other firewall won't have a clue where to send response packets since there isn't a vpn there at all.  It would need to route through the master firewall.

Is there a means to install a route that is dependent on the vpn NOT being present?  ie: firewall B is in carp backup mode, thus to access my side of the point to point vpn, it would need to route the packets through firewall A.

