
Topics - Chti

Official pfSense Hardware / Did my SG-4860 just die?
« on: January 28, 2018, 10:29:59 am »
Hi there

I am rather desperate right now:

I have been happily using my SG-4860 for a while and this morning, in the middle of a browsing session, all contact to the unit broke off.
Initially I rebooted all switches, and the PfSense box, but still no access.

After a while I started having a closer look at the SG-4860 and realised the status led on the back was not green.
After much more back and forth I realised that whenever I turn the unit on, the LED stays red for about 4.5 minutes, then turns off and no more LEDs are on.

I tried booting with my computer plugged into the console, but nothing appeared on the console screen.
I tried the same with a community image written on a USB stick (since my original firmware is on my NAS and currently not accessible), then booting up the unit, and still nothing shows up on the console.

My unit is of course no longer under warranty (or at least my gold membership expired).
Now my whole network needs hours of reconfiguring since all my devices are VLAN allocated, my APs use the PfSense Radius package etc.

Is there anything I can try? What other options do I have?

Many thanks in advance for any pointer

PS: I was not doing any upgrades on the unit and it was still running under the 2.4.1 firmware

Hi there

On my PfSense box I have my LAN and several VLANs.

- My LAN currently has only all switches and access points on it (so it's my management LAN). I moved all my other devices to different VLANs.
- Some VLANs have rules not to be able to access the other VLANs, but all can currently access my LAN

If I want to prevent some VLANs (e.g. Guest VLAN) from being able to access all the management devices on my LAN while keeping Internet access, what rules would be required to achieve that?
Currently, if I block LAN access, I have no Internet access.

Many thanks for any help!  :D
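pfSense evaluates the rules on an interface top-down and the first match wins, so the order of a "block private networks, then allow everything" rule set matters. The following is an added example, not code from the post or from pfSense: a small model of that evaluation with constructed addresses (GUEST interface at 192.168.20.1, management LAN in 192.168.100.0/24) that shows why a guest rule set that blocks RFC1918 space before allowing DNS to the firewall's own address also cuts off name resolution, which is one common reason "blocking LAN access" appears to kill Internet access.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for this example (not taken from the post).
GUEST_GW = ipaddress.ip_address("192.168.20.1")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    dst: object                    # list of networks, or "any"
    dports: Optional[set] = None   # None = any destination port
    proto: Optional[str] = None    # None = any protocol
    descr: str = ""


def matches(rule, dst_ip, dport, proto):
    if rule.proto and rule.proto != proto:
        return False
    if rule.dports is not None and dport not in rule.dports:
        return False
    if rule.dst == "any":
        return True
    return any(dst_ip in net for net in rule.dst)


def evaluate(rules, dst, dport, proto="tcp"):
    """Top-down, first match wins; no match means pfSense's implicit deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, dst_ip, dport, proto):
            return rule.action, rule.descr
    return "block", "default deny"


# Guest rule set in the intended order: DNS to the firewall itself first,
# then block all private space (LAN and every VLAN), then allow the rest.
GUEST_RULES = [
    Rule("pass", [ipaddress.ip_network(f"{GUEST_GW}/32")], {53}, "udp",
         "DNS to the pfSense resolver"),
    Rule("block", RFC1918, None, None, "no access to LAN or other VLANs"),
    Rule("pass", "any", None, None, "Internet"),
]

# Same idea without the DNS exception: the resolver sits on a private
# address, so lookups from guests are dropped by the RFC1918 block rule.
NAIVE_RULES = GUEST_RULES[1:]
```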


I was wondering if someone could take a look at my settings below as I must have done something wrong somewhere...

My problem:
When signing in with a specific device and FreeRadius account (which I assigned to VLAN 10) into my wireless network, the device still gets an IP address from my default PfSense LAN. It should receive a 192.168.10.X address (VLAN10) but still gets a 192.168.100.X address (LAN).

My hardware setup:
- PfSense appliance (2.4.1)
- Unifi controller
- Unifi switches
- Unifi access points

PfSense parts I configured (showing configuration for ONE user on a VLAN named INT-HOME-10 (VLAN 10)):
1/ On PfSense: FreeRadius, Interfaces, VLANs, DHCP
2/ On Unifi Controller: SSID, VLAN

Details and screenshots of all settings below:

1/ In PfSense, I installed FreeRadius to serve credentials to my wifi access points.
a/ [In FreeRadius/Users] I created a user/password. I want to assign this user to VLAN 10, so I added VLAN 10 in the 'Network Configuration' section
b/ [In FreeRadius/NAS-Clients] I added all my UNIFI devices (controller, switches, access points) with a shared secret
c/ [In FreeRadius/Interfaces] I set up both a 1812 (authentication) and 1813 (accounting) port. They listen to all interfaces.

2/ In my UNIFI controller, I made the following setup:
a/ [In Settings/Wireless Networks] I created a Wireless Network called 'Test-AP'. I chose WPA Enterprise and selected my Radius profile
b/ [In Settings/Networks] I created a VLAN only network with the ID 10
c/ [In Settings/Profiles] I entered the parameters to access the Radius Authentication/Accounting server on my PfSense box

The signing part (username/password) works fine and I can connect to the network (except for getting the wrong IP address)

3/ In PfSense again, I also have the following configuration:

a/ [In Interface/...] I created the Interface INT10HOME with a static IPv4 of
b/ [In Interface/VLANs] My INT10HOME interface is a child of my LAN interface
c/ [In Interface/Assignments] My INT10HOME interface is a child of my LAN interface
d/ [In Services/DHCP Server/INT10HOME] I enabled the DHCP server for my INT10HOME interface. I also added the static IPv4 as the Gateway.

I also configured Firewall rules, but not sure I need to detail those here, since these are already a step further in the process.

Can anyone point me to the reason why my device does not get an IP from the VLAN but still the LAN?

Any help greatly appreciated  :)
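For an access point to move an authenticated client onto a VLAN, the RADIUS Access-Accept has to carry the three tunnel attributes defined in RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = the VLAN id); if any is missing, the client stays on the SSID's default network and gets an address from there. The following is an added example, not code from the post or from the pfSense FreeRADIUS package: it parses constructed FreeRADIUS users-file entries and reports which VLAN, if any, each reply would assign.

```python
import re

# RFC 2868 / RFC 3580 numeric values behind the FreeRADIUS attribute names.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
NAMED = {"VLAN": TUNNEL_TYPE_VLAN, "IEEE-802": TUNNEL_MEDIUM_IEEE802}

# Constructed 'users'-file entries (not taken from the post): alice carries
# the full VLAN reply, bob authenticates but has no tunnel attributes.
USERS_FILE = """\
alice Cleartext-Password := "secret-one"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 10

bob Cleartext-Password := "secret-two"
\tReply-Message = "welcome"
"""


def parse_users_file(text):
    """Map user name -> dict of reply attributes (blank line separates entries)."""
    users = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        lines = entry.splitlines()
        name = lines[0].split()[0]
        reply = {}
        for line in lines[1:]:
            attr, value = (p.strip() for p in
                           line.strip().rstrip(",").split("=", 1))
            reply[attr] = value.strip('"')
        users[name] = reply
    return users


def assigned_vlan(reply):
    """VLAN id the AP should apply, or None when the reply is incomplete
    or the id is outside 1..4094 (client then lands on the default network)."""
    ttype = str(NAMED.get(reply.get("Tunnel-Type"), reply.get("Tunnel-Type")))
    medium = str(NAMED.get(reply.get("Tunnel-Medium-Type"),
                           reply.get("Tunnel-Medium-Type")))
    group = reply.get("Tunnel-Private-Group-Id", "")
    if ttype != str(TUNNEL_TYPE_VLAN) or medium != str(TUNNEL_MEDIUM_IEEE802):
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)
```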


I need some assistance with my first ever VLAN implementation on a SG-4860 PfSense box.

My AS-IS setup, pictured on graph 1, has all devices on the same network.
I want to move away from that setup and implement VLANs to properly separate devices on my network.

Below is the TO-BE state I'd like to reach (pending any wiring errors I might have made):
I drew up graph 2 hereunder, assuming this will be a functional setup.
Could someone please have a look and see if it makes sense?

A few notes of importance:
  • All devices on my network, regardless of the VLAN, will have fixed IPs assigned
  • Access points need to be usable by ALL devices regardless of VLAN
  • I am planning on using different configs (SQUID, captive portal, etc) on each VLAN, hence my use of the physical OPT ports on the SG-4860.

  • Did I make any mistakes in the design or would that be a functional setup?
  • In principle I want all VLANs fully isolated BUT with some ability to "reach across" VLANs to administer devices, etc. (E.g. if my phone is on VLAN 10 and an IOT device on VLAN 30, I'd like the ability to "reach in" with my phone to administer the IOT device. The IOT device should not be able to reach out on its own.) Is that possible? If so, how would I go about configuring that? Would that be done purely with firewall rules?
  • Do I need to configure the ports linking my Access Points X and Y as trunk or access ports on my switch? I am assuming trunk…
  • Bonus question: I have configured specific DNS servers on my PfSense box. But since my ISP box (NOT in bridge mode) uses my ISPs DNS servers as well, how can I make sure that all devices on my PfSense networks use my PfSense defined DNS and not the ones from my ISP?


Last night I decided to upgrade my SG-4860 from to 2.3.4.

The update seemingly went fine and went until a screen popped up indicating the update was done and the device about to reboot.
From then on however, my device has no longer been accessible.

So I hooked up the console, and the device boots up for a few seconds but then remains indefinitely at a "Boot: F1" line.

I checked the forum, and some others seemed to have experienced the same thing.

I also checked the terminal baud settings and other than on 115000 I just get gibberish.

So I am trying to figure out what my options are now:

1/ Do I really need to re-flash/re-install my device?
Is there anything else I can try other than re-installing from an image?

2/ My support expired and apparently if I want to download the firmware image for my device I need to pay $400 as it qualifies as a support request.
While I am happy to support pfSense, I have to say that this has me somewhat upset!
Paying $900 for an appliance that bricks my device with the built-in update command and then wants to charge $400 for a download is...sad really!
I'm totally OK with paid support tickets when using a support person's time & effort, but I should at least have free access to the original image file of my device, so that I can try to make my device usable again.

3/ I'm told I can also install the community edition (pfSense-CE-memstick-ADI-2.3.4-RELEASE-amd64.img.gz) but then I will be losing some functionalities as well as the fine-tuning for my specific device.
Can someone tell me what exactly I will be losing if I go that route?

If anyone has any pointers, these would be greatly appreciated.
Thank you in advance for your time.


Today I tried updating my SG-4860 unit from 2.2.5 to 2.2.6 using the GUI built-in update, but this time things went wrong (as opposed to all my previous updates). Now the unit no longer boots.

I followed a couple of troubleshooting posts, installed a SiLabs driver on my Mac and managed to access the console:
The SG seems to boot up fine, initially, but then stops with the following message:

    can't find kernel
    Error while including /boot/menu.rc, in the line:
    can't load 'kernel'

From what I read in various posts it seems I need to reflash my unit from an image file (please correct me if I am wrong here).

I located the download area for the image files, but here already I am not sure which file to download for my SG-4860:

I selected this one:

and in the OSX Terminal entered the following command:

    gzcat netgate-memstick-ADI-2.2.6-RELEASE-amd64.img.gz | sudo dd of=/dev/rdisk2 bs=16k
(considering disk2 is my USB stick)

The command does write for a while to the stick but the disk still appears as uninitialized to OSX.
I presume this is due to the file format.

I plugged the USB stick into the SG-4860, power cycled and expected it to boot from the USB stick, but the USB stick seems simply ignored (the drive's light doesn't blink a single time), and I end up with the same error message.
Pressing F12 (FN+CMD+F12) during the bootup sequence shows this:

But selecting Option 1 doesn't do anything either (same as above).

Would anyone be able to tell me what I am doing wrong and/or what I am supposed to do?

Many thanks in advance

Greetings :)

My pfSense setup used to work fine but I recently had to switch to a different ISP and my new one does not allow their modems to be set into Bridge Mode.
As such, I am trying to reconfigure my pfSense appliance to work behind my ISP's router.

Here's my current layout:

My issue is currently the following:

- pfSense itself can access the Internet just fine
- pfSense's DHCP server properly allocates fixed IPs to all my devices
- but none of my devices can access the Internet.

I tried the following Ping tests within pfSense and they all seem to work.

DEFAULT ->       OK
WAN ->       OK
LAN ->       OK
Localhost ->       OK

DEFAULT ->       OK
WAN ->       OK
LAN ->       OK
Localhost ->       OK

I'm pretty sure I missed some gateway/DNS setting that prevents my devices from accessing the Internet.

The only things I have NOT yet tried are the two settings in RED in my chart above:
  • Creating a routing table entry on my ISP's router: Destination [], Subnet Mask [], Gateway []
  • Activating the DMZ (although not sure how that would impact my issue)

Below are my key pfSense settings highlighted in yellow.

If any of the great experts here could have a quick look and tell me what I missed I would greatly appreciate it! :)

Many thanks in advance for any help and pointers

Français / Recommendation for segmenting the machines on my LAN?
« on: June 10, 2015, 02:06:04 pm »

I would like to separate the different devices that connect to my LAN into 3 groups: Perso, Travail, Enfants (personal, work, kids)
* I would like these 3 groups to be completely isolated from each other
* I would like to impose additional rules on the Enfants group: time restrictions, site restrictions, etc.
* I would like to set up a permanent VPN client on the Travail group

My setup
* pfSense SG-4860
* a simple Ethernet hub connected to the LAN port of the SG-4860, to which all the devices connect (no VLAN support)
* all devices that connect to my LAN have a fixed IP
* In 'Firewall/Aliases' I created 3 groups based on IP ranges: Perso, Travail, Enfants. So each device is associated with a group.

1/ My initial idea was to create 3 VLANs, but I don't know whether that is possible with my simple hub plugged into the LAN port. Or do I need a managed switch for this type of configuration?

2/ Is there a way to isolate machines from each other if they are on the same LAN?

What configuration would you advise me to set up? All suggestions are welcome :)

Thanks in advance

Greetings everyone

So, I decided to make the jump and purchase a more evolved firewall for my home network and bought the SG-4860 appliance.

While I thought the in-depth configurations of VLANs or VPNs would be difficult, I am already struggling in the initial setup. :)
I can't seem to get any connection through (not even the firewall checking if it is up-to-date).

So here is where I come from:

I have an older modem that is in bridge mode and that is currently hooked up to an ASUS RT-N66U with the Merlin custom firmware.
It has been working great for the past years. I didn't have to do anything special on the ASUS, it pretty much worked out of the box.

My goal is to replace the ASUS with the SG-4860 and to use the ASUS as a simple access point.

Now I'm sure I have missed some very obvious step in the pfSense setup process, but I just can't get it to work (even after watching like 20 videos):

So here's my setup:
- I do not have a static address from my ISP
- My modem is in bridge mode and I'm pretty sure the DHCP server is off (there is no option to activate/deactivate it in bridge mode anyway)
- My modem admin is accessible via
- My external public IP is (made up)
- The admin info screen of my modem says the modem's Mac address is XX:XX:XX:XX:50   (I replaced the actual numbers with XX)
- The sticker on the modem's back gives the following info:
     * CM MAC: XX:XX:XX:XX:50
    * EMTA MAC: XX:XX:XX:XX:51
    * WAN-MAN: XX:XX:XX:XX:52
    * WLAN-MAC: XX:XX:XX:XX:53

In the pfSense menu, I entered the following settings:

In SYSTEM/DNS SERVERS: I entered my ISPs DNS servers but entered 'NONE' for the "Use Gateway" setting
The 'Use gateway' seems to offer the following options:
     * none
     * WAN_DHCP - wan -
    * WAN_DHCP6 - wan - dynamic

     *Enabled is ON
    *IPV4: DHCP or Static <<<????
    *IPV6: DHCP6 or Static6 <<<????
    In either case, what do I put in the DHCP CLIENT section if DHCP is selected (or in the STATIC section if STATIC is selected)?
    I currently entered STATIC IPv4 using the address
     *Enabled is ON
    *IPV4: DHCP or Static <<<????
    *IPV6: DHCP6 or Static6 <<<????
    I currently entered DHCP and DHCP6
    In the MAC address I entered "XX:XX:XX:XX:50" the address of my modem
    Nothing is entered in the DHCP Client Configuration
So I probably missed many things, but can anyone help me get it running? I've been trying for 2 days now and still can't even get the basics right :/
I'm sure that an additional reason could be that I did not reboot the modem and pfsense appliance between all my attempts at settings.
So maybe I had it right at some point, but I just didn't know it actually worked.

Anyway, ANY help is greatly appreciated!!


I want to significantly upgrade my home's network and am considering purchasing the following devices:
* pfSense SG-4860 or SG-2440
* Cisco SG-300-28

My idea is to set up several VLANs to isolate certain devices/users from each other:
* VLAN-Personal: for my own personal traffic, no restrictions
* VLAN-Kids: for the kids (heavily filtered, time restrictions, etc)
* VLAN-Guest: for the occasional visitor (also some form of filtering)
* VLAN-Home: for future home connected devices (heating, cooling, etc)
* VLAN-Media: for my media players and media library
* VLAN-Proxy: an always-on outbound VPN (proxy)

1/ Having never set up a VLAN before, is that a reasonable breakdown?

2/ Should I set up VLANs at the pfSense appliance level or the Cisco switch level?

3/ Would I assign all my devices to each VLAN using their MAC address?

4/ Owning a Synology server, is there a way I can share parts of my Synology with different VLANs or can it only be allocated to one VLAN?

5/ What is the main purpose of the SSD in the pfSense appliance? To store log files? Is it worth investing in a higher capacity SSD?

6/ Considering I would use a switch, would I need to plug wifi access points into the pfSense box to ensure all filtering is applied to all AP devices too?
Therefore are the pfSense appliance ethernet ports mostly used for APs? If I use the Cisco can I get away with the SG2440 only?

7/ If my computer is assigned to a specific VLAN, how can I connect to the other VLANs if I need to configure devices on them?

8/ Is there any form of Growl integration that would notify me when a new device is seen on the network (e.g. "Laptop just came online")?

9/ Is anyone running a similar setup and willing to share their experience? Is that a good setup?

Many thanks in advance for your input :)
