Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - ashima

Pages: [1] 2 3
General Questions / Traffic shapper giving priority to rdp
« on: April 11, 2018, 05:43:55 am »
Hello everyone,

 Here's my scenario. Branches connected to HO through  OpenVPN.

At branches we have 3Mbps leased line. The users rdp to server at HO through vpn (configured in pfsense firewall at both end).

Due to heavy internet usage by guest at the location the rdp users don't get bandwidth. I would like to give priority to rdp users.

I have few questions :

For my usage, a simple PRIQ traffic shapping on WAN would be enough.

I'll give highest priority to rdp.

Is there any thing I need to take care. As the box is already running on site... I don't want to messup things.

Any suggestions.


General Questions / Can Wifi APs get overwhemed by torrent connections ..?
« on: February 04, 2018, 11:47:46 pm »
Greetings to all,

   Wish  to discuss an upcoming scenario with high density / high population wifi devices in a small area.

Scenerio is for a  Hostel Accomodation,  wireless APs  are needed to be  installed in the coming week.
Each floor has too many 4inch brick walls (5-6) , hence planning several APs on each floor.

ISP available are :-  ISP-A Broadband 150 Mbps, ISP-B Broadband 80 Mbps , ISP-C Broadband 40 Mbps.
                      ( Upload & download speeds being the same in all the 3 ISPs )

Wi-Fi Access Points :-  Considering to  use Ubiquiti unifi ap ac lite   x  21 Numbers spread across 4 floors.
                        Open for suggestion if Ubiquiti unifi ap ac pro  would be more appropriate.
                        What would your comments be on Engenius EAP1200h . . ?

WiFi Coverage :- No Coverage Issues , -55 db  to -45 db. On Laptop the wifi signal shows 4/5  or  5/5 bars.

Networking : CAT6 , Gigabit switches.
             ISP-A (150Mbps) segmented for 3 Floors.
             ISP-B ( 80Mbps) segmented for 1 Floor.
             ISP-C ( 40Mbps) as a failover for  either ISP-A or ISP-B

Firewall :  pfsense configured with Captive Portal , 190 User Logins with Bandwidth Capped at 4Mbps per user login.
            with limit of 2 device per user login.
            Configured to run Captive Portal.    ( Squid is not required )

Each Access Point expected to receive max 30-40 concurrent device connections (Laptops & Mobiles).

Doubt - 1 :  will this desktop hardware be sufficient  for the job of  pfsense box ?
             AMD A-Series APU A4-6300 3.x GHz  - Dual Core  or
             AMD A-Series APU A8-7600 3.x GHz  - Quad Core (open for suggestions)
             8GB DDR3 Ram,  160GB SATA HDD x 2 Nos  ( RAID 0 - zfs mirror )
             5 GbE LAN Ports

Doubt - 2 :  In a particular area of the property,

We have a doubt about  several users  connect to the same WiFi AP simultaneously in a partucular area may use file torrenting on their laptops.  Since we have seen in the past,  a simple torrent file usually opens 40-50 connections & about 1000 half open connections.
Will this become an issue  &  other users within the same WiFi AP  experience disruptive internet performance  ?
Several users using torrent ( within same AP )  can  over whelm the WiFi AP's capacity to handle  per client connection ?

Also, that we do not wish to block torrents in the network.

Essentially, even thought the signals are strong, and the head count of users is just 20 at a given time,
but several users using torrent can  spoil the user experience in that area,  over whelming the particular WiFi-AP.



General Questions / VIP setting
« on: January 26, 2018, 10:38:56 am »
Here's the setup :

           First pfsense box (Box 1) acting as load balancer , OpenVPN Server for branches and dhcp server for Box 2.

           Second pfsense box (Box 2)  acting as firewall, content filter.
           Two Servers , Server1 and Server 2 are behind the firewall .

All the branches connect to Box 1 through OpenVPN and rdp to Server1. (rdp port 3389 is opened in Box 2  and port forwarded to server 1)

Now I want to assign another IP to Box 2 (VIP) which should port forward to server 2. So that users when use this IP for rdp they are forwarded to server 2.

My Plan :

        My plan is to have Virtual IP in Box 2 with IP Alias. Then port forward for this IP to server 2.

I am not sure about this settings so don't want to take any chance.

Also is there any changes I need to make in Box 1 (as it is the dhcp server for box 2).

Any help.


General Questions / Inter Site Communication Between two VPN Clients Site
« on: January 24, 2018, 05:04:02 am »
Hello everyone,

      My Scenario :

                 Pfsense   working as openvpn server at head office

Site A, Site B  are connecting to Openvpn Server at head Office through OpenVPn Tunnel

Communication happening between Site A and head office and vice versa
Similarly between Site B and head office.

I would like to access Server at Site A from Server at Site B. (Inter Site Communication)

Unfortunately option Inter Client communication is not available for OpenVPN server (Site 2 Site)

I tried putting Site A lan subnet in CSO of Site B local network in Openvpn Server. This pushed the route to Site B. I was able to ping server at Site A from the firewall but not from any other device from Site B.

What am I missing ? Any help ?


General Questions / Cloning pfsense 2.4.2 harddisk
« on: December 29, 2017, 12:50:42 am »
Hi everyone,

      I have recently moved to pfsense 2.4.2. There are lot of packages installed on this box and also this box does an openvpn site to site connection with the head office. I was trying to clone the harddisk so in case of 1st hard disk failure, the user can just connect the secondary hard disk and it is up.

In earlier version of pfsense 2.3.2, I was able to clone the hardisk using acronis but now it clones the second hardisk but doen't boot from the there. Any suggestion on how to clone pfsense 2.4.2 .


General Questions / 2.4.2 not getting install on Intel 945 motherboard
« on: December 14, 2017, 06:15:09 am »


    I have an old Intel 945 motherboard. I am trying to install pfsense 2.4.2 using usb mem stick. But it says Boot record not found.
The same pen drive is working on other systems.

I also tried installing  pfsense 2.4.2 through an iso installer (cd ) but again says No boot record found. However pfsense 2.3.2 through cd is installing perfectly on this board.

Is there any special BIOS setting required on this board for pfsense 2.4.2.

Any pointers ? It's slightly urgent...



Routing and Multi WAN / 3 WAN with load balancing n failover
« on: November 28, 2017, 12:50:43 am »

    I have 3 leased lines (11 Mbps, 9 Mbps, 5Mbps). I want to do following setup :

1) Load Balance WAN A + WAN B
2) Failover between WAN A and (Load balance between WAN B + WAN C with 2:1 weight) ie if WAN A fails traffic should load balance         between Wan B and Wan C.
3) Failover between WAN B and WAN C

To do so I have created Gateway group

1) WanAWanB   

         WanA    WanB
   Tier      1        1
Weight    1        1

2) WanAUP

          WanA     WanB    WanC
   Tier        1        2       2
Weight      1        2       1

3) WanBUp
            WanB     WanC
Tier          1        2

In Firewall LAN Rules

Allow all LAN Traffic through WanAWanB
Allow all LAN Traffic Through WanAUP
Allow all LAN Traffic through WanBUP

Is my setup correct. Any Suggestions

General Questions / Fixing Ip Address of client connected through openvpn
« on: October 16, 2017, 02:56:28 am »
Hello everyone,

      I have Static Ip at Head Office connected to branches through Openvpn via pfsense firewalls at both ends. The branches doesn't have static Ip. There is an application on one of the server at the head office which allows connection from allowed ip addresses.

I am confused what Ip Address a client at branch office would get connected to Head office Server.

The Static Ip at Head Office is :

The Lan Network at Head office :

The Lan Network  at branch office is :

The tunnel Network is :

The branch offices uses 4G dongle to get connected to Head Office.

Can I assign a fix Ip Addresses for clients from particular branch office when get connected to head office.

I am not sure whether I have made the situation clear.

Thank you,

General Questions / Certain sites only work on IE8
« on: September 26, 2017, 07:19:41 am »
Dear All,

       I am sorry if its off the topic.... but our company need to excess certain DMS sites which work only on IE 8 . As a result we are struck to Win XP.

All these desktops are behind pfsense firewall 2.3.2. running squid. Is it possible to do certain settings on the firewall so that when they access these sites they seem to come from IE8 not IE11.

I am completely clueless.
Any Pointers ?


OpenVPN / Site 2 Site OpenVPN with dual WAN
« on: September 18, 2017, 02:02:39 am »

     I  have all my branches connecting to head Office through OpenVPN. Few of the branches  have pfsense boxes and others have cisco  e900 with ddwrt flashed. They are all working fine.

      The head office is getting another Internet line.

      I have gone through the article

      I have configured the Server by setting the OpenVPN interface as localhost and port forwarding.    I have few questions :

      1) At the client site how should I configure so that if  WAN1 of headoffice goes down, it should automatically connect through WAN2 of headoffice.

     2) Do I have to distribute the certificates to the branches again after dual WAN change in the server. ( For road warriors I had to again download the certificates from the OpenVPN export client utility and reinstall it at the client side)

     3) In ddwrt, can I just give 2nd wan IP and port in the additional config ?

Any Pointers ?


Hello everyone,

          I am just struck at a very strange situation. This may not be the right place to ask but If anyone can help me out...

My Scenario :

Pfsense 2.3.2 box with vlan 101 (  on Lan (

 Netgear managed swicth GS108E connected to lan port. The first port is connected to firewall. Ports 2-6 are doing a vlan tagging for vlan 101. All my devices are connected to port7 and port 8 which are on LAN.

 I am able to ping from vlan101 network to Device on LAN network and vice versa. For mDNS I have enabled IGMP snooping in Netgear switch. So any device on vlan 101 are able to discover devices on lan (Port 7 & 8).

The problem arises when I connect a wifi access point to port 2-6 on Netgear switch. The IPAD get IP address in 101 series and it is  able to ping any device on LAN network ( but mDNS is not working ie it is not able to automatic discover devices connected to LAN network. I think the access point is causing the issue. Can any one point where am I going wrong.

Thank You,

Packages / Trouble Configuring Avahi
« on: July 05, 2017, 06:25:00 am »
Hello Everyone,

I need to do a simple home network.

The setup is as follows :

  pfsense router ----> unmanaged switch ------> all wifi devices + 2 managed switch (Netgear GS108E)

Pfsense 2.2.3 with vlan 101 on Lan port.

The last 3 ports of the managed switch are configured to tag vlanid 101. All my devices ( amplifier, streamer ... ) are connected to these ports.

The firewall rules allow any communication between the LAN port and VLAN101.

Avahi is installed for mDNS. But my Airport Utility installed on a pc connected to lan port is unable to communicate to Airport Extreme Base Station on VLAN101 Port. I have tried all kind of setting but I am not able to detect the device. If the laptop and airport are on same port (untagged LAN or Tagged VLAN101) they are able to communicate.

Can anyone help where am I going wrong.

Thank You


   Hello everyone,

                I am having a production box at one of the remote location. So I need to be very sure before I implement any changes. Here's my setup :

PFsense version 2.2.3. Three WAN connections :

WAN A  ---- primary default WAN  (static IP)
WAN B ------ backup WAN     (static IP)
WAN C ------ connected to other branch through a fiber cable. Traffic to should only pass through this. It has it's own dns (10.x.x.x) server. The normal internet traffic should never go through this.

This is how I am planning to do the setup :

Step 1 :  In System--Routing---Gateway group

        a)   AUp
              WAN A   ----    Tier 1
              WAN B   ----    Tier 2
              WAN C    ----   Never

     Trigger when  ---  Member down

         b)  BUp
              WAN A  ---- Tier 2
              WAN B  ----- Tier 1
              WAN C ----- Never
       Trigger when   -----   Member down

  Step 2 :   System---Routing----Static Route

                 Destination : 
                 Gateway     : WAN C

Step 3  :  Firewall ---- LAN Rule

                   Rule 1

                  destination : WAN C net
                   Gateway    : WAN C Gateway

                  Rule 2
                  destination  : any
                   Gateway : AUp

                   Rule 3
                    Destination : any
                    Gateway : BUp

Step 4 : System----ADvanced---- Miscellaneous

               Tick switch default gateway

                Tick  reset states                   ( I read in the forum this is  required when WAN A comes back live after a failover. )

Step 5 : System ----- General

              DNS 1        WANA DNS
              DNS 2         WANB DNS

Is there any thing else I need to take care. Please suggest. I need to make these changes ASAP.

Thank You,


Hello everyone,

      I have done lot of reading about setting up OpenVPN. I am bit confused.
Here's my requirement :

All Branch Offices (15)  should be able to connect to Main Office. No communication required between Branch Offices.
Also there are few road warriors who should be able to connect to Main Office.

MY Settings:

Main Office Local LAN :
Branch Offices Local LAN : 192.168.[1-15].0/24

Steps @ Main Office PFSense box running 2.3.2:

Created a CA VPNServerCA
Created a user with cert with VPNServerCA (For Road warriors)

Used OpenVPN wizard to setup server.
Here are the details:

Server Mode      : SSL/TLS with user auth     
Protocol             : UDP
Device Mode      : tun
Tunnel Network :
Local Network    :

Using Client Export I have downloaded the client installer and it is working perfect for Road Warriors.

Now to connect the Branch Offices,  the same OpenVPN Server Instance will work or I have to create a new OpenVPN Instance @ Server at Main office ?

Do I have to use

Server Mode as Peer to Peer SSL/TLS    or    Peer to Peer Shared Key (I have 15 branches)
Tunnel Network as   
Local LAN as

Do I have to setup remote LAN as ( I am confused here).

Do I have  to do some other custom settings or client override settings.

Please Help.


Cache/Proxy / How to add header request in squid.conf
« on: January 10, 2017, 11:06:51 am »


      I am using pfsense 2.2.6 with squid and squidguard with SSL bumping.

I am would like to block community gmail access. The user can only access gmail of

After some googling I found that I need to add following code to squid.conf

request_header_add X-GoogApps-Allowed-Domains "" all

Now where I do insert this code.

Any help
Thank You

Pages: [1] 2 3