
Topics - moikerz

Installation and Upgrades / Minor Setup Wizard issue
« on: February 23, 2018, 12:27:18 pm »
Not sure if this is a "bug" per se - I just wanted to give a heads-up to the Setup Wizard code fixer netwomble:

- Fresh SG1000 with 2.4.2-p1 preinstalled
- Choose Setup Wizard, change LAN IP to different network when prompted (I used 10.x.x.x)
- Wizard bails and cites 500 Server Error in a red box (but still with pfSense header/footer)
- GUI not available on new network/address
- Solution was to use console to set IP assignments

Also not sure if this was related directly to the SG unit, or if it's a more general issue (hell, it might just be my own fault ;) )

General Questions / RADIUS, 802.1x, AD Computer-based authentication
« on: February 09, 2018, 06:43:47 pm »
I'm getting a bit snowed-under with the options available to secure our wireless client access, so I'm finally resorting to asking a question :P

What I'd like is only AD Computers and pre-approved devices to join the corp wireless without additional prompts. If the wireless device has an active AD account, or has a pre-approved MAC, then just connect already.

I have read and a few days' worth of various pfsense & other sites, but:

- I do not want to use AD user/pass authentication, as I do not want my users to join their personal devices to the corp wireless just by entering their AD user/pass
- I do not want to use a Windows CA; pfSense CA would be ok; if possible I'd like to avoid CA altogether.

Unless I'm just not grokking the concept, why is it so hard to have an access point query Active Directory / LDAP to see if a computer is valid, and then allow it to connect?

I should note my driving reason:
I'm tired of people (including my boss) at our remote locations asking for the corp wireless PSK password. I'd be happier knowing that all AD devices can connect automatically without my input. Thus I'd rather not use CAs, which would need to connect to the wired network at least once in order to obtain the CA via GPO, which cannot happen for Windows tablets.

General Questions / Change OPT order for VLANs
« on: February 02, 2018, 04:33:50 pm »
As time goes on, I'm adding various VLANs to pfSense. The order that the VLANs display in is ordered by the OPT number (ie, OPT1, OPT2, OPT3). But my VLANs are labelled such that they are no longer alphabetical. That is:


How can I make it so:


so that they're sorted "nicely" in the GUI? I see that I can change the dropdown in Interfaces > Assignments, but will that move the Firewall rules as well, or are rules tied to the OPT number?

A follow up request could be that I want a pretty flower on the dashboard. But I'll settle for sorting alphabetically for now. :P

Hoping there's something silly that I keep missing:

I have one pfSense running two OpenVPN servers - a site-to-site server and a site-to-client (remote user) server. I only want to allow RDP and DNS over the site-to-client link, but allow other services through the site-to-site link.

I couldn't find a way to make separate firewall interfaces (it just shows as a magical OpenVPN "interface" without being a true Interface), and I couldn't find any filters within the Firewall Rules to be able to differentiate between both servers' traffic.

Is it possible to have different firewall rules for different OpenVPN servers?


DHCP and DNS / DNS settings on an ActiveDirectory domain
« on: April 20, 2017, 04:48:51 pm »
I think I've got myself a little mixed up, and just looking for some clarification.  My goal is to utilize OpenDNS's servers, but I can't figure out where to put those IPs.

I have a domain. All clients point to my internal primary/secondary DNS servers.

My primary/secondary DNS servers both have pfSense as the only Forwarder, and fail-over to Root Hints if the forwarder isn't available.

pfSense > system>general has my internal primary/secondary DNS servers only.
pfSense has DNSForwarder disabled.
pfSense has DNSResolver enabled.
pfSense is also an OpenVPN server using LDAP for authentication, if that has any weight (I don't think it does because LDAP is its own service, but I'm mentioning it anyway).

Currently, everything is working, but we are not using the OpenDNS servers. Currently, I think a client is asking the internal DNS servers, who are asking pfSense, which is asking my AD servers again, who say "no idea" and then use Root Hints.

I think what I have to do is:
1. Disable DNSResolver
2. Enable DNSForwarder
3. From System>General, remove my internal DNS servers and replace with OpenDNS
4. Disable my DNS Server's abilities to use Root Hints.

I just don't want to break my VPN authentication. Does this sound like the correct steps?

Official pfSense Hardware / SG-1000 CPU usage numbers
« on: March 15, 2017, 12:46:15 pm »
I'm a little confused with some of the usage numbers, and hoping someone can educate me..

I understand the CPU is a single-core, so a CPU utilization of '1' would mean the single core is at capacity. And that's what I'm seeing on my Diagnostic>System Activity page (and dashboard), with load averages of ~0.70.

But when I go to the Status>Monitoring page, the graph indicates that I'm barely pushing 20%.

So.. is my SG-1000 nearing capacity (~70%) or is it pretty lax (~20%)? Confused, looking for comments/understanding.

General Questions / SG-1000 processor cores
« on: March 08, 2017, 05:13:35 pm »
Does the ARM chip on the SG-1000 have processor "cores," or is that the term for x86/64 chips?

Just trying to understand the load averages on this model.

(I'm not sure if this should go here, or in the 2.4 Development section. Admins please move as needed)

My remote SG1000 became inaccessible after I (foolishly) upgraded the firmware remotely. After 12 hours, I drove to site, and found the console was going through the startup process. Odd. I sat there and waited; after a few minutes the webconfigurator came up, albeit sluggish. I didn't record the original beta firmware version; after the upgrade, the dashboard shows "2.4.0-BETA (arm) / built on Mon Mar 06 02:44:10 CST 2017 / FreeBSD 11.0-RELEASE-p8" if that helps anyone.

After 10 minutes, the console screen came up with "kernel panic" .. something .. "hfsc_dequeue" then I lost the connection and the SG1000 restarted. This cycle then repeated. (Of course I neglected to take a screenshot here too..)

To resolve it, while the webconfigurator was briefly available, I removed the HFSC shaper. I had originally had this in because I was going to use it on my VLANs (not on the host interface because that's not supported on this platform yet). But I hadn't assigned any traffic to any queues at this stage. After removing the shaper, the system became stable again and I've had no further issues.

I've seen a few other kernel panic threads floating around, but didn't notice any for hfsc_dequeue. Was my process wrong for applying HFSC for VLANs only on an SG1000, or is this a bug? Just throwing this out there.

Traffic Shaping / HFSC basic minimums & maximums
« on: February 11, 2017, 03:52:29 pm »
I have a stable 20/20 fiber connection to my ISP. Still running 2.2.6 (because my SG1000 Gold activation hasn't reactivated my SG2440 Gold like it's supposed to - known bug. As soon as that's established I'll upgrade).

I have a HFSC configuration set to limit to 10/10, but I'm noticing that I don't seem to understand the configuration of minimum guaranteed bandwidth. Particularly the purpose of "Link Share". Also my bufferbloat reports on are stuck at C or D levels.

I want all queues to borrow up to maximum of the parent link if no other queue wants it. (Perhaps this is my mistake?)

I thought setting the child Bandwidth values was the way to accomplish this. But when those damn Windows10 updates start downloading, it caps the 10Mbps link but the other network devices are starved...

Have I missed something?

WAN             (HFSC, Bandwidth: 10Mbps)
   - qInternet      (CODEL, Bandwidth: 10Mbps, Upperlimit m2: 10.0Mb)
      - qHigh              (Bandwidth: 20%, no other options set)
      - qNormal            (Bandwidth: 10%, no other options set)
      - qLow               (Bandwidth:  5%, default queue, no other options set)

LAN             (HFSC, Bandwidth: 900Mbps)
   - qLink          (Bandwidth: 890Mbps, no other options set)
   - qInternet      (Bandwidth: 10Mbps, Upperlimit m2: 10.0Mb)
      - qHigh              (Bandwidth: 20%, no other options set)
      - qNormal            (Bandwidth: 10%, no other options set)
      - qLow               (Bandwidth:  5%, default queue, no other options set)

Hardware / SG-1000 temperatures
« on: December 21, 2016, 05:05:41 pm »
Just got my SG-1000 powered up today, with the base 2.4.0 beta loaded. No WAN configured yet, but I've configured a couple of VLANs and appropriate firewall rules and DHCP service on each. An openVPN client configuration is present, but disabled. And I've done a few reboots.

Sitting on the dashboard, the CPU is spiking to 100% (load avg 0.97, 0.90, 0.79 at time of writing this), with a temp of 64C. This is above the warning level configured at 60C.

Connecting the WAN and establishing internet access with a single device, CPU has settled slightly (0.85, 0.88, 0.79) but is up to 68C.

Should I be concerned at these temperatures, or is the warning just set too low?

I'm noticing on the 2.4beta build on the new SG-1000 that I just received, that if the WAN has not been connected/configured yet (thus is still on default as DHCP), when configuring the SG-1000 as an OpenVPN client (to connect to HQ), the OpenVPN config will not save with WAN as the Interface, citing the selected interface has not been configured with an IPv4 address.

(I haven't posted a possible bug before - hope this is the right place)

I'm ready to upgrade my existing SG-2440 with 2.2.6, to 2.3.

My primary concern is OpenVPN. I have one site-to-site VPN, and a bunch of site-to-client (remote users). Other than changing OpenVPN back to 'net30' instead of the new 'topology', will I need to reinstall the VPN/keys on all of my remote users?

This is a little hard for me to test on a dummy system ... I'm pretty sure the keys would remain intact, but I'm looking for some affirmations.

Traffic Shaping / HFSC/CoDel for 40 devices
« on: May 13, 2016, 12:52:23 am »
I have an office with about 40 devices, with a 6/6 access (yay T1..). All I want to do is de-prioritize SMTP, and prioritize access to one website, while not letting any one user monopolize the connection. Directing traffic to the queues is not an issue.

I've had PRIQ working somewhat well, but lower queues were sometimes starved for bandwidth. (also, dslreport's bufferbloat was always an 'F').

I figured I could try pure CODELQ, but then I was reading that it doesn't perform well for multiple simultaneous users/threads. It gave me an instant 'A' for bufferbloat, but if it would be problematic for 40 devices, I'd prefer not. Is this true?

If so, then I guess I'm left with HFSC. But I'm getting confused. I can understand the parent/child relationship, but I can't for the life of me figure out Linkshare's relationship to Upperlimit/Realtime ...  ???

Example time:
Let's say I have a parent, with two children (HighPriority, LowPriority). I don't care about burst (m1,d); only about m2.
I want HighPriority to have minimum 30% bandwidth, maximum 80% bandwidth.
I want LowPriority to have minimum 10% bandwidth, maximum 40% bandwidth.
So HighPriority's Upperlimit = 80%, Realtime = 30%, Linkshare = ??
And LowPriority's Upperlimit = 40%, Realtime = 10%, Linkshare = ??

WTF goes in Linkshare for the two children?  ??? Am I not thinking of 'maximum' correctly?
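The link-share question raised in the two HFSC posts above (the 10/10 WAN queue tree and the two-child HighPriority/LowPriority example) can be explored with a simplified allocation model. This is an added example, not the poster's configuration or pfSense/ALTQ scheduler code: the `Queue` fields, the `allocate()` water-filling routine and the Mbps figures are constructed to mirror the numbers in the posts, and the model ignores the m1/d burst parameters and the per-packet virtual-time machinery of the real scheduler.

```python
# Added example: a simplified HFSC allocation model, not pfSense/ALTQ code.
# Per leaf queue: realtime (guaranteed floor), linkshare (weight; the field
# pfSense labels 'Bandwidth'), upperlimit (hard cap) and offered demand, all
# in Mbps. The m1/d burst parameters are ignored (modelling assumption).
from dataclasses import dataclass

@dataclass
class Queue:
    name: str
    realtime: float    # Mbps guaranteed whenever this queue is backlogged
    linkshare: float   # relative weight for bandwidth no sibling is using
    upperlimit: float  # never exceed this, even when the link is idle
    demand: float      # offered load in Mbps

def allocate(parent_mbps, queues):
    """Return {queue name: Mbps} for steady-state contention on one parent."""
    # Phase 1: realtime floors come off the top, bounded by cap and demand.
    alloc = {q.name: min(q.realtime, q.demand, q.upperlimit) for q in queues}
    remaining = parent_mbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("realtime guarantees exceed the parent bandwidth")
    # Phase 2: water-fill the leftover by linkshare weight; a queue that hits
    # its cap or demand drops out and its unused share is re-offered.
    hungry = [q for q in queues
              if q.linkshare > 0 and alloc[q.name] < min(q.demand, q.upperlimit)]
    while remaining > 1e-9 and hungry:
        total_w = sum(q.linkshare for q in hungry)
        used, still_hungry = 0.0, []
        for q in hungry:
            room = min(q.demand, q.upperlimit) - alloc[q.name]
            give = min(remaining * q.linkshare / total_w, room)
            alloc[q.name] += give
            used += give
            if room - give > 1e-9:
                still_hungry.append(q)
        remaining -= used
        hungry = still_hungry
    return alloc

# Constructed scenarios mirroring the posts' figures on a 10 Mbps parent.
WAN_CHILDREN = [
    Queue("qHigh", 0, 20, 10, 10),    # 20% linkshare, no realtime floor
    Queue("qNormal", 0, 10, 10, 10),  # 10%
    Queue("qLow", 0, 5, 10, 10),      # 5%, the default queue bulk updates hit
]
TWO_CHILDREN = [
    Queue("HighPriority", 3, 3, 8, 10),  # min 30%, max 80%
    Queue("LowPriority", 1, 1, 4, 10),   # min 10%, max 40%
]
```

In this model a 5% link share does not cap qLow at 0.5 Mbps: when no sibling is active it takes the whole 10 Mbps, and when qHigh wakes up the excess is split 20:10:5, which is what link share controls, while realtime and upperlimit set the floor and ceiling.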

Installation and Upgrades / SG-2440 on 2.2.6, wait for 2.3.1?
« on: April 20, 2016, 05:10:02 pm »
I hesitate in writing this so early (well, early-ish) after the release of 2.3...

With an SG-2440 running 2.2.6, should I wait for the 2.3.1 release?

Just running mailreport, OpenVPN, Snort. Current plan is to remove mailreport, upgrade to 2.3, readjust OpenVPN to use net30 instead of topology. Just wanting some advice before proceeding on a production device.

Traffic Shaping / PRIQ - No LAN Bandwidth from wizard
« on: March 07, 2016, 07:01:24 pm »
After going through the traffic shaping wizard for Multi-WAN, Multi-LAN, selecting PRIQ for both and entering the up/down values for my single WAN connection, my LAN queue has no bandwidth associated on it. I'm not sure if this is intentional.

Do I need to have my desired WAN upload limit put on my LAN queue?
