
Topics - Puma

General Questions / Need help to configure VLAN in HA environment
« on: February 27, 2018, 04:49:49 am »

I tried to configure VLANs in an HA environment without success, and I need help to do this.

Here is the current environment and what I want:

I have two pfSense firewalls in HA mode. I have an existing interface on each FW with a CARP IP:

Master, LAN interface, IP:
Backup, LAN interface, IP:

I have created two VLANs (in Interfaces -> VLANs): VLAN 10 and VLAN 20.

VLAN: I want to assign the existing IP of the LAN interface:

- What should I do next for the existing LAN interface? Disable the LAN interface? Keep it enabled but not set to any IP? This parent interface will host the VLANs.

In my attempt, I enabled my VLAN interface and set it with a 192.168.9.X IP. I changed the interface type on the CARP from LAN to VLAN10.

My layer 2 switch is configured like this, but I'm not sure of the configuration (see picture).
Ports 3 and 4 are PC clients for this example.

Can you help me make the VLAN work and guide me through the process, please?
Thank you in advance.

Routing and Multi WAN / Multi WAN on same interface
« on: January 30, 2018, 05:24:25 am »

Before I start, I should specify that I have no NIC available and no possibility to do VLANs.

So, we have one interface "VPN" connected to a switch where we already have several ISP routers for our clients. We have set up the routers' gateways, virtual IPs, static routes and NAT to access some DMZ machines, and we can communicate with them without problem.

Now, I want to add another router connected to this switch and have access to the DMZ machines. I configured the gateway address and virtual IP. I don't want to set static routes. For example, all requests coming in on public IP 90.80.x.2 are redirected to DMZ machine : and reply with the same IP as the entry.

How can I do this, please?

I tried NAT, 1:1 NAT, and outbound NAT specifying public IP 90.80.x.2.
On this router, I have a direct public IP subnet (90.80.x.1/29) on a port that I would like to use.

Currently, I want to display a web page (HTTPS); I see the request come in (establishing the secure connection) but the page isn't displayed. I think the reply can't be made (SYN-ACK), and this is the default gateway of the DMZ interface.

I hope you can give me some advice on how to do that.

Thank you.

Hardware / Create raid gmirror after install
« on: October 04, 2017, 03:04:58 am »

Is it possible to create RAID 1 after install, please?
If yes, can you guide me on how to do it, please?

At install time, the firewall had 2 HDDs; I did a quick install.


Installation and Upgrades / GMIRROR - SYNCHRONIZING 100% stuck
« on: August 29, 2017, 02:48:31 am »

We have a pfSense with 2 disks configured in RAID 1 with GEOM mirror.

One disk was bad, and we replaced it with a new disk. The sync is stuck at 100%:

gmirror status
                Name    Status  Components
mirror/pfSenseMirror  DEGRADED  ada0 (ACTIVE)
                                ada1 (SYNCHRONIZING, 100%)

I see with SMART that on the first disk we have errors from when the firewall rebooted to replace the failed second disk.

SMART Error Log Version: 1
ATA Error Count: 5
        CR = Command Register [HEX]
        FR = Features Register [HEX]
        SC = Sector Count Register [HEX]
        SN = Sector Number Register [HEX]
        CL = Cylinder Low Register [HEX]
        CH = Cylinder High Register [HEX]
        DH = Device/Head Register [HEX]
        DC = Device Command Register [HEX]
        ER = Error register [HEX]
        ST = Status register [HEX]
Powered_Up_Time is measured from power on, and printed as
DDd+hh:mm:SS.sss where DD=days, hh=hours, mm=minutes,
SS=sec, and sss=millisec. It "wraps" after 49.710 days.

Error 5 occurred at disk power-on lifetime: 20844 hours (868 days + 12 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  -- -- -- -- -- -- --
  40 51 00 00 8c a1 40  Error: UNC at LBA = 0x00a18c00 = 10587136

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  25 00 00 00 8c a1 12 00      00:51:12.327  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:10.264  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:08.200  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:06.001  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:03.954  READ DMA EXT

So, we will reinstall pfSense soon, but we aren't on site.

Is there a way to unblock this situation, please?
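As an added example (not from the post), a small Python monitor that parses gmirror status and smartctl error-log output in the shape shown above and flags the combination the post describes: the ACTIVE member reporting UNC (unreadable sector) errors while the other member is still synchronizing. The sample output is constructed here; the check does not prove the stall is caused by the bad sector, it only surfaces the two facts together.

```python
import re

# Constructed samples, shaped like the gmirror and smartctl output in the post.
GMIRROR_STATUS = """\
                Name    Status  Components
mirror/pfSenseMirror  DEGRADED  ada0 (ACTIVE)
                                ada1 (SYNCHRONIZING, 100%)
"""
SMART_LOG_ADA0 = """\
ATA Error Count: 5
Error 5 occurred at disk power-on lifetime: 20844 hours (868 days + 12 hours)
  40 51 00 00 8c a1 40  Error: UNC at LBA = 0x00a18c00 = 10587136
"""
# One component per line; the first line also carries the mirror name and status.
COMPONENT_RE = re.compile(
    r"^(?:(mirror/\S+)\s+(\S+)\s+)?(\S+)\s+\((\w+)(?:,\s*(\d+)%)?\)$")
UNC_RE = re.compile(r"Error: UNC at LBA = (0x[0-9a-fA-F]+)")

def parse_gmirror_status(text):
    """Return {'name', 'status', 'components': {dev: (state, percent_or_None)}}."""
    info = {"name": None, "status": None, "components": {}}
    for line in text.splitlines()[1:]:          # skip the header row
        m = COMPONENT_RE.match(line.strip())
        if not m:
            continue
        name, status, dev, state, pct = m.groups()
        if name:
            info["name"], info["status"] = name, status
        info["components"][dev] = (state, int(pct) if pct else None)
    return info

def unreadable_lbas(smart_text):
    """LBAs of UNC (uncorrectable read) errors in a smartctl error log."""
    return [int(x, 16) for x in UNC_RE.findall(smart_text)]

def assess_rebuild(gmirror_text, smart_by_disk):
    """Flag a sync whose source (ACTIVE) member reports unreadable sectors.
    smart_by_disk maps a component name such as 'ada0' to its smartctl error log.
    Returns (mirror_status, [finding, ...]); an empty list means nothing to flag."""
    mirror = parse_gmirror_status(gmirror_text)
    syncing = [d for d, (st, _) in mirror["components"].items() if st == "SYNCHRONIZING"]
    findings = []
    for dev, (state, _) in mirror["components"].items():
        lbas = unreadable_lbas(smart_by_disk.get(dev, ""))
        if state == "ACTIVE" and lbas and syncing:
            findings.append(f"{dev}: unreadable LBA(s) {lbas} on the source disk while "
                            f"{', '.join(syncing)} is still synchronizing")
    return mirror["status"], findings
```

Feed it the real `gmirror status` and `smartctl -l error /dev/adaN` output for each component to get the same verdict on a live box.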


IPsec / Phase 2 doesn't have a uniqid tag
« on: March 14, 2017, 09:55:07 am »

I upgraded from pfSense 2.1.5 to 2.3.2, and when I want to edit a phase 2, it is empty. The value of p2index= in the URL is empty: https://xx.xx.xx.xx/vpn_ipsec_phase2.php?p2index=

In the config file, I don't have uniqid (and reqid) tags.

1. How can I set this uniqid easily? What about the reqid tag?

2. If I manually add uniqid with a random value, will it work?

3. Can I restore the IPsec part without rebooting the firewall or the IPsec tunnels?

Thank you.
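As an added example (not the poster's or pfSense's own code), a Python script that checks and repairs a config.xml whose phase 2 entries lack the uniqid and reqid tags mentioned above. It assumes the entries live under <ipsec><phase2>, that uniqid has the 13-hex-char shape of PHP's uniqid(), and that reqid is a small integer unique per phase 2; the sample fragment is constructed.

```python
import re
import secrets
import xml.etree.ElementTree as ET
# Constructed config.xml fragment: first phase 2 has ids, the other two lack them.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <phase1><ikeid>1</ikeid><descr>client-a</descr></phase1>
  <phase2><ikeid>1</ikeid><descr>p2-lan</descr><uniqid>5a6b7c8d9e0f1</uniqid><reqid>1</reqid></phase2>
  <phase2><ikeid>1</ikeid><descr>p2-dmz</descr></phase2>
  <phase2><ikeid>1</ikeid><descr>p2-mgmt</descr></phase2>
</ipsec></pfsense>"""
UNIQID_RE = re.compile(r"^[0-9a-f]{13}$")  # assumed shape: PHP uniqid(), 13 hex chars

def new_uniqid(used):
    """Random 13-hex-char id not already present in the config (retry on collision)."""
    uid = secrets.token_hex(7)[:13]
    return new_uniqid(used) if uid in used else uid

def _set_child(parent, tag, value):
    el = parent.find(tag)
    if el is None:                      # tag absent: create it; empty tag: fill it
        el = ET.SubElement(parent, tag)
    el.text = value

def check_phase2_ids(config_xml):
    """Descriptions of phase 2 entries whose uniqid is missing or malformed."""
    root = ET.fromstring(config_xml)
    return [p.findtext("descr") for p in root.findall("./ipsec/phase2")
            if not UNIQID_RE.match(p.findtext("uniqid") or "")]

def repair_phase2_ids(config_xml):
    """Add <uniqid>/<reqid> to every <phase2> lacking them; existing ids are kept and
    new reqids continue after the highest present. Returns (xml, [(descr, uniqid, reqid)])."""
    root = ET.fromstring(config_xml)
    phase2s = root.findall("./ipsec/phase2")
    used = {p.findtext("uniqid") for p in phase2s if p.findtext("uniqid")}
    next_reqid = 1 + max((int(p.findtext("reqid")) for p in phase2s
                          if (p.findtext("reqid") or "").isdigit()), default=0)
    report = []
    for p2 in phase2s:
        no_uid = not p2.findtext("uniqid")
        no_req = not (p2.findtext("reqid") or "").isdigit()
        if no_uid:
            used.add(uid := new_uniqid(used))
            _set_child(p2, "uniqid", uid)
        if no_req:
            _set_child(p2, "reqid", str(next_reqid))
            next_reqid += 1
        if no_uid or no_req:
            report.append((p2.findtext("descr"), p2.findtext("uniqid"), int(p2.findtext("reqid"))))
    return ET.tostring(root, encoding="unicode"), report
```

Run check_phase2_ids on a backup of the real config first; the report from repair_phase2_ids lists exactly which entries were given new ids, so the result can be diffed before it is restored.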

Installation and Upgrades / Upgrade - Lost outbound NAT
« on: January 03, 2017, 09:45:14 am »

I have upgraded from 2.3.2 to 2.3.2-p1. After the reboot, the "Outbound NAT" section was lost.

Before, it was in manual mode, and after the upgrade, the mode was automatic without any values.

To fix it, I restored the NAT section in the config file, and now I have all my outbound NAT values.

Have you heard about this issue? Do you know what might have caused this?


General Questions / HA - Crash report - Need help to understand why
« on: October 04, 2016, 04:53:27 am »

I would like to know if you can analyse the crash report and help us understand why the slave pfSense crashed and why we had downtime on our first pfSense and instability during a 30-minute period.

Let me explain: we have two pfSense configured in HA, version 2.1.5 (I know this is an old version; we have a project to upgrade). Last week, we had a production outage, and so our internet lines were down (fiber, VPN, VDSL): the first pfSense had a high load average (~13), and the secondary pfSense crashed with this crash report. We shut down the secondary and disabled the SYNC (HA - pfsync) interface to bring the first pfSense back to life.

Currently, these pfSense are virtualized with Proxmox and Intel e1000 network cards (we would like to move to physical hardware with the newest version, but I have tested it and we have a problem with IPsec and FTP).

So, can you help us? Do you need more information?



I was on version 2.1.5, where 2 IPsec tunnels are up with two clients to do FTP (passive).
I migrated to the latest version, 2.3, and since then it is impossible to do FTP transfers via IPsec. The client manages to log in but not to list, and of course not to transfer.
I have an IPsec rule allowing port 21 and the port range 50000 to 51000 to the FTP server.

Connecting to this FTP works on the LAN and on the WAN, and it was tested with FileZilla Server and vsftpd.
I also followed this guide:

I tried enabling ftpdebug, and I changed the IPsec encryption to 3DES.

I notice that in active mode I manage to list, but I would like to stay in passive mode.

Do you have a tip to get passive FTP via IPsec working again, please?

Thanks in advance for your help.

IPsec / Migrate from 2.15 to 2.3 - FTP problem via IPSEC
« on: May 13, 2016, 05:10:08 am »

I migrated pfSense from 2.1.5 to 2.3.
Now, clients who want to get or put FTP transfers via IPsec fail. They manage to log in but can't transfer.
The tunnel is UP and the route is OK.

Is there an option that I missed?
Must I add a rule?

Thanks for your help.


I have two pfSense 2.1.5 in HA sync (virtualized).
I would like to reinstall one pfSense physically in the same version, but I get a panic at boot of the LiveCD, and I spent several hours trying to find a solution but found nothing, so I tested the latest version (2.3) and I can boot the pfSense installer. By the way, do you have a tip for me? My server is a Dell R320 and my install device is USB (I choose option 3 - boot pfSense using USB) and I get: panic ifmedia_set - kdb enter panic, and the system is frozen.

So my question: can I upgrade one pfSense from 2.1.5 to 2.3 and keep the primary pfSense synced with the slave on different versions?

The objective is to upgrade one pfSense, test the latest version without virtualization, check that all is OK and then upgrade the other one.

Thanks for your answers.

OpenVPN / OpenVPN - password to open connection for the user
« on: April 26, 2016, 09:51:40 am »

Is there a way to configure a password to open the connection / tunnel for the user from the OpenVPN packages?
Currently, the user installs the OpenVPN package and can launch the tunnel without typing a password.


General Questions / Upgrade from 2.1.5 to 2.3 - Advice for IPSEC
« on: April 26, 2016, 04:08:39 am »

I have pfSense 2.1.5.
Before upgrading to the latest version, I read the changelogs and I would like advice on the IPsec changes. I use several IPsec tunnels to clients with one P1 and multiple P2s, negotiation mode: main, NAT-T disabled.

- Do you think I can upgrade without problems?

- With existing tunnels, will the IKE version be IKEv1?

- Moreover, I use CARP / virtual IPs; any problem with upgrading in that regard?

- Do you have any further comments in relation to this update?

