


Topics - Hugovsky

1
2.4 Development Snapshots / [SOLVED]NTP not working
« on: January 19, 2018, 06:09:28 pm »
I think I have a problem with NTP service. Seems not to be working maybe arround 27th December onward. I tried everything I can remember and can't make it work. I've attached a pic of ntp status page. No special config except I've selected only 3 interfaces. But it was already running that way a long time ago. No errors in log. Any ideas?

Code:
Jan 20 00:07:53 ntpd 58466 Listening on routing socket on fd #34 for interface updates
Jan 20 00:07:53 ntpd 58466 Listen normally on 13 igb2.600 192.168.54.1:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 12 igb2.600 [fe80::ec4:7aff:fe6a:bc5a%15]:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 11 igb1.500 192.168.53.1:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 10 igb1.500 [fe80::ec4:7aff:fe6a:bc59%13]:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 9 igb1.400 192.168.52.1:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 8 igb1.400 [fe80::ec4:7aff:fe6a:bc59%12]:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 7 igb1.3 10.10.10.2:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 6 igb1.3 10.10.10.1:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 5 igb1.3 192.168.50.1:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 4 igb1.3 [fe80::ec4:7aff:fe6a:bc59%11]:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 3 igb1.120 10.1.2.1:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 2 igb1.120 [fe80::ec4:7aff:fe6a:bc59%9]:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 1 lo0 127.0.0.1:123
Jan 20 00:07:53 ntpd 58466 Listen normally on 0 lo0 [::1]:123
Jan 20 00:07:53 ntpd 58466 proto: precision = 0.190 usec (-22)
Jan 20 00:07:53 ntpd 58181 Command line: /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
Jan 20 00:07:53 ntpd 58181 ntpd 4.2.8p10@1.3728-o Mon Apr 3 21:03:28 UTC 2017 (1): Starting

2
2.4 Development Snapshots / No packages no update
« on: October 09, 2017, 05:43:03 am »
Hi all. I have one pfsense in 2.4RC (2.4.0-RC (amd64) built on Sun Sep 03 18:29:30 CDT 2017 FreeBSD 11.0-RELEASE-p12) and another in 2.4.1 (2.4.1-DEVELOPMENT (amd64) built on Thu Sep 21 20:37:35 CDT 2017 FreeBSD 11.1-RELEASE-p1) and can't update packages or the image itself. It gives me an error with repositories. Am I missing something?

3
General Discussion / These are good news
« on: July 17, 2017, 04:44:00 am »

4
IDS/IPS / [SOLVED] Suricata not blocking
« on: April 26, 2017, 04:15:55 pm »
I'm using suricata in legacy mode and I can't make it block. Alerting is working but it doesn't block.

I'm using 2.4 latest snapshot with pfBlocker and freeradius. M/B supermicro A1SRi-2558 (c2558) with 16GB ram. I've tried uninstalling and installing suricata, rebooting and everything I could remember.

suricata log:

Code:
26/4/2017 -- 22:00:46 - <Notice> -- This is Suricata version 3.2.1 RELEASE
26/4/2017 -- 22:00:46 - <Info> -- CPUs/cores online: 4
26/4/2017 -- 22:00:46 - <Info> -- HTTP memcap: 67108864
26/4/2017 -- 22:00:46 - <Notice> -- using flow hash instead of active packets
26/4/2017 -- 22:01:00 - <Info> -- 3 rule files processed. 13392 rules successfully loaded, 0 rules failed
26/4/2017 -- 22:01:00 - <Info> -- 13403 signatures processed. 23 are IP-only rules, 6352 are inspecting packet payload, 9128 inspect application layer, 103 are decoder event only
26/4/2017 -- 22:07:14 - <Info> -- Threshold config parsed: 0 rule(s) found
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb0 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc58 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb2 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5a to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb3 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5b to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface lo0 IPv6 address 0000:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface lo0 IPv6 address fe80:0000:0000:0000:0000:0000:0000:0001 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan120 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan120 IPv4 address 10.1.2.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb3_vlan300 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5b to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb3_vlan300 IPv4 address 10.1.3.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan3 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan3 IPv4 address 192.168.50.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan3 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan400 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan400 IPv4 address 192.168.52.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan500 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan500 IPv4 address 192.168.53.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb1_vlan1 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc59 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb2_vlan600 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc5a to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb2_vlan600 IPv4 address 192.168.54.1 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb0_vlan100 IPv6 address fe80:0000:0000:0000:0ec4:7aff:fe6a:bc58 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf -> adding firewall interface igb0_vlan100 IPv4 address 94.61.130.159 to automatic interface IP Pass List.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf output device (regular) initialized: block.log
26/4/2017 -- 22:07:14 - <Info> -- Pass List /usr/local/etc/suricata/suricata_44765_igb0_vlan100/passlist parsed: 19 IP addresses loaded.
26/4/2017 -- 22:07:14 - <Info> -- Created firewall interface IP change monitor thread for auto-whitelisting of firewall interface IP addresses.
26/4/2017 -- 22:07:14 - <Info> -- alert-pf output initialized, pf-table=snort2c  block-ip=src  kill-state=on
26/4/2017 -- 22:07:14 - <Error> -- [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Unknown logger type: name=AlertPf
26/4/2017 -- 22:07:14 - <Info> -- fast output device (regular) initialized: alerts.log
26/4/2017 -- 22:07:14 - <Info> -- http-log output device (regular) initialized: http.log
26/4/2017 -- 22:07:14 - <Info> -- Using 1 live device(s).
26/4/2017 -- 22:07:14 - <Warning> -- [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Name of device should not be null
26/4/2017 -- 22:07:14 - <Info> -- using interface igb0_vlan100
26/4/2017 -- 22:07:14 - <Info> -- Running in 'auto' checksum mode. Detection of interface state will require 1000 packets.
26/4/2017 -- 22:07:14 - <Info> -- Found an MTU of 1500 for 'igb0_vlan100'
26/4/2017 -- 22:07:14 - <Info> -- Set snaplen to 1524 for 'igb0_vlan100'
26/4/2017 -- 22:07:14 - <Info> -- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <Info> -- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <Info> -- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <Info> -- using magic-file /usr/share/misc/magic
26/4/2017 -- 22:07:14 - <Info> -- RunModeIdsPcapAutoFp initialised
26/4/2017 -- 22:07:14 - <Notice> -- all 5 packet processing threads, 2 management threads initialized, engine started.
26/4/2017 -- 22:07:15 - <Info> -- No packets with invalid checksum, assuming checksum offloading is NOT used


What's wrong?

5
2.4 Development Snapshots / [SOLVED]IPSec problem
« on: February 27, 2017, 09:31:10 am »
I'm having some problems with ipsec in 2.4. With a clean install, I've created manually one site-to-site tunnel that was working previously, with 2.3.3. I can establish communication but can't ping and no traffic with old firewall rules. The only way I can ping remote is if I put the "all to all" generic rule in ipsec interface. But, if I do that, I get strange ips and protocols in states. Can't understand what's happening.

I've tried with the latest (today) beta. Hardware is A1SRi-2558 with 16GB connected thru fiber. No pppoe.

 

6
I'm having this error in logs:

radiusd    44984    [ttls] Invalid ACK received: 0

This is repeating +- every 20 sec.

I have only pfblocker and freeradius packages installed. Freeradius configured to use pfsense CA. It's a clean install with restored backup config from 2.3.3. All is working well.


2.4.0-BETA (amd64)
built on Wed Feb 22 17:46:59 CST 2017
FreeBSD 11.0-RELEASE-p7

C2758 board



7
IPsec / IPSec + OpenVPN client
« on: June 01, 2015, 03:44:39 pm »
Maybe I'm doing something wrong. I can use IPSec and can connect to pfsense from outside. If I enable one OpenVPN client in pfsense, IPSec doesn't connect anymore. Can't both be used at the same time?

PFsense 2.2.2 with 4GB
Intel Nics

Code:
Jun 1 21:35:25 charon: 16[JOB] <4> deleting half open IKE_SA after timeout
Jun 1 21:35:08 charon: 11[JOB] <3> deleting half open IKE_SA after timeout
Jun 1 21:35:07 charon: 03[IKE] <4> looking for a route to xx.xx.xx.xx ...
Jun 1 21:35:07 charon: 03[IKE] <4> looking for a route to xx.xx.xx.xx ...
Jun 1 21:35:07 charon: 03[IKE] <4> old path is not available anymore, try to find another
Jun 1 21:35:07 charon: 03[IKE] <4> old path is not available anymore, try to find another
Jun 1 21:35:07 charon: 03[IKE] <3> looking for a route to xx.xx.xx.xx ...
Jun 1 21:35:07 charon: 03[IKE] <3> looking for a route to xx.xx.xx.xx ...
Jun 1 21:35:07 charon: 03[IKE] <3> old path is not available anymore, try to find another
Jun 1 21:35:07 charon: 03[IKE] <3> old path is not available anymore, try to find another
Jun 1 21:35:07 charon: 13[KNL] interface ovpnc1 activated
Jun 1 21:35:05 charon: 13[NET] <4> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (180 bytes)
Jun 1 21:35:05 charon: 13[IKE] <4> received retransmit of request with ID 0, retransmitting response
Jun 1 21:35:05 charon: 13[IKE] <4> received retransmit of request with ID 0, retransmitting response
Jun 1 21:35:05 charon: 13[NET] <4> received packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (668 bytes)
Jun 1 21:35:01 charon: 12[NET] <4> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (180 bytes)
Jun 1 21:35:01 charon: 12[IKE] <4> received retransmit of request with ID 0, retransmitting response
Jun 1 21:35:01 charon: 12[IKE] <4> received retransmit of request with ID 0, retransmitting response
Jun 1 21:35:01 charon: 12[NET] <4> received packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (668 bytes)
Jun 1 21:34:58 charon: 12[NET] <4> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (180 bytes)
Jun 1 21:34:58 charon: 12[IKE] <4> received retransmit of request with ID 0, retransmitting response
Jun 1 21:34:58 charon: 12[IKE] <4> received retransmit of request with ID 0, retransmitting response
Jun 1 21:34:58 charon: 12[NET] <4> received packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (668 bytes)
Jun 1 21:34:55 charon: 12[NET] <4> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (180 bytes)
Jun 1 21:34:55 charon: 12[ENC] <4> generating ID_PROT response 0 [ SA V V V V V ]
Jun 1 21:34:55 charon: 12[IKE] <4> xx.xx.xx.xx is initiating a Main Mode IKE_SA


8
General Questions / remote syslog
« on: February 02, 2015, 03:14:03 pm »
I'm seeing this in my remote syslog server since upgrade to 2.2:

FILTERLOG : 148,16777216,,100000101,em0_vlan3,ip-option,pass,in,4,0x0,,1,43293,0,none,2,igmp,32,192.168.50.31,224.0.0.252,datalength=8

Any ideas? It seems a default rule logging but I've disabled it in settings. However, it's only igmp.
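Added example, not code from the post or from pfSense: a parser for the pfSense 2.2 filterlog CSV format, so a line like the one quoted above can be read field by field (rule number, tracker, interface, pf reason, action, protocol, addresses) instead of by eye. The IGMP sample is the line from the post; the TCP line is constructed for this example.

```python
# Parser for pfSense filterlog lines (the 2.2+ CSV layout). Added example,
# not the project's own code.
from typing import Dict, List

# Leading fields shared by IPv4 and IPv6 entries.
HEADER = ("rulenr", "subrulenr", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ipver")
# Fields that follow the header for IPv4 and for IPv6 packets.
IPV4 = ("tos", "ecn", "ttl", "id", "offset", "flags",
        "proto_id", "proto", "length", "src", "dst")
IPV6 = ("class", "flowlabel", "hlim", "proto", "proto_id",
        "length", "src", "dst")

# The line quoted in the post above.
SAMPLE_IGMP = ("148,16777216,,100000101,em0_vlan3,ip-option,pass,in,4,0x0,,1,"
               "43293,0,none,2,igmp,32,192.168.50.31,224.0.0.252,datalength=8")
# Constructed TCP line (made up for this example) to show the port fields.
SAMPLE_TCP = ("5,16777216,,1422000001,em0,match,block,in,4,0x0,,64,4711,0,DF,6,"
              "tcp,60,203.0.113.9,192.168.50.10,51234,22,0,S,123456:123456,,65535,,mss")


def parse_filterlog(line: str) -> Dict[str, object]:
    """Split one filterlog line into named fields.

    Protocol-specific trailing fields are kept under 'extra'; for tcp/udp the
    first three of them are exposed as srcport, dstport and datalen.
    """
    parts = line.strip().split(",")
    rec: Dict[str, object] = dict(zip(HEADER, parts[:len(HEADER)]))
    rest = parts[len(HEADER):]
    layout = {"4": IPV4, "6": IPV6}.get(str(rec.get("ipver")))
    if layout is None:
        raise ValueError("unknown IP version in line: %r" % line)
    rec.update(zip(layout, rest[:len(layout)]))
    rest = rest[len(layout):]
    if rec.get("proto") in ("tcp", "udp") and len(rest) >= 3:
        rec["srcport"], rec["dstport"], rec["datalen"] = rest[:3]
        rest = rest[3:]
    rec["extra"] = rest
    return rec


def summarize(rec: Dict[str, object]) -> str:
    """One-line description of why and where the packet was logged."""
    ports = ""
    if "srcport" in rec:
        ports = " ports %s->%s" % (rec["srcport"], rec["dstport"])
    return "%s %s on %s (reason %s, rule %s, tracker %s): %s %s -> %s%s" % (
        rec["action"], rec["direction"], rec["interface"], rec["reason"],
        rec["rulenr"], rec["tracker"], rec["proto"], rec["src"], rec["dst"], ports)


def logged_by_reason(lines: List[str], reason: str) -> List[Dict[str, object]]:
    """Keep only the records whose pf reason field matches (e.g. 'ip-option')."""
    return [r for r in map(parse_filterlog, lines) if r["reason"] == reason]
```

Running `summarize(parse_filterlog(SAMPLE_IGMP))` shows the reason and tracker fields that tell you which rule produced the entry, which is the first thing to check when an entry appears despite logging being disabled for the default rules.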

9
2.2 Snapshot Feedback and Problems - RETIRED / IPSec questions
« on: December 04, 2014, 11:51:46 am »
I'm having problems with IPSec iphone clients not resolving internal names in the network.

This is the layout:

iphone-> IPSec-> firewall -> internal LAN.

I can access internet while connected to ipsec vpn, but can't connect to any machine in lan using names, only with ip.

Another thing I've noticed is that the ip of my client is always /32, even if the configuration says /29 or /24.

IPSec config is normal with mutual rsa + Xauth.


2.2-BETA (amd64)
built on Thu Dec 04 07:06:21 CST 2014
FreeBSD 10.1-RELEASE

10
2.2 Snapshot Feedback and Problems - RETIRED / NTP questions
« on: December 02, 2014, 06:14:21 pm »
Please bear with me if I say something stupid.

I was trying to check some things in ntp and I found this:

using ntpd command in my Mac, then doing "host 192.168.50.1", I can do lpeers, lopeers or cv to my host. My network is like this:

modem -> pfsense -> lan (192.168.50.1)
                             -> vlan1 (10.1.2.1)
                             -> vlan2 (10.1.3.1)

If I have ntp service in pfsense configured to listen on lan, vlan1 and vlan2, this is what lopeers outputs in the mac that is connected to lan:

ntpq> lopeers
     remote           local      st t when poll reach   delay   offset    disp
==============================================================================
 GPS_NMEA(0)     127.0.0.1        0 l    -   16    0    0.000    0.000 15937.5
+ntp1.rrze.uni-e 10.1.3.1         1 u   40   64    1   82.664   33.731 187.528
*i2t15.i2t.ehu.e 10.1.3.1         1 u   39   64    1   59.477   33.190 187.529
-ntp.ring.nlnog. 10.1.3.1         1 u   38   64    1   73.991   27.088 187.532
+ntp1.nl.uu.net  10.1.3.1         1 u   37   64    1   64.211   33.186 187.530
-rackety.udel.ed 10.1.3.1         1 u   36   64    1  132.910   32.761 187.529

If I listen only in lan and vlan1:

ntpq> lopeers
     remote           local      st t when poll reach   delay   offset    disp
==============================================================================
 GPS_NMEA(0)     127.0.0.1        0 l   10   16    1    0.000  272.716 7937.75
+ntp1.rrze.uni-e 10.1.2.1         1 u   20   64    3   81.842   30.799  62.951
*i2t15.i2t.ehu.e 10.1.2.1         1 u   22   64    3   54.324   27.567  62.929
+ntp.ring.nlnog. 10.1.2.1         1 u   20   64    3   74.269   24.541  62.939
+ntp1.nl.uu.net  10.1.2.1         1 u   17   64    3   67.272   31.834  62.952
-rackety.udel.ed 10.1.2.1         1 u   16   64    3  130.222   31.014  62.951

and finally only listening on lan:

ntpq> lopeers
     remote           local      st t when poll reach   delay   offset    disp
==============================================================================
 GPS_NMEA(0)     127.0.0.1        0 l    -   16    0    0.000    0.000 15937.5
+ntp1.rrze.uni-e 192.168.50.1     1 u    2   64    1   82.293   70.035 187.528
*i2t15.i2t.ehu.e 192.168.50.1     1 u    1   64    1   59.697   70.217 187.529
-ntp.ring.nlnog. 192.168.50.1     1 u    2   64    1   74.359   64.158 437.529
+ntp1.nl.uu.net  192.168.50.1     1 u    1   64    1   64.685   69.777 437.527
-rackety.udel.ed 192.168.50.1     1 u    2   64    1  128.318   67.617 937.523

Shouldn't ntp service listen only in the lan interface? Mac is on lan. Why is pfsense routing thru other interfaces? I've tried to play with filter to see if it was some rule but it seems not to make a difference.

2.2-BETA (amd64)
built on Tue Dec 02 08:17:30 CST 2014
FreeBSD 10.1-RELEASE
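Added example, not code from the post or from pfSense: a parser for the `ntpq lopeers` listing quoted above that reports which local address ntpd is sourcing each peer exchange from, and flags any that are not among the addresses you expect (here assumed to be the lan address and loopback). The sample text is the first listing from the post; EXPECTED_LOCAL is an assumption for this example.

```python
# Parse `ntpq lopeers` output and check the 'local' column. Added example,
# not the project's own code.
from typing import Dict, List, Optional, Set

# First lopeers listing quoted in the post above.
LOPEERS_SAMPLE = """\
     remote           local      st t when poll reach   delay   offset    disp
==============================================================================
 GPS_NMEA(0)     127.0.0.1        0 l    -   16    0    0.000    0.000 15937.5
+ntp1.rrze.uni-e 10.1.3.1         1 u   40   64    1   82.664   33.731 187.528
*i2t15.i2t.ehu.e 10.1.3.1         1 u   39   64    1   59.477   33.190 187.529
-ntp.ring.nlnog. 10.1.3.1         1 u   38   64    1   73.991   27.088 187.532
+ntp1.nl.uu.net  10.1.3.1         1 u   37   64    1   64.211   33.186 187.530
-rackety.udel.ed 10.1.3.1         1 u   36   64    1  132.910   32.761 187.529
"""

# Addresses we expect in the 'local' column (assumption: lan address + loopback).
EXPECTED_LOCAL: Set[str] = {"192.168.50.1", "127.0.0.1"}

COLUMNS = ("remote", "local", "st", "t", "when", "poll",
           "reach", "delay", "offset", "disp")


def parse_lopeers(text: str) -> List[Dict[str, object]]:
    """Turn the lopeers listing into a list of peer records."""
    peers: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        tally, fields = line[0], line[1:].split()   # first char is the tally code
        if len(fields) != len(COLUMNS):
            continue   # prompt line, wrapped row or other non-peer text
        rec: Dict[str, object] = dict(zip(COLUMNS, fields))
        rec["tally"] = tally                  # '*' system peer, '+' candidate, '-' outlier
        rec["reach"] = int(str(rec["reach"]), 8)   # reach register is printed in octal
        rec["stratum"] = int(str(rec.pop("st")))
        peers.append(rec)
    return peers


def unexpected_local(peers: List[Dict[str, object]],
                     expected: Set[str] = EXPECTED_LOCAL) -> List[str]:
    """Remotes whose exchange is sourced from an address not in 'expected'."""
    return [str(p["remote"]) for p in peers if p["local"] not in expected]


def system_peer(peers: List[Dict[str, object]]) -> Optional[str]:
    """The peer ntpd is currently synchronised to (tally '*'), or None."""
    return next((str(p["remote"]) for p in peers if p["tally"] == "*"), None)
```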

11
General Discussion / NSA
« on: December 30, 2013, 04:09:46 am »
Have you read this news?

What do you think of pfsense? I know it's a different market but, could it happen to it also?

12
NAT / does this make sense?
« on: July 06, 2012, 04:46:31 am »
Hi all. I need help with this config, if you can. I have 1 pfsense with 2 wan. I have another pfsense connected to lan's first pfsense. I want to be able to make dmz on the second pfsense from wan 2. Can you help me out?

13
This is my report of pfsense. I work in a school and we have 400+ daily connected. This is my setup:

pfSense 2.0-BETA5 (amd64) built on Thu Jan 27 01:29:01 EST 2011
Squid 2.7.9_4
squidguard 1.3_1 pkg v.1.6

3GB of ddr2 ram
Pentium(R) Dual-Core CPU E5300 @ 2.60GHz
3 intel 1000/pro desktop nics


Mods:

for squid:

in /boot/loader.conf
kern.ipc.nmbclusters="32768"
kern.maxfiles="131070"
kern.maxfilesperproc="32768"
net.inet.ip.portrange.last="65535"

in cache manager options in gui, used null for hard disk cache and alternate dns 127.0.0.1

in squid.inc(usr/local/pkg):
dns_children 20

for squidguard:
Haven't changed anything. Stock config. Increasing redirect children only makes it worse. I have 3. Seems enough.

for firewall in advanced:

tunable                         description                                     value
net.inet.tcp.inflight.enable    Enable TCP Inflight mode                        0
net.inet.tcp.tso                TCP Offload Engine                              default (1)
hw.bce.tso_enable               TCP Offload Engine - BCE                        default ()
kern.ipc.maxsockbuf                                                             16777216
net.inet.tcp.rfc1323                                                            1
net.inet.tcp.sendbuf_max                                                        16777216
net.inet.tcp.recvbuf_max                                                        16777216
net.inet.tcp.sendbuf_auto       Send buffer autotuning enabled by default       1
net.inet.tcp.sendbuf_inc                                                        16384
net.inet.tcp.recvbuf_auto                                                       1
net.inet.tcp.recvbuf_inc                                                        524288
net.inet.tcp.hostcache.expire                                                   1
kern.ipc.somaxconn                                                              2048
net.inet.tcp.msl                default 30000                                   10000

I've followed this and this to make these changes.

My fibre optic is 60/20 mbit/s



14
Interface gives me this error after stalling under heavy load on fibre optic interface. I've searched solutions but they're too old or not working. I have to reboot for the interface to start working again. Any ideas?


Specs:

4 interfaces:

1- adsl 20/1 Mbits
1-optic fibre 100mbit/s
1- lan
1- vlan on lan


2.0-BETA4  (i386)
built on Wed Nov 3 02:54:06 EDT 2010
FreeBSD 8.1-RELEASE-p1

Intel(R) Core(TM)2 CPU 6420 @ 2.13GHz
1.5 GB ddr2
Sata disc 160 GB

Packages:

Lightsquid
OpenVPN Client Export Utility    Security
snort
squid
squidGuard
vnstat2

15
Firewalling / Strange logs...
« on: May 03, 2010, 05:30:14 am »
There's a thing I can't understand. I have rules to only allow traffic on ports 80,443 from lan to wan. Still, I have a lot of entries on the firewall log like those on the attached image. And I can't block them. Why are they passing thru the firewall?

Specs:
Version      1.2.3-RELEASE
built on Sun Dec 6 23:38:21 EST 2009
FreeBSD 7.2-RELEASE-p5 i386
Platform    pfSense
CPU Type    Intel(R) Pentium(R) 4 CPU 2.00GHz

packages:

Dashboard
OpenVPN Status    1.5
States Summary    0.5
imspector    0.8-9
phpSysInfo    2.5.4
rate    0.9
snort 2.8.5.3 pkg v. 1.24
vnstat 1.6.3


