Show Posts



Topics - DanC

1
Feedback / Error 500
« on: September 18, 2017, 02:07:17 pm »
I was attempting to post on the Official Hardware forum, and I received this error.  I attempted the post this morning, and then again this afternoon.  The error happened both times.  I was attempting to attach four images to the post.

2
General Questions / pfSense Notes for New Users
« on: June 19, 2017, 04:03:05 pm »
Community members,

I've been scouring the forums for the past few months, and I've taken note of some of the most common questions that have been asked by new members.  Hopefully some new users can get some useful information from this post!  Any edits, additions, comments, etc by some veteran members would be most welcome.

To Start

  • Purchase the pfSense Book.  It's a treasure trove of knowledge in a very intuitive package.  The answer to all your basic questions is in there.


Firewall

  • WAN net is not the internet. It is only the network your WAN interface is on.
  • "Any" would allow access to the internet, along with anything else.
  • Firewall rules are evaluated from top to bottom on the interface where the traffic enters pfSense. The first rule to trigger is the only one used. A "pass any" or "block any" rule will invalidate everything below it. This is not true for Floating rules, which are Last Match unless you have the "Quick" option checked. Floating rules are evaluated before interface rules.
  • pfSense is a stateful firewall. A "state" is created to allow incoming traffic to return to the client that requested it. If you create a new block rule that is not working, check your state table for existing states that would be allowing the traffic.
  • There is a hidden "Block ALL" rule at the bottom of all interfaces' firewall rule lists. This is logged by default as the default deny rule. There is also a hidden DHCP rule to allow DHCP when the DHCP server is enabled on an interface.
  • After adding a new interface, make sure you add a firewall rule to allow traffic. New interfaces (Opt, VPN, etc) by default have no rules associated with them.


Hardware

  • If you're building an appliance for your home, that Intel i7 you specced out is probably overkill.  There are much cheaper options, and a ton of forum threads with specs already made for your use case.
  • Don't put WiFi on your firewall. Spend a few dollars and get an access point. Or leverage your old wifi router as AP. An access point with vlan support will benefit you (if not now, it will in the future when you want to put different SSIDs on different vlans).
  • A router is not a switch.  Bridging interfaces is bad practice in most cases.  Very inexpensive managed and unmanaged switches are available!

Packages

  • Don't immediately install packages as soon as you boot up.  Get your network running properly first.  This will save you a bunch of troubleshooting headaches.

General Tips

  • If your settings are correct, it's probably not pfSense that's causing your issue. Double check your settings!


Requesting Help

  • If you want to ask a question about settings on the forums, make sure you post the settings you're using.  Screenshots go a long way.  Obfuscate your public IPs if applicable.  Give the people spending their time to help you as much information as possible.

3
Firewalling / VoIP only fixed by resetting state table
« on: February 24, 2017, 02:53:04 pm »
Hey community:

I have a problem that occurs quite frequently, but I'm unable to troubleshoot the root cause.  Maybe someone else can point me in the right direction.

I have 6 UniFi Pro phones, UniFi VoIP controller, Elastix PBX, SIP trunk from Flowroute, and pfSense for routing/firewall (All my variables).

Occasionally, I'll pick up a phone and get "All circuits are busy now" after dialing a number.  This goes away after resetting my state tables in pfSense.  I've tried other ways to resolve this by rebooting everything, updates, etc.

I do have Multi WAN, failover to a DSL line if our fiber connection goes down.  It might be possible it's breaking when that goes down.  My fiber provider has been doing some maintenance the last few weekends.  Let me know if there's any further info required.

Thanks in advance,

Dan

4
Firewalling / Least intrusive rules for Tenants
« on: February 03, 2017, 12:42:20 pm »
I have a /27 block routed to a /30 from my ISP.  I've broken up that /27 into 4x /29 blocks.  From there, I've assigned these to 4 tenants in my building.  (Hybrid NAT, no NAT on these subnets)

On each of these vlans, I've created a rule set that follows this mold:

X.X.X.136/29

Pass DNS
Pass ICMP echoreq to X.X.X.137
Reject all traffic to X.X.X.137
Pass all traffic to X.X.X.136/29
Reject all traffic to This Firewall
Reject all traffic to LAN net
Reject all traffic to /27 block and /30 via alias.
Pass all traffic

I think these rules are okay - not sure if this is too Tin Foil Hat.  Maybe someone with more experience than me can review those.  This assumes the tenant is going to have their own router/firewall behind pfSense.

The big question I have is my WAN side.  What kind of rules should I have in place so I don't impact any services they may be running?  Are rules on WAN even necessary for this setup?  I'd hate for them to be attempting an OpenVPN connection and have my WAN block that from working.

Thanks so much for any advice.  If critical information is missing, I'll be glad to provide it.

Dan
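The rule-ordering points from the "pfSense Notes for New Users" post above (first match with "Quick" on interface tabs, last match for Floating rules without it, the hidden default deny) and the tenant rule set in this post can both be checked against a small model. The Python below is an added example, not DanC's configuration and not pfSense code: it models only destination address, protocol and destination port, the addresses (203.0.113.136/29 as the tenant's /29, 203.0.113.137 as the pfSense VLAN address, 203.0.113.128/27 and 198.51.100.64/30 as the routed /27 and WAN /30, 192.168.1.0/24 as LAN net) are constructed RFC 5737 and private stand-ins for the X.X.X values, and the contents of the "This Firewall" alias are assumed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def nets(*cidrs: str) -> List[IPv4Network]:
    """Build an alias (list of networks) from CIDR strings; bare hosts become /32."""
    return [ip_network(c) for c in cidrs]

@dataclass
class Rule:
    action: str                   # "pass", "block" or "reject"
    label: str
    dst: List[IPv4Network] = field(default_factory=lambda: nets("0.0.0.0/0"))
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None    # destination port; None matches any port
    floating: bool = False        # floating rules sit above every interface tab
    quick: bool = True            # interface-tab rules always carry "quick" in pfSense

@dataclass
class Packet:
    dst: str
    proto: str = "tcp"
    port: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return (any(ip_address(pkt.dst) in n for n in rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.port is None or rule.port == pkt.port))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet.
    pf walks floating rules first, then the interface's own rules, top to
    bottom.  A match with "quick" ends evaluation at once; a match without
    it is only remembered and a later match overrides it (last match wins).
    No match at all means the hidden default-deny rule drops the packet."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    winner: Optional[Rule] = None
    for rule in ordered:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return ("block", "hidden default deny") if winner is None else (winner.action, winner.label)

def notes_examples() -> Dict[str, Tuple[str, str]]:
    """The ordering points from the "Notes for New Users" post, in the model."""
    smb = Packet("8.8.8.8", "tcp", 445)
    block_smb = dict(proto="tcp", port=445)
    # An interface-tab "pass any" shadows every rule below it.
    pass_first = [Rule("pass", "pass any"), Rule("block", "block smb", **block_smb)]
    # A floating block without "quick" is last-match: the later interface pass wins.
    float_soft = [Rule("block", "floating block smb", floating=True, quick=False, **block_smb),
                  Rule("pass", "lan pass any")]
    # The same floating block with "quick" decides immediately.
    float_quick = [Rule("block", "floating block smb quick", floating=True, **block_smb),
                   Rule("pass", "lan pass any")]
    return {
        "pass_any_shadows": evaluate(pass_first, smb),
        "floating_last_match": evaluate(float_soft, smb),
        "floating_quick": evaluate(float_quick, smb),
        "new_interface_no_rules": evaluate([], smb),   # nothing but the hidden block all
    }

# Constructed RFC 5737 addresses standing in for the X.X.X values in the post.
TENANT_NET = "203.0.113.136/29"                                  # this tenant's /29
TENANT_GW = "203.0.113.137"                                      # pfSense's IP on the tenant VLAN
ISP_BLOCKS = nets("203.0.113.128/27", "198.51.100.64/30")        # alias: routed /27 and WAN /30
LAN_NET = nets("192.168.1.0/24")
THIS_FIREWALL = nets(TENANT_GW, "192.168.1.1", "198.51.100.66")  # assumed: every address pfSense holds
TENANT_RULES = [
    Rule("pass", "pass dns", proto="udp", port=53),
    Rule("pass", "pass icmp to gateway", nets(TENANT_GW), proto="icmp"),
    Rule("reject", "reject gateway", nets(TENANT_GW)),
    Rule("pass", "pass own /29", nets(TENANT_NET)),
    Rule("reject", "reject this firewall", THIS_FIREWALL),
    Rule("reject", "reject lan net", LAN_NET),
    Rule("reject", "reject isp blocks", ISP_BLOCKS),
    Rule("pass", "pass all"),
]

def tenant_examples() -> Dict[str, Tuple[str, str]]:
    """Representative tenant traffic run through the rule set above."""
    probes = {
        "internet": Packet("8.8.8.8", "tcp", 443),
        "dns_to_gateway": Packet(TENANT_GW, "udp", 53),
        "ping_gateway": Packet(TENANT_GW, "icmp"),
        "webgui_on_gateway": Packet(TENANT_GW, "tcp", 443),
        "firewall_lan_address": Packet("192.168.1.1", "tcp", 22),
        "lan_host": Packet("192.168.1.50", "tcp", 445),
        "other_tenant": Packet("203.0.113.145", "tcp", 80),
        "same_subnet": Packet("203.0.113.139", "tcp", 80),
    }
    return {name: evaluate(TENANT_RULES, pkt) for name, pkt in probes.items()}

if __name__ == "__main__":
    for name, (action, label) in {**notes_examples(), **tenant_examples()}.items():
        print(f"{name:22} -> {action:6} ({label})")
```

Running it shows the rule set doing what the post intends: DNS and ping reach the tenant's gateway, anything else aimed at a pfSense address or at LAN net is rejected, traffic to the other tenants' /29s inside the /27 is rejected by the alias rule, and everything else falls through to the final "pass all". The one thing the model cannot show is the stateful part of the notes: an existing state lets reply traffic through regardless of the rule order modelled here.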

5
Routing and Multi WAN / Routed Subnet - Need Advice
« on: September 01, 2016, 03:30:15 pm »
This is for supplying internet to a multi-tenant office building.  I am not a networking expert by any means, so be gentle!

I have a /30 IP Block from my ISP that's routed to a /27.  I'd like to break that /27 into multiple /30's.  I am not sure that this is possible, and if it is - I'm not sure my approach is the correct one (let alone best practice).

ISP provides me with x.x.x.64/30 and y.y.y.128/27 routed to it.


Setup WAN IP Block on pfSense x.x.x.64/30

Create VLAN 101 - Set Static IP y.y.y.128/30

Create VLAN 102 - Set Static IP y.y.y.132/30

etc... y.y.y.156/30


Hybrid NAT - Disable NAT on WAN with source of all newly created /30 subnets.

Setup switch accordingly with these VLANs.

Firewall for each VLAN - Reject all to LAN, Allow all other traffic (all traffic should be behind another connected firewall of the Tenant's responsibility).


So my question is - Can I actually break up the subnet like this, or will it not work as intended?

My first thought was to set the whole /27 block to one internal network, but I'd have no way to regulate who's using what IP without reservations.  If a tenant had to replace their gateway, they'd have no internet until I can grant access to their new MAC address - not exactly a good solution.  This process kills a bunch of IP addresses, so I'm not too keen on this either.  Anyone have any insight into what's the best solution?

Thanks in advance!
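To see what cutting the routed /27 into per-tenant /30s (this post) or into 4x /29 (the "Least intrusive rules for Tenants" post above) actually leaves each tenant, here is an added Python example using the standard ipaddress module. It is not DanC's setup and not pfSense code; 203.0.113.128/27 is a constructed RFC 5737 stand-in for y.y.y.128/27, VLAN numbering from 101 follows the post, and the convention that pfSense holds the first host address of each subnet is an assumption.

```python
from ipaddress import ip_network
from typing import Dict, List

# Constructed RFC 5737 block standing in for y.y.y.128/27 in the post.
ROUTED_BLOCK = "203.0.113.128/27"


def plan_tenants(routed_block: str, prefix: int, first_vlan: int = 101) -> List[Dict]:
    """Cut routed_block into /prefix subnets, one VLAN per subnet.

    Assumed convention: pfSense takes the first host address of each subnet as
    the VLAN's static IP (the tenant's default gateway); whatever host addresses
    remain are the tenant's.  Network and broadcast addresses cannot be assigned
    at all, so a /30 (four addresses) leaves exactly one usable address per tenant.
    """
    block = ip_network(routed_block)
    if prefix < block.prefixlen:
        raise ValueError("tenant prefix must be at least as long as the routed block")
    plans = []
    for i, subnet in enumerate(block.subnets(new_prefix=prefix)):
        hosts = list(subnet.hosts())
        plans.append({
            "vlan": first_vlan + i,
            "subnet": str(subnet),
            "gateway": str(hosts[0]),                       # pfSense VLAN interface IP
            "tenant_usable": [str(h) for h in hosts[1:]],   # what the tenant may use
        })
    return plans


def usable_summary(routed_block: str, prefix: int) -> Dict[str, int]:
    """How many public addresses survive the split, and how many are overhead."""
    plans = plan_tenants(routed_block, prefix)
    total_usable = sum(len(p["tenant_usable"]) for p in plans)
    return {
        "tenants": len(plans),
        "usable_per_tenant": len(plans[0]["tenant_usable"]),
        "total_usable": total_usable,
        "overhead": ip_network(routed_block).num_addresses - total_usable,
    }


def no_nat_sources(routed_block: str, prefix: int) -> List[str]:
    """Source networks for the hybrid-NAT 'do not NAT' outbound rule on WAN, so
    each tenant subnet keeps its public addresses end to end."""
    return [p["subnet"] for p in plan_tenants(routed_block, prefix)]


if __name__ == "__main__":
    for prefix in (30, 29):
        print(f"/{prefix} per tenant: {usable_summary(ROUTED_BLOCK, prefix)}")
        for p in plan_tenants(ROUTED_BLOCK, prefix):
            print(f"  VLAN {p['vlan']}: {p['subnet']} gw {p['gateway']} tenant {p['tenant_usable']}")
```

With /30s the /27 yields eight VLANs ending at 203.0.113.156/30, matching the "etc... y.y.y.156/30" in the post, but only eight tenant-usable addresses out of thirty-two; with /29s it yields four VLANs with five usable addresses each. The no_nat_sources list is the set of source networks to exempt from outbound NAT in hybrid mode so the tenants' public addresses are routed rather than translated.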

6
General Questions / Pass Public IPs to Tenants
« on: March 14, 2016, 01:46:01 pm »
Hello pfSense community; I hope there's some light at the end of this dark tunnel.  Here's my scenario:

Our company owns a 12 story building with a gigabit fiber connection.  We want to function as the building's ISP, essentially just reselling our connection.  We have a /27 CIDR block:

x.x.x.128 subnet
x.x.x.129 gateway
x.x.x.130 pfsense
x.x.x.131-157 usable (to assign in smaller blocks)

I have a server for pfSense (that's likely overkill) and several Ubiquiti UniFi switches.

My initial thought was to set up 12 VLANs and 1:1 NAT public IPs (VIPs) to each VLAN.

Public              Private (VLAN)       Tag
x.x.x.131         172.x.101.1          101   (Floor 1)
x.x.x.132         172.x.101.2          101   (Floor 1)
x.x.x.133         172.x.102.1          102   (Floor 2)
x.x.x.134         172.x.102.2          102   (Floor 2)
etc..

The issue I'm going to run into is if the tenants have their own router and VoIP or hosting behind it.  Our company is also in the building, and this scenario affects us too.

I'd rather route these Public IPs on the VLANs with no NAT.  I've read plenty of forum posts about this being the correct solution, but very little substance about how to execute this task.  If there's another approach to solving this issue, I'm eager to learn even if my whole approach is incorrect.

Thanks in advance
