
Topics - cpk

I have a pfSense firewall with 2 WAN ports.  Our main WAN is a slow but reliable bonded T1.  Our other WAN is a fast but unreliable cable service.  Our default route uses our main WAN, as does all of our inbound traffic (SMTP, HTTPS, DNS, etc.). I use pfSense 2.4.2-RELEASE-p1 (amd64) running on Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz.  I'm using firewall rules with gateway groups to route standard user traffic (HTTP, HTTPS, and misc. others) to the faster WAN.

A recent cable update gives us 200Mbps (download) network.  Typical (Speakeasy) speed test over the firewall shows 50-75Mbit download speeds while the same test connected directly to the cable modem shows 200Mbit download speeds.

I found that if I have a firewall rule with "advanced options: gateway" set, the throughput speeds are significantly different.  The following tests were done with two machines and one firewall, and had only 1 rule changed.  The tests were run multiple times to be sure that the results were reproducible.

With a rule allowing traffic with no gateway specified, the test download/upload speeds were 960/820 Mbps.
With the same rule modified to specify a gateway (the same gateway that was used anyway, so this was redundant), the download/upload speeds changed to 390/40 Mbps.

Can anyone suggest why this happens or what I'm doing wrong that could be causing this discrepancy?

Routing and Multi WAN / Error Sending Email: Network is unreachable
« on: April 14, 2015, 02:54:13 pm »
Every so often, my email server complains that email can't be sent:
 ... server postfix/smtp ... dsn=4.4.1, status=deferred (connect to ... Network is unreachable)

When this happens, if I reboot my pfSense system and flush my email queue, the messages are delivered almost instantly.

I've searched this forum for similar problems, but I have not been able to find problems similar to mine.  Can someone give some advice on how to diagnose this problem?

Routing and Multi WAN / Slow traffic when gateway rule is configured.
« on: July 15, 2014, 02:56:56 pm »
I have the latest pfSense installed with two Internet connections (T1 & Cable).  Because our cable is unreliable, our default route is our T1.  To get better speed, I set up a Gateway Group named "Load_Balanced" that prefers the Cable gateway and includes the T1 gateway.  I added a Rule so that traffic destined to the Internet via ports 80 or 443 are routed through the Load_Balanced gateway.

This has worked well since January.  Recently (I can't tell when), the Internet connection slowed to a crawl, so I did some testing.  Here's what I found:

I'm testing network speed using a web browser and a utility from  I have the web server connected to a network switch on our Cable WAN network (along with our cable modem).  With no specific rules, I can connect to this server and get 80-90 Mbps download speed.  *BUT* when I add a rule that tells my traffic (by specific port destination or by source IP address) to use that network (by setting a gateway for that rule), my download speed drops to about 10 Mbps.

I'm looking for ideas on how to further troubleshoot this problem, and I'm looking for anyone else who's experienced significant slowdown of Internet speed after updating pfSense so we can compare configurations.

NAT / Adding another 1:1 NAT address doesn't work for me.
« on: February 22, 2012, 11:31:34 am »
I've configured inbound services on separate IP's, and all is working well.  The outside of my firewall is a single Ethernet adapter connected to my ISP's router.  On that adapter, I have the following virtual IP addresses:

.3, .4, .5, .6, .8, .9, .10, .15, .18

These are used for DNS servers, mail servers, web servers, etc.  All except the last two have worked fine for months.  Yesterday, I added .15 for a test web server without issues.  Today, I tried to add .18 for another test web server, and I can't get it to work.

I captured a network trace while testing a connection from the WAN network (.254) to the .18 web server (I've removed the actual IP address range):

11:28:25.564474 ARP, Request who-has (00:00:00:00:04:43 (oui Ethernet)) tell, length 46
11:28:25.826951 ARP, Request who-has (00:00:00:00:04:43 (oui Ethernet)) tell, length 46
11:28:26.793076 ARP, Request who-has (00:00:00:00:04:43 (oui Ethernet)) tell, length 46
11:28:27.793730 ARP, Request who-has (6f:6d:00:00:01:00 (oui Unknown)) tell, length 46
11:28:28.796194 ARP, Request who-has (6f:6d:00:00:01:00 (oui Unknown)) tell, length 46

From what I can tell, this shows me that the firewall computer isn't responding to the IP address, as if the card doesn't have that address assigned to it.

Could it be that I can't assign more than 8 addresses for the WAN port to listen on?
Does anyone have any suggestions for the troubleshooting next step?

I'm new here, so I'd also like to hear advice on what I should and shouldn't do if I've made mistakes.
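The trace in the post above is the classic symptom of a virtual IP that nobody answers for: repeated "who-has" requests and no "is-at" reply. The following script is an added example (not the poster's code and not part of pfSense) that reads tcpdump's default text rendering of ARP traffic and reports, per target address, how many requests were seen and whether any reply followed. It also flags the opposite failure mode, a target answered by more than one MAC, which goes slightly beyond the post but is the other thing to check when a new VIP misbehaves. The capture lines are constructed (addresses in 192.0.2.0/24) and the regular expressions assume tcpdump's usual "who-has X (hwaddr) tell Y" / "X is-at hwaddr" wording; adjust them if your tcpdump version prints differently.

```python
"""Find ARP requests in a tcpdump text capture that never get a reply.

Added illustration for the 1:1 NAT / virtual IP post; not the poster's code.
Input is the text tcpdump prints for ARP without -e, e.g.:
  11:28:25.564474 ARP, Request who-has 192.0.2.18 (00:00:00:00:04:43 (oui Ethernet)) tell 192.0.2.254, length 46
  11:28:26.101530 ARP, Reply 192.0.2.15 is-at 00:0c:29:3a:5b:7c (oui Unknown), length 28
"""
import re
from collections import defaultdict

# Optional "(<hwaddr> (oui ...))" after the target; lazy match copes with the nested parens.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has (?P<target>[0-9.]+)"
    r"(?: \(.*?\))? tell (?P<sender>[0-9.]+), length \d+$"
)
REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<target>[0-9.]+) is-at "
    r"(?P<hw>[0-9a-fA-F:]{17})"
)

# Constructed sample capture: .18 is asked for three times and never answered,
# .15 is answered once, and .1 is answered by two different MACs.
SAMPLE_CAPTURE = """\
11:28:25.564474 ARP, Request who-has 192.0.2.18 (00:00:00:00:04:43 (oui Ethernet)) tell 192.0.2.254, length 46
11:28:25.826951 ARP, Request who-has 192.0.2.18 (00:00:00:00:04:43 (oui Ethernet)) tell 192.0.2.254, length 46
11:28:26.101220 ARP, Request who-has 192.0.2.15 tell 192.0.2.254, length 46
11:28:26.101530 ARP, Reply 192.0.2.15 is-at 00:0c:29:3a:5b:7c (oui Unknown), length 28
11:28:26.793076 ARP, Request who-has 192.0.2.18 (6f:6d:00:00:01:00 (oui Unknown)) tell 192.0.2.254, length 46
11:28:27.004000 ARP, Request who-has 192.0.2.1 tell 192.0.2.254, length 46
11:28:27.004300 ARP, Reply 192.0.2.1 is-at 00:1b:21:aa:bb:cc (oui Unknown), length 28
11:28:27.004400 ARP, Reply 192.0.2.1 is-at 00:0c:29:3a:5b:7c (oui Unknown), length 28
""".splitlines()


def parse_arp_capture(lines):
    """Return {target_ip: {"requests": n, "replies": n, "hw": set, "askers": set}}."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "hw": set(), "askers": set()})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            s = stats[m["target"]]
            s["requests"] += 1
            s["askers"].add(m["sender"])
            continue
        m = REPLY_RE.match(line)
        if m:
            s = stats[m["target"]]
            s["replies"] += 1
            s["hw"].add(m["hw"].lower())
    return dict(stats)


def unanswered_targets(lines):
    """Addresses that were asked for at least once and never answered."""
    stats = parse_arp_capture(lines)
    return sorted(t for t, s in stats.items() if s["requests"] and not s["replies"])


def conflicting_targets(lines):
    """Addresses answered by more than one MAC (duplicate address or VIP on two hosts)."""
    stats = parse_arp_capture(lines)
    return sorted(t for t, s in stats.items() if len(s["hw"]) > 1)


if __name__ == "__main__":
    for target, s in sorted(parse_arp_capture(SAMPLE_CAPTURE).items()):
        print(f"{target:15} requests={s['requests']} replies={s['replies']} "
              f"hw={sorted(s['hw']) or '-'} asked_by={sorted(s['askers'])}")
    print("unanswered:", unanswered_targets(SAMPLE_CAPTURE))
    print("conflicting:", conflicting_targets(SAMPLE_CAPTURE))
```

Feed it a real capture with `tcpdump -n -i <wan-if> arp | python3 arpcheck.py`-style piping (read `sys.stdin` instead of `SAMPLE_CAPTURE`). An address that shows up only under "unanswered" has not been bound to the interface at all, which is a pfSense configuration problem rather than an upstream one; an address under "conflicting" means something else on the WAN segment is claiming it.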

I'm switching ISPs:

My existing network is a class C subnet with internally hosted DNS, email, web, etc. using a simple packet-filtering Cisco router. (Network A)

My new network is a class C subnet where I will move the hosted servers behind a pfSense firewall and use NAT. (Network B)

My goal is to have little or no downtime when switching the DNS entry for my web server.

My first thought was to add an address to the web server (multi-homed) so that it would appear to exist on both networks at the same time.  In this way, it would answer queries for both networks and could be used that way until DNS was updated.  The problem here is that only one default route can exist on the server...

If the default route is for Network A, traffic to the server from Network B has already been NATed, so replies from the server would be from a private IP address and wouldn't be valid when/if they reached the client.

If the default route is for Network B, traffic to the server from Network A would need to be delivered without being modified (whether it's delivered using ISP A or ISP B shouldn't matter).  The first problem I've encountered is that a reply from the server is a response to a packet that wasn't seen by pfSense, so it's blocked.  I've tried to fix this by using a firewall rule where "State Type" is "none" (as documented in the pfSense ... Definitive Guide...), but that didn't seem to work (traffic was still blocked as shown in my firewall log).

Two specific questions I have:
    Is this a reasonable way to avoid web server downtime?
    Am I correct that pfSense can be configured for this scenario?


Firewalling / Monitoring traffic on new installation
« on: September 08, 2010, 08:56:01 pm »
I recently installed my first pfSense and configured NAT and the Firewall.  I'm monitoring the firewall log to see what traffic is blocked, and I'd like to watch that to determine if the traffic is expected or not.  Has there been any discussion (I could not find any) of blocked traffic and specifics on log entries?  If so, can you point me in that direction?

For example, I see many of these:
   Sep 8 20:44:30    WAN    UDP
   Sep 8 20:42:52    WAN    UDP

Since many of the source IP addresses are AKAMAI, I wonder if this is traffic I should be accepting.
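The question in the post above, whether a block entry is traffic you should have accepted, is usually answered by looking at three fields together: the protocol, the source and destination ports, and (for TCP) the flags. A packet from a CDN's port 80 or 443 carrying only ACK or FIN, or a UDP datagram from port 53 to a high port, is almost always a late reply to a connection whose state has already expired and needs no rule; a SYN or an unsolicited UDP datagram aimed at a low port is a probe. The script below is an added example (not the poster's code and not part of pfSense) that parses filterlog lines into those fields, applies that heuristic, and summarizes blocked inbound traffic on the WAN interface. The log lines are constructed and assumed to follow the CSV layout pfSense's filterlog has used since 2.2 (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 and TCP/UDP fields); check the field positions against your own filter.log before relying on them.

```python
"""Triage blocked packets in pfSense filterlog output.

Added illustration for the "Monitoring traffic on new installation" post; not
the poster's code and not part of pfSense. Field positions follow the filterlog
CSV layout (pfSense 2.2+), which is an assumption to verify locally.
"""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ filterlog(?:\[\d+\])?: (?P<csv>.*)$"
)
# Source ports whose late replies commonly show up as blocks after state expiry.
WELL_KNOWN_SOURCE_PORTS = {53, 80, 443, 123}

# Constructed sample: two late replies from a CDN-like host, two SYN probes
# from one scanner, one SIP scan, and one passed outbound line that must be ignored.
SAMPLE_LINES = """\
Sep  8 20:44:30 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,0,0,DF,17,udp,76,203.0.113.10,198.51.100.2,53,52417,56
Sep  8 20:42:52 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,0,0,DF,6,tcp,40,203.0.113.10,198.51.100.2,80,49321,0,A,,,65535,,
Sep  8 20:45:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,44,0,0,none,6,tcp,60,198.51.100.77,198.51.100.2,42001,22,0,S,123456789,,65535,,mss
Sep  8 20:45:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,44,0,0,none,6,tcp,60,198.51.100.77,198.51.100.2,42002,3389,0,S,123456790,,65535,,mss
Sep  8 20:46:10 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,119,0,0,none,17,udp,90,192.0.2.200,198.51.100.2,5060,5060,62
Sep  8 20:46:11 pfSense filterlog: 100,,,1000000110,em1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,10.0.0.5,203.0.113.10,51000,443,0,S,987654321,,65535,,mss
""".splitlines()


def parse_filterlog(line):
    """Split one syslog line into a dict; returns None for non-filterlog lines."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    f = m["csv"].split(",")
    if len(f) < 9:
        return None
    entry = {"ts": m["ts"], "rule": f[0], "interface": f[4],
             "action": f[6], "direction": f[7], "ipver": f[8]}
    if entry["ipver"] != "4" or len(f) < 20:
        return entry  # IPv6 layout differs and is not handled here
    entry.update({"proto": f[16], "src": f[18], "dst": f[19]})
    rest = f[20:]  # TCP: sport,dport,datalen,flags,seq,ack,win,urg,opts  UDP: sport,dport,datalen
    if entry["proto"] in ("tcp", "udp") and len(rest) >= 2:
        entry["sport"], entry["dport"] = int(rest[0]), int(rest[1])
    if entry["proto"] == "tcp" and len(rest) >= 4:
        entry["tcpflags"] = rest[3]
    return entry


def classify(e):
    """Heuristic label for a blocked packet (an assumption, not a pfSense category)."""
    if e.get("action") != "block":
        return "not-a-block"
    proto, sport, dport = e.get("proto"), e.get("sport"), e.get("dport")
    flags = e.get("tcpflags", "")
    if proto == "tcp" and "S" in flags and "A" not in flags:
        return "new-connection-attempt"          # SYN to us: scan or a service you forgot to open
    if proto == "tcp" and flags and "S" not in flags:
        return "out-of-state-tcp"                # ACK/FIN/RST with no state: expired session
    if proto == "udp" and sport in WELL_KNOWN_SOURCE_PORTS and dport is not None and dport >= 1024:
        return "late-reply-to-expired-state"     # e.g. DNS answer arriving after the state closed
    if proto == "udp":
        return "unsolicited-udp"
    return "other"


def summarize(lines, interface="em0"):
    """Count blocked inbound packets on `interface` by class and by (src, proto, dport)."""
    by_class, by_src = Counter(), Counter()
    for line in lines:
        e = parse_filterlog(line)
        if not e or e["action"] != "block" or e["direction"] != "in" or e["interface"] != interface:
            continue
        by_class[classify(e)] += 1
        by_src[(e.get("src"), e.get("proto"), e.get("dport"))] += 1
    return dict(by_class), dict(by_src)


if __name__ == "__main__":
    classes, sources = summarize(SAMPLE_LINES)
    print("by class:", classes)
    for (src, proto, dport), n in sorted(sources.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {proto:4} dport={dport:<6} blocked={n}")
```

Run it as `python3 triage.py < /var/log/filter.log` after swapping `SAMPLE_LINES` for `sys.stdin`, and pass the real WAN interface name (`em0` is assumed here). Entries in the two "expired state" classes from CDN ranges are the ones the post is asking about and need no rule; the "new-connection-attempt" and "unsolicited-udp" buckets are where a genuinely missing pass rule, or a scanner, will show up.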

