
Topics - JKnott

General Questions / Setting display columns
« on: February 19, 2018, 10:03:45 am »
When running netstat -r, I noticed that the IPv6 addresses have been truncated, apparently due to display limitations.  I assume this is because the terminal is configured to be 80 columns.  In Linux, it's possible to modify the settings in termcap to control the terminal behaviour, but I don't see anything different in FreeBSD.  Is there any way to configure the ssh consoles to use more than 80 columns?

DHCP and DNS / Unbelievable!!!
« on: November 29, 2017, 06:42:05 am »
I know this has nothing to do with pfSense, but what I'm currently experiencing is beyond belief.  I'm staying in a Travelodge Hotel, in Ottawa, Ontario.  One thing I noticed was how bad the Wifi service is.  While the bandwidth is a tolerable 1 - 2 Mb, the connection was dropping frequently.  This morning I fired up Wireshark and saw 2 bizarre things.  The first, less critical, was a 5 minute DHCP lease time.  But much worse, renewals are being NAK'd.  So, every 5 minutes, my connection has to restart from discovery, with a source address, get the 5 minute lease and then have to start again 5 minutes later.  Someone is clearly incompetent!

If renewal worked, I could live with a 5 minute lease.  If the lease time was a more reasonable few hours, I could live without the renewals, but having both issues means extremely poor service.

BTW, the company responsible for this mess is called Liveport.  I'm going to give them a piece of my mind.

General Questions / IGMP & pfSense
« on: November 09, 2017, 10:03:07 am »
I was just looking at IGMP proxy on pfSense.  One thing I noticed is that IPv6 networks seem to be supported, according to available prefix size.  But IGMP is an IPv4 only protocol.  On IPv6, group management is handled by ICMP.  Does this mean that pfSense handles IPv6 ICMP group management on the IGMP page?  Or is there some other method?

Installation and Upgrades / Poor performance with 2.4.1
« on: October 30, 2017, 05:45:12 am »
Yesterday, after I updated to 2.4.1, I noticed web sites took a lot longer to load.  I ran and got only about 14 Mb down, when I normally get mid 70s.  Upload was unaffected at the normal about 11 Mb.  I rebooted both pfSense and cable modem and now speedtest download is normal, but the web sites are still slow to load.  For example, when I reload the page for this site in the Chrome browser, it normally happens so fast I have to watch closely to verify it actually reloaded.  Now it takes a few seconds.  Firefox is sluggish too.

Has anyone else noticed this?

OpenVPN / Connect to OpenVPN with openSUSE
« on: October 06, 2017, 04:59:47 pm »
I'm running openSUSE 42.3 and am trying to get it to connect to OpenVPN on my pfSense firewall, using the KDE network manager.  I've found bits of info for other distros, but can't seem to get it to work.  It does work with Windows.  Any suggestions?

tnx jk

General Questions / Ethernet frame size
« on: September 25, 2017, 11:38:20 am »
In another thread, there was some discussion of Ethernet frame size and the ability of non-VLAN equipment to pass VLAN frames.  There is an update to the 802.3 standard, in 2006, 802.3as about "Envelope expansion".  This was intended to accommodate the additions to Ethernet, such as VLAN tags, among others.

Here's some info:
Envelope Prefix and Suffix

As networks grew in complexity and features, the IEEE received requests for more tags to achieve new goals. The VLAN tag provided space for a VLAN ID and Class of Service (CoS) bits, but vendors and standards groups wanted to add extra tags to support new bridging features and other schemes.

To accommodate these requests, the 802.3 standards engineers defined an “envelope frame,” which adds an extra 482 bytes to the maximum frame size. The envelope frame was specified in the 802.3as supplement to the standard, adopted in 2006. In another change, the tag data was added to the data field to produce a MAC Client Data field. Because the MAC client data field includes the tagging fields, it may seem like the frame size definition has changed, but in fact this is just a way of referring to the combination of tag data and the data field for the purpose of defining the envelope frame.

The 802.3as supplement modified the standard to state that an Ethernet implementation should support at least one of three maximum MAC client data field sizes. The data field size continues to be defined as 46 to 1,500 bytes, but to that is added the tagging information to create the MAC client data field, resulting in the following MAC client data field sizes:

    1,500-byte “basic frames” (no tagging information)
    1,982-byte “envelope frames” (1,500-byte data field plus 482 bytes for all tags)
    1,504-byte “Q-tagged frames” (1,500-byte data field plus 4-byte tag)

And, from
Last week the 802.3as task force decided on a length of 2,000 bytes as the new maximum envelope frame size, up from the current standard of a maximum of 1,518 bytes. The additional space would be used for header and trailer information.

The specification would warn that some standards-compliant implementations might not be able to handle anything longer than 1,518 bytes.

So, frames larger than 1518 bytes are part of the spec and have been since 2006.  Please note, this does not refer to jumbo frames, which can be 9K bytes or more, but are not IEEE spec.

General Discussion / "Fanboy" series - IPv6 and NATs - YouTube
« on: September 17, 2017, 01:45:45 pm »
A humorous argument for IPv6 and against NAT.  :D

IPv6 / ULA address only?
« on: August 25, 2017, 02:48:05 pm »
Is there any way to configure pfSense so that a network gets only ULA addresses?  I tried changing IPv6 Configuration Type from Tracking to SLAAC, but devices on the network still get global addresses, as well as ULA.

DHCP and DNS / DHCPv6 but no client address?
« on: July 17, 2017, 09:43:53 am »
Is it possible to enable the DHCPv6 server, without handing out client addresses?  My understanding is that with SLAAC, there is no need for a DHCPv6 server to provide addresses, but is often used for other purposes, such as NTP server address etc.  How is this done in pfSense?

tnx jk

IPv6 / Unique Local Addresses?
« on: July 03, 2017, 01:41:40 pm »
Is there any way to get pfSense to provide SLAAC addresses in the ULA FC00::/7 range, in addition to the usual prefix?

IPv6 / Local Network Protection for IPv6
« on: July 03, 2017, 11:21:28 am »
Since some people seem to think NAT on IPv6 is a good idea, I'm linking to this RFC to show why it's not.  NAT was created to get around the IPv4 address shortage, but causes other problems.  It should not be used on IPv6.

OpenVPN / OpenVPN client on Windows 10
« on: April 30, 2017, 04:01:44 pm »
I just installed the OpenVPN client on Windows 10 (64 bit).  While it installed OK, I don't see anything to indicate that it's running, other than when trying to start the GUI, I get a message that it's already running.  Should I see its address in ipconfig?  Should it appear in the Network and Sharing Center?  Is there anything else that shows it's running?

tnx jk

Firewalling / Curious host names
« on: February 23, 2017, 07:56:03 am »
My ISP provides host names based on the cable modem and firewall/router MAC addresses.  I have host names for both IPv4 & IPv6.  However, I have noticed something curious.  The IPv4 host name contains the MAC for the NIC connected to the WAN, but the IPv6 name contains the LAN MAC.

Any idea why this might be happening?  DHCP is used for IPv4 and DHCPv6 for IPv6 and I have a /56 prefix.

IPsec / IPSec & Android devices
« on: January 31, 2017, 09:46:30 pm »
Is there documentation anywhere on setting up IPSec with Android devices?  In trying to set up a VPN, I seem to be finding conflicts between what's required on the pfSense end, compared to the Android end.

tnx jk
