Show Posts


Topics - curtisgrice

1
DHCP and DNS / BIND DNS not returning records.
« on: January 02, 2018, 12:05:42 pm »
Ok so I'm trying to use BIND for my DNS and it WAS working great but now it's not... When querying a host FQDN I see the following in Wireshark:

Code:
1 0.000000 192.168.1.240 192.168.1.1 DNS 79 Standard query 0xb0a3 A FreeNAS.rack.center
2 0.000565 192.168.1.1 192.168.1.240 DNS 137 Standard query response 0xb0a3 No such name A FreeNAS.rack.center SOA 192.168.1.1

Here is my zone file:
Code:
$TTL 120M
;
$ORIGIN rack.center.

; Database file rack.center.DB for rack.center zone.
; Do not edit this file!!!
; Zone version 2449940602
;
rack.center. IN  SOA 192.168.1.1. zonemaster.rack.center. (
2449940602 ; serial
1d ; refresh
2h ; retry
4w ; expire
1h ; default_ttl
)

;
; Zone Records
;
@ IN NS 192.168.1.1.
@ IN A 192.168.1.1
pfSense IN A  192.168.1.1
Switch IN A  192.168.99.2
FreeNAS IN A  192.168.1.5
UniFi IN A  192.168.1.3
Plex IN A  192.168.1.6
Transmission IN A  192.168.1.7
Minecraft IN A  192.168.1.20
VCSA IN A  192.168.99.99
ESXi01 IN A  192.168.99.101
VROMA IN A  192.168.99.100
DC01 IN A  192.168.1.5


;
;custom zone records
;
_ldap._tcp SRV 0 0 389 DC01
_kerberos._tcp.rack SRV 0 0 88 DC01
_ldap._tcp.dc._msdcs SRV 0 0 389 DC01
_kerberos._tcp.dc._msdcs SRV 0 0 88 DC01
_kerberos._tcp.dc._msdcs SRV 0 0 3268 DC01

And the log file of BIND loading:
Code:
Jan 2 12:01:59 named 48149 command channel listening on 127.0.0.1#953
Jan 2 12:01:59 named 48149 setsockopt(28, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: EMPTY.AS112.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: B.E.F.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: A.E.F.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 9.E.F.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 8.E.F.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: D.F.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 255.255.255.255.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 113.0.203.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 100.51.198.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 2.0.192.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 254.169.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 127.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 0.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 127.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 126.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 125.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 124.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 123.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 122.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 121.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 120.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 119.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 118.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 117.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 116.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 115.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 114.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 113.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 112.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 111.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 110.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 109.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 108.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 107.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 106.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 105.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 104.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 103.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 102.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 101.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 100.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 99.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 98.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 97.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 96.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 95.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 94.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 93.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 92.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 91.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 90.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 89.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 88.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 87.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 86.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 85.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 84.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 83.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 82.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 81.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 80.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 79.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 78.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 77.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 76.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 75.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 74.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 73.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 72.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 71.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 70.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 69.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 68.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 67.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 66.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 65.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 64.100.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 168.192.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 31.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 30.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 29.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 28.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 27.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 26.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 25.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 24.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 23.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 22.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 21.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 20.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 19.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 18.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 17.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 16.172.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 automatic empty zone: view Internal: 10.IN-ADDR.ARPA
Jan 2 12:01:59 named 48149 set up managed keys zone for view Internal, file '2ea1842b445b0c81.mkeys'
Jan 2 12:01:59 named 48149 zone 'rack.center' allows unsigned updates from remote hosts, which is insecure
Jan 2 12:01:59 named 48149 sizing zone task pool based on 2 zones
Jan 2 12:01:59 named 48149 generating session key for dynamic DNS
Jan 2 12:01:59 named 48149 setsockopt(27, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 listening on IPv4 interface igb1.91, 192.168.91.1#53
Jan 2 12:01:59 named 48149 setsockopt(26, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 listening on IPv4 interface igb1.90, 192.168.90.1#53
Jan 2 12:01:59 named 48149 setsockopt(25, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 listening on IPv4 interface igb1.70, 192.168.70.1#53
Jan 2 12:01:59 named 48149 setsockopt(24, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 listening on IPv4 interface igb1.50, 192.168.50.1#53
Jan 2 12:01:59 named 48149 setsockopt(23, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 listening on IPv4 interface igb1.99, 192.168.99.1#53
Jan 2 12:01:59 named 48149 setsockopt(22, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 listening on IPv4 interface lo0, 127.0.0.1#53
Jan 2 12:01:59 named 48149 setsockopt(21, TCP_FASTOPEN) failed with Protocol not available
Jan 2 12:01:59 named 48149 socket.c:5695: unexpected error:
Jan 2 12:01:59 named 48149 listening on IPv4 interface igb1, 192.168.1.1#53
Jan 2 12:01:59 named 48149 using default UDP/IPv4 port range: [49152, 65535]
Jan 2 12:01:59 named 48149 unable to open '/usr/local/etc/namedb/bind.keys' using built-in keys
Jan 2 12:01:59 named 48149 loading configuration from '/etc/namedb/named.conf'
Jan 2 12:01:59 named 48149 ./config.c: option 'lmdb-mapsize' was not enabled at compile time (ignored)
Jan 2 12:01:59 named 48149 using up to 4096 sockets
Jan 2 12:01:59 named 48149 using 1 UDP listener per interface
Jan 2 12:01:59 named 48149 found 2 CPUs, using 2 worker threads
Jan 2 12:01:59 named 48149 ----------------------------------------------------
Jan 2 12:01:59 named 48149 available at https://www.isc.org/support
Jan 2 12:01:59 named 48149 corporation. Support and training for BIND 9 are
Jan 2 12:01:59 named 48149 Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan 2 12:01:59 named 48149 BIND 9 is maintained by Internet Systems Consortium,
Jan 2 12:01:59 named 48149 ----------------------------------------------------
Jan 2 12:01:59 named 48149 running as: named -4 -c /etc/namedb/named.conf -u bind -t /cf/named/
Jan 2 12:01:59 named 48149 built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-dnstap' '--enable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--without-idn' '--enable-ipv6' '--with-libjson' '--disable-largefile' '--without-lmdb' '--without-python' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-threads' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.0' 'build_alias=amd64-portbld-freebsd11.0' 'CC=cc' 'CFLAGS=-O2 -pipe -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-isystem /usr/local/incl
Jan 2 12:01:59 named 48149 running on FreeBSD amd64 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6 #5 r313908+a5b33c9d1c4(RELENG_2_4): Tue Dec 12 13:20:18 CST 2017 root@buildbot2.netgate.com:/xbuilder/crossbuild-242/pfSense/tmp/obj/xbuilder/crossbuild-242/pfSense/tmp/FreeBSD-src/sys/pfSense
Jan 2 12:01:59 named 48149 starting BIND 9.11.2 <id:0a2b929>


I can't understand why it won't respond to a query for any of the A records. HELP!
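As an added example (not code from the post or from pfSense/BIND), a stdlib-only Python lint that re-parses a constructed copy of the zone above and reports NS, SOA MNAME and SRV targets that are either IPv4 literals written where a hostname belongs or in-zone names with no A record; it assumes one record per line, so the multi-line SOA is collapsed and most A records are dropped from the copy.

```python
"""Stdlib-only lint for referenced hostnames in a BIND zone file (added example)."""
import re

# Constructed copy of the poster's rack.center records, one record per line
# (the multi-line SOA collapsed, comments and most A records dropped).
ZONE_TEXT = """\
$ORIGIN rack.center.
rack.center. IN SOA 192.168.1.1. zonemaster.rack.center. ( 2449940602 1d 2h 4w 1h )
@ IN NS 192.168.1.1.
@ IN A 192.168.1.1
pfSense IN A 192.168.1.1
FreeNAS IN A 192.168.1.5
DC01 IN A 192.168.1.5
_ldap._tcp SRV 0 0 389 DC01
_kerberos._tcp.dc._msdcs SRV 0 0 88 DC01
"""

IPV4_LITERAL = re.compile(r"^(\d{1,3}\.){3}\d{1,3}\.?$")

def fqdn(name, origin):
    """Absolute, lower-cased name: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def parse_zone(text):
    """Return (origin, [(owner, rtype, rdata_tokens)]) for one-record-per-line zone text."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        rest = [t for t in tokens[1:] if t.upper() not in ("IN", "CH")]  # skip class
        records.append((fqdn(tokens[0], origin), rest[0].upper(), rest[1:]))
    return origin, records

def lint_targets(text):
    """Findings as (rtype, owner, target, reason) for NS, SOA MNAME and SRV targets."""
    origin, records = parse_zone(text)
    have_a = {owner for owner, rtype, _ in records if rtype == "A"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "SOA", "SRV"):
            continue
        # NS/SOA: first rdata field is the server name; SRV: target is the 4th field.
        target = fqdn(rdata[3] if rtype == "SRV" else rdata[0], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if IPV4_LITERAL.match(target):
            findings.append((rtype, owner, target, "address literal used as hostname"))
        elif in_zone and target not in have_a:
            findings.append((rtype, owner, target, "no A record in zone"))
    return findings
```

Call `lint_targets(ZONE_TEXT)` to get the findings for this zone; pass any other one-record-per-line zone text to check it the same way.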

2
DHCP and DNS / Mass DHCP edits
« on: January 01, 2018, 12:06:40 pm »
I want to start by saying I love pfSense and use it for home, home lab, work, work lab, the cat, the dog, my pants, etc... :D

I may be missing something but I cannot find a way to edit a large number of DHCP leases at the same time :o. I would like to be able to select (click then shift+click) and delete, add to static, add WOL, and Send WOL. I would also love to have each subnet in its own tab mirroring the DHCP config page and be able to color code static leases like we do with firewalls. Seems our DHCP management could use some love.

Also a potential bug: I found if a device receives a lease then gets dropped onto a different VLAN, it still pulls the old lease with the incorrect IP until the old lease is deleted. I'll have to do a little testing to verify this is pfSense and not the host doing this.

3
IPsec / Gateway monitors for IPsec
« on: July 03, 2017, 01:09:13 pm »
I have a client with a main site and three satellite offices. We have IPsec up and running from the satellites to the main office. I would like to have "gateway monitoring" for each VPN endpoint. Is there any way to monitor multiple IPs from one gateway?

I would love to have RRD graphs of quality from the main office to each location.

4
Packages / syslog-ng smtp destination
« on: March 29, 2017, 01:14:10 pm »
I am working through the guides at balabit.com and it seems the SMTP is not enabled. Can anyone verify this is the case? Or am I missing something?

I am on pfSense 2.3.2_p1 with syslog-ng 1.13.2 (syslog-ng-3.7.3_7).

My end goal is to email certain log entries from the firewall and Snort. We need an easy setup (from internal base pfSense config) so no hacking at config files or custom/shoe-horned packages.   :P

syslog-ng.conf
Code:
# This file is automatically generated by pfSense
# Do not edit manually !
@version:3.7
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
destination d_smtp {
    smtp(
        host("mail.contoso.com")
        port(25)
        from("syslog-ng alert service" "pf-RTR@contoso.com")
        to("Admin" "Admin@contoso.com")
        subject("[ALERT] Important log message of $LEVEL condition received from $HOST/$PROGRAM!")
        body("Alert")
    );
};

log { source(_DEFAULT); destination(_DEFAULT); };
source _DEFAULT { internal(); syslog(transport(udp) port(5140) ip(10.50.30.5) ip(127.0.0.1)); };

5
IDS/IPS / Snort build options
« on: March 06, 2017, 12:57:46 pm »
We are looking for a way to get alerts from Snort to our RMM software. SNMP would be ideal. I know Snort can support this when built with the --with-snmp option. Is there any way I can see what the build options are for Snort? Sorry if this is an overly simple question. I have limited *nix/BSD experience.

6
IPsec / Transport mode comes up and GRE goes down.
« on: November 12, 2016, 01:27:34 pm »
I found an old thread with no resolution:
Quote
Hello.
I have a GRE tunnel between two sites set up and working fine. Using OSPFd to transmit routes between them. I set up IPSEC in transport mode using the public IP addresses between sites and instantly I can see the GRE tunnel go down. I check status > gateways and they are offline. Nothing in IPSEC log that would indicate a problem with the IPSEC tunnel itself. status > ipsec does have the yellow X "error" but appears to set up properly.

I am just wondering if there is a better way from a design perspective to do this, whether it be with pfsense or in some other fashion. I was looking into OpenVPN but I am unsure whether I can get OSPFd working over that tunnel either. If all else fails I will just do some redesign of IP addressing and use a summary route over IPSEC in tunnel mode, or with OpenVPN, but I would like to continue to use OSPFd if possible. Thoughts?
Regards,

xtropx

I seem to be in the same boat. I would like to be able to use OSPF with networks connected via IPsec and GRE according to the pfSense book:
Quote
IPsec in transport mode can use GRE for tunneling encrypted traffic in a way that allows for traditional routing or the use of routing protocols.
(Hope it's OK to quote that here.) However I cannot make this work. The IPsec connects with no issues at all but as soon as it does I lose my GRE tunnel.

Both IPsec and GRE are using the same external IP address, both IPsec and GRE work but not at the same time!

7
Traffic Shaping / Queues not reloading when applying
« on: September 27, 2016, 09:28:23 am »
I have been tweaking our HFSC quite a bit as I learn more about it. However, the queues do not seem to update when clicking the apply button. I have verified the settings are saved in the config.xml file and even tried /etc/rc.reload_all with no luck. I can verify stale settings via pfctl -s queue -v.

The only thing I have not done (that I can think of) is reboot the router. :-[
