Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - zMaliz

Pages: [1] 2
General Questions / Using Developer Shell - pfSsh.php
« on: March 06, 2018, 03:30:11 am »

I'm trying out using the developer shell and pfSsh.php.
The commands I'm running all seem to work as expected and I've successfully created aliases and NAT rules.

I've saved the commands into a text file 'cmds.txt' and have then tried to feed them into pfSsh.php as follows:

/usr/local/sbin/pfSsh.php < cmds.txt

This works fine and the entries are created, however I end up with lots of 'pfSense shell:' prompts scrolling past the screen.. pages and pages of them.
I've added exit; to the end of my commands but I still get the same.

Anyone know how to stop that ?


DHCP and DNS / DNS Resolver fails when IPsec VPN is connected
« on: January 02, 2018, 02:14:09 pm »
I have DNS Resolver installed and running.
The dashboard shoes my DNS server as

DNS Resolver is configured for All internal and external interfaces.
As far as I can tell DNS resolves correctly until my IPsec VPN connects.

The VPN is connecting me to the office which seems to work well. I have rules allowing several devices to route from the LAN to the office but all other devicess are blocked from the VPN.

On the IPsec rules I have allowed access to specific devices and all others are blocked.

Once the VPN connects then DNS fails to resolve.
Can anyone suggest what to check and how to resolve this.


IPsec / IPSEC VPN restrict access
« on: December 21, 2017, 11:59:26 am »
I'm looking at creating an IPSEC VPN between home and the office.

Ideally I'd like to restrict this so only 2/3 devices locally (home) use it and from the office they can only access those 2/3 devices.
Is this possible ?  Can someone point me in the right direction.


OpenVPN / Restart OpenVPN / re read host address - command line
« on: August 22, 2017, 10:02:37 am »

Does openVPN read the remote server hosts address from config.xml or is there another file it reads from ?

Is it possible to restart the openVPN either via PHP or the command line ?
If I script the update of the server hosts address in config.xml, when I restart openVPN will it use the new host address ?

Any issues with doing this ?


Traffic Monitoring / ntopng stopping
« on: August 02, 2017, 09:18:06 am »

I've noticed ntopng 0.8.8 intermittently keeps stopping.
If I restart it, it will run for a period and then the Dashboard reports it as stopped.

Can some one point me to the logs I need to be checking.
or is this a known issue ?


Routing and Multi WAN / Routing between interfaces.
« on: July 30, 2017, 08:15:18 am »
I've got a Qotom box which has 4 interfaces. 1 is used for my WAN connection, the other 3 are in different IP ranges and have various devices attached.
Port 2 LAN - 192.168.1.x /24
Port 3 Wifi - 10.10.10.x /24
Port 4 OtherLan - 172.16.10.x /24
From my PC I can ping devices within the Wifi 10.10.10.x range. But I can't access the only device in the 172.16.10.x range.
I have a LAN rule of:
Protocol IPv4 * Source: Port * Destination OtherLan net Port * Gateway *
The states count is showing values and the byte count is increasing.
In OtherLan rules I have:
Protocol IPv4 * Source: Port * Destination Port * Gateway *
Protocol IPv4 * Source: Port * Destination Port * Gateway *
The states and the byte count other show 0
I also have a rule at the botton of the list on OtherLan of:
Protocol IPv4 * Source: Port * Destination * Port * Gateway WAN
If I do a trace route from to I can see if hit my pfSense box, but then nothing.. In an SSH session on the pfSense box I can ping
Can some one advise what I need to do..

OpenVPN / Issue Setting up PIA OpenVPN
« on: July 08, 2017, 06:51:30 am »

I've followed PIA's guide to setting up OpenVPN on my pfSense 2.3.4
The VPN is up and connected, I've added the Outbound NAT rules, but no traffic seems to be routing via the VPN.
Checking my IP on line I see my static IP Address and no the PIA address.

I have 4 interfaces on my firewall, WAN, LAN, WIFI, NAS.
I only want WIFI to route via PIA so in Outbound NAT I've only duplicated those addresses and set them to PIA all others have been left as is.

My PC (LAN) and Phone (Wifi) are both showing my public IP online, how do I sort this..
I feel I'm missing something, but I'm not sure what.

No sure if it makes any difference, I have openVPN server running on my pfsense as my son connects to home using that.


IPsec / IPSEC Responder, should be initiator !
« on: May 15, 2017, 05:28:57 am »

pfSense : 2.3.2-RELEASE

I've got several IPSEC VPN's when viewed under Status / IPSEC show as 'IKEv1 responder'

Yet the IPSEC VPNs configuration has got Responder Only Unticked.

Why is it being reported as Responder Only ?
How do I force this to be the initiator ?

IPsec / IPSEC PSK Re Authentication Issue
« on: May 11, 2017, 03:24:45 am »

pfSense connecting to Draytek router.

We have an issue that the VPN goes down for between 2 - 15 minutes when PSK re authentication happens.
After this time period the VPN works normally until the next re authentication.
The pfSense is the initiator and has auto ping host configured.

Can anyone advise what could be causing this or what we should be investigating ?


DHCP and DNS / DNS Resolver returns different results to external DNS
« on: April 04, 2017, 11:05:14 am »

My domain is hosted with one provider and DNS is provided by the company I bought my domain name from.
This all works fine... Today I've updated the DNS entries.

From a local Linux PC if I use dig and specify googles DNS Address I get the correct results back for the DNS of my domain.
However if I specify my pfSense box as the DNS server, I get the old DNS entries for my domain.

I'm using DNS Resolver:
DNS server(s)

Any idea how to get this to resolve the correct details ?


IPsec / IPSec connection attempt isn't blocked.
« on: March 06, 2017, 02:20:52 pm »

Each evening I see an entry for in my IPSEC  logs.
It never gets connected but it shows up each night.

So I decided to add some rules to try and block it.

On WAN I added
BLOCK TCP v4 * from

On IPSEC I added
BLOCK TCP v4 * from

Yet I still see it trying to connect. Is there anyway I can block it ?


DHCP and DNS / Respond to DNS Broadcast request
« on: March 06, 2017, 07:25:25 am »

Should pfsense respond to a local DNS broadcast request ?
I've done a packet capture and I can see the request hit the pfSense box, but I don't see any reply:

This is whats recieved :

Code: [Select]
Frame 412: 72 bytes on wire (576 bits), 72 bytes captured (576 bits)
Ethernet II, Src: Fozeon_00:23:04 (00:12:23:00:23:04), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src:, Dst:
User Datagram Protocol, Src Port: 32816, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x0001
    Flags: 0x0100 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries type MX, class IN
            [Name Length: 12]
            [Label Count: 2]
            Type: MX (Mail eXchange) (15)
            Class: IN (0x0001)

The box is running DNS Resolver and not DNS Forwarder.

The portal front page shows:

DNS server(s)

How do I get the pfsense DNS to respond to local DNS broadcasts ?


Traffic Shaping / Is this limiter setup correctly ?
« on: January 03, 2017, 02:37:48 am »

I'm trying to limit an XboxOne to have 10MBit/s Down and 4Mbit/s up.
Does this look correct ?

Code: [Select]
00001:   4.000 Mbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x1 256 buckets 0 active
    mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
00002:  10.000 Mbit/s    0 ms burst 0
q131074  50 sl. 0 flows (1 buckets) sched 65538 weight 0 lmax 0 pri 0 droptail
 sched 65538 type FIFO flags 0x1 256 buckets 0 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000

I've created an Alias containing the Xbox IP Address, then created 2 limiters SRC & DEST.

In SRC I have the bandwidth as 10 Mbit/s with the MASK as Source Addresses
In DEST I have the bandwidth as 4 Mbit/s with the MASK as Destination Addresses

I've added a new rule to my LAN with the Source as the alias I created and set In/Out Pipes as SRC & DEST.

Is that the right way round to limit it as I want ?


General Questions / PPPOE 64bit multiple cores ?
« on: January 02, 2017, 01:41:41 pm »

As per subject are there any plans to make the PPPOE process use multiple cores ?
Or is it better to use a modem -> router then pfSense ?

Currently I'm using modem -> pfSense PPPOE


General Questions / System Logs WAN & em0 ?
« on: December 29, 2016, 04:38:12 pm »
Looking at my system logs I'm seeing blocked entities with the interface shown as WAN, I also have some where the interface is em0

What is em0 ? I thought that was the WAN !

Dec 29 22:32:01   em0 igmp

Looking a bit closer, all em0 packets blocked are like the above.. I also have some as above from OPT1 which has my wireless access point connected.

What are these ?

Pages: [1] 2