
Topics - jtl

Development / Where to find source code of pfSense DHCP and DHCPv6 clients
« on: February 01, 2018, 01:51:03 am »

I'm interested in the source code for the IPv4 and IPv6 DHCP clients (dhclient, dhcp6c) as used in pfSense for working on some changes.

Where can I obtain the source code for both?


DHCP and DNS / Possible to supersede prefix lifetime with dhcp6c?
« on: January 12, 2018, 05:55:27 pm »
I have a TELUS FTTH connection. I then terminate the Ethernet handoff from the ONT into my own switch as untagged VLAN 666, of which two other ports are untagged VLAN 666, one going to the Actiontec crappy router for IPTV boxes and another going to my pfSense router.

Problem is, it appears sometimes Telus does maintenance or something at night with the DHCP server at least once a month in my experience, which causes the IP source guard/Dynamic ACL binding at their edge switch to stop routing the IP address given to my pfSense router. Sometimes the connection comes back after 10 minutes or so (happened once when I was away from home) but it often doesn't come back until the DHCP lease is renewed which can take up to 2 hours (lease time is 4 hours). dpinger shows 100% loss for both the IPv4 and IPv6 interface.

If I manually release and renew the DHCP lease under Status->Interfaces the connection comes back instantly.

Similar to the issue in this forum thread, but last time it happened on December 25th 2017 at 21:29 PST I still had the same IPv4 and v6 IP upon renewal:

An idea I had to fix this problem is to set the DHCP renewal time to a short value regardless of what the server sets. It's possible to do this for IPv4 with dhclient by adding
Code:
supersede dhcp-lease-time 1800;
to the options. But I want to synchronize the DHCP renewal lifetime for both DHCP and DHCP6 to ensure a seamless and reliable connection, as I host servers from home (and no, upgrading to a business connection wouldn't help, as they still use DHCP, just registering the MAC address of your router in some clunky web UI).

I tried setting a manual prefix lifetime in a custom DHCP6 config file, but it just seems to be overridden by the sent server value.

Code:
id-assoc pd 0 {
prefix ::/56 1800 1800;
prefix-interface vtnet1 {

I tried looking for the source of dhcp6c on pfSense github so I can get at hacking it, but either I'm blind or it's not there.
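The manual release/renew that brings the link back, as a gateway watchdog so nobody has to wait up to two hours for T1. This is an added example, not code from the thread or from pfSense: it probes the IPv4 and IPv6 gateways the way dpinger does and, after a few consecutive rounds of 100% loss, forces a lease renew. The gateway addresses are documentation-range placeholders, the interface name "wan" and the pfSctl "interface reload" command are assumptions that should be confirmed from the console of the pfSense version in use.

```sh
#!/bin/sh
# Added example (not from the thread, not pfSense code): gateway watchdog that
# forces a DHCP release/renew when the WAN goes dead, instead of waiting for
# the client's T1 timer (half of the 4-hour lease, i.e. up to 2 hours).

GW4="${GW4:-192.0.2.1}"                 # placeholder (TEST-NET-1)
GW6="${GW6:-2001:db8::1}"               # placeholder (documentation prefix)
PROBES="${PROBES:-5}"                   # pings per round
STRIKES="${STRIKES:-3}"                 # rounds of 100% loss before acting
INTERVAL="${INTERVAL:-60}"              # seconds between rounds
SETTLE="${SETTLE:-300}"                 # grace period after a renew
# Assumed renew command: pfSense's event interface for reloading "wan".
RENEW_CMD="${RENEW_CMD:-/usr/local/sbin/pfSctl -c 'interface reload wan'}"

# Extract the integer loss percentage from a ping summary line.
# Handles FreeBSD ("100.0% packet loss") and Linux ("100% packet loss");
# prints nothing if the line is not a summary line.
loss_pct() {
    printf '%s\n' "$1" |
        sed -n 's/.*[ ,]\([0-9][0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\1/p'
}

# One probe round: $1 = ping binary (ping or ping6), $2 = target. Prints loss %.
# No summary at all (binary missing, unresolvable target) counts as 100% loss.
probe() {
    summary=$("$1" -c "$PROBES" "$2" 2>/dev/null | grep 'packet loss' || true)
    pct=$(loss_pct "$summary")
    if [ -n "$pct" ]; then printf '%s\n' "$pct"; else printf '100\n'; fi
}

# Strike bookkeeping: $1 = loss % this round, $2 = strikes so far.
# Prints the new strike count; any reply at all resets it to zero.
next_strikes() {
    if [ "$1" -ge 100 ]; then
        echo $(( $2 + 1 ))
    else
        echo 0
    fi
}

# Exit 0 when either address family has reached the threshold.
should_renew() {
    [ "$1" -ge "$STRIKES" ] || [ "$2" -ge "$STRIKES" ]
}

watchdog() {
    s4=0; s6=0
    while :; do
        l4=$(probe ping "$GW4")
        l6=$(probe ping6 "$GW6")
        s4=$(next_strikes "$l4" "$s4")
        s6=$(next_strikes "$l6" "$s6")
        if should_renew "$s4" "$s6"; then
            logger -t gw-watchdog "loss v4=${l4}% v6=${l6}% for ${STRIKES} rounds; forcing lease renew"
            sh -c "$RENEW_CMD"
            s4=0; s6=0
            sleep "$SETTLE"     # let the new lease settle before probing again
        fi
        sleep "$INTERVAL"
    done
}

# Loop only when started as "sh gw-watchdog.sh run"; loading the file
# otherwise just defines the functions.
if [ "${1:-}" = run ]; then
    watchdog
fi
```

This treats the symptom (dead binding until renew) rather than the cause, and it does nothing about keeping the v4 and v6 lease timers in step; it also only fires when both probes in a round fail for several rounds in a row, so a single lost ping never triggers a renew.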


Traffic Shaping / Shaping upload of DMZ network to give priority to LAN.
« on: November 25, 2017, 07:26:53 pm »

First I should explain some things.

Interfaces concerned are LAN, WAN, and the DMZ interface (hereafter referred to as DMZNET). DMZNET is a VLAN interface I use for hosting publicly available services from my server. Firewall rules are used to prevent hosts on the DMZ network from connecting out to other hosts on my LAN(s), while hosts on other networks are allowed to connect in. Due to ISP shenanigans I use an IPSec tunnel to a datacenter, terminated on one of my servers connected to DMZNET (not my main router).

[REDACTED] is the datacenter host that the IPSec tunnel terminates on.

I want to shape my WAN upload, so traffic from LAN->WAN gets priority over DMZNET->WAN traffic, and so LAN can borrow from the DMZNET queue when needed. I have a symmetrical connection and my ISP applies traffic shaping of their own in the download direction for their IPTV service so that's not as needed right now.

I don't need to shape individual applications the way the traffic shaper wizard does; I just need to give outgoing LAN traffic priority over DMZNET.
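The policy described above (LAN first, DMZNET gets the rest, LAN may borrow idle DMZNET bandwidth) as the pf ALTQ rule set it compiles to. This is an added example, not from the thread: pfSense regenerates its own pf.conf from Firewall > Traffic Shaper, so this is the shape to build in the GUI and to compare against "pfctl -vsq", not something to paste into /etc/pf.conf on a pfSense box. Interface names are assumptions.

```pf
# Added example, not from the thread or pfSense's generated pf.conf.
ext_if = "em0"        # WAN (assumed)
lan_if = "em1"        # LAN (assumed)
dmz_if = "em1.20"     # DMZNET VLAN interface (assumed)

# Upload shaping attaches to the egress interface. The root is kept a little
# under the real 150Mb line rate so queuing happens here, not in the ISP's buffers.
altq on $ext_if cbq bandwidth 145Mb queue { q_lan, q_dmz, q_default }
  queue q_lan     bandwidth 60% priority 7 cbq(borrow)    # LAN->WAN: high priority, may borrow idle share
  queue q_dmz     bandwidth 35% priority 1 cbq(borrow)    # DMZNET->WAN: low priority
  queue q_default bandwidth 5%  priority 3 cbq(default)   # the router's own traffic and anything unmatched

# The queue is chosen by the rule that creates the state, i.e. the inbound rule on
# the source interface; pf then uses a queue of that name on the egress interface.
# ":network" expands to the networks configured on the interface (v4 and v6).
pass in quick on $lan_if from $lan_if:network to any keep state queue q_lan
pass in quick on $dmz_if from $dmz_if:network to any keep state queue q_dmz

# The IPsec tunnel from the DMZ host is matched by source network like any other
# DMZNET traffic, so the encapsulated flow is shaped inside q_dmz.
```

With CBQ, "borrow" lets a child take unused bandwidth from its parent, so q_lan can grow into the q_dmz share while DMZNET is idle, and priority 7 over 1 decides who wins when both are busy; "pfctl -vsq" shows per-queue packet and drop counters to confirm the traffic is actually landing in the intended queues.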


Packages / BIND creating forward zone has an empty resulting zone config
« on: September 01, 2017, 10:10:11 pm »

(DNS name of my internal company has been changed to protect the innocent, etc.)

I'm trying to set up a forward zone in BIND [for] so I can have certain records point to internal IPs on my LAN and the rest would go out to the internet to the public nameservers.

The problem I'm having is after I fill in all the values and save, the resulting zone config doesn't get created and thus this doesn't work.

I apologize if full-page screenshots aren't the best way to show my configuration, but here goes.

(With regards to the views: I already have different BIND views created that correspond to different VLANs whose internal DNS hosts I want to keep separate from each other.)


Hardware / Hardware for dedicated hypervisor running only pfSense
« on: August 06, 2017, 10:36:37 pm »

Thinking of upgrading my old circa-2010 Core i3 pfSense box (I built it only recently, but most of the parts were "free").

Reasons to upgrade:
a) AES-NI (for VPN and similar; even this old system can do over 100 Mbps using OpenVPN though)
b) The motherboard I'm using (Intel DH55HC) only seems to like one particular stick of Corsair DDR3 1333 memory I "stole" from my current desktop. This is obviously a problem, as my desktop now has only 1x4GB instead of 2x4GB of memory.
c) I've tested with iperf3 and can get 940 Mbps throughput WAN->LAN on a single connection with local testing hardware, but I can't get that total with multiple connections. I only have 150/150 internet right now, so it doesn't matter; I'm just planning for the future, as my ISP might have a gigabit plan eventually, and/or I might move to another location that has symmetrical gigabit available.

My current system is built in a Rosewill 4U case with a Noctua heatsink and fan. I'm thinking of "downgrading" to a 2U case and heatsink to save rack space, as I only have 1 boot SSD in there. So I would need a Micro ATX motherboard.

I'm thinking of getting a Skylake/Kaby Lake Core i3 and a motherboard with VT-d so I can run pfSense in a hypervisor (Proxmox or ESXi) with my existing 4-port HP-branded server NIC passed through to the pfSense VM via PCIe passthrough. This is so I can take snapshots of my working setup and do testing easily without having to take the system down and reinstall, etc. I understand not all motherboards do PCIe passthrough well. Does anyone have experience with this?

I live in Canada, and only need suggestions for the CPU and motherboard. Should I wait for AMD's Ryzen-based APUs or go with an i3?


Packages / BIND override A record possible?
« on: July 09, 2017, 08:56:31 pm »

I'm looking at using a BIND reverse policy zone to replace an IP address in an 'A' record resolved by my router's (pfSense) BIND instance. The purpose of doing this is that I have a server on my network hosting services, and all its incoming and outgoing traffic is tunneled through an IPSec tunnel to a datacenter close by for some DDoS resilience, avoiding ISP port blocks, etc. Anyway, said tunnel has a public IP of its own, so I'm looking into how to use a BIND reverse policy zone to replace said IP with the server's LAN IP in DNS queries, to avoid routing traffic from the LAN to the server over the external tunnel, which frankly seems like a waste of bandwidth to me.

I currently just use 1:1 NAT on the tunnel's public IP and make an exception for the server, but obviously it's not an ideal solution.

Is it possible using BIND to override any A record that resolves to a certain IP with another IP address? I'd like to avoid keeping two copies of my zone files if at all possible.
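What BIND offers for this is a response-policy zone (RPZ, configured with the "response-policy" statement), and its IP trigger does exactly the rewrite asked for here: it fires on the address in the answer, not on the name, so one record covers every name that resolves to the tunnel's public IP without a second copy of the real zone. The same mechanism, via a QNAME trigger, covers the September 1 post's goal of a few names answered with internal addresses while everything else recurses to the public DNS. This is an added example, not from either thread or from the pfSense BIND package; addresses, the view name and file paths are assumptions.

```bind
// Added example, not from the thread or the pfSense BIND package.
// --- named.conf: inside the view LAN clients match (the poster already uses
// --- per-VLAN views; response-policy applies per view) ---
view "lan" {
    match-clients { 192.168.1.0/24; };          // assumption
    recursion yes;

    response-policy {
        zone "rpz.local";
    };

    zone "rpz.local" {
        type master;
        file "/etc/namedb/master/rpz.local.zone";   // path is an assumption
        allow-query { none; };      // clients never query the policy zone directly
        allow-transfer { none; };
    };
};

// --- /etc/namedb/master/rpz.local.zone ---
$TTL 300
@                           IN SOA  localhost. hostmaster.localhost. (
                                        2017070901  ; serial: bump on every edit
                                        3600 600 86400 300 )
                            IN NS   localhost.

; IP trigger: fires when the *answer* holds an A record inside the given block.
; Owner name is <prefixlen>.<IPv4 octets reversed>.rpz-ip, so 203.0.113.10/32
; (placeholder for the tunnel's public IP) is written as:
32.10.113.0.203.rpz-ip      IN A    192.168.1.10    ; Local Data action: answer with the LAN IP (placeholder)

; QNAME trigger: one specific name answered locally no matter what the public
; zone says (the "certain records point to internal IPs" case).
intranet.example.internal   IN A    192.168.1.20    ; placeholder
```

Validate the file with "named-checkzone rpz.local /etc/namedb/master/rpz.local.zone" and test with "dig @127.0.0.1" for a name that publicly resolves to the tunnel address; the rewritten answer carries the RPZ zone's TTL (300s here), and only clients that actually use this resolver see it, so a LAN host pointed at a public resolver still hairpins through the tunnel.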


General Questions / IGMP Proxy, cannot do interface
« on: May 20, 2017, 07:23:08 pm »

I am running pfSense 2.3.3_1

With regards to IGMP Proxy, why is it not possible to set an interface? In my opinion it should be possible, as Telus Actiontec routers (as an example) appear to do such a thing with their IGMP proxy to support IPTV. I manually tried editing the configuration file in /tmp and restarting the service, but it was unable to parse such a configuration.

Would it be possible to modify the IGMP Proxy to accept such a configuration?

Code:
phyint em4 upstream ratelimit 0 threshold 1



Using pfSense 2.3.3_1. I have the BIND package installed as a DNS server for my LAN, using some BIND specific features, etc.

One issue I'm having is upon the LAN interface going down (doesn't happen often but it's still an issue nevertheless) the BIND server doesn't react properly to it and doesn't accept queries from clients, etc.

Here is the relevant output from the named logs.
Code:
Apr 30 13:32:42 named 99378 no longer listening on
Apr 30 13:32:44 named 99378 listening on IPv4 interface em3,
Apr 30 13:32:44 named 99378 could not listen on UDP socket: permission denied
Apr 30 13:32:44 named 99378 creating IPv4 interface em3 failed; interface ignored
Apr 30 13:32:44 named 99378 listening on IPv4 interface em3,
Apr 30 13:32:44 named 99378 could not listen on UDP socket: permission denied
Apr 30 13:32:44 named 99378 creating IPv4 interface em3 failed; interface ignored
Apr 30 13:32:44 named 99378 listening on IPv4 interface em3,
Apr 30 13:32:44 named 99378 could not listen on UDP socket: permission denied
Apr 30 13:32:44 named 99378 creating IPv4 interface em3 failed; interface ignored
Apr 30 13:32:44 named 99378 listening on IPv4 interface em3,
Apr 30 13:32:44 named 99378 could not listen on UDP socket: permission denied
Apr 30 13:32:44 named 99378 creating IPv4 interface em3 failed; interface ignored


2.4 Development Snapshots / tmux locale problem
« on: January 24, 2017, 11:20:24 pm »

Running the pfSense 2.4.0 snapshots based on FreeBSD 11. I like to have bash and tmux installed on the firewall for running persistent processes in the background. Under pfSense 2.3 it worked but under 2.4 I get the error "tmux: invalid LC_ALL, LC_CTYPE or LANG".

When running "declare -x  LC_ALL=en_US.UTF-8" I get "bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8): No such file or directory"

How do I fix this (as I think it is related to the problem)?


IPv6 / IPv6 incoming not working.
« on: December 10, 2016, 04:00:04 pm »

New to IPv6. I have Telus internet. Recently got IPv6 working with my new pfSense box. I can use the IPv6 internet normally, browse to sites, ping things, but anything incoming seems to be blocked and I would like to allow ICMP incoming, as well as other hosted services.

I am testing from a remote DigitalOcean box with IPv6 and Nmap for port scanning. Just using netcat to listen to ports, etc.

Running pfSense 2.4.0.b.20161118.1539.

Here are the results.

Here are my firewall rules for WAN and LAN

As a test I used
Code:
nc -6 -l 8088
to create a listening server on my OS X machine. When port scanning it from the remote server using Nmap and sniffing on the router itself using tcpdump, I can see the packets being received by the router, but they never reach my machine. I have OS X's firewall disabled for testing.

Here's an example

Code:
[root@router ~]# tcpdump -i em4 port 8088
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:20:17.354647 IP6 [REDACTED TESTING BOX].49448 > [REDACTED OS X MACHINE].8088: Flags [S], seq 3266173327, win 1024, options [mss 1460], length 0
14:20:18.355437 IP6 [REDACTED TESTING BOX].49449 > [REDACTED OS X MACHINE].8088: Flags [S], seq 3266107790, win 1024, options [mss 1460], length 0
14:20:35.622367 IP6 [REDACTED TESTING BOX].39544 > [REDACTED OS X MACHINE].8088: Flags [S], seq 2563870279, win 1024, options [mss 1460], length 0
14:20:36.622538 IP6 [REDACTED TESTING BOX].39545 > [REDACTED OS X MACHINE].8088: Flags [S], seq 2563804742, win 1024, options [mss 1460], length 0
14:20:41.631231 IP6 [REDACTED TESTING BOX].51385 > [REDACTED OS X MACHINE].8088: Flags [S], seq 2305422004, win 1024, options [mss 1460], length 0
14:20:42.631624 IP6 [REDACTED TESTING BOX].51386 > [REDACTED OS X MACHINE].8088: Flags [S], seq 2305356469, win 1024, options [mss 1460], length 0

(Sorry for the somewhat abrupt and ad-hoc writeup of this, have a headache)
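The rule set that inbound IPv6 to a LAN host reduces to, together with the ICMPv6 that has to pass for IPv6 to work at all and the checks for the "SYNs visible on the WAN, nothing on the host" symptom in the capture above. This is an added example, not from the post: on pfSense the rules are built in Firewall > Rules > WAN and pfSense passes the essential ICMPv6 on its own, so use this as the shape to compare against "pfctl -sr" on the router. Interface names and the host address are assumptions.

```pf
# Added example, not from the post or pfSense's generated rules.
wan_if = "em4"               # WAN, the interface captured on in the post
lan_if = "em3"               # LAN (assumed)
srv_v6 = "2001:db8:1::10"    # the OS X host's stable global address (placeholder)

# Neighbor Discovery and router messages are ICMPv6; blocking them breaks
# address resolution on the link, so they pass on every interface.
pass quick inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# Echo (the poster wants ping) plus the error types PMTU discovery depends on.
pass in quick on $wan_if inet6 proto ipv6-icmp icmp6-type { echoreq, toobig, timex, paramprob, unreach }

# No NAT in IPv6: the rule targets the host's own global address, not the router's.
pass in quick on $wan_if inet6 proto tcp from any to $srv_v6 port 8088 flags S/SA keep state

block in log quick on $wan_if inet6

# Triage when the WAN capture shows only [S] and the host never answers:
#   pfctl -ss | grep 8088            a state exists only if a pass rule matched
#   tcpdump -ni em3 port 8088        was the SYN actually forwarded onto the LAN?
#   ndp -an | grep 2001:db8:1::10    does the router have the host's link-layer address?
```

One thing to check on the host side: macOS enables temporary (privacy) addresses by default, so a listener bound to all addresses answers on a stable address, but a rule or scan aimed at a temporary address stops matching once that address rotates; run "ifconfig en0 inet6" on the Mac and test against the address without the "temporary" flag. If the capture on em3 shows the SYNs leaving the router but no SYN-ACK, the problem is on the host, not in pf.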

