
Topics - athurdent

1
General Discussion / New Netgate software platforms sclr / tnsr
« on: December 22, 2017, 12:40:17 am »
So just out of curiosity, are these new sclr / tnsr platforms based on FreeBSD/pf or Linux/iptables?

https://cdn2.hubspot.net/hubfs/1826203/Collateral/Brochures/Netgate_Brochure.pdf

2
Anybody else noticing problems with unbound, probably after those commits:

https://github.com/pfsense/pfsense/commit/38d110824c87ff60c6289c0432d55009586ceee4
https://github.com/pfsense/pfsense/commit/38d110824c87ff60c6289c0432d55009586ceee4

Rebooting takes longer than before and takes ages to resume after showing "Setting up gateway monitors...done."
Starting unbound also takes really long now; stopping or restarting is fast.

Running those by hand is fast, but unbound also seems to have stopped logging directly after reboot.
It started logging again after the first time I started it by hand; it did not log the initial stop or start after the reboot.
Code:
[2.4.0-BETA][root@vpn2]/root: ps aux | grep unb
unbound 47812   0.0  2.3  68700 22708  -  Is   10:40    0:00.23 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    36828   0.0  0.2  14700  2404  0  S+   10:44    0:00.00 grep unb
[2.4.0-BETA][root@vpn2]/root: /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf stop
ok
[2.4.0-BETA][root@vpn2]/root: /usr/local/sbin/unbound -c /var/unbound/unbound.conf
[2.4.0-BETA][root@vpn2]/root: ps aux | grep unb
unbound 37895   2.0  2.2  66652 22308  -  Ss   10:44    0:00.13 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    38271   0.0  0.2  14700  2404  0  S+   10:44    0:00.00 grep unb
[2.4.0-BETA][root@vpn2]/root: /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf stop
ok
[2.4.0-BETA][root@vpn2]/root: /usr/local/sbin/unbound -c /var/unbound/unbound.conf
[2.4.0-BETA][root@vpn2]/root:



5
2.4 Development Snapshots / KVM crashed
« on: March 16, 2017, 10:41:58 pm »
My failover KVM crashed last night (QNAP NAS with Virtualization station), snapshot from March 9th.

Code:
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x30
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80cb910c
stack pointer         = 0x28:0xfffffe00003c5450
frame pointer         = 0x28:0xfffffe00003c5480
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = resume, IOPL = 0
current process = 9188 (sh)
FreeBSD 11.0-RELEASE-p8 #70 cf308415918(RELENG_2_4): Thu Mar  9 15:59:46 CST 2017
    root@buildbot2.netgate.com:/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense

I'll update it to a new snapshot now. Crash report has been submitted, IP ends in .143.1.27

6
2.4 Development Snapshots / Error setting Configuration Backup Count
« on: February 17, 2017, 09:07:31 am »
When setting the Backup Count to 0, I get the following error:

Code:
Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/config.lib.inc on line 757
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
0.3597 2148800 2. write_config() /usr/local/www/diag_confbak.php:41
2.1075 2492952 3. cleanup_backupcache() /etc/inc/config.lib.inc:481
2.1091 2498584 4. array_keys() /etc/inc/config.lib.inc:757

Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/config.lib.inc on line 757
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
0.3597 2148800 2. write_config() /usr/local/www/diag_confbak.php:41
2.1075 2492952 3. cleanup_backupcache() /etc/inc/config.lib.inc:481
2.1099 2498584 4. in_array() /etc/inc/config.lib.inc:757

Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/config.lib.inc on line 757
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
0.3597 2148800 2. write_config() /usr/local/www/diag_confbak.php:41
2.1075 2492952 3. cleanup_backupcache() /etc/inc/config.lib.inc:481
2.1109 2498528 4. array_keys() /etc/inc/config.lib.inc:757

Warning: in_array() expects parameter 2 to be array, null given in /etc/inc/config.lib.inc on line 757
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
0.3597 2148800 2. write_config() /usr/local/www/diag_confbak.php:41
2.1075 2492952 3. cleanup_backupcache() /etc/inc/config.lib.inc:481
2.1115 2498528 4. in_array() /etc/inc/config.lib.inc:757

Warning: array_keys() expects parameter 1 to be array, null given in /etc/inc/config.lib.inc on line 777
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
4.9383 2113096 2. cleanup_backupcache() /usr/local/www/diag_confbak.php:92
4.9390 2113832 3. get_backups() /etc/inc/config.lib.inc:697
4.9392 2113928 4. array_keys() /etc/inc/config.lib.inc:777

Warning: sort() expects parameter 1 to be array, null given in /etc/inc/config.lib.inc on line 779
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
4.9383 2113096 2. cleanup_backupcache() /usr/local/www/diag_confbak.php:92
4.9390 2113832 3. get_backups() /etc/inc/config.lib.inc:697
4.9398 2114112 4. sort() /etc/inc/config.lib.inc:779

Warning: array_reverse() expects parameter 1 to be array, null given in /etc/inc/config.lib.inc on line 781
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
4.9383 2113096 2. cleanup_backupcache() /usr/local/www/diag_confbak.php:92
4.9390 2113832 3. get_backups() /etc/inc/config.lib.inc:697
4.9403 2114112 4. array_reverse() /etc/inc/config.lib.inc:781

Warning: Invalid argument supplied for foreach() in /etc/inc/config.lib.inc on line 781
Call Stack:
0.0001 233920  1. {main}() /usr/local/www/diag_confbak.php:0
4.9383 2113096 2. cleanup_backupcache() /usr/local/www/diag_confbak.php:92
4.9390 2113832 3. get_backups() /etc/inc/config.lib.inc:697
This also seems to interfere with the Squid package at boot:

Code:
Crash report begins.  Anonymous machine information:

amd64
11.0-RELEASE-p7
FreeBSD 11.0-RELEASE-p7 #38 74fc727e9fd(RELENG_2_4): Fri Feb 17 00:26:24 CST 2017     root@buildbot2.netgate.com:/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[17-Feb-2017 16:05:22 Europe/Berlin] PHP Warning:  array_keys() expects parameter 1 to be array, null given in /etc/inc/config.lib.inc on line 757
[17-Feb-2017 16:05:22 Europe/Berlin] PHP Stack trace:
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   1. {main}() /etc/rc.start_packages:0
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   2. sync_package() /etc/rc.start_packages:58
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   3. eval() /etc/inc/pkg-utils.inc:622
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   4. squid_resync() /etc/inc/pkg-utils.inc(622) : eval()'d code:1
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   5. squid_resync_antivirus() /usr/local/pkg/squid.inc:2002
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   6. squid_restart_antivirus() /usr/local/pkg/squid_antivirus.inc:383
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   7. squid_stop_antivirus() /usr/local/pkg/squid_antivirus.inc:797
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   8. squid_install_freshclam_cron() /usr/local/pkg/squid_antivirus.inc:833
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   9. install_cron_job() /usr/local/pkg/squid_antivirus.inc:90
[17-Feb-2017 16:05:22 Europe/Berlin] PHP  10. write_config() /etc/inc/services.inc:2876
[17-Feb-2017 16:05:22 Europe/Berlin] PHP  11. cleanup_backupcache() /etc/inc/config.lib.inc:481
[17-Feb-2017 16:05:22 Europe/Berlin] PHP  12. array_keys() /etc/inc/config.lib.inc:757
[17-Feb-2017 16:05:22 Europe/Berlin] PHP Warning:  in_array() expects parameter 2 to be array, null given in /etc/inc/config.lib.inc on line 757
[17-Feb-2017 16:05:22 Europe/Berlin] PHP Stack trace:
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   1. {main}() /etc/rc.start_packages:0
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   2. sync_package() /etc/rc.start_packages:58
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   3. eval() /etc/inc/pkg-utils.inc:622
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   4. squid_resync() /etc/inc/pkg-utils.inc(622) : eval()'d code:1
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   5. squid_resync_antivirus() /usr/local/pkg/squid.inc:2002
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   6. squid_restart_antivirus() /usr/local/pkg/squid_antivirus.inc:383
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   7. squid_stop_antivirus() /usr/local/pkg/squid_antivirus.inc:797
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   8. squid_install_freshclam_cron() /usr/local/pkg/squid_antivirus.inc:833
[17-Feb-2017 16:05:22 Europe/Berlin] PHP   9. install_cron_job() /usr/local/pkg/squid_antivirus.inc:90
[17-Feb-2017 16:05:22 Europe/Berlin] PHP  10. write_config() /etc/inc/services.inc:2876
[17-Feb-2017 16:05:22 Europe/Berlin] PHP  11. cleanup_backupcache() /etc/inc/config.lib.inc:481
[17-Feb-2017 16:05:22 Europe/Berlin] PHP  12. in_array() /etc/inc/config.lib.inc:757


Filename: /var/crash/minfree
2048

7
Deutsch / No XMLRPC Sync
« on: February 03, 2017, 10:15:22 am »
Can someone explain this option to me? The more I think about it, the less I understand its purpose.
We don't sync the rule to slaves automatically, but it still gets overwritten on the slaves?

Quote
No XMLRPC Sync
Prevents the rule on Master from automatically syncing to other CARP members. This does NOT prevent the rule from being overwritten on Slave

8
Is it just my test system, or is it impossible to see the options for Translation -> "Other Subnet (enter below)" when trying to create a NAT rule using a different language?

9
Deutsch / 2.4 Translator Thread
« on: February 01, 2017, 07:08:00 am »
I'm opening a thread here for discussion around the 2.4 translation into German.
It would be nice if the other translators joined in so we could exchange ideas and coordinate here where needed. :)
The menu structure is almost finished, and the dashboard partly as well. Over the next few days I'll start on the firewalling section.

10
2.4 Development Snapshots / Bug #7086: stale zfs file systems
« on: January 19, 2017, 11:29:41 pm »
Does this mean we need to reinstall if we are using ZFS?

https://redmine.pfsense.org/issues/7086#change-30756

Edit: updated my VM, now it says:

Code:
cannot mount 'zroot/tmp': filesystem already mounted
cannot mount 'zroot/var': 'canmount' property is set to 'off'

11
2.4 Development Snapshots / Super Micro C2758 crashes
« on: January 14, 2017, 07:57:37 am »
Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 06
fault virtual address   = 0x78
fault code      = supervisor read data, page not present
instruction pointer   = 0x20:0xffffffff80e33224
stack pointer           = 0x28:0xfffffe01ed0977e0
frame pointer           = 0x28:0xfffffe01ed097860
code segment      = base 0x0, limit 0xfffff, type 0x1b
         = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags   = interrupt enabled, resume, IOPL = 0
current process      = 12 (irq269: igb1:que 3)

I have uploaded the crash info, this is the second time it happened in the last 24 hours.
Uploading IP ends with .143.1.27

Edit: kern.ipc.nmbclusters="1000000" has been configured

12
2.4 Development Snapshots / OpenVPN 2.4 AES-NI speed
« on: January 13, 2017, 08:36:50 am »
Upgraded my Super Micro C2758 a few hours ago and ran some OpenVPN 2.4 speedtests.
I tried a UDP server with TLS Enc and Auth, DH ECDH Only, ECDH Curve default, AES-256-GCM, No LZO Compression. OpenVPN runs on 127.0.0.1 with Port-Forwards.
Using the latest Tunnelblick beta switched to OpenVPN 2.4 OpenSSL (also tried with my Windows 10 VM with the native OpenVPN client and an SMB transfer).
iperf3 server in LAN, MacBook Pro 2014 connected to my WAN Switch.
Tests were run with 3 streams with and afterwards without -R. I rebooted after turning AES-NI on or off.

With the above OpenVPN parameters I'm getting roughly 250 MBit when downloading from LAN and 200 MBit uploading to LAN. It does not make a difference whether AES-NI is enabled or not; OpenVPN always uses 100% of one core.

Am I using the wrong config for AES-NI to work?

13
2.4 Development Snapshots / Traffic Shaper Wizard / ICMP queue problem
« on: January 12, 2017, 01:35:53 am »
Creating a fresh topic for this. :)
I never actually used the traffic shaper; I always created everything by hand when needed. So I must be doing something wrong here.

Latest 2.4 snapshot as of now. Mostly vanilla Proxmox KVM created for testing pfSense 2.4 beta, 2 em interfaces.

em0 LAN
em1 WAN

Checked via viconfig, no ezshaper section in the config.

Used the Multi WAN / LAN Wizard and kept everything at default except for Upload (20MBit) / Download (400MBit) and chose ICMP High Prio.
After finishing the wizard I rebooted.

Verified the rules:

Code:
[2.4.0-BETA][root@pfSense-beta]/root: cat /tmp/rules.debug | grep outbound
match    on {  em1  }  proto icmp  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other ICMP outbound"


[2.4.0-BETA][root@pfSense-beta]/root: pfctl -vvsr | grep -A2 outbound
@70(0) match on em1 proto icmp all label "USER_RULE: m_Other ICMP outbound" queue qOthersHigh
  [ Evaluations: 378       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 30474 State Creations: 0     ]

Ping www.heise.de through the test VM:

Code:
[2.4.0-BETA][root@pfSense-beta]/root: tcpdump -nvvi em1 icmp and host www.heise.de
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
08:10:09.790054 IP (tos 0x0, ttl 63, id 31661, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.178.22 > 193.99.144.85: ICMP echo request, id 57153, seq 1, length 64
08:10:09.816643 IP (tos 0x0, ttl 246, id 19159, offset 0, flags [DF], proto ICMP (1), length 84)
    193.99.144.85 > 192.168.178.22: ICMP echo reply, id 57153, seq 1, length 64
08:10:10.791350 IP (tos 0x0, ttl 63, id 31737, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.178.22 > 193.99.144.85: ICMP echo request, id 57153, seq 2, length 64
08:10:10.814755 IP (tos 0x0, ttl 246, id 47076, offset 0, flags [DF], proto ICMP (1), length 84)
    193.99.144.85 > 192.168.178.22: ICMP echo reply, id 57153, seq 2, length 64
08:10:11.792482 IP (tos 0x0, ttl 63, id 31896, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.178.22 > 193.99.144.85: ICMP echo request, id 57153, seq 3, length 64
08:10:11.816634 IP (tos 0x0, ttl 246, id 17809, offset 0, flags [DF], proto ICMP (1), length 84)
    193.99.144.85 > 192.168.178.22: ICMP echo reply, id 57153, seq 3, length 64

Result:

Code:
[2.4.0-BETA][root@pfSense-beta]/root: pfctl -vvsr | grep -A2 outbound
@70(0) match on em1 proto icmp all label "USER_RULE: m_Other ICMP outbound" queue qOthersHigh
  [ Evaluations: 467       Packets: 1         Bytes: 84          States: 0     ]
  [ Inserted: pid 30474 State Creations: 0     ]
 
[2.4.0-BETA][root@pfSense-beta]/root: pfctl -vvsq
queue qACK on em1 priority 6 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue qDefault on em1 priority 3 priq( red ecn default )
  [ pkts:       1172  bytes:      80801  dropped pkts:     52 bytes:   4385 ]
  [ qlength:   0/ 50 ]
  [ measured:     3.1 packets/s, 1.49Kb/s ]
queue qOthersHigh on em1 priority 4 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue qOthersLow on em1 priority 2 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue qLink on em0 priority 2 qlimit 500 priq( red ecn default )
  [ pkts:       2134  bytes:    1249152  dropped pkts:      3 bytes:   4542 ]
  [ qlength:   0/500 ]
  [ measured:     4.6 packets/s, 12.87Kb/s ]
queue qACK on em0 priority 6 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue qOthersHigh on em0 priority 4 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue qOthersLow on em0 priority 3 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
qOthersHigh stays empty.

Creating a rule by hand prevents the ruleset from loading:

Code:
pass  in  quick  on $LAN inet proto icmp  from any to any icmp-type any tracker 1484205722 keep state  queue (qOthersHigh)  label "USER_RULE: ICMP q test"
Result:

There were error(s) loading the rules: /tmp/rules.debug:141: syntax error - The line in question reads [141]: pass in quick on $LAN inet proto icmp from any to any icmp-type any tracker 1484205722 keep state queue (qOthersHigh) label "USER_RULE: ICMP q test"
@ 2017-01-12 08:22:05

Again, I might be doing something wrong here; I haven't used traffic shaping for a long time. :)
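The post above checks by eye whether `qOthersHigh` ever receives a packet. The following is an added example, not code from the post or from pfSense: a POSIX sh script that parses the text of `pfctl -vvsq` (in the layout shown above) and reports queues that have carried no packets on a given interface, plus queues that are dropping. The sample `pfctl` output embedded in the script is constructed to mirror the post's layout and is not a capture from a real system.

```shell
#!/bin/sh
# Added example, not code from the forum post or from pfSense: parse the text
# of `pfctl -vvsq` and report (a) queues that have never carried a packet on
# an interface and (b) queues that are dropping. This is the check the post
# performs by eye on qOthersHigh. The sample below is constructed to match the
# layout of the post's output; it is not a capture from a real system.

SAMPLE_PFCTL_VVSQ='queue qACK on em1 priority 6 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue qDefault on em1 priority 3 priq( red ecn default )
  [ pkts:       1172  bytes:      80801  dropped pkts:     52 bytes:   4385 ]
  [ qlength:   0/ 50 ]
  [ measured:     3.1 packets/s, 1.49Kb/s ]
queue qOthersHigh on em1 priority 4 priq( red ecn )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue qLink on em0 priority 2 qlimit 500 priq( red ecn default )
  [ pkts:       2134  bytes:    1249152  dropped pkts:      3 bytes:   4542 ]
  [ qlength:   0/500 ]
  [ measured:     4.6 packets/s, 12.87Kb/s ]'

# Emit one line per queue: "<iface> <queue> <pkts> <dropped>".
# Reads pfctl output from the files given as arguments, or from stdin.
queue_counters() {
    awk '
        /^queue / { queue = $2; iface = $4 }
        /\[ pkts:/ {
            # layout: [ pkts: N bytes: N dropped pkts: N bytes: N ]
            printf "%s %s %s %s\n", iface, queue, $3, $8
        }
    ' "$@"
}

# Queues on interface $1 that have carried zero packets, one name per line.
# A shaper queue that stays at 0 while traffic matching its rule is flowing
# means the rule is not assigning to it (the symptom described in the post).
empty_queues() {
    _iface="$1"
    shift
    queue_counters "$@" | awk -v want="$_iface" '$1 == want && $3 == 0 { print $2 }'
}

# Queues with any drops, as "<iface> <queue> <dropped>/<pkts>".
dropping_queues() {
    queue_counters "$@" | awk '$4 > 0 { printf "%s %s %s/%s\n", $1, $2, $4, $3 }'
}

# Demonstration on the constructed sample. On a live pfSense box replace the
# printf with:  pfctl -vvsq | empty_queues em1
printf '%s\n' "$SAMPLE_PFCTL_VVSQ" | empty_queues em1
printf '%s\n' "$SAMPLE_PFCTL_VVSQ" | dropping_queues
```

Run it once before and once after sending traffic that the rule should match; a queue that stays in the `empty_queues` output across both runs while the rule's own `pfctl -vvsr` packet counter increases is the mismatch the post describes.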


14
pfBlockerNG / Feature Request: DNSBL should use its own Unbound instance
« on: September 30, 2016, 02:45:29 am »
I don't know if this has been suggested before (sorry if it has; I searched the forum, but maybe not thoroughly enough), but it would be great to have the DNSBL feature use its own Unbound instance.

Benefits:

- great for people who want to set up a separate interface/subnet/WLAN just for ad blocking (like me)
- keeps the main DNS resolver untouched/alive in case anything goes wrong with pfBlocker's extra config

We could use the system Unbound config and just change the port to something like 5353, or use an instance that just forwards its requests to the main Unbound instance, also running on something like 5353.
To finally use the DNSBL resolver we could set up NAT from 53 to 5353 where needed.

Now flame me :)

15
General Discussion / pfSense Linux Port
« on: April 19, 2016, 02:42:32 am »
