Netgate SG-1000 microFirewall



Topics - Michel-angelo

1
Hello. My SG-1000 microfirewall is usually configured as a router with its WAN port connected by DHCP to the LAN port of a modem-router. The modem-router connects to my ISP by PPPoE.

Today, I want to test replacing my usual modem-router by a Thomson Speedtouch ST510V6 modem, which is configured in bridge mode instead of being a router. So, instead of using DHCP on the SG-1000's WAN port, I use PPPoE and the Username and password given to me by my ISP.

As configured, the Thomson Speedtouch LAN port IP is 10.0.0.1, while its WEB GUI access is at IP 10.0.0.138.

I can connect my Macbook computer to the Thomson Speedtouch WEB GUI by a direct ethernet cable at the IP address 10.0.0.138 and configure it from there.

If I connect the Thomson Speedtouch to the WAN port of my SG-1000 by PPPoE, and then connect my mac computer to the LAN port of the SG-1000, the mac computer receives internet connection. However, it can no longer access the WEB GUI of the Thomson Speedtouch.

On the Terminal application of the mac, PING appears to be blocked by the SG-1000. If I issue the terminal command: "ping 10.0.0.138", the reply is:

Request timeout for icmp_seq xx
60 bytes from 80.10.124.25: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 2907   0 0000  3e  01 8707 192.168.1.105  10.0.0.138

Repeated for each ping attempt.

The sole change I did on the SG-1000 configuration was replacing DHCP by PPPoE (with Username and password) on the WAN configuration of the SG-1000.

What could I be doing wrong? What should I do to access the WEB GUI of the Thomson Speedtouch modem through the SG-1000 firewall? TIA for any help.

2
Traffic Shaping / PRIQ Traffic Shaper - How to optimize?
« on: December 14, 2017, 07:27:45 am »
Hello. Beginner in using pfSense, I have configured my SG-1000 to do traffic shaping with Priority Queuing (PRIQ).

The set-up is as simple as I could make it:

1 WAN and two LANS (home and guests), no phone over IP, no TV over IP, no peer to peer, no games. Hence the setup is basic also:

Modem ISP data:      Downstream   Upstream
SNR Margin:                 7.0        6.0   dB
Line Attenuation:          63.5       31.5   dB
Data Rate:                 3424        896   kbps

Using the wizard: I presently use the ratio .86 for downstream and upstream (3424 x 0.86 = 3000). It works and the ADSL line from my ISP seems to be stable. But I have no way to know if this is the optimal setting and how to improve.
1 WAN, 2 LANs, PRIQ:   3000 / 770 kbps (downstream / upstream)

No VoIP, No use for penalty box, No peer to peer, no games, no change to other applications.

I have tried adjusting download and upload speed for the WAN, using the same proportional reduction for both, and adjusted each day at .80, then .82, then .84, then .86, then .88, then .90 and so on. Each day, I performed speed tests and, more recently, made a screenshot of the queues. This did not help me determine how to optimise.

What should I be trying to optimize?

3
Hello. I am new to pfSense and have recently purchased a SG-1000 microfirewall. I use it in my home as my primary firewall-router, hence it must not be allowed to stop working. So far, it is happily doing its work and I like it that way. However, this SG-1000 is also a learning tool I use to learn how to use pfSense (I have also purchased the book), mainly for firewalling, VLAN and traffic shaping. In yesterday's second post of substance <https://forum.pfsense.org/index.php?topic=138846.msg758855#msg758855>, I created a guest network, intended for dumb IoT devices rather than clever guests, and try to prevent guests (or crazy IoT thingies) from ever thinking of touching the SG-1000 WebGUI. Dangerous stuff in uncertain hands like mine. All my other devices (Airport devices, Zyxel modem) have a nice reset button on the box. I have had use for them on many occasions where I had severely goofed (unintentionally). These reset buttons have saved my bacon many times.

I looked at the SG-1000 box and have seen no trace of a reset button.

Is there any?

How do I use it?

If there is none, what do I do if I lose access to the user interface?

Thanks in advance.

4
Firewalling / Create a guest network with VLAN tag 1003
« on: October 25, 2017, 11:31:25 am »
Hello. This is part of my learning process since my recent purchase of a SG-1000 firewall. Please be patient with me!

At my home, as indicated on the attached schematic,

1 - A Zyxel modem-router located in the basement creates a first LAN on the 192.168.0.1/24 address field, whose sole client is the SG-1000 pfSense firewall router.

2 - A SG-1000 pfSense firewall router also located in the basement is connected to it. Its WAN address is currently 192.168.0.33 (it can change since it is obtained by DHCP from the Zyxel modem router). It delivers my Main Network on the 192.168.1.1/24 address field, on my home ethernet backbone. Its current configuration is the default configuration (which mainly blocks all [inbound] packets on the WAN side [except of course those that are replies to outbound requests] and allows all [outbound] packets on the LAN side). Among other devices, three wifi devices are connected to this ethernet backbone:

2.1 A Time Capsule for computers' backups on the top floor, where the main computers are located;

2.2 An Airport Extreme base station on the 1st floor which is a living area;

2.3 An Airport Express base station on the ground floor which is where the TV set resides.

All three wifi devices are configured the same and deliver (a roaming arrangement) the above Main Network under the name of "Internet de Bianca" (same password).

Now, I want to add to my Main Network a second network reserved for guests (Guest Network). The Guest Network would distribute access to the internet to guests but would provide no access whatsoever to any element of the Main Network (no access to connected computers, which includes no access to the printer and scanner, no access to the configuration of wifi devices, no access to the configuration of the SG-1000 main router, no access to the configuration of the Zyxel external modem router). The Guest Network would be accessible on the home ethernet backbone.

Since I have one and only one home ethernet backbone, I would like the Guest Network to be characterized by VLAN tagging, something I believe the pfSense router is able to do.

To distribute the Guest Network to users, I would like to use a Guest wifi network, separate from Internet de Bianca. I would call it "Invites de Bianca" and both devices would use the same password for guests. Both devices (Airport Extreme and Airport Express) are capable of distributing a guest network as long as they are created by VLAN tagging using the VLAN tag 1003.

I read that on Darko Krizic's techblog at <http://tech.krizic.net/2013/09/apple-airport-extreme-guest-mode-with.html> and I want to do the same.

The SG-1000 pfSense router is presently configured with the default configuration with two interfaces only:

WAN 192.168.0.33

LAN 192.168.1.1

I believe, based on Darko Krizic's blog, that I need to do the following:


1 - Add a second assignable LAN interface by

Interfaces > assignments > VLANs

To create a third interface called INVITES 192.168.2.1

Click + to add an interface. Then on the assignment window:

Parent interface: Select the LAN interface

VLAN tag: 1003

VLAN priority: 7 (lowest possible priority)

Description: LAN_Invites_de_Bianca

Click: Save


2 - Assign this second LAN interface to INVITES

Interfaces > Interfaces assignment > Available networks ports > Add

The interface has been added; pfSense calls it OPT1 by default. I change the name to INVITES for guests.

The interfaces menu changes automagically:

Interfaces / OPT1 => Interfaces / INVITES 

Click: Enable interface

IPv4 configuration type: Static IPv4

IPv6 configuration type: None

IPv4 Address 192.168.2.1 / 24

I call the main network 192.168.1.1 / 24

I call the guest network 192.168.2.1 / 24

IPv4 upstream gateway: None (because this is a local area network)

Click: Save

Apply changes


3 - Create the new DHCP server that the INVITES network needs

Services > DHCP server > INVITES

Enable DHCP server on INVITES interface

Range: from 192.168.2.100 to 192.168.2.199

Click Save


4 - Have a look at rules on the LAN interface (that is to be able to copy them)

Firewall > Rules > LAN

First rule is anti-lockout rule

Second rule for IPv4

Action : Pass

Interface: LAN

Address family: IPv4

Protocol: Any

Source: LAN net

Destination: Any

Third rule for IPv6

Action : Pass

Interface: LAN

Address family: IPv6

Protocol: Any

Source: LAN net

Destination: Any


5 - Add to the INVITES interface a rule similar to the default LAN rule, to allow access to the internet, at least in the IPv4 address family (addressing IPv6 could be another layer of complexity)

Firewall > Rules > INVITES

One and only one rule:

Action: Pass

Interface: INVITES

Address family: IPv4

Protocol: Any

Source: INVITES net 

Destination: Any

Save

Apply


6 - Backup configuration


7 - Test

It continues to work on its original LAN Internet de Bianca

I then configured the Airport Extreme and the Airport Express as bridges and added the guest network.

I tried it on the guest network "Invites de Bianca". IT WORKED !!! (thanks to Darko Krizic)

Now, what my tests report:

When I connect my mac to the guest network Invites de Bianca, I can access:

The internet at large (so it appears);
The configuration interface of my SG-1000 pfSense router;
The configuration interface of my Zyxel modem router;

But I do not find access (according to my attempts) to:
My printer, my scanner (located on the main network);
The configuration interfaces of my Apple wifi devices;
Other computers on my network.

Can anyone explain (this is a learning experiment) the following:

1 - My unique rule on the new INVITES interface states (among other things): "Protocol: Any; Source: INVITES net; Destination: Any". I believed "Destination: Any" would allow packets originating on the INVITES side (INVITES net) to go to my main network and to any of its guests (such as my printer). Why is my belief wrong?

2 - I thought I would need two rules on my INVITES interface: the last rule would block any and all traffic originating from INVITES; the first rule would specifically allow any and all traffic originating from INVITES to the interface that is the internet connection (the WAN interface). Why is it that I do not seem to need to create the block-all last rule on the INVITES interface?

3 - I wanted to block access to the SG-1000 pfSense firewall router interface. How can I do that?

4 - I wanted to block access to the Zyxel modem router interface. How can I do that?

Many thanks in advance.
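
The rule from step 5 and the blocking asked about in questions 1, 3 and 4, as an added example that is not part of the original post: a small Python model of pfSense's first-match rule evaluation on the INVITES interface, showing why "Source: INVITES net, Destination: Any" reaches the main network and the two router GUIs, and how block rules placed above the pass rule change that. The firewall's own addresses stand in for pfSense's "This Firewall" alias; the guest lease, the printer address and the public address are constructed.

```python
from ipaddress import ip_address, ip_network

# Networks as described in the post. The three firewall addresses stand in for
# pfSense's built-in "This Firewall" alias; the WAN address 192.168.0.33 is a
# DHCP lease and can change, so in the real GUI use the alias, not the literal.
LAN_NET = ip_network("192.168.1.0/24")
INVITES_NET = ip_network("192.168.2.0/24")
UPSTREAM_NET = ip_network("192.168.0.0/24")        # Zyxel modem-router side
ANY = ip_network("0.0.0.0/0")
THIS_FIREWALL = [ip_network(a) for a in ("192.168.2.1/32", "192.168.1.1/32", "192.168.0.33/32")]


def make_rule(action, src, dst):
    """One GUI rule with Protocol: Any. dst is a network or a list of networks (an alias)."""
    return {"action": action, "src": src, "dst": dst if isinstance(dst, list) else [dst]}


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation, as pfSense generates every GUI rule with 'quick'.

    A packet that matches no rule hits the interface's implicit default deny,
    which is why no trailing block-all rule is needed on INVITES."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src in rule["src"] and any(dst in net for net in rule["dst"]):
            return rule["action"]
    return "block"


# Step 5 of the post: the single rule "Pass, Source INVITES net, Destination Any".
ORIGINAL_RULES = [make_rule("pass", INVITES_NET, ANY)]

# Hardened set: block rules sit above the pass rule so they match first.
HARDENED_RULES = [
    make_rule("block", INVITES_NET, THIS_FIREWALL),  # SG-1000 WebGUI on every interface
    make_rule("block", INVITES_NET, UPSTREAM_NET),   # Zyxel modem-router GUI
    make_rule("block", INVITES_NET, LAN_NET),        # printer, scanner, computers, AirPort GUIs
    make_rule("pass", INVITES_NET, ANY),             # everything else, i.e. the internet
]


def guest_reachability(rules):
    """Verdict for a guest at 192.168.2.150 (a constructed DHCP lease) per destination."""
    targets = {
        "internet": "203.0.113.10",      # constructed public address (TEST-NET-3)
        "sg1000_gui": "192.168.2.1",
        "zyxel_gui": "192.168.0.1",
        "lan_printer": "192.168.1.50",   # constructed LAN host
    }
    return {name: evaluate(rules, "192.168.2.150", ip) for name, ip in targets.items()}


if __name__ == "__main__":
    print("original:", guest_reachability(ORIGINAL_RULES))
    print("hardened:", guest_reachability(HARDENED_RULES))
```

Blocking "This Firewall" also blocks the DNS resolver listening on 192.168.2.1, so a pass rule for port 53 to the INVITES address must sit above that block, or guests must be handed an external DNS server by DHCP; the DHCP server's own allow rules are added by pfSense automatically.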

5
General Discussion / Add snapshots to a post on the pfSense forum
« on: October 25, 2017, 11:16:44 am »
I can see that it is quite mandatory to add pictures like snapshots of the webGUI when posting a question or a solution. What is the recommended method for doing that?

Here is an example: I have just done a drawing of my network as was required by a pfSense grizzled veteran. I reduced it to a jpeg 969 x 960 px image. In the insertion point below, I use the button "insert image".



I then attach the file using "Attachments and other options" to this post.

What should I have done for the image to appear in the post? TIA


6
Hello. I sent this to Netgate Sales:

<quote>

I just bought and received yesterday a SG-1000 device. It worked out of the box. I configured it as standard (mainly adding a password). It still worked. I saved the configuration this morning. I did the update this morning. It still worked. I saved the configuration. My internet access works.

Now looking carefully at the GUI, I found the following note [a note to me !]

Notices

Filter reload

There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table bogonsv6: Cannot allocate memory - the line in question reads [18]: table <bogonsv6> persist file "/etc/bogonsv6"
@2017-08-23 11:20:29

This results from my updating the firmware, of that I am quite certain.

What do I need to understand from that? Should I be worried?

What can I do to correct whatever is wrong?

What can you do to help me? TIA

</unquote>

The reply from Netgate sales was:

<quote>

Yes, there is a known bug on SG-1000 regarding table size error logs -

https://www.reddit.com/r/PFSENSE/comments/67eqgr/cannot_define_table_bogonsv6_cannot_allocate/

A workaround appears to be to increase System -> Advanced -> Firewall Maximum Table Entries.

Keeping in mind SG-1000 has only 512Mb of RAM the firewall maximum Table Entries could be set to 500K.

You have only community support, for detailed help about your issue please visit forum.pfsense.org or purchase support - https://www.netgate.com/support/

</unquote>

This is a bug, a bug! How could Netgate believe they can escape the obligation to correct when they make mistakes?

Nevertheless, I changed, at the stated location, the value written "200000" (the default value) into "500000" (should it be 512000?). I have no idea if this works or not and how to redo the update, since the SG-1000 states that it is now up to date. BTW, the SG-1000, presently, works. Should I revert to my earlier firmware backup (before the firmware update)?

And Netgate sales then had an after thought:

<quote>

By the way - it is not an issue for systems with RAM equal to or higher than 512Mb

https://redmine.pfsense.org/issues/4876

</unquote>

What do I do? Do I need to increase the RAM? Can I do that? How?

TIA

7
Hello. I just purchased and received a SG-1000 router, after a preliminary question, related to traffic shaping, on this forum:

https://forum.pfsense.org/index.php?topic=134207.0
Can I hope to improve on my 2 Mb/s download with pfSense traffic shaping?

In my home network, a Zyxel modem-router delivers LAN1 on the 192.168.0.1/24 address field. Then the WAN port of an Airport Extreme access point is connected to it and, with its router activated (double NAT), delivers LAN2 on the 192.168.1.1/24 address field. This is my home LAN. The Airport Extreme also provides a guest network by VLAN tagging.

I unplugged my airport Extreme, plugged in its stead the SG-1000 out of the box, and it immediately worked, delivering (only this step), the main network (not yet the guest).

In view of the double NAT, the WAN is a private network, so I believed that I would need to untick "Block private networks" from entering via WAN. In view of the fact that the box was ticked by default ("block") and yet it worked, I left it that way and I nevertheless have internet access on my LAN2.

What is the option "Block private networks" supposed to do?

If it blocks access to the WebGUI to private addresses situated on the WAN side, is access to the webGUI denied to public addresses but nevertheless authorized to public addresses?

How do I block access to the WebGUI from anything located on the WAN side? TIA

8
Hello. I am not (yet) a pfSense user and am considering becoming one, but I feel humbled by the average skill level out here. I apologise in advance for the unsatisfactory aspect of the description below.

In view of my slow bandwidth at my home (about 2 Mb/s down, 0.7 Mb/s up), I want to explore the possibility of throttling the bandwidth of most bandwidth users in my home, because from time to time, my computers get sick at not receiving the info they need from servers to survive (and they become unable to conduct a screen sharing session with Apple Assistance). I wonder if using a pfSense router (like the little red SG-1000) and using on it some traffic shaping tricks would help.

Or maybe I am being insane.

The main issues clogging my macs that I have identified (at home, we have 2 macs, 2 iPhones, one iPad and many Dropbox shared folders) are:

1 - Automatic wifi updates of my wife's iPhone pressuring my ADSL line just when the Apple servers delivering the updater are overloaded with tons of demands from other luckier connected iPhones (Sadly, I cannot suggest her out of that "no-hassle" habit if I want to preserve my happy marriage);

2 - iTunes automatic downloads of stuff I buy from any of my machines (iPad or iPhone) or of podcasts or other stuff;

3 - iTunes manual updates for iPhone & iPad Apps, and for iPhone and iPad iOS updates;

4 - App store automatic downloads of just about everything with automatic install, for mac OS security updates, mac OS updates and mac Apps;

5 - iCloud sync of iCloud data, whose total volume I reduced to a trickle (data volume of less than 0.5 GB in the Apple servers);

6 - Dropbox (data volume totaling about 11 GB), which I use a lot and is installed on two accounts each on my MacBook (Abeille webmaster and me) and iMac (my wife and me), where bandwidth is adjustable and which I limited on each account to: Down: 10 kb/s; Up: 5 kb/s;

7 - Mail IMAP accounts (I still receive from crazy friendly friends who live close to their ADSL provider massive 30 MB dumps of photos which block everything when they come to pass);

8 - Others, undoubtedly.

My questions to pfSense wise and unwise people are:

Can pfSense traffic shaping help me to overcome the above issues?

If I purchase the SG-1000 device, red, with its one-year subscription to whatever training there is for it from Netgate and keep on sustaining my vow of never using linux terminal commands (too hard for me), can a newbie like me cope with the effort?

TIA.

9
Hello. I want to use a SG-1000 microfirewall router in my home, configured as a router serving two or three separate VLANs (main, guest with VLAN tag 1003, IoT) with the firewall on. FWIW I use a Mac and Airport Extreme and Time Capsule Wifi access points. I live in France where, unlike the US, electricity is delivered at 220 Volts, 50 cycles/second. Can I buy a SG-1000 router fit for that environment from <https://www.pfsense.org/products/>? Otherwise, do you have a recommendation for me? TIA
