

Topics - repomanz

Routing and Multi WAN / gateway tier priority backwards?
« on: December 30, 2017, 08:18:40 pm »
Hi folks - maybe I'm reading this wrong in the help pages.  What I understand is that in a gateway group, the interface connection has priority values.  Meaning, if I have interfaces that are defined as tier 1 within the gateway group that they should take priority over interfaces within the same gateway group that are defined as tier 2.

Not sure why but my tier 1 interfaces seem to be taking lower priority than the tier 2.  Meaning, the amount of traffic coming into and out of my tier 2 defined interfaces is much greater than the tier 1 interfaces.  I have checked logs and such and my tier 1 interfaces are not going down. 



General Discussion / pfsense 2.4.2 upnp bug?
« on: December 04, 2017, 08:14:32 pm »
Hi everyone.

I have UPNP enabled but have two IP and ports defined in the configuration for access control to upnp.  However, I see that another client on the network has a upnp session open (and is not in the access rule).  Is this a bug?


IDS/IPS / suricata 4.0.02 > 4.0.1 failure
« on: November 29, 2017, 07:14:15 pm »
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-pkg-suricata from 4.0.0_2 to 4.0.1...
[1/1] Extracting pfSense-pkg-suricata-4.0.1: .......... done
Removing suricata components...
Menu items... done.
Services... done.
Loading package instructions...
pfSense-pkg-suricata-4.0.0_2: missing file /usr/local/share/licenses/pfSense-pkg-suricata-4.0.0_2/APACHE20
pfSense-pkg-suricata-4.0.0_2: missing file /usr/local/share/licenses/pfSense-pkg-suricata-4.0.0_2/LICENSE
pfSense-pkg-suricata-4.0.0_2: missing file /usr/local/share/licenses/pfSense-pkg-suricata-4.0.0_2/
pkg-static: Fail to rename /var/db/suricata/sidmods/.disablesid-sample.conf.HUI3RJW1OOGt -> /var/db/suricata/sidmods/disablesid-sample.conf:No such file or directory

General Questions / xboxone / strict nat and VPN
« on: November 10, 2017, 04:02:03 pm »
Hey everyone.

I'm beating my head against the wall here as I don't understand why xboxone NAT is not working when I try to VPN some clients (not the xbox).

Key point here:  I have a fully functional xbox one with open NAT based on the guide linked in this forum.  XboxOne is working, works well.   However the moment I attempt to VPN any traffic to my internal clients I completely break the NAT for xbox one.

Outbound rules (in order):

1) xbox static outbound rule is #1 in the list and is bound to WAN
2) LAN 1 subnet
3) LAN 2 subnet
4) openvpn interface #1
5) openvpn interface #2
6) openvpn interface #3
7) openvpn interface #4
8) openvpn interface #5

LAN 1 network is routed out through vpn client gateway group (openvpn interface #1 - #5)
LAN 2 network (where xbox lives) is routed out through WAN

All clients perform as they should.  I get a VPN address for clients in LAN 1.  Clients in LAN 2 get my WAN IP.   However with this configuration the NAT type is now broken. 

What can I check for here to see if additional configurations are required?  It's clear I'm missing a configuration with the VPN or interfaces, or not fully understanding how VPN and NAT work together.


OpenVPN / Correct outbound NAT configuration
« on: November 09, 2017, 07:37:42 pm »
Hi everyone.  I need some clarification on openvpn clients and outbound NAT.

I have 5 openvpn clients running and each client has its own interface.  I have each of the 5 openvpn interfaces grouped into 1 single vpn gateway group.

vpn group = vpn1, vpn2, vpn3, vpn4, vpn5

1) When I'm dealing with outbound NAT do I need to create a unique entry for each interface (vpn1, vpn2, ....) or can I just select the OPENVPN option?
2) The table below is what I have currently. Would I need to create an outbound NAT rule for each interface for the ISAKMP and the WAN rule specific to the vpn or openvpn interface choice?

Interface   Source   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description   Actions
WAN   *   *   500   WAN address   *      Auto created rule for ISAKMP - localhost to WAN    
WAN   *   *   *   WAN address   *      Auto created rule - localhost to WAN    
WAN   *   *   500   WAN address   *      Auto created rule for ISAKMP - LAN to WAN    
WAN   *   *   *   WAN address   *      Auto created rule - LAN to WAN    

General Questions / networking between interfaces
« on: November 08, 2017, 08:18:18 pm »
Hi everyone.  Quick question about pfsense / networking.

I have:

WAN (dhcp ip)
LAN1 (gateway
LAN2 (gateway

DHCP server on each LAN interface.

I have assets in LAN1 that my LAN2 clients need to get to.  Do I need to create an allow rule in LAN1 and LAN2 so the LAN2 clients are routed to the LAN1 network?

DHCP and DNS / DNS server on different interface subnet
« on: November 06, 2017, 04:57:37 pm »
Hi everyone.

Quick layout of my setup

1) I'm using dnsresolver within pfsense
2) under general settings I have google dns servers entered
3) I have 3 interfaces (WAN, LAN, LAN2)
4) I have 2 dhcp scopes (LAN, LAN2).  Each scope has the local DNS server assigned which resides on LAN one network

When entering the dns server IP residing on LAN for LAN2 dhcp server scope, the clients residing on LAN2 network stop functioning.   What is the best practice and appropriate LAN rules that I require for LAN2?  I attempted to create LAN2 rule > IP address of dns server on LAN (port 53) but that didn't work.


Installation and Upgrades / 2.4.1: local DNS not working
« on: November 05, 2017, 11:33:47 am »
Hi everyone.

I'm sure I have something misconfigured somewhere.

1) under general settings, I have the local DNS server set (10.180.x.x)
2) in dnsresolver, I have static mappings for a couple linux servers.  I also have dhcp and static ips being registered in dnsresolver.  dnssec is checked
3) in dhcp server, the dns value is blank (should default to #1 right)
4) in dhcp server I have a few static leases defined

However, my clients don't appear to be routing their DNS requests to the 10.180.x.x address above.   I've renewed their leases, flushed dns, bounced etc.  I also noticed that unbound restarts every few minutes (is that normal?)

Hoping I have something misconfigured here.  Thoughts?


General Questions / vpn gateway group / health
« on: November 01, 2017, 06:19:18 pm »
Hi Everyone.

Been enjoying pfsense quite a bit.  Have a new question now.

I have 5 openvpn client sessions connected to my VPN provider. These connections are individual interfaces that are bound into a gateway group for lan rules. I have the health checks enabled in the gateway group as well.   What I am finding is that a client within the network gets bound to an underperforming openvpn client session. I manually start that connection and the issue goes away. I'd enjoy getting out of the manual side of that process.

Are there any cron job scripts or other utilities that can measure the health of the connection and if bad restart that specific openvpn client interface? Something like a speed test through the interface and if it falls under x performance restart the interface.


OpenVPN / PIA / OpenVPN warnings
« on: October 23, 2017, 02:23:39 pm »
Hey folks,

I have PIA configured using the strong encryption (4096) but I get these warnings in the logs:

Oct 23 13:51:45   openvpn   71654   WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Oct 23 13:51:45   openvpn   71654   WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Oct 23 13:51:45   openvpn   71654   WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Oct 23 13:51:45   openvpn   71654   WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'

Am I misconfigured here? Traffic is going through VPN however.
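As an added example (not from the post, pfSense or OpenVPN), a small Python check that parses the "is used inconsistently" warnings quoted above and rates the remote side's values against an assumed policy (64-bit block ciphers, SHA1/MD5 auth, key size under 256 bits); the sample log is constructed from the post's lines.

```python
import re

# Constructed sample in pfSense's "date  process  pid  message" log layout:
# the four warning lines quoted in the post plus one ordinary line.
SAMPLE_LOG = """\
Oct 23 13:51:45   openvpn   71654   WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1542'
Oct 23 13:51:45   openvpn   71654   WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Oct 23 13:51:45   openvpn   71654   WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Oct 23 13:51:45   openvpn   71654   WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Oct 23 13:51:46   openvpn   71654   Initialization Sequence Completed
"""

# OpenVPN repeats the option name inside both quoted values (local='cipher AES-256-CBC').
WARN_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P=opt) (?P<local>[^']*)', remote='(?P=opt) (?P<remote>[^']*)'"
)

# Assumed audit policy (mine, not from the post): 64-bit block ciphers and legacy HMAC digests.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
WEAK_AUTH = {"SHA1", "MD5", "none"}


def parse_warnings(log_text):
    # One dict per "is used inconsistently" warning; other log lines are ignored.
    out = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            out.append({"option": m["opt"], "local": m["local"], "remote": m["remote"]})
    return out


def audit(warnings, min_keysize=256):
    # Rate each mismatch: "high" when the remote side's value falls below policy.
    findings = []
    for w in warnings:
        opt, remote = w["option"], w["remote"]
        if opt == "cipher" and remote in WEAK_CIPHERS:
            sev, why = "high", f"remote advertises 64-bit block cipher {remote}"
        elif opt == "auth" and remote in WEAK_AUTH:
            sev, why = "high", f"remote advertises legacy HMAC digest {remote}"
        elif opt == "keysize" and remote.isdigit() and int(remote) < min_keysize:
            sev, why = "high", f"remote key size {remote} is below the {min_keysize}-bit minimum"
        elif opt == "link-mtu":
            sev, why = "info", "MTU mismatch affects fragmentation, not the crypto"
        else:
            sev, why = "low", "values differ but neither side is below policy"
        findings.append({"severity": sev, "option": opt, "local": w["local"], "remote": remote, "why": why})
    return findings
```

These warnings compare advertised option strings; with cipher negotiation in OpenVPN 2.4 the data channel can still end up on a stronger cipher, so the "Data Channel Encrypt" line logged after the handshake is what shows the cipher actually in use.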


pfBlockerNG / pfblockerNG dnsbl issue
« on: October 19, 2017, 02:41:14 pm »
Hi folks,

Post 2.4 upgrade (and latest pfblockerng package) I'm having a problem with this error below:

/usr/local/www/pfblockerng/pfblockerng.php: The command '/sbin/ifconfig 'igb1' delete ''' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'

For now I have dnsbl turned off but would like to get it enabled soon.

Thoughts on how to fix?


IDS/IPS / disable sid sidmgmt error in system logs
« on: October 19, 2017, 02:38:01 pm »
Hi folks,

running pfsense 2.4 and the latest suricata package (via package manager).  After upgrading I'm getting this error in the system logs:

suricata_check_for_rule_updates.php: [Suricata] Error - unable to open 'disable_sid_file' "disablesid.conf" specified for LAN

Did I lose a configuration file during upgrade? Is there somewhere I can find this file?


pfBlockerNG / dnsbl geoblocking unselected country
« on: September 11, 2017, 09:30:38 pm »
Hi folks.

I have geoblocking enabled but noticing it's blocking this IP address (US based IP):

However I do not have US selected in the geoblocking sections (top 20, NA, etc). 

denied list:
Sep 11 21:18:43   LAN   pfB_Top_v4    (1770009096)   TCP-S    xboxone       US   Country

Is there something I can do within pfblockerng to resolve?

General Questions / pfsense dns options (for my requirements)
« on: August 28, 2017, 12:23:07 pm »
Hi folks,

I'm new to pfsense but I'm up and running now and it has been quite cool to implement this so far. However I need to do some tuning in my configuration that suits my needs and I'm not sure what the best practice is here so turning to the pfsense team & community for guidance around my dns needs.

information about my configuration so far:
* I am using google dns (under general settings)
* I have dhcp addresses being leased out by pfsense
* In my dhcp server properties, I do not have any dns ips entered thus using google dns servers
* I have my entire network being tunneled over to my VPN provider
* I am currently using dns resolver, dns forwarder is not enabled
* I have pfblockerng enabled with geoip, ip4 and ip6 black lists defined
* I have static dhcp mappings defined

However I need some guidance around these items (as a holistic solution):
1. need to block specific websites (like adult) for certain clients within the LAN
2. would like to ad block the entire internal network
3. need to resolve static ip dns within the lan

Solutions I've tried but they don't seem to work correctly:
* I've added the pihole IP in the dhcp server definition. This works well for blocking ads across the lan but then my clients lose dns information on the static dhcp mappings defined in pfsense. Additionally pihole doesn't let me block adult themed websites for specific clients
* I have tried pfblockerng dnsbl but when browsing websites with ads the client browser doesn't seem to like the domains being black listed and leaves a terrible looking page (broken links and such).
* I haven't tried this yet but I thought about building another pihole for these specific clients that need to be blocked by using opendns or norton. I would then use the dns value in these clients static dhcp mapping.

All of these above seem to be pretty rookie/kludgy. Is there a better solution with pfsense and other packages? Trying to find a clean solution that meets the 3 requirements above. In my home router, asus rt68u these requirements were easily done so just trying to figure out how to do it within pfsense.


