Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - vinistois

Pages: [1]
DHCP and DNS / PFsense DNS vs Zentyal vs WS
« on: Yesterday at 01:13:32 pm »
I use two pfsense machines in HA with multi-WAN and it is rock solid with almost zero downtime in many months.

Currently using Zentyal inside the network for DNS, LDAP, and DC.  Its primary purpose is resolving internal DNS entries via their FQDN. This is essential, as we have an Ovirt cluster which relies heavily on DNS. If DNS is not reachable, it comes crashing down. For that reason I have two instances of Zentyal, one backing up the other and both being active DNS servers issued to hosts via their DHCP entries in PFsense.  I run one in Hyper-V on WS2016 and one in an Ovirt VM.

Now, Zentyal is causing many headaches. DNS entries are a pain to manage, even when it's working properly. Then there was this issue. Several hours of troubleshooting, and it still doesn't work properly. Can't manage it using RSAT like you're supposed to, LDAP is a tossup, sometimes works, sometimes doesn't, on and on...

I'm considering two options:

  • ditch Zentyal and do DC/DNS/LDAP through windows server 2016. Expensive because I would want a second server as backup DC and only have one bare metal box for this purpose.
  • move DNS to PFsense, ditch the DC altogether and use LDAP as a service from Jumpcloud.

Option 2 seems easiest to manage.  But..

  • Is the BIND package the preferred way to accomplish internal DNS resolution with automatic DHCP entries, or is Unbound?
  • Are there any issues with DNS, Bind or otherwise, with PFsense in HA?
  • Any reason I'm not thinking of that using pfsense as DNS for internal use is not a good idea?


DHCP and DNS / DNS refuses to update
« on: March 08, 2018, 02:21:28 pm »
PFsense local ---->  OpenVPN tunnel ----> PFsense remote

PFsense local has domain override setup in DNS resolver pointing to the DNS server at PFsense remote.  Works great and resolves all remote hosts.

Host at remote end used to be at  Changed it to   Updated entries in remote DNS server.  Updated static entry in remote DHCP.

resolving the hostname on the remote end resolves the correct new IP.

resolving the hostname on the local end resolves the old IP.

restarted DNS service on both ends.  Rebooted firewall on both ends.  No avail...

"Register DHCP static mappings in the DNS Resolver" is not checked on either end.

Where is PFsense local pulling this old IP from?

Result of DNS lookup from local end:  ( and are the DNS servers at the remote end)

Result   Record type   A
Name server   Query time   0 msec   24 msec   24 msec   21 msec

Routing and Multi WAN / WAN ISP insists on DHCP for static IPs
« on: February 06, 2018, 04:33:06 pm »
I have an ISP that is providing us with a static /29.  Telus Fiber.  To setup the IP, they insist we set our interface to DHCP, then call them and tell them the MAC address of our interface, at which point they register our static IP, and have us refresh the DHCP to pull it.  If I then set it up as a static IP with the correct gateway, it works.

After 24hrs, the gateway shows offline and I can no longer ping out from the WAN IP.  If I switch it back to DHCP, PFSense makes a new gateway with _DHCP appended to the WAN interface name. Looking at Gateway status, the original Static gateway now shows ONLINE, but the new one Pfsense made shows PENDING.

The new, automatically created gateway isn't assigned to any of my gateway groups. I can rule a network to the "Telus_Only" gateway group, and the clients pull public IPs that show as Telus IPs.  So it's working....

So I guess if telus doesn't see a DHCP request every day from my gateway, they deactivate my static IP.

I have 2 other WANs with other providers and they do not work this way, I configure the static IP and they stay online.  My next step is to setup a second pfSense box with sync, so I want to make sure it's setup correctly before moving forward.


OpenVPN / OpenVPN Config for Usenetserver VPN for one host only
« on: October 07, 2017, 12:02:24 am »
I want to share my working config for using Usenetserver's VPN service via OpenVPN.  Also I set it up to only send one host in my network through the VPN, leaving the rest through my regular WAN.

I spent a couple days trying to figure this out, because Usenetserver does not provide a guide for PFsense. All the info I found online was outdated or was just missing certain information.   Finally got it working well so I thought I should share in case anyone else is looking to recreate this. 

1. Create the certificate

SYSTEM -> Cert Manager -> CAs tab -> + Add

Descriptive name: Whatever "USNVPN"
Method: Import an existing Certificate Authority

Certificate data: Paste in the box the contents of this file
Certificate Private Key: leave blank
Serial for next certificate: 1


2. Create the VPN client

VPN -> OpenVPM -> Clients tab, +Add


Server mode: Peep to Peer (ssl/tls)
Protocol: UDP IPV4
Device mode: TUN layer 3
Interface: WAN
Local port:
Server host or address: Pick a nearby server's ip address from this list (you have to be logged into your account to view this page)
Server port: 1194
Proxy host or address
Proxy port
Proxy Authentication: none
Description: whatever you want

User Authentication Settings

Username:  (this is what held me up forever... you have to add to your username)
password: same password you use to access the website

Cryptographic Settings

TLS Configuration: Unchecked (do not use tls key)
Peer Certificate Authority: Select the CA you named in step 1.
Peer Certificate Revocation list: no
Client Certificate: webconfigurator default (server, yes, in use)
Encryption Algorithm: aes-256-CBC
Enable NCP: no
NCP Algorithms: defaults
Auth digest algorithm: sha256
Auth digest algorithm: no

Tunnel Settings

IPv4 Tunnel Network:
IPv6 Tunnel Network:
IPv4 Remote network(s):
IPv6 Remote network(s):
Limit outgoing bandwidth:
Compression: Adaptive LZO Compression
Topology: Subnet - one ip address per client
Type of service: no
Don't pull routes: YES
Don't add/remove routes: no

Advanced Configuration

Code: [Select]
remote-cert-tls server;
verb 3;
auth SHA256;
cipher AES-256-CBC;
auth-retry nointeract;

UDP Fast I/O: no
Send/Receive Buffer: default
Verbosity level: 3


3. Interface Assignment

Interfaces --> Assignments --> click usenetVPN (or whatever you named it in step 2)



Status --> OpenVPN

Should say status "up".  If it doesn't, click the log button top right next to the question mark.  Scroll to the bottom and try to decode what the error is.   If all is well you will see lots of "VERIFY EKU OK" and other such positive messages

If you're not up at this step, stop, some setting is wrong.

5. VPN Gateway

System --> Routing --> Gateways --> +Add

Interface: USENETVPN (or whatever you named it)
family: IPV4
Name: Some name USENETVPN_Gateway
Gateway: dynamic
Monitor IP: (worked, but maybe this should be a usenetserver ip address... not entirely sure)
Description: whatever description


6.  Outbound NAT

This part differs from some other guides because I only want one IP address going out the VPN.

Firewall--> Nat --> Outbound

Click manual outbound nat rule generation, click save, click apply.

ADD at top of list

Interface: USENETVPN (or whatever the interface is named)\
Protocol: any
Source: Network /  Ip address of the machine you want to VPN / 32 (the /32 will limit it only to this client)
Destination: ANY
Leave the rest default


7. Firewall Rules

Firewall --> Rules --> LAN interface

Add new on top

Action: Pass
Interface: LAN
Family: IPV4
Protocol: TCP/UDP
Source: Single host, enter in the ip of the machine you want to VPN
Destination: any

enable advanced options

Gateway:  Select the Gateway you setup in step 5


That should be it.  Go to the target machine and you should have internet access and you should appear to be somewhere else.  Go to google and type in what is my IP and it will tell you.  Go to a different client, and it should still be on your normal WAN IP.

Hope this saves someone some searching!

Routing and Multi WAN / Critique my Multi-WAN HA plan
« on: October 04, 2017, 03:35:01 pm »
My goal is layer 1, 2, and 3 redundancy into the rack for a persistent connection to AWS VPC and from a remote office.  I need to be able to do a transparent failover when losing any one piece of gear

- 2 power sources, both w/ online UPS

- 2 ISPs on different medium with 3 Static IPs each

- 3 5018A-FNT4 systems (2 in rack and one remote), with 2 port GBE cards in the rack units

- 2 Ubiquity US-48 Switches

- 2 application servers in rack with dual PSU and dual NIC, each running 4 windows VMs with essential services (redundant, only need one to operate)

- 1 storage server in rack with dual PSU and dual NIC (running windows server 2016)

- management interfaces on a separate nic+vlan with a dedicated thin client locally (eventually would like my own vpn into this)

Everything is racked up, waiting on the statics from the ISPs.   I would appreciate a sanity check on the config!

specific questions:

- openVPN, IPSec, or Tinc, or ?? for the tunnels

- Do I need to trunk the two switches to each other?  Or bridge them through Pfsense?  Or Both?    Wired both for now but not configured.   If one switch goes down, I am ok with losing anything that only has 1 nic (office workstations, ip cameras, etc)

- Anything I may have completely screwed up on?


Pages: [1]