

Topics - CDuv

OpenVPN / [Solved] Certificate for OpenVPN: why is it "server: No"?
« on: November 04, 2016, 06:14:18 am »
The certificates I am importing are tagged "Server: No" by pfSense and OpenVPN warns about possible issues:

Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected

The certificate was generated the exact same way I create certificates for my HTTPS websites (used by Nginx or Apache).

What is causing this "Server: No" label?
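The "Server" column and OpenVPN's warning both come down to X.509 extensions: RFC 5280 extendedKeyUsage (id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1) and the older Netscape nsCertType extension (SSL server bit). Which of the two a given pfSense release consults for that column has changed across versions. On the OpenVPN side, a client configured with remote-cert-tls server expects the serverAuth EKU (plus server-appropriate keyUsage bits), and the deprecated ns-cert-type option looked at nsCertType instead; either way the check is what stops one client's certificate from being used to impersonate the server. The following is an added example, not pfSense or OpenVPN code: a minimal DER decoder for those two extensions with hand-constructed sample values. The usable_as_server decision rule is my approximation of the column, not the exact test any one pfSense version applies.

```python
"""Decode the two X.509 extensions that decide whether a certificate counts as
a *server* certificate for OpenVPN/pfSense purposes: extendedKeyUsage (RFC 5280)
and the legacy Netscape nsCertType.  Added example with hand-constructed DER
sample values; not code from pfSense or OpenVPN."""

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
NS_SSL_CLIENT = 0x80                    # nsCertType bit 0
NS_SSL_SERVER = 0x40                    # nsCertType bit 1


def read_tlv(buf, pos=0):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Turn OID content octets into dotted notation (base-128 arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    cur = 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear ends the arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId  ->  list of dotted OIDs."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids


def parse_ns_cert_type(der):
    """nsCertType is a BIT STRING; return its flag byte (first content byte
    after the unused-bits count), or 0 if the string is empty."""
    tag, bits, _ = read_tlv(der)
    if tag != 0x03:
        raise ValueError("nsCertType must be a BIT STRING")
    return bits[1] if len(bits) > 1 else 0


def usable_as_server(eku_der=None, ns_cert_type_der=None):
    """Decision rule used by this example (an approximation of the pfSense
    'Server' column, not any one release's exact test): serverAuth in the EKU,
    or the SSL-server bit in nsCertType.  A certificate issued without either
    shows up as 'Server: No'."""
    if eku_der is not None and OID_SERVER_AUTH in parse_eku(eku_der):
        return True
    if ns_cert_type_der is not None and parse_ns_cert_type(ns_cert_type_der) & NS_SSL_SERVER:
        return True
    return False


# Constructed sample extension values (DER), not taken from any real certificate.
EKU_SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")
EKU_CLIENT_ONLY = bytes.fromhex("300a06082b06010505070302")
NSCERT_SERVER = bytes.fromhex("03020640")   # BIT STRING, 6 unused bits, flags 0x40
NSCERT_CLIENT = bytes.fromhex("03020780")   # BIT STRING, 7 unused bits, flags 0x80


def report(eku_der=None, ns_cert_type_der=None):
    """Summarise what the extensions say, the way a cert manager column would."""
    return {
        "eku": parse_eku(eku_der) if eku_der is not None else [],
        "nsCertType_server": bool(ns_cert_type_der is not None
                                  and parse_ns_cert_type(ns_cert_type_der) & NS_SSL_SERVER),
        "server": "Yes" if usable_as_server(eku_der, ns_cert_type_der) else "No",
    }


if __name__ == "__main__":
    print(report(EKU_SERVER_AND_CLIENT))
    print(report(EKU_CLIENT_ONLY))
    print(report(EKU_CLIENT_ONLY, NSCERT_SERVER))
```

To see what an imported certificate actually carries, run `openssl x509 -in cert.pem -noout -text` and look under "X509v3 extensions" for "TLS Web Server Authentication" (the EKU) or "Netscape Cert Type: SSL Server"; a certificate that has neither will be refused by any client that enforces remote-cert-tls server, regardless of what the GUI column says.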

My 2.3.2-RELEASE-p1 appliance (Lanner FW-7551: Atom C2758 with 8GB of RAM) is crashing at least once per hour.

It reboots itself and resumes network access automatically.

The crash report is as follows:
Crash report begins.  Anonymous machine information:

FreeBSD 10.3-RELEASE-p9 #1 5fc1b19(RELENG_2_3_2): Tue Sep 27 12:26:06 CDT 2016     root@ce23-amd64-builder:/builder/pfsense-232/tmp/obj/builder/pfsense-232/tmp/FreeBSD-src/sys/pfSense

Crash report details:

Filename: /var/crash/bounds

Filename: /var/crash/info.0
Dump header from device /dev/label/swap0
  Architecture: amd64
  Architecture Version: 1
  Dump Length: 80896B (0 MB)
  Blocksize: 512
  Dumptime: Wed Nov  2 13:21:44 2016
  Magic: FreeBSD Text Dump
  Version String: FreeBSD 10.3-RELEASE-p9 #1 5fc1b19(RELENG_2_3_2): Tue Sep 27 12:26:06 CDT 2016
  Panic String: sbflush_internal: cc 4294965256 || mb 0 || mbcnt 0
  Dump Parity: 916287357
  Bounds: 0
  Dump Status: good

Full crash report.

Googling led me to Issue #4689 and the freebsd-current mailing list but these are old/resolved issues.

I have:
  • 2.3.2-RELEASE-p1 (amd64) - built on Tue Sep 27 12:13:07 CDT 2016 - FreeBSD 10.3-RELEASE-p9
  • 3 LANs (where 2 are VLAN interfaces)
  • 3 WANs with loadbalancing
  • Some (few) NATs rules
  • Some firewall rules
  • 6 services
    • dhcpd (enabled on 2 interfaces)
    • dpinger
    • ntpd
    • openvpn
    • sshd
    • unbound

Edit: Added hardware brand and model

When I look at the prices on the official pfSense store and add 20% plus FedEx shipping, I find the prices of the French resellers ( quite high (+100€ on an SG-4860).

So my question: what is the point of not buying from the official pfSense store (apart from after-sales service for parts)?
Maybe to have other choices than the official models?

I am looking to buy a reliable hardware server for pfSense but fail to determine which requirements/model I need.

Here are my use:
  • About 100 users
  • Multi-WAN (load-balancing) scenario with 3 connections of 500Mbps each
  • Router redundancy: I would need extra Ethernet port and 2 servers
  • OpenVPN server: roaming and point-to-point
  • Snort or Suricata IDS
  • Captive Portal
  • Squid (possibly, not sure yet)

According to, I should aim to
  • Multiple cores at > 2.0GHz are required (because of 3x500Mbps WAN bandwidth)
  • More CPU (because of VPN and Captive Portal)

I am not yet sure if Squid would be activated or not, but I guess I would need some storage (SSD).

It looks like I should aim for at least an SG-4860 (because of the 2.4 GHz quad core CPU and 8GB of RAM) and buy an mSATA SSD later.

Do you agree with that? Would the SG-2440 suffice?

My v2.3.1 setup was running just fine (4.5 years now, started with v2.0.1) until August 2016 when I upgraded to v2.3.2.

Since then I got multiple crashes (pfSense detects it, reboots, and offers to send the report to the developers), including 3 in the last 24h.
At first I thought that Snort was causing too much load but the problem still occurs with Snort disabled.

Once, pfSense did not reboot and stopped answering pings; this was displayed on the physical terminal:

4em1: discard frame w/o packet header

Here are the running services:
  • darkstat (but disabled)
  • dhcpd
  • dpinger
  • ftp-proxy (but disabled)
  • ntpd
  • openvpn
  • sshd
  • unbound

What metric could I check to see if problem is load-related?

Here is the last crash report.

Setup is:
Version: 2.3.2-RELEASE (i386) built on Tue Jul 19 13:09:39 CDT 2016 FreeBSD 10.3-RELEASE-p5
CPU: Intel(R) Pentium(R) 4 CPU 2.80GHz 2 CPUs: 1 package(s) x 1 core(s) x 2 HTT threads
RAM: 3935 MiB


Hardware / Get current (and observed max?) Active Connections ?
« on: August 26, 2016, 03:56:24 am »
I am currently using a Dell server to run pfSense (v2.3) and considering buying an "official/specific" server for pfSense (2 actually: for CARP redundancy).

Is there a way to know the "Active Connections" count of my current setup (and any other useful "limiting" metric)? By knowing this I could determine which server I need.


OpenVPN / OpenVPN server with multiple public IP addresses [Resolved]
« on: July 11, 2016, 04:32:30 pm »

I want my OpenVPN (for mobile clients, not site-to-site) setup to work with any of my public IP addresses but it does not.

I have a WAN for which my ISP gave me 1+8 public IP addresses (1 legacy + 8 others bought later).
They were all added into a host alias and used in an "Outgoing NAT" rule with "Round Robin with Sticky Address" so that outgoing traffic uses all these addresses: this works fine (e.g. for outgoing web browsing).

I have configured a very simple OpenVPN server.
As my setup is multi-WAN (with load balancing), I also added a NAT rule "map external port 1194 to self's port 1194" for all my WANs.

Problem is that clients (official OpenVPN client v2.3.11) fail to connect to the server (with error: TCP: connect to [AF_INET] failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)) when using an address other than the first of the "host alias".

I am starting to believe that the outgoing Round Robin NAT rule causes problems with the server's response to the client's connection query.
I tried configuring the OpenVPN server to use TCP instead of UDP (thinking that TCP would be better for session handling): no luck.

What could I have missed?
How can I debug my setup and check how the OpenVPN responses are routed to the clients?

Note : I am running pfSense v2.3.1.

Since v2.3 I've realized some lists in the GUI (such as firewall rules) are width-restrained and use a horizontal scroll bar.
A horizontal scroll bar is a good thing when not wanting to break the UI, but restricting to a fixed (small) width is not adapted to large displays: space is lost.

In the following screenshot (from a 1920px wide display) we can see the horizontal scroll bars are there although there is still space for a wider table:

Combined with the "drag-n-drop" feature (to re-order rules): I cannot scroll without the scroll bar, which, on tables with many items, is not visible...

Is there a way to change this behavior? Either do not use scroll bars (and break the interface on very wide rows) or use a larger width.

NAT / [Solved] Using IP Aliases as NAT destination rule?
« on: June 03, 2016, 04:41:31 am »
In a multi-WAN context I have to make sure some destinations are only accessed via certain WAN interfaces because the destination is some pre-production webserver, special backoffice website or internal-use-only FTP operated by third parties that use a whitelist system to allow access.

Until now I used firewall rules (from:LAN to:the_destination_ip proto:HTTP/FTP/...) with Gateway Advanced Option set to route that traffic through a given WAN.

I then have a destination:WAN 1:1 mapping (to be honest it's a destination_address:destination_port:WAN mapping).

Recently I obtained more IP addresses (a /29 block) for my WAN_C interface and configured pfSense's NAT outgoing to use them (via round robin).

Because these third parties only know my original WAN_C IP address and it will take time for them to allow my new /29 block (if they can: many only accept one IP address) I have to make sure outgoing traffic to these destinations is not round-robined.
My first approach was to create/clone the firewall rules as NAT outgoing rules, but considering there are about 90 firewall rules, I wanted to factor everything and thought about the IP aliases.

If I create an IP alias with each destination inside, I could then create a single NAT outgoing rule that translates traffic from "LAN" to destination "this_alias" using the WAN_C IP address as the translation address, placing that rule before my round robin one.

Problem: NAT outgoing rule does not accept aliases as destination (nor source btw).
Is there a workaround?
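The rule the post wants to write relies on two pf behaviours: outbound NAT rules are evaluated top-down and the first match wins, and "Round Robin with Sticky Address" keeps one source on one translation address. The following is an added example, not pfSense or pf code: a small first-match outbound NAT model that expands an alias of pinned destinations and compares both rule orderings. Every address, alias name and the /29 pool below is an assumption constructed for the example; it also covers the multi-address WAN_C question further down.

```python
"""Toy model of pf's outbound NAT evaluation (first matching rule wins), used
to check the ordering the post proposes: a rule pinning an alias of third-party
destinations to the original WAN_C address, placed above the round-robin
sticky-address rule that spreads everything else over the /29 block.
Every address, alias and network below is an assumption made for this example."""
import ipaddress
from itertools import cycle

# Hypothetical addressing: original WAN_C address plus the new /29 block.
WAN_C_ORIGINAL = "203.0.113.1"
WAN_C_POOL = [WAN_C_ORIGINAL] + [f"203.0.113.{i}" for i in range(9, 15)]
LAN = "10.0.0.0/24"

# Alias of destinations that only know WAN_C_ORIGINAL (hypothetical entries).
ALIASES = {"third_parties": ["198.51.100.10", "198.51.100.16/29"]}


class Pool:
    """Round-robin translation pool with pf-style sticky-address semantics:
    a source keeps the address it was first given while its entry exists."""

    def __init__(self, addrs, sticky=True):
        self._next = cycle(addrs)
        self.sticky = sticky
        self._assigned = {}

    def pick(self, src):
        if self.sticky and src in self._assigned:
            return self._assigned[src]
        addr = next(self._next)
        if self.sticky:
            self._assigned[src] = addr
        return addr


def expand(spec):
    """'any', an alias name, a host or a CIDR -> list of ip_network objects."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    entries = ALIASES.get(spec, [spec])
    return [ipaddress.ip_network(e) for e in entries]


def contains(nets, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


class OutboundNat:
    """Rules are evaluated top-down; the first rule whose source and
    destination both match decides the translation (no match: no NAT)."""

    def __init__(self, rules):
        self.rules = rules

    def translate(self, src, dst):
        for rule in self.rules:
            if contains(expand(rule["src"]), src) and contains(expand(rule["dst"]), dst):
                target = rule["to"]
                return target.pick(src) if isinstance(target, Pool) else target
        return src


def build(pinned_first=True):
    pinned = {"src": LAN, "dst": "third_parties", "to": WAN_C_ORIGINAL}
    spread = {"src": LAN, "dst": "any", "to": Pool(WAN_C_POOL)}
    return OutboundNat([pinned, spread] if pinned_first else [spread, pinned])


def check_ordering():
    """Return what each ordering does for the traffic classes that matter."""
    good, bad = build(True), build(False)
    return {
        # Pinned rule first: third parties always see the original address.
        "good_third_party": good.translate("10.0.0.5", "198.51.100.10"),
        "good_third_party_net": good.translate("10.0.0.6", "198.51.100.18"),
        # Other destinations are spread over the pool...
        "good_other_first": good.translate("10.0.0.5", "93.184.216.34"),
        # ...and sticky-address keeps one source on one pool address.
        "good_other_again": good.translate("10.0.0.5", "192.0.2.44"),
        "good_other_src2": good.translate("10.0.0.7", "93.184.216.34"),
        # Round-robin rule first: the pinned rule is never reached, so each
        # source reaches the third party from whatever pool address it got.
        "bad_third_party": [bad.translate(f"10.0.0.{i}", "198.51.100.10") for i in range(1, 4)],
    }


if __name__ == "__main__":
    for name, value in check_ordering().items():
        print(f"{name:22} -> {value}")
```

The "bad" ordering is the failure mode to watch for after any rule edit: the round-robin rule matches "any" destination first, so the whitelist-only third parties get a pool address and silently drop the connection. On a real box, `pfctl -sn` shows the generated nat rules in the order pf evaluates them, which is the quickest way to confirm the pinned rule really sits above the round-robin one.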



I have a three-WAN setup with load-balancing: outgoing traffic (from local to Internet) uses any of the available WANs (WAN_A, WAN_B and WAN_C).
One of my ISPs (say WAN_C) can provide me with a /29 block of public IPv4 addresses (8 IPs), which would allow me to "advertise myself" under more IP addresses than now.

Can I configure pfSense so that:
  • Outgoing traffic is still load-balanced over my 3 WANs (according to load/usage)?
  • Traffic that the load-balancer sends through WAN_C is load-balanced over these 9 public IPs (the original WAN_C public address + the 8 new addresses)?
  • I can accept/block/forward incoming traffic (from the Internet to local, excluding already established outgoing traffic) that comes in on the WAN_C interface on a per-destination-IP basis? Reject some IP addresses, forward others, etc.
  • Incoming traffic for any of the 9 WAN_C public IPs is treated as a whole/the same (kind of default behavior)? I could then contact my hosted services on any of the WAN_C public IP addresses.

  • I am using pfSense v2.2.5
  • The 3 pfSense WAN interfaces are static IP
  • I host some (few) services on my LAN (with NAT+firewall rules)
  • I plan on enabling pfSense OpenVPN server


Traffic Shaping / Simulate a slower Internet connection using Limiters
« on: December 21, 2015, 12:24:49 pm »
I would like to pretend that one of my (I do multi-WAN) 100/100Mbit/s Internet connections is a 60/20Mbit/s one.
The goal is to determine if I could migrate to something slower (and cheaper) or not, so I'm willing to restrict the whole Internet connection to 60/20M for some days and see if users complain or not.

According to documentation, it can be handled by Limiters.

I have created two limiters:
  • "link20up":
    Bandwidth: 20Mbits/s (schedule=none)
    Mask: none
    No advanced options
  • "link60down":
    Bandwidth: 60Mbits/s (schedule=none)
    Mask: none
    No advanced options
And applied limiters changes.

I have created a rule on my WAN_A interface:
  • Protocol: any
  • Source: any
  • Destination: any
  • In/Out: link60down / link20up
Placed that rule on top of the WAN_A rules and applied the rules changes.

I started an SFTP transfer using FileZilla and both the FileZilla progress bar and the "Status: Traffic Graph" page confirm the limiter does not work (I can still upload at 40Mbit/s).
I did reset all the states (via the "Diagnostics: Reset state" page): still the same issue.

What have I done wrong?
Thanks for any lead.

I am using v2.2.5-RELEASE (i386).


I'm thinking about installing a second pfSense box and using CARP to have hardware redundancy for my (multi-WAN) Internet access.

One of my Internet connections directly provides the public IP I use on the Internet: (that's the IP configured on the WAN interface) and they say I have to use the gateway at

It is a "/30" network (namely: there are only 2 usable IP addresses, which are both already used: one by their gateway ( and the other by my current (no CARP configured) pfSense box (

Looking at the CARP documentation it seems CARP setups require each pfSense box to have its own IP on the WAN side (i.e. and in the documentation).
I understand they are required for each box to be able to access the Internet on its own (whether, in the "CARP" context, it is active or not) but do they have to be on the same network as the virtual IP of the WAN side (i.e.

Would the following setup work?

WAN VirtualIP: ("CARP" type)
WAN gateway: (the gateway configured for the WAN interface)

pfSense1 WAN IP: (using as gateway)
pfSense2 WAN IP: (using as gateway)

I know there are multiple topics about how pfSense can handle CARP-based hardware redundancy (e.g. Is CARP hardware redundancy possible with 1 WAN IP? and others I can't remember).

But when the question about mixing different hardware comes up, the answer is: "as long as they have the same number and order of interfaces, everything is good"

In my case I have a working multi-WAN pfSense setup with 2 physical network cards where one (em0) is for the LAN side and the second (em1) is split via VLANs for the WAN side:
  • WAN1 = VLAN 3 on em1
  • WAN2 = VLAN 4 on em1
  • WAN3 = VLAN 6 on em1

I would like to back up my pfSense with a spare box I have, but it only has one physical network card. I was going to use the "VLAN trick" again and configure it as follows:
  • LAN = VLAN 1 on em0
  • WAN1 = VLAN 3 on em0
  • WAN2 = VLAN 4 on em0
  • WAN3 = VLAN 6 on em0

But I don't know if the pfSync protocol will propagate the NIC interface configuration (the content of the "Interface assignments" and "VLANs" tabs of the "Interfaces" administration GUI) from the master box to the backup box, thus asking the backup box to use "em1", which it doesn't have.

Since version 2.1, whenever apinger detects that a gateway goes down I get an e-mail for each routing group the gateway is a member of.

Say GW_WAN1 is in the following routing group:
  • GW_LB

I get 4 e-mails each containing a single line:
  • MONITOR: GW_WAN1 is down, removing from routing group GW_LB
  • MONITOR: GW_WAN1 is down, removing from routing group GW_LB_WAN1_WAN2
  • MONITOR: GW_WAN1 is down, removing from routing group GW_WAN1_FO_WAN2
  • MONITOR: GW_WAN1 is down, removing from routing group GW_WAN3_FO_WAN1

This wasn't the case in version 2.0: I had a single e-mail per downed interface (the message was stating that the interface was removed from all routing groups, but without telling which they were).
Is there a setting somewhere to make apinger return to this behavior?

Note: the closed topic Warning messages had the same issue.

NAT / Redirect traffic from Virtual IP's port 53 to LAN's port 53?
« on: June 19, 2014, 04:08:26 am »
My pfSense box uses IP and I have a virtual IP (menu Firewall: Virtual IP Address) of type "IP alias" (on interface "LAN") that also makes it available via

I'm using Unbound DNS as a DNS server (instead of the DNS forwarder) but this package doesn't support my Virtual IP: the DNS server only listens on and thus ignores any DNS client that tries to contact it via

I'm wondering if I can use the following NAT rule to map VirtualIP:53 to LAN:53?

If    Proto    Src. addr    Src. ports    Dest. addr    Dest. ports    NAT IP        NAT Ports
LAN   TCP      *            *      53 (DNS)  53 (DNS)
