

Topics - tlum

1
How would you configure an interface for the native/untagged VLAN in a trunk? Each vendor seems to have its own way to go about it... Cisco, for example, defaults it to ID 1, but you can change that on some products.

I think people get confused because native/untagged has no ID, so most devices have some way of assigning their own logical ID so that you can reference something that by its very nature has no intrinsic reference.

Also, some switches can tag untagged trunk traffic, so if you're downstream from that you'd use the switch's default ID. So yes, I could probably get a good managed switch to make this a moot question, but I am interested in how you would do it with pfSense.

TIA

2
NAT / Outbound SIP traffic: How to
« on: February 16, 2017, 09:17:53 pm »
What is the correct way to configure NAT and FW for outbound SIP from a SIP server?

Right now I have no problem with the call setup. When the server performs the call setup the outbound SIP traffic establishes a UDP state which allows the SIP replies from the remote server... then the RTP stream starts up and the lack of continued UDP traffic allows the UDP state to expire, so when the remote servers attempt to tear down the calls, the packets end up in the fail logs. Due to the dynamic nature of the source port you can't set a static forward rule. The call gets torn down anyway 30 seconds after the RTP stream ends... assuming that remote server was trying to say BYE. There are cases where it might be trying to say something else, at which point bad things start to happen. I've just gotten fed up with it only working 98% of the time.

3
I'm trying to do PXE boot across pfSense and it's not working. The TFTP request makes it to the server okay, but pfSense rejects the return traffic. The thing is, the TFTP server is just replying to the original source port (2070), but the complaint is an active ICMP Destination Unreachable, Port Unreachable.

What may be important is the TFTP server is not replying from the original destination port (69). The xinetd service listens on port 69 (TFTP), however, I believe that when it accepts the inbound request, it starts the in.TFTP service, which binds to a random port. So the conversation is like this:

Code:
69 <- 2070
46539 -> 2070

As long as both machines are on the same segment everyone is happy and the transfer succeeds - clients reply to the last source port they saw, not 69 - but across pfSense acknowledgements don't come back... and I presume that's because it's checking the source port. I'm using CentOS so that TFTP server is
Code:
tftp-hpa 0.49, with remap, with tcpwrappers
So, I'm not using NAT here; all these segments are routable, so I can't see why I'd need TFTP-Proxy. Nor do I see how I can disable it, since once a line has been selected in the combo box it's impossible to deselect the last one. And, while it's not selected on any of the adapters in question, I see evidence of it rewriting traffic in the network traces.

So, I see what is happening, but I don't really know how any of this is really supposed to work.
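The two posts above describe the same underlying mechanism from opposite sides: a stateful firewall keys each UDP state on the full (source, source port, destination, destination port) tuple and purges it after a period of silence. The following model is an added example, not code from the original posts or from pfSense. It reproduces both situations: a SIP state that expires while only RTP is flowing, so the remote side's later BYE is blocked, and a TFTP server that answers from an ephemeral port instead of 69, so its data packets never match the state the client's request created. All addresses, ports, the 60 s default timeout and the "tftp helper" behaviour (an expectation that lets the server reply from any port, the way a protocol helper would) are assumptions made for the illustration.

```python
"""Toy model of a stateful firewall's UDP state table (added example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class Packet:
    flow: Flow
    t: float  # arrival time in seconds


class StatefulFirewall:
    def __init__(self, pass_rules, udp_timeout=60.0, tftp_helper=False):
        self.pass_rules = set(pass_rules)  # (dst, dport) pairs allowed to create a state
        self.udp_timeout = udp_timeout     # seconds of silence before a UDP state is purged (assumed)
        self.tftp_helper = tftp_helper     # assumed helper: let the server answer from any port
        self.states = {}                   # Flow -> last time a packet refreshed it
        self.expect = set()                # (server, client, client_port) expected from any server port
        self.log = []

    def _purge(self, now):
        stale = [f for f, seen in self.states.items() if now - seen > self.udp_timeout]
        for f in stale:
            del self.states[f]

    def handle(self, pkt):
        self._purge(pkt.t)
        f = pkt.flow
        for key in (f, f.reverse()):
            if key in self.states:             # traffic in either direction refreshes the state
                self.states[key] = pkt.t
                return "pass"
        if (f.src, f.dst, f.dport) in self.expect:
            self.expect.discard((f.src, f.dst, f.dport))
            self.states[f] = pkt.t             # helper-created state for the ephemeral server port
            return "pass"
        if (f.dst, f.dport) in self.pass_rules:
            self.states[f] = pkt.t
            if self.tftp_helper and f.dport == 69:
                self.expect.add((f.dst, f.src, f.sport))
            return "pass"
        # A real firewall set to "reject" would also send ICMP port unreachable here.
        self.log.append(f"t={pkt.t:.2f} block {f.src}:{f.sport} -> {f.dst}:{f.dport}")
        return "block"


def sip_scenario(udp_timeout):
    """Local SIP server 10.0.0.20 calls remote 203.0.113.10; BYE arrives 90 s later (constructed)."""
    fw = StatefulFirewall(pass_rules={("203.0.113.10", 5060)}, udp_timeout=udp_timeout)
    invite = Flow("10.0.0.20", 5060, "203.0.113.10", 5060)
    return [
        fw.handle(Packet(invite, 0.0)),            # INVITE out: creates the state
        fw.handle(Packet(invite.reverse(), 0.2)),  # 200 OK back: matches the reverse of the state
        fw.handle(Packet(invite.reverse(), 90.0)), # BYE after 90 s of RTP-only silence on 5060
    ]


def tftp_scenario(tftp_helper):
    """Client 10.0.0.50:2070 reads from server 10.0.1.5, which replies from port 46539 (constructed)."""
    fw = StatefulFirewall(pass_rules={("10.0.1.5", 69)}, tftp_helper=tftp_helper)
    rrq = Flow("10.0.0.50", 2070, "10.0.1.5", 69)
    data = Flow("10.0.1.5", 46539, "10.0.0.50", 2070)
    return [
        fw.handle(Packet(rrq, 0.00)),            # RRQ to port 69: creates the state
        fw.handle(Packet(data, 0.01)),           # DATA from the ephemeral port: no matching state
        fw.handle(Packet(data.reverse(), 0.02)), # client ACK to the ephemeral port
    ]


if __name__ == "__main__":
    print("SIP, 60 s timeout :", sip_scenario(60))    # BYE blocked
    print("SIP, 300 s timeout:", sip_scenario(300))   # BYE passes
    print("TFTP, no helper   :", tftp_scenario(False))
    print("TFTP, helper      :", tftp_scenario(True))
```

With the assumed 60 s timeout the BYE is blocked exactly as the SIP post describes; a longer UDP state timeout keeps the same packet passing, which is one knob, while the TFTP case needs either a helper that tracks the ephemeral server port or a pass rule broad enough to let the reply in, since no timeout change can make a reply from port 46539 match a state built for port 69.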

4
General Questions / CIFS: Pathetic performance across pfSense
« on: September 14, 2015, 03:01:29 pm »
I am experiencing significant performance problems with CIFS traffic traversing pfSense. Meanwhile iSCSI traffic has no issue, nor does CIFS traffic on the same subnet.

This is a CIFS performance example on the same subnet:

Code:
(root@vm4srvp01:/mnt/win/Images)# dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 1.11347 seconds, 58.9 MB/s
(root@vm4srvp01:/mnt/win/Images)# dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 1.11088 seconds, 59.0 MB/s
(root@vm4srvp01:/mnt/win/Images)# dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 1.13448 seconds, 57.8 MB/s


This is an iSCSI performance example on the same subnet:

Code:
(root@vm4srvp01:/vmware)# dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 0.937938 seconds, 69.9 MB/s
(root@vm4srvp01:/vmware)# dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 0.929954 seconds, 70.5 MB/s
(root@vm4srvp01:/vmware)# dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 0.931392 seconds, 70.4 MB/s


This is an iSCSI performance example traversing pfSense:

Code:
(root@my1mdbp01:/mnt/db)$ dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 0.863001 s, 75.9 MB/s
(root@my1mdbp01:/mnt/db)$ dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 0.752081 s, 87.1 MB/s
(root@my1mdbp01:/mnt/db)$ dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 0.720176 s, 91.0 MB/s


This is an example of the CIFS issue when traversing pfSense:

Code:
(root@my1mdbp01:/mnt/win/Images)$ dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 55.074 s, 1.2 MB/s
(root@my1mdbp01:/mnt/win/Images)$ dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 55.0722 s, 1.2 MB/s
(root@my1mdbp01:/mnt/win/Images)$ dd bs=64k count=1000 if=/dev/zero of=test conv=fdatasync
1000+0 records in
1000+0 records out
65536000 bytes (66 MB) copied, 55.0715 s, 1.2 MB/s

So, this appears to be a protocol problem, and not an infrastructure issue, since there is no bandwidth limitation. This issue was first noted on two different Windows 7 clients, before being tested on the Linux box, so this issue is not specific to a particular OS or flavor. About the only thing in common is the pfSense box.

Any clue what might be causing this?


5
General Questions / Fatal trap 12: page fault while in kernel mode
« on: December 22, 2014, 12:42:37 pm »
I've started getting a periodic crash, about once a week, though it varies. This box has been quite stable for years, but started this behavior after an update this past summer, though correlation does not equal causation. It's hard to peg the exact date and version since it happens so infrequently. From what I can see it looks like it's happening during packet inspection in pf.

This seems the same as an issue posted in "2.0-RC Snapshot Feedback and Problems" https://forum.pfsense.org/index.php?topic=21743.40;wap2 That was four years ago and it's not clear what ever became of it.

So today I became aggravated enough to drop everything I'm doing and concentrate on ending this forever. Unfortunately, I don't know of a way to reproduce it on demand, but I suspect that it could be traffic related based on what circumstantial evidence I do have. And yes, this probably is a FreeBSD issue, however I would counter that pfSense is distro based and chooses the OS distro that it's packaged with and tested against, so I would think it's in our mutual best interest to understand and resolve it.

Although I have not come across any recent complaints, can anyone verify this as a current problem? Are the pfSense developers aware of this or related issues? Are there any suggestions for capturing additional information on this? -TIA-

Code:
FreeBSD 8.3-RELEASE-p16 #0: Mon Aug 25 08:25:41 EDT 2014
    root@pf2_1_1_i386.pfsense.org:/usr/obj.i386/usr/pfSensesrc/src/sys/pfSense_SMP.8

Code:
db:0:kdb.enter.default>  bt
Tracing pid 12 tid 100055 td 0xc702db80
rn_match(c1520d4c,c9671300,ed797904,c7c4d200,ed79785c,...) at rn_match+0x11
pfr_match_addr(c94689b0,c80a581a,2,16,ed797844,...) at pfr_match_addr+0xe0
pf_test_tcp(ed797920,ed79791c,1,c7c4d200,c8107900,...) at pf_test_tcp+0xb05
pf_test(1,c70d4400,ed797aec,0,0,...) at pf_test+0x2596
pf_check_in(0,ed797aec,c70d4400,1,0,...) at pf_check_in+0x46
pfil_run_hooks(c156e620,ed797b3c,c70d4400,1,0,...) at pfil_run_hooks+0x93
ip_input(c8107900,c8107900,10,c0ac8dc9,c1569a10,...) at ip_input+0x35a
netisr_dispatch_src(1,0,c8107900,ed797bac,c0b6838f,...) at netisr_dispatch_src+0x71
netisr_dispatch(1,c8107900,5,c70d4400) at netisr_dispatch+0x20
ether_demux(c70d4400,c8107900,3,0,3,...) at ether_demux+0x19f
ether_input(c70d4400,c8107900,c7c4d804,c7acc800) at ether_input+0x174
ether_demux(c7acc800,c8107900,3,0,3,...) at ether_demux+0x65
ether_input(c7031400,c8107900,c155b180,ed797c3c,c6d94000,...) at ether_input+0x174
em_rxeof(0,0,c70143c0,c702a880,ed797cc0,...) at em_rxeof+0x206
em_msix_rx(c7026300,c702db80,0,109,98bc0483,...) at em_msix_rx+0x3f
intr_event_execute_handlers(c6d92560,c702a880,c0f955af,529,c702a8f0,...) at intr_event_execute_handlers+0xd4
ithread_loop(c7001b20,ed797d28,2a90d8a7,0,c7001b20,...) at ithread_loop+0x66
fork_exit(c0a7a4e0,c7001b20,ed797d28) at fork_exit+0x87
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xed797d60, ebp = 0 ---

6
Packages / Documentation for Mod_Security 0.3?
« on: February 11, 2014, 10:22:02 pm »
I've just inadvertently reinstalled mod_security 0.3 over 0.2 and it is completely different. Is there any documentation on it? I have not been able to figure out how to map the different host headers to all my different back end servers. It all used to be in the virtual host tab, but no more.

This is a backup of the 0.2 config:

      <service>
         <name>apache_mod_security</name>
         <rcfile>apache_mod_security.sh</rcfile>
         <executable>httpd</executable>
         <description><![CDATA[HTTP Daemon with mod_security]]></description>
      </service>
      <apachemodsecuritysettings>
         <config>
            <globalsiteadminemail>server.ops@MyInternal.net</globalsiteadminemail>
            <hostname>fw1.MyInternal.net</hostname>
            <globalbindtoipaddr>74.0.0.1</globalbindtoipaddr>
            <globalbindtoport>80</globalbindtoport>
            <mod_mem_cache>on</mod_mem_cache>
            <mod_mem_cache_size>100</mod_mem_cache_size>
            <mod_disk_cache/>
            <mod_disk_cache_size/>
            <secreadstatelimit/>
            <secrequestbodyinmemorylimit/>
            <secrequestbodylimit/>
            <enablemodsecurity>on</enablemodsecurity>
            <secauditengine>On</secauditengine>
            <errordocument/>
            <modsecuritycustom>SecFilter phpMyAdmin</modsecuritycustom>
         </config>
      </apachemodsecuritysettings>
      <apachemodsecurity>
         <config>
            <sitename>MySite</sitename>
            <siteemail>server.ops@MyInternal.net</siteemail>
            <siteurl>HTTP</siteurl>
            <ipaddress/>
            <port/>
            <certificatefile/>
            <certificatekeyfile/>
            <certificatechainfile/>
            <preserveproxyhostname>on</preserveproxyhostname>
            <primarysitehostname>www.PublicSite.com</primarysitehostname>
            <row>
               <webserveripaddr>www.MyInternal.net</webserveripaddr>
               <additionalsitehostnames/>
            </row>
         </config>
      </apachemodsecurity>

What would the equivalent be in the new version?

7
Firewalling / Prevent mod_security from exposing web GUI?
« on: February 11, 2014, 10:04:50 pm »
I've got a bit of a mess here. Have been using mod_security for a while now, apparently 0.2. After the last update it would not start. Tried everything, no go. Finally, armed with a backup I just removed it and reinstalled it. Well, apparently 0.3 installed. So it's completely different and I have not gotten that to work yet, but my real problem is, the Web GUI is exposed on the WAN!

Apparently, port 80 needs to be open on the port that mod_security will listen on, but then that exposes the Web GUI. How do I absolutely, beyond a shadow of a doubt, prevent some problem with mod_security from ever, ever, exposing the Web GUI? This is a HUGE problem!!! This needs to be intrinsically safe!

8
Firewalling / Functionally equivalent iptables configuration in pfSense?
« on: December 18, 2013, 07:45:43 pm »
How might one implement functionally equivalent rules in pfSense? Is the layer 7 stuff possible?... I'm not familiar enough outside linux.

-A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:mypbx.domain.tld" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j DROP
-A INPUT -i eth0 -p udp --dport {RTP_Start_port}:{RTP_End_port} -j ACCEPT

9
General Questions / NTP Confusion
« on: February 11, 2013, 05:49:46 pm »
This ought to be pretty simple...

I have 4 NTP server names in System-> General Setup.

On Services-> NTP one of the internal subnets is selected - the intention is for pfSense to serve NTP to that subnet.

On Status->NTP all 4 servers are "Unreach/Pending".

Packet trace on WAN interface shows all NTP requests going to the public servers with the source address of the selected private subnet... so obviously that isn't going to work. I'm sure this makes sense in some warped reality, but I don't get it. Meanwhile, the rest of the NTP traffic from various other subnets is finding its way out the WAN interface with an actual WAN source address (it's been NATed).

So, how do you actually configure NTP on a pfSense box? I want to serve NTP to selected subnets. Also, pfSense needs to act as a client to keep itself synced, but should not under any circumstances start serving NTP on a public interface.

10
Packages / mod_security unbelievably slow
« on: September 15, 2012, 07:20:41 pm »
So, new issue now. mod_security is up and running, however, there is a consistent 10 second delay between receiving packets and passing them out to the backend server. Going back out there is zero delay.

Timing is kind of suspect since it's a very consistent 10 seconds. Any ideas why?


Also, I've tried to activate the debug log but I can't get it to log anything. Have found the syntax:

SecFilterDebugLevel 9
SecDebugLogLevel 9

but neither works.

11
Packages / mod_security: rules and forwards?
« on: September 15, 2012, 12:37:50 pm »
This should be easy. I'm trying to use mod_security to proxy http traffic to back-end servers.

What I'm never clear on is how to configure the firewall rules and NAT port forwards, especially when the service resides on the firewall itself. For example, what would the rule look like that passes traffic in to the proxy? Is there anything required in order for the proxy to reach the back-end server?

12
DHCP and DNS / DNS Forwarder: Port Shut?
« on: June 21, 2012, 07:42:27 pm »
I'm trying to start using the DNS Forwarder in pfSense. My internal DNS servers - which also answer recursive external queries - are on one internal subnet. It's kind of annoying to have to go in and set up rules on all the other subnets to pass traffic to the DNS servers. I was hoping to let pfSense magically proxy that traffic. However, all the DNS queries return ICMP - udp port 53 unreachable, which usually means the port is shut.

So jumping to conclusions I would guess the forwarder is behind the firewall filters and each subnet is going to need filter rules to allow DNS traffic to pfSense so the DNS Forwarder will work?
Is there any documentation on the setup of DNS Forwarder? From what I've seen it makes it sound like you just enable the check box and it just magically works but I'm finding that not to be the case.
So DNS Forwarder is not going to help me because I have to set up rules on every subnet anyway so I might as well not use it?

13
I am installing a new server. I have applied a merged backup from an existing, working, install. The configuration is practically the same with a few exceptions:

The new server is using Link Aggregation (wasn't supported in v1 when the original server was built)
The new server has the virtual IPs defined as IP Alias where the original server had them defined as Proxy ARP.

This is a moderately complex configuration. It handles two public /29 blocks so there are two WAN interfaces. It also handles 6 LAN interfaces. Each WAN interface has a public IP defined and the remaining 4 IPs are defined as a virtual IP on each WAN interface.

What does not work are the cases where there is a NAT rule that sets the "NAT Address" to the IP of an Alias.

Network trace shows that the UDP traffic is translated and exits correctly. However, the UDP reply is only seen on the WAN interface; it never makes it across to the LAN side. There is no indication in the log that the packets were rejected by a filter or failed to match a filter.

Could this be related to the difference in the Alias type? Is a different configuration needed when changing to IP Alias from ARP Proxy?

14
Installation and Upgrades / Restore not working
« on: May 29, 2012, 10:19:22 pm »
I have loaded new install on new hardware. Ran a backup from the existing server and tried to restore to the new install.

For example, I tried to restore only the DHCP server section. Nothing restores and the log has the message: /diag_backup.php: XML error: no dhcpd object found!

I have checked the backup file and there is no doubt that the dhcpd section is there.

Code:
  <dhcpd>
    <lan>
      <range>
        <from>192.168.2.1</from>
        <to>192.168.2.127</to>
      </range>
      <defaultleasetime/>
      <maxleasetime/>
      <netmask/>
      <failover_peerip/>
      <gateway/>
      <enable/>
      <ddnsdomain/>
      <next-server/>
      .
      .
      .

what do you suppose the problem is?

15
Firewalling / Dynamic rule triggers?
« on: May 08, 2012, 07:02:14 pm »
Is it possible to create dynamic rule triggers in the pfSense GUI? This is common: when a state is established because a static rule is satisfied, additional port rules are established dynamically. This is common for T/FTP proxies, where traffic satisfying a pass rule on the control channel dynamically sets up ingress rules for the data channel.

In this case I want to dynamically establish RTP ingress triggered by traffic satisfying a static SIP rule. I know how to do this in pf using anchors and then dynamically adding rules to the anchor, but I don't want to mess with pfSense internals. Should I be looking at writing my own plugin to do this?
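The post above asks for a SIP-triggered RTP pinhole. Whatever loads the rules into an anchor, the trigger side is the same: read the media endpoints out of the SDP bodies of the INVITE (the peer's offer) and the 200 OK (the local answer) and render a pass rule for exactly that pair of ports. The code below is an added example, not code from the original post or from pfSense. The SIP messages are constructed, the interface name em0 and the anchor name are assumptions, and it assumes symmetric RTP (the peer sends from the port it advertised). Because the rule text is built from attacker-controlled SDP, every address and port is validated before it goes anywhere near pfctl; a c= line carrying extra tokens is rejected rather than spliced into a rule.

```python
"""Derive pf anchor rules for RTP/RTCP from SIP offer/answer SDP (added example)."""

import ipaddress

# Constructed sample: INVITE from the remote peer (offer) and the local server's 200 OK (answer).
OFFER = (
    "INVITE sip:pbx@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:pbx@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

ANSWER = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=pbx 1 1 IN IP4 10.0.0.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.20\r\n"
    "t=0 0\r\n"
    "m=audio 18000 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 31\r\n"      # port 0 = media stream rejected in the answer
)


def parse_sdp_media(message):
    """Return (connection_ip, [(media_kind, port), ...]) from a SIP message carrying SDP."""
    _head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("SIP message has no body")
    conn, media = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            # ip_address() raises on anything but a bare address, so "1.2.3.4 port 1:65535"
            # or other rule-injection attempts in the SDP never reach the rule text.
            conn = str(ipaddress.ip_address(line[len("c=IN IP4 "):].strip()))
        elif line.startswith("m="):
            fields = line[2:].split()          # m=<media> <port>[/<count>] <proto> <fmt> ...
            if len(fields) < 3:
                raise ValueError(f"malformed media line: {line!r}")
            port = int(fields[1].split("/")[0])
            if port != 0 and not 1024 <= port <= 65535:
                raise ValueError(f"implausible media port {port}")
            media.append((fields[0], port))
    if conn is None or not media:
        raise ValueError("SDP lacks c= or m= lines")
    return conn, media


def rtp_anchor_rules(offer, answer, iface="em0"):
    """One pf pass rule per accepted stream, covering RTP (port) and RTCP (port+1)."""
    peer_ip, peer_media = parse_sdp_media(offer)
    local_ip, local_media = parse_sdp_media(answer)
    if len(peer_media) != len(local_media):
        raise ValueError("offer/answer media line count mismatch")
    rules = []
    for (kind, pport), (lkind, lport) in zip(peer_media, local_media):
        if kind != lkind:
            raise ValueError(f"media order mismatch: {kind} vs {lkind}")
        if pport == 0 or lport == 0:
            continue                            # stream rejected; no pinhole
        rules.append(
            f"pass in quick on {iface} proto udp from {peer_ip} port {pport}:{pport + 1} "
            f"to {local_ip} port {lport}:{lport + 1} keep state"
        )
    return rules


def anchor_ruleset(offer, answer, iface="em0"):
    """Text suitable for: pfctl -a <anchor> -f -  (loading it is left to the operator)."""
    return "\n".join(rtp_anchor_rules(offer, answer, iface)) + "\n"


if __name__ == "__main__":
    print(anchor_ruleset(OFFER, ANSWER), end="")
```

The output is one rule for the accepted audio stream and none for the rejected video stream. Loading it is a separate step (for example piping the text into `pfctl -a <anchor> -f -`), and the matching teardown on BYE, plus a timer for calls that never say BYE, are what keep the anchor from accumulating stale pinholes.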
