Messages - miken32

Pages: [1] 2 3 4 5
1
NAT / Re: Intermittent NAT failures
« on: February 19, 2018, 04:40:47 pm »
Ha, never noticed that. I was looking at the state table page!

Turns out I solved this by modifying a firewall rule on an unrelated VLAN interface. Checked the state table and noticed states related to OPT1 traffic were showing up on OPT2. Changed the firewall rule on OPT2 from source "any" to source "OPT2 network" and the problem was fixed. Doesn't explain why that traffic was coming out the wrong interface though...

2
NAT / Re: Intermittent NAT failures
« on: February 16, 2018, 05:30:40 pm »
How many states? I am unsure what the behavior is if there is not an available ephemeral source port for the outbound translation. You might need a pool of outbound NAT addresses if that is the case.

If you are truly seeing something intermittent there, that would be something I would certainly look at, especially if it only occurs during periods of high-traffic. That would take tens of thousands of simultaneous connections all to the same destination protocol:host:port however and seems unlikely.

Have you done anything like setting static source ports, reducing the available ephemeral source ports or maybe something else with outbound NAT?

I've not touched outbound NAT rules, I expect it to just work! We're dealing with many thousands of states; I can't seem to find a count anywhere in the UI, but as I said we're looking at pretty high traffic volumes. We'll give the additional NAT addresses a try and see how it works.
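The quoted explanation above (source ports run out per destination protocol:host:port, not globally) can be checked against the live state table rather than guessed at. The script below is an added example written for this thread, not pfSense code: it parses `pfctl -ss` output, counts translated states per (protocol, translated address, destination host, destination port) and flags any tuple that is close to using up the source-port pool. It assumes the FreeBSD/pfSense line layout `<iface> <proto> <translated-src> (<original-src>) -> <dst> <state>` for outbound NAT states, and that the pool is 1024:65535 as pfSense's automatic outbound NAT rules specify; the sample lines are constructed, not captured from a real firewall.

```python
"""Check NAT source-port pressure per destination from `pfctl -ss` output.

Added example for this thread, not code from pfSense. Assumed state-line layout
for an outbound translated state (FreeBSD/pfSense pfctl):

    <iface> <proto> <translated-src> (<original-src>) -> <dst>    <state>

Lines without the parenthesised original source are untranslated (LAN-side)
states and are skipped; inbound ('<-') states are port forwards and are skipped too.
"""
import re
import sys
from collections import Counter

# pfSense's automatic outbound NAT rules translate to "port 1024:65535", so one
# translated address has 64512 source ports for each destination proto:host:port.
# Assumption: adjust if your outbound NAT rules name a different range.
NAT_PORT_POOL = 65535 - 1024 + 1

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<nat_src>\S+)\s+"
    r"\((?P<orig_src>\S+)\)\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)

# Constructed sample lines (not captured from a real firewall).
SAMPLE = [
    "em1 udp 203.0.113.5:51000 (10.10.1.20:53000) -> 198.51.100.7:53       MULTIPLE:MULTIPLE",
    "em1 udp 203.0.113.5:51001 (10.10.1.21:40000) -> 198.51.100.7:53       MULTIPLE:MULTIPLE",
    "em1 tcp 203.0.113.5:51002 (10.10.1.20:49152) -> 198.51.100.7:443      ESTABLISHED:ESTABLISHED",
    "em0 udp 10.10.1.20:53000 -> 198.51.100.7:53       MULTIPLE:MULTIPLE",
    "em1 tcp 10.10.1.30:80 (203.0.113.5:80) <- 198.51.100.9:4444       ESTABLISHED:ESTABLISHED",
]


def split_hostport(s):
    """'203.0.113.5:53' -> ('203.0.113.5', 53); '[2001:db8::1]:53' -> ('2001:db8::1', 53)."""
    host, _, port = s.rpartition(":")
    return host.strip("[]"), int(port)


def nat_pressure(lines, pool=NAT_PORT_POOL):
    """Map (proto, nat_ip, dst_ip, dst_port) -> (state count, fraction of the port pool used).

    pf must keep (proto, translated src ip:port, dst ip:port) unique, so a translated
    address runs out of source ports per destination proto:host:port, not globally.
    """
    counts = Counter()
    for line in lines:
        m = STATE_RE.match(line)
        if not m:
            continue
        nat_ip, _ = split_hostport(m["nat_src"])
        dst_ip, dst_port = split_hostport(m["dst"])
        counts[(m["proto"], nat_ip, dst_ip, dst_port)] += 1
    return {key: (n, n / pool) for key, n in counts.items()}


def exhausted(pressure, threshold=0.9):
    """Destination tuples at or above `threshold` of the source-port pool, most loaded first."""
    hot = [(key, n) for key, (n, frac) in pressure.items() if frac >= threshold]
    return [key for key, _ in sorted(hot, key=lambda kv: -kv[1])]


def synth_states(n, nat_ip="203.0.113.5", dst="198.51.100.7:53"):
    """Constructed load: n UDP states from different LAN hosts to one destination."""
    return [
        "em1 udp %s:%d (10.10.%d.%d:%d) -> %s       MULTIPLE:MULTIPLE"
        % (nat_ip, 1024 + i, 1 + i // 250, 1 + i % 250, 40000 + i % 20000, dst)
        for i in range(n)
    ]


if __name__ == "__main__":
    # On pfSense:  pfctl -ss | python3 nat_pressure.py   ('pfctl -si' prints the state count)
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for key, (n, frac) in sorted(nat_pressure(lines).items(), key=lambda kv: -kv[1][0]):
        proto, nat_ip, dst_ip, dst_port = key
        print("%-4s %s -> %s:%d  %6d states  %5.1f%% of pool"
              % (proto, nat_ip, dst_ip, dst_port, n, 100 * frac))
```

If one destination tuple shows up near 100% of the pool while unrelated flows through the same address are fine, that is the symptom the quoted post describes, and adding outbound NAT addresses (or spreading destinations) is the fix; if nothing is anywhere near the pool size, source-port exhaustion is not the cause and the wrong-interface explanation found later in the thread is the better lead.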

3
NAT / Re: Intermittent NAT failures
« on: February 15, 2018, 05:10:28 pm »
Outbound NAT rules are automatic, so everything should be going through NAT. Firewall rules are a simple allow all. em1 in the trace is my WAN port and the 10.10.0.0/20 network is on the LAN side. We're only seeing this on installs with a lot of traffic (e.g. consistently hitting 300-500 Mbps.)

4
Found another thread with a user experiencing the same type of issue:

https://forum.pfsense.org/index.php?topic=122409.msg676047#msg676047

So say you have DHCP servers on LAN and OPT1, with domains in the DHCP server set as lan.internal and opt1.internal, and the domain in general settings is pfsense.internal. Your problem is that DHCP clients are being registered on the pfSense's internal DNS as pc1.pfsense.internal instead of pc1.lan.internal?

(Important to note that the domain in DHCP is only intended for searches. So if you run `ping foo` you're going to ping either foo.lan.internal or foo.opt1.internal. It's working fine, you're just looking for it to do more than it currently is.)

5
NAT / Intermittent NAT failures
« on: February 08, 2018, 03:20:53 pm »
We're seeing a number of pfSense installs over various versions (2.2.x and 2.3.x) intermittently failing to NAT packets. This happens almost exclusively with UDP streams, but occasionally with ICMP or TCP. Outbound NAT rules are automatic, there's nothing in the log files, and these internal users have other TCP and UDP conversations being NATed properly at the same time.

We're scheduling maintenance windows to try an upgrade to 2.4 to see if the problem is still present there.

Anyone seen anything similar?

https://pastebin.com/e5sCn7PS

6
Post a bounty / Re: Temperature Fahrenheit /Celsius Option and Alarms
« on: December 18, 2017, 11:33:52 am »
And since this is the bounty forum, if any of the original requesters want to step up, it would be accepted gratefully.

https://www.paypal.me/miken32

or if you're Canadian, email money transfer works better; my username at eire.ca.

I did the work before you arrived and nobody ever responded to me. I suspect the less than friendly responses to the original request put people off.

I wouldn't call it "less than friendly" just someone pointing out the likely reason that this work wasn't done as part of the original product (i.e. nobody uses Fahrenheit except Americans; though it's also used in Belize and Bahamas as well as a few other small island nations.)


I think it is a fairly common (though certainly not universal) pattern on this board. Random people show up and make requests, someone does the work and then the OP is never heard from again. I'm not in it for the money anyway, else I wouldn't have posted my code on Github. Just wanted to contribute to the project that helps me earn a living. If someone finds enough value in it to reward me personally, so much the better!

7
Post a bounty / Re: Temperature Fahrenheit /Celsius Option and Alarms
« on: December 15, 2017, 12:30:41 pm »
Looks awesome, sir! Hope they merge the PR.

Until then, here's how to apply it. The changed files are saved with an "orig" suffix:

curl https://patch-diff.githubusercontent.com/raw/pfsense/pfsense/pull/3891.diff | patch -b -d / -p 2 -u

8
Post a bounty / Re: Temperature Fahrenheit /Celsius Option and Alarms
« on: December 13, 2017, 02:38:57 pm »
And since this is the bounty forum, if any of the original requesters want to step up, it would be accepted gratefully.

https://www.paypal.me/miken32

or if you're Canadian, email money transfer works better; my username at eire.ca.

9
Post a bounty / Re: Temperature Fahrenheit /Celsius Option and Alarms
« on: December 13, 2017, 02:30:27 pm »
https://github.com/pfsense/pfsense/pull/3891

This patch adds a preference to the thermal sensors widget, which is also read by the system information widget.

Notification is the job of a network monitoring system, not pfSense. (Your pfSense can't email you about high temperatures if its CPU is a puddle of molten slag!)


Looks awesome, sir! Hope they merge the PR.

Was curious, maybe a quick Find & Replace:
* getCelciusValue() --> getCelsiusValue()
* celc --> cels

LOL, I was paying so much attention to spelling Fahrenheit correctly that I messed up the easy one!

10
Post a bounty / Re: Temperature Fahrenheit /Celsius Option and Alarms
« on: December 12, 2017, 03:53:29 pm »
https://github.com/pfsense/pfsense/pull/3891

This patch adds a preference to the thermal sensors widget, which is also read by the system information widget.

Notification is the job of a network monitoring system, not pfSense. (Your pfSense can't email you about high temperatures if its CPU is a puddle of molten slag!)

11
DHCP and DNS / Re: Using BIND to enforce Google SafeSearch...
« on: December 08, 2017, 12:11:24 pm »

The zone file looks a bit like this:

$TTL 128
;
$ORIGIN rpz-google.

; Database file rpz-google.DB for rpz-google zone.

rpz-google.      IN  SOA localhost.         root.localhost. (
                2474766874 ; serial
                1d         ; refresh
                2h         ; retry
                4w         ; expire
                1h         ; minimum (negative-caching TTL)
                )

;
; Zone Records
; Google SafeSearch
@        IN NS  localhost.
google.com            CNAME   forcesafesearch.google.com.
www.google.com        CNAME   forcesafesearch.google.com.
google.co.uk          CNAME   forcesafesearch.google.com.
www.google.co.uk      CNAME   forcesafesearch.google.com.

; pattern repeats for the other 191 domains...


If you're working with a response policy zone, you can use an asterisk for wildcard. *.google.com, etc.
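As an added example (not from the thread and not BIND code), here is a small Python model of how RPZ QNAME triggers from a zone like the one above match a query, including the wildcard form suggested in the reply. It shows two things worth knowing before swapping 191 explicit names for wildcards: a `*.google.com` trigger covers subdomains but not the apex, so `google.com` still needs its own record; and the same wildcard also covers the CNAME target `forcesafesearch.google.com`, so an explicit `rpz-passthru.` record for the target makes the intent unambiguous (whether your resolver re-applies policy while chasing the CNAME is something to confirm in its documentation). The matching rules are a simplification (exact owner beats wildcard, closest wildcard wins) and only QNAME triggers are modelled; the policy list is constructed from the zone's domains.

```python
"""Model of RPZ QNAME-trigger matching for a SafeSearch policy zone.

Added example for this thread; not BIND's implementation. Only QNAME triggers
are modelled (no client-IP, NSDNAME or NSIP triggers), with simplified
precedence: an exact owner-name match wins, otherwise the closest enclosing
'*.' wildcard. A wildcard covers proper descendants of its parent, never the
parent itself, which is why the apex keeps an explicit record below.
"""

RPZ_ORIGIN = "rpz-google."
PASSTHRU = "rpz-passthru."   # RPZ special target: answer normally, no rewrite

# (owner relative to $ORIGIN rpz-google., CNAME target), constructed from the
# zone above plus the wildcard and passthru entries discussed in the thread.
POLICY = [
    ("google.com", "forcesafesearch.google.com."),
    ("*.google.com", "forcesafesearch.google.com."),
    ("google.co.uk", "forcesafesearch.google.com."),
    ("*.google.co.uk", "forcesafesearch.google.com."),
    # Without this, '*.google.com' would also rewrite the CNAME target itself.
    ("forcesafesearch.google.com", PASSTHRU),
]


def _labels(name):
    """Normalise 'WWW.Google.COM.' -> ['www', 'google', 'com']."""
    return name.rstrip(".").lower().split(".")


def match_trigger(qname, policy):
    """Return (owner, target) of the QNAME trigger covering qname, or None."""
    rules = {owner.lower(): target for owner, target in policy}
    labels = _labels(qname)
    exact = ".".join(labels)
    if exact in rules:
        return exact, rules[exact]
    # Try '*.<parent>' from the closest parent outwards; the loop never reaches
    # '*.' alone, so a wildcard cannot match its own parent (the apex).
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return wildcard, rules[wildcard]
    return None


def apply_policy(qname, policy=POLICY):
    """Rewritten CNAME target for qname, or None if the answer passes unmodified."""
    hit = match_trigger(qname, policy)
    if hit is None or hit[1] == PASSTHRU:
        return None
    return hit[1]


def zone_records(policy, origin=RPZ_ORIGIN):
    """Render the policy as zone-file lines under the given $ORIGIN."""
    return ["$ORIGIN " + origin] + [
        "%-30s CNAME   %s" % (owner, target) for owner, target in policy
    ]


if __name__ == "__main__":
    for name in ["google.com", "www.google.com", "maps.google.co.uk",
                 "forcesafesearch.google.com", "notgoogle.com"]:
        print("%-30s -> %s" % (name, apply_policy(name) or "(no rewrite)"))
```

The constructed `POLICY` keeps the apex entries from the original zone and adds the wildcard and passthru lines; `zone_records()` prints the equivalent zone-file body so the model and the file stay in step.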

12
Installation and Upgrades / Re: Upgraded to Development - Switch to Stable
« on: February 28, 2017, 12:54:59 pm »
Just since this comes up fairly high in the relevant searches on this subject, and never got a resolution:

cmb is correct in that you have only to change the track and run the update. When you check for updates it will still show an experimental release number as an available update. Run this update and then reboot. Once it comes back, it will show an update available that will be the release version.

This was my experience going from a 2.3.3 pre-release anyway.

13
IPv6 / Re: Sharing IPv6 subnet
« on: October 19, 2016, 12:39:40 pm »
What you're looking for is an option in the ISP router to do prefix delegation. Hopefully the ISP router can delegate an IPv6 prefix to each of your pfSense systems via DHCPv6-PD. You'd receive the /64 delegated from the ISP router, then apply it to one of your networks. If you want, you could probably even delegate /60s so you each get 16 /64s to use as you wish.

Ok, that's what I was thinking. I wasn't sure if the pfSense could request a /64 and the modem would keep track of things; I guess I'll just wait until I get the modem set up and play around. Thanks for all the feedback everyone!

14
IPv6 / Re: Sharing IPv6 subnet
« on: October 17, 2016, 04:48:46 pm »
You'll need a router of some sort to do that. You can then have 3 pfSense systems connected to the router.

The ISP modem is a router. That doesn't address how I can get 3 different IPv6 subnets behind (i.e. on the LAN side of) my pfSenses.

15
IPv6 / Re: Sharing IPv6 subnet
« on: October 17, 2016, 03:22:43 pm »
It's a multi-tenant situation. I know I can subnet a /56, but given that I don't control the /56 I want to know if the pfSenses can somehow take care of splitting it up. I know there are some options for prefix delegation, but not sure if that can work for what I want.
