

Messages - GruensFroeschli

Firewalling / Re: Invert match doesn't work
« on: March 26, 2018, 04:21:30 am »
The internet is mostly the inverse of RFC1918:
All subnets which are not private.
There are some other special cases like RFC3927 (169.254/16)
Take a look at

When you create a rule with as destination "WAN net" then it means exactly that:
The network between you and your ISP.
Generally not what you want.

When you mean "the internet", you usually mean "any".

Firewalling / Re: Invert match doesn't work
« on: March 25, 2018, 03:32:57 pm »
In the rules I have (see attachment), with the last rule, I grant the guests access to anything anywhere, so at that point I throw out the default rule that everything is blocked. IMHO it would be better, when there is a default rule that blocks you from going anywhere, not to throw this away at the last rule.

Huh?? On any firewall out there the default is always deny.. Unless you're talking about some off-the-shelf router designed for users on 1 flat network that pretty much does nothing but NAT.

Out of the box this is how pfSense will act for the 1st network "lan", by creating an any-any rule. But if you create new networks you would have to put in the rules you want. But the internet is made up of lots of networks.. As stated, pretty much any IP that does not fall into RFC1918 is internet.. Other than some other special networks and the few that have not been assigned, etc. But in general, if it's not RFC1918 space it's the "internet".

There are many protocols on the internet, not just TCP, UDP and ICMP.. You never know what exactly a client behind pfSense will need to go and do.. So if you want to allow internet, generally you create an any-any rule. You can always limit that how you see fit.

How exactly would you create dest that was "internet"??  It really could be anything.

Maybe it's a stupid question, but to me it would seem logical that if I created a pass rule from Guest net to WAN net, it would give internet access to the guests. Then one rule would be enough, as everything else will be blocked by the default rule.

The guest net is the network attached to the guest interface.
The WAN net is the network attached to the WAN interface.
--> Not the internet.

Firewalling / Re: Invert match doesn't work
« on: March 23, 2018, 06:44:03 am »
Create an alias.
Add the subnets
Call the alias RFC1918

« on: March 21, 2018, 01:47:20 am »
If you really think you're getting 7Mbps, then you don't understand how the load balancer works.

It balances connections, not bandwidth.
The max you will ever get is 4Mbps.

The overall bandwidth, when you have lots of connections open and multiple clients connecting, may approach 7.5Mbps.

Firewalling / Re: Invert match doesn't work
« on: March 14, 2018, 08:20:43 am »
I don't see any inverted rules in your screenshot.

Deutsch / Re: Rules and Destination Interface
« on: March 07, 2018, 03:07:44 am »
The simpler solution:
Create a rule that allows traffic to !LAN subnet.

If you have several local networks:
Create an alias that contains all of your networks.
If you only use private addresses locally anyway, you can also create an RFC1918 alias containing 10/8, 172.16/12 and 192.168/16.
The guest network is then allowed to access !RFC1918.
In that case, don't forget the rule that allows access to the pfSense itself (dns, dhcp, etc.).
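The guest rule set described in this post and in the "Create an alias ... Call the alias RFC1918" post above, worked through as an added example (not code from the forum or from pfSense): a first-match rule walk with an inverted RFC1918 alias, the separate rule for the firewall's own DNS/DHCP services, and the implicit default deny. The guest interface address 192.168.50.1 and the sample destinations are constructed assumptions.

```python
import ipaddress

# Constructed sample topology (not from the forum posts).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")    # RFC3927: also not "the internet"
GUEST_IF_ADDR = ipaddress.ip_address("192.168.50.1")   # assumed pfSense address on the guest VLAN
FIREWALL_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 67)}  # DNS and DHCP only


def in_alias(ip, alias):
    """True when ip falls inside any network of the alias."""
    return any(ip in net for net in alias)


def is_internet(ip_str):
    """Rough 'internet' test as the posts describe it: not RFC1918 and not link-local."""
    ip = ipaddress.ip_address(ip_str)
    return not in_alias(ip, RFC1918) and ip not in LINK_LOCAL


def guest_rule_action(dst_ip, proto, dst_port=None):
    """Walk the guest interface rules top to bottom; first match wins,
    anything unmatched hits pfSense's implicit default deny."""
    ip = ipaddress.ip_address(dst_ip)
    # Rule 1: guests may reach the firewall itself for DNS and DHCP.
    # Without it, rule 2 never passes this traffic: the firewall address is RFC1918 space.
    if ip == GUEST_IF_ADDR and (proto, dst_port) in FIREWALL_SERVICES:
        return "pass (firewall services)"
    # Rule 2: pass to destination !RFC1918, i.e. the inverted alias.
    if not in_alias(ip, RFC1918):
        return "pass (!RFC1918)"
    # No explicit block rule needed: everything else is denied by default.
    return "block (default deny)"


if __name__ == "__main__":
    for dst, proto, port in (("203.0.113.10", "tcp", 443), ("192.168.50.1", "udp", 53),
                             ("192.168.50.1", "tcp", 22), ("192.168.1.20", "tcp", 445)):
        print(dst, proto, port, "->", guest_rule_action(dst, proto, port))
```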

really hacky:

You should be able to change the tcpdump arguments for it to look for the frames you're interested in.

How hacky can it be?

General Questions / Re: url blocking
« on: February 22, 2018, 05:35:04 am »
I personally have been using the DNS resolver/forwarder blackholing in combination with a DNS NAT rule to force all DNS requests to be resolved locally.

Routing and Multi WAN / Re: What is "Default" gateway?
« on: February 12, 2018, 08:35:26 am »
You might want to rephrase this...

Are you using as the monitor of your default interface?
Setting an IP as monitor pins it to the interface for which it is set as monitor.

If you want to be able to use as monitor IP from behind the pfSense, use another IP as monitor.

Hardware / Re: Energy-efficient hardware with PCI slots?
« on: January 29, 2018, 03:11:48 pm »
What are you trying to do?
If you're looking to route only 100Mbit you might probably be well off with a VLAN capable switch and trunking multiple virtual interfaces over a single (or multiple) trunk(s).

Wireless / Re: EAPOL Key Timeout
« on: January 18, 2018, 01:53:06 am »
I tend to agree with johnpoz.

If you want to continue to debug this:
Log in via SSH, kill the hostapd process and start it again by hand.
Add -ddd as argument, to get more debug output.

I do know that with multiple virtual interfaces, in certain combination the EAPOL frames are sent on the wrong interface.

Wireless / Re: EAPOL Key Timeout
« on: January 17, 2018, 07:39:55 am »
Since you're on _wlan3, are you using multiple virtual BSSIDs?
Which frequency are you using?
Are you on a DFS channel?

Wireless / Re: EAPOL Key Timeout
« on: January 17, 2018, 07:39:12 am »
Obfuscating MAC addresses?
