Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - valnar

Pages: [1] 2 3 4 5 ... 26
1
Thank you!  I have the same problem.  Somebody please fix this.

2
Hardware / Re: PC Engines apu2 experiences
« on: February 14, 2018, 05:37:28 am »
I just went to 4.0.11 and it's working fine.  I didn't see anything listed in the bios's after 4.0.11 that was relevant to APU2 boards.

I also noticed that PC Engines recommends the 4.0x track here:
http://pcengines.ch/howto.htm#bios

3
Hardware / Re: PC Engines apu2 experiences
« on: February 13, 2018, 05:44:22 am »
I guess I should have read outside of the PCEngines website!  Thanks for that info.

OK, so has everyone successfully run 4.6.6 or should I just go to 4.0.11?

4
Hardware / Re: PC Engines apu2 experiences
« on: February 12, 2018, 06:10:31 pm »
Wow, I'm running 4.07.  Any reason to go higher for pfSense?  What's the recommended BIOS?

5
General Questions / Re: Feature Request - Open Connect Server
« on: February 05, 2018, 04:08:44 pm »
Unless there is fear of litigation from Cisco, I would think this would be a high priority for the devs to make it a package.  Being able to use AnyConnect is probably one of the main reasons people would migrate to pfSense from ASA's, or at least one of them.

6
General Questions / Search firewall logs by rule names?
« on: January 27, 2018, 07:36:56 am »
Is it possible to add a feature that lets you search firewall logs by the rule name? If you have a lot of logs, that would be more useful than guessing the IP's and ports, especially if they are unknown.

Also, being able to easily add parameters using simple definitions (like CheckPoint does or Cisco ASA) to include multiple IP's, ports or other search terms would help.

7
Cache/Proxy / Re: HAProxy or STunnel for HTTPS proxy?
« on: January 26, 2018, 05:23:11 pm »
I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised so I'll play with it a bit, but I wonder if it's more secure keeping the NAT as it has to follow a traditional port-forward-nat rule first.


Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest.

**Stunnel rule**
Listen on 192.168.1.1  (internal IP of pfSense firewall LAN)
Listen on port 3456
Redirect to 192.168.1.15  (Camera software box)
Redirects on port 81

**NAT rule**
Interface   WAN
Protocol   TCP
Dest Address   WAN Address
Dest Ports   3456
NAT IP   192.168.1.1
NAT Ports   3456


**NAT created FW rule**
Protocol   IPv4 TCP
Source   *
Destination   192.168.1.1
Port   3456

8
Cache/Proxy / Re: HAProxy or STunnel for HTTPS proxy?
« on: January 26, 2018, 04:06:45 pm »
The basic NAT/port-forward rule I used previously which is probably wrong since STunnel (I assume) is supposed to intercept it.  I don't understand where STunnel inserts itself into the mix though.  I tried a couple different things with my ports 3456 (ext) and 81 (int).

**NAT rule**
Interface   WAN
Protocol   TCP
Dest Address   WAN Address
Dest Ports   3456
NAT IP   192.168.1.15
NAT Ports   81


**NAT created FW rule**
Protocol   IPv4 TCP
Source   *
Destination   192.168.1.15
Port   81


9
Cache/Proxy / Re: HAProxy or STunnel for HTTPS proxy?
« on: January 25, 2018, 07:21:00 pm »
Is that right?  Listen on ANY IP?  That doesn't sound right. So anything that hits my firewall on that port gets redirected to that specific internal server?

Edit: It's not working anyway, or I don't have the firewall rule set right.

10
Cache/Proxy / Re: HAProxy or STunnel for HTTPS proxy?
« on: January 24, 2018, 06:54:58 pm »
Well stunnel doesn't work at all, or I can't figure it out since there are no instructions anywhere.  I don't see how I can put in a variable for the listening IP, which would be the WAN IP of the firewall.

I'll give HAProxy a try.  Thanks.

11
Packages / Just want pfSense to shutdown when UPS goes to battery
« on: January 24, 2018, 03:54:15 pm »
I'm a little confused on whether I should use apcupsd or nut.  My pfSense firewall is on an APU2 box.

Basically I have an APC SmartUPS 1000 and its USB cable is already connected to a Windows server.  I also have the Network Management Card 2 installed in it.  All I really need is for pfSense to shut itself down when the power gets low enough on battery.  My other computers have different methods of dealing with it, so I don't need pfSense to be a traffic director (although after this, I tackle my Ubuntu box, so maybe I DO want pfSense to have smarts in this area??).

I assume there is a network mechanism I can use to have pfSense poll the state of the UPS?

I looked at apcupsd and couldn't figure out the correct combination of parameters to make it work.  I used this, but I don't know if its working:

Enable - Check
UPS name: My UPS
UPS Cable: ether
UPS Type: pcnet
Device: 10.xxx.xxx.6:apc:password
Net Server: On
NIS IP: 127.0.0.1
NIS Port: 3551

Status
Code: [Select]
Status information from apcupsd
Running: apcaccess -h 127.0.0.1:3551

APC      : 001,018,0466
DATE     : 2018-01-24 16:32:04 -0500 
HOSTNAME : <removed>
VERSION  : 3.14.14 (31 May 2016) freebsd
UPSNAME  : Basement UPS
CABLE    : Ethernet Link
DRIVER   : PCNET UPS Driver
UPSMODE  : Stand Alone
STARTTIME: 2018-01-24 16:31:08 -0500 
STATUS   : COMMLOST
MBATTCHG : 5 Percent
MINTIMEL : 3 Minutes
MAXTIME  : 0 Seconds
NUMXFERS : 0
TONBATT  : 0 Seconds
CUMONBATT: 0 Seconds
XOFFBATT : N/A
STATFLAG : 0x05000100
END APC  : 2018-01-24 16:52:03 -0500

Which package is for me?  I couldn't find the instructions after a cursory look.  Thanks.

12
Cache/Proxy / HAProxy or STunnel for HTTPS proxy?
« on: January 24, 2018, 03:17:40 pm »
Long time pfSense user, short time package user.

I have Blue Iris which runs the webcams in my house and the app has the ability (baked in) to use STunnel locally on the same Windows box for encryption.  The app normally only uses HTTP but this provides a HTTPS proxy to it.  However, from what I can see of STunnel, it's pretty rudimentary.

I hit a thread that said pfSense can do this instead and that sounds like a better idea.  I wasn't sure if STunnel is still the package I want or it HAProxy did some of it.  Ideally it would at least do the same as STunnel on that Windows box, but bonus points if I can wrap a 2nd layer of security around it like a certificate.

Can anyone point me in the right direction?




13
OpenVPN / Re: OpenVPN is choppy
« on: December 20, 2017, 03:38:14 pm »
My sanitized client config

Code: [Select]
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxxxx.dyndns.org 443 udp
lport 0
verify-x509-name "OpenVPN-cert" name
auth-user-pass
pkcs12 xxxxx-udp-443-me.p12
tls-auth xxxxx-udp-443-me-tls.key 1
remote-cert-tls server

14
OpenVPN / OpenVPN is choppy
« on: December 20, 2017, 03:29:30 pm »
I know this is going to be an open-ended complaint with little hard data, but...

I setup an OpenVPN server on my home pfSense firewall.  This is replacing a Cisco 1921 router where I previously setup AnyConnect, its distant cousin, to get into my home network.  It was on an ASA 5505 before that.

It seems the VPN experience over OpenVPN is choppy, for lack of a better term.  It's not smooth. VNC & RDP to my home computers are halt and go with micro stutters...just erratic.  It's almost like a bad connection but it's not.  I don't see any obvious problems with my VPN setup but its behavior reminds me of an MSS or MTU fragmentation issue.  I lowered the MTU on my TAP adapter (Windows 7) to 1440 and it doesn't seem to matter.  I might lower it more, but before I spend too much time troubleshooting, is this a common problem?  Is there an easy fix to make the VPN experience smoother?  Perhaps something I can edit in my OpenVPN config file that was generated?  I'm running the latest recommended package of OpenVPN GUI for Windows.

'Note that this doesn't happen with any other VPN past or present.  Whether it's AnyConnect, Cisco's older IPSEC VPN Client, L2TP or whatever.

Any advice?

15
Official pfSense Hardware / Re: SG-2440 2.4.1 ZFS Install
« on: October 26, 2017, 12:10:08 pm »
I think this is similar to my issue. The new defaults with ZFS seem to use more (idle) CPU than before.  I haven't had time to test that theory yet with UFS.

https://forum.pfsense.org/index.php?topic=138477

Pages: [1] 2 3 4 5 ... 26