
Messages - bpb21

SNMP / Re: Modules, which does what?
« on: March 08, 2018, 01:52:02 pm »
Did you find out what the different modules do?  Or is that in another post somewhere?

SNMP / Re: Monitor interface status with SNMP and Nagios
« on: March 08, 2018, 01:49:52 pm »
Have you done anything with the SNMP modules in the latest pfSense?
Just curious, and thanks for your post!

SNMP modules
Host Resources

OpenVPN / Re: OpenVPN service not working with pfSense 2.4?!
« on: December 03, 2017, 09:14:12 pm »
Oh - system logs.  I kept getting the same errors over and over.  I'd completely remove an OpenVPN server, all certificates, and try again from scratch.  And I'd keep getting the same message over and over in the system logs.  (The definition of insanity?)

Dec 3 18:48:09   openvpn   34472   Exiting due to fatal error
Dec 3 18:48:09   openvpn   34472   Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:48:09   openvpn   34472   OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:48:09   openvpn   34472   OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:48:09   openvpn   34472   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 3 18:48:09   openvpn   34296   library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 3 18:48:09   openvpn   34296   OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
Dec 3 18:21:31   openvpn   48163   Exiting due to fatal error
Dec 3 18:21:31   openvpn   48163   Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:21:31   openvpn   48163   OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:21:31   openvpn   48163   OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:21:31   openvpn   48163   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 3 18:21:31   openvpn   48127   library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 3 18:21:31   openvpn   48127   OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
Dec 3 18:20:14   openvpn   65340   Exiting due to fatal error
Dec 3 18:20:14   openvpn   65340   Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:20:14   openvpn   65340   OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:20:14   openvpn   65340   OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:20:14   openvpn   65340   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 3 18:20:14   openvpn   65096   library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Dec 3 18:20:14   openvpn   65096   OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
Dec 3 18:19:38   openvpn   29240   Exiting due to fatal error
Dec 3 18:19:38   openvpn   29240   Cannot load certificate file /var/etc/openvpn/server1.cert
Dec 3 18:19:38   openvpn   29240   OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Dec 3 18:19:38   openvpn   29240   OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Dec 3 18:19:38   openvpn   29240   NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
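The "PEM routines:PEM_read_bio:no start line" error in the log above means OpenSSL never found a "-----BEGIN ...-----" marker in the certificate file, which usually points to an empty, non-PEM (DER) or garbage-prefixed file rather than a bad key. The following check is an added example, not code from the thread or from pfSense; the sample inputs are constructed placeholders, not real certificates.

```python
"""Diagnose a PEM file the way OpenSSL's PEM_read_bio sees it (added example)."""
import base64
import re

BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?$")
END = re.compile(rb"^-----END ([A-Z0-9 ]+)-----\r?$")


def check_pem(data: bytes) -> dict:
    """Return {'ok': True, 'blocks': [(label, der_len), ...]} or {'ok': False, 'reason': ...}."""
    if not data.strip():
        return {"ok": False, "reason": "file is empty (certificate never written?)"}
    if data.startswith(b"\xef\xbb\xbf"):
        return {"ok": False, "reason": "UTF-8 BOM before the BEGIN marker"}
    if data[:1] == b"\x30":  # DER SEQUENCE tag; PEM would start with '-'
        return {"ok": False, "reason": "looks like DER, not PEM (first byte 0x30)"}
    blocks, label, body = [], None, []
    for line in data.split(b"\n"):
        m = BEGIN.match(line)
        if m and label is None:
            label, body = m.group(1), []
            continue
        m = END.match(line)
        if m and label is not None:
            if m.group(1) != label:
                return {"ok": False, "reason": "BEGIN/END labels differ"}
            try:  # the body between the markers must be base64 that decodes
                der = base64.b64decode(b"".join(body), validate=True)
            except ValueError:
                return {"ok": False, "reason": "body is not valid base64"}
            blocks.append((label.decode(), len(der)))
            label = None
            continue
        if label is not None:
            body.append(line.rstrip(b"\r"))
    if label is not None:
        return {"ok": False, "reason": "BEGIN marker without matching END"}
    if not blocks:
        return {"ok": False, "reason": "no start line (no -----BEGIN marker found)"}
    return {"ok": True, "blocks": blocks}


# Constructed samples (not real certificates): a PEM wrapper around placeholder bytes.
SAMPLE_GOOD = (b"-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed placeholder DER bytes") + b"\n"
               + b"-----END CERTIFICATE-----\n")
SAMPLE_NOSTART = b"Y29uc3RydWN0ZWQ=\n"  # base64 body with no BEGIN/END markers
SAMPLE_EMPTY = b""

if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("nostart", SAMPLE_NOSTART), ("empty", SAMPLE_EMPTY)):
        print(name, check_pem(blob))
```

To apply it to the file from the log, pass `open("/var/etc/openvpn/server1.cert", "rb").read()` to `check_pem`.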

OpenVPN / Re: OpenVPN service not working with pfSense 2.4?!
« on: December 03, 2017, 09:08:17 pm »
I have this exact issue, with this exact error message about Cannot load certificate file /var/etc/openvpn/server1.cert in pfSense 2.4.2 and the really bizarre thing: it was working fine previously.  I don't mean on a previous pfSense build; I mean until I tried it remotely today.

Ever since it stopped working, I've tried to completely clear out all certificates and recreate the OVPN server.  But I end up with the same error.

Any ideas what this might be about?  I run about five pfSense servers in different locations (not connected to each other) and I've noticed while two are working, three are not.  (I blame two of the non-working ones on external factors.)

Very confused...

I've got pfSense configured and running on Pentium(R) Dual-Core CPU E5300 @ 2.60GHz 2 CPUs: 1 package(s) x 2 core(s) hardware, using the onboard NIC for the WAN connection and an add-in PCI NIC for the LAN.  Everything is configured like I want it, except I want to add a DMZ physical interface.  So, I tried installing a PCI-e NIC card (the only empty expansion slot on the motherboard) and the pfSense configuration essentially reset itself to the initial setup - the NICs reverted to being unconfigured.

I just removed the PCI-e NIC card and restored from a backup I had done prior to this.

I had the same thing happen on similar hardware at a different site.

My question is: is this normal when adding in another physical NIC to a pfSense installation?  I would have expected the settings to remain the same and to just have one new and unconfigured physical NIC in the menu (both webgui and terminal).  Instead, the addition of another NIC seems to reset the entire config.  Is that normal behavior when adding another NIC - specifically a NIC that won't be an additional WAN connection?

If so, if I were to install the NIC card, then configure just enough so I could revert to the good backup of the pfSense system just prior to installing the NIC, would that produce the desired result?  (The desired result is the exact same configuration, plus one new and unconfigured network interface in pfSense.)

Please excuse my basic question; I've been reading on the forums and such about the bsnmpd implementation in pfSense.  If I'm understanding correctly, the MIBs/OIDs returned from snmpwalk are in part dependent upon what hardware you've got pfSense installed on.  Is that correct?
Example: when I run snmpwalk on a pfSense install I get a lot of SNMPv2-SMI::enterprises values, which I presume I'd need the MIBs from the hardware manufacturer to decipher.
So there's only so much generic data you can get from pfSense via SNMP without knowing the MIBs/OIDs of the hardware it's installed on, right?
Or is it more to do with the version of FreeBSD pfSense is running/compiled with, as per

aha!  Got it!  In addition to those two links in my initial post, getting OpenVPN to start and connect at CentOS 7 system start was nigh impossible, but for this!

"It seems this is a known bug/limitation in the design of the Systemd framework in combination with OpenVPN. "

Once again, without derailing this topic, thanks for nothing Systemd!  And, I've figured it out.  Whew!  Hope these links are helpful to someone else.

OpenVPN / CentOS 7 client to VPN on pfSense firewall for network monitoring
« on: December 06, 2016, 05:18:07 pm »
Here's my situation; I've been way overthinking this and I'm stumped at the moment.

I've got one network with a pfSense firewall/DHCP/DNS box handling it.  Behind this pfSense box there are multiple access points.  I'd like to monitor these using SNMP/Nagios (covered elsewhere).  This will be network 1.

I've got a totally separate network, also managed/firewalled by pfSense, whereon resides my CentOS 7 headless server on which I've configured Nagios.  Let's say this is network 2.

There are other clients/users on both networks.  I don't want them to intermingle.

What I need is for the CentOS 7 server, on network 2, to be able to have an always on VPN connection to network 1, to be able to securely query the access points on network 1.  I don't want this connection to allow any other traffic from network 1 to network 2, but if the CentOS 7 server is the only client then I can handle that via firewall rules.

But, how should I go about setting up an appropriate VPN?  I've got an OpenVPN server set up on pfSense on network 1 to allow me to remote connect in from a different machine on network 2 and manage the access points.  However, I'd like this CentOS 7 server to be able to automatically query their status.

I could join the two pfSense firewalls, I suppose.  But, I don't want always on site to site connectivity between both networks; just that one CentOS 7 server on network 2 and the pfSense network 1.

I'm not sure that made any sense, reading back over it.  But, one client on a physically separate network always VPN'd to a different network.  Best options?

I'm reading up, but I'm going round and round and confusing myself in the process!  Any pointers are helpful!

I've also read over here and here and several forum posts; my brain is churning through all this.

Well, now I do.  Turns out it's a lot easier with a "real" hostname rather than trying to use one of the free dynamic DNS names.  (That's probably obvious.)

Anyway, I've finally got it!  Thank you for your help; I probably would still be floundering around with this without it!

That's been helpful setting me on the right track.  However, I'm not there yet.

From home, I can set up https://nextcloud.testing.123 and connect locally - quite speedily since it doesn't leave the internal network.  But, I don't have a wildcard DNS so that doesn't work externally.  I did a port redirect to route all HTTPS to that particular internal IP address and with that (and forcing that server to only serve https, just in case) I can get to https://testing.123/nextcloud from the outside world.

But, that's two different URLs for the sync clients = same problem as before.

I know I'm still not understanding the host/domain redirects.  But...yeah, I'm not understanding those.  (Using DNS Forwarder, BTW.)

If I get to the pfSense webconfigurator at https://testing.123:[custom port], then wouldn't a domain redirect for testing.123 to the nextcloud server's IP no longer allow me to get to the pfSense webconfigurator?

Arguably I shouldn't have that enabled from outside the firewall in the first place, but I had to set up and test an OpenVPN connection externally.  Maybe that's it...more testing ahead!  But thanks for your advice; it's put me on the right track to actually understanding this stuff.

I hope that description is clear!  I've pored over this question, off and on, for several weeks and I'm rather stumped.  Please pardon my basic level of understanding.

Scenario: my pfSense setup has a static, external IP (let's say for example) on the WAN interface and my domain, testing.123, points to  I'm hosting a website on my network behind pfSense, on machine (again, fictitious, local IP), and I have a NAT rule in pfSense to forward all incoming http requests to port 80 on  This setup works great - from anywhere else in the world.  Going to testing.123 in your browser takes you right to the website.

Trying to access testing.123 website from a computer on the same network, let's say my laptop at, doesn't work.  (I've reset my pfSense web interface to a non-standard port, so it wouldn't be looking for the web interface instead of the website.)  That's probably obvious to all of you DNS experts reading this (who I hope are reading this!).  If I go to in a browser at home, the site will load but it's pretty slow.  It runs quite speedily when accessed from an external IP.

Now, let's say I wanted to host something like ownCloud (or Nextcloud) at home, and be able to access it both at home and away from my home network.  I have that on with a NAT rule forwarding https to and it works fine when I'm not at home, but when on the home network the domain can't be resolved.  I'd have to change testing.123 to in the client every time I change locations.

Is this a situation where I need some redirect rules on the LAN side of the firewall or is this a DNS issue? 

With my basic cable modem as the only firewall between these servers and the internet at large, I just pointed the domain name records at my static IP and everything worked fine, at home or away.  With a basic pfSense setup in the middle, I'm no longer able to get to these sites.  I know if my basic home modem/router combo can do it, pfSense can do it.  But what am I missing?

A few more details, as I know that's not much to go on.  I've got one WAN interface, configured with the static IP, and one LAN interface which assigns DHCP addresses.  The webserver has a static IP.  NAT incoming connections to port 80 redirected to and the only plugin I've installed is pfBlocker.  The rest is just the out of the box configuration of pfSense 2.3.2.

Any tips/pointers in the right direction are appreciated!

Installation and Upgrades / Re: "BTX halted" error with 2.2.2
« on: November 15, 2015, 12:34:46 pm »
I am also having the same error, both with a live CD and a USB stick, where "BTX halted".  I can't get to the boot settings, and have disabled everything not needed in the BIOS.

I also have an ASUS system:
AMD Athlon 62 X2 Dual Core Processor
Speed 2000MHz
Count 2
BIOS 0112 07/21/2006

So, it's most likely something between ASUS and pfSense.  What, remains to be seen.  I'm going to try 2.1.5 instead of the current 2.2.5 (giving me the errors) and see if that works with the earlier version.

Seems it's obviously something that changed in pfSense between 2.1.5 and 2.2.5 that's conflicting.

It's broken all right.

In transparent proxy case, at least two port directives are needed:
http_port intercept
http_port ADDR:3128

where ADDR is LAN interface address.

Of course, that's not enough - something needs to intercept and redirect traffic to squid.
Luckily, that's clickable, and generated rdr works just fine.
Just make sure you click on correct interface(s) on Services->Proxy Server. (Use loopback as proxy interface if using transparent proxy)


I've just installed pfSense 2.2.4 with squid3, squidguard, and lightsquid.  This all worked fine under pfSense 2.1 but not so much under 2.2.4 so THANK YOU for your help.  Just a couple of questions: "that's clickable, and generated rdr works just fine."  Sorry but, what's clickable?

Are you saying you should select "loopback" for Transparent Proxy Interface(s) instead of LAN?

I still can't get lightsquid to work, even with these changes.  But, I'll take all the help I can get with this!
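The quoted reply says a transparent squid needs two http_port directives: one with `intercept` for the traffic the generated rdr rule sends to it, and one plain listener on the LAN address. The checker below is an added example (not from the thread, squid or pfSense) that reads a squid.conf and reports whether both are present and whether the plain listener is pinned to a single address rather than all interfaces; the sample configs are constructed.

```python
"""Check squid.conf http_port lines for transparent-proxy mode (added example)."""
import re

# http_port <listen> [option ...]; the listen spec may be 'port', 'addr:port' or 'ifname:port'
HTTP_PORT = re.compile(r"^\s*http_port\s+(\S+)((?:\s+\S+)*)\s*$")


def parse_http_ports(conf: str) -> list:
    """Return [(listen, [options, ...]), ...] for every http_port directive, ignoring comments."""
    ports = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop trailing/whole-line comments
        m = HTTP_PORT.match(line)
        if m:
            ports.append((m.group(1), m.group(2).split()))
    return ports


def check_transparent(conf: str) -> list:
    """Return a list of problems; an empty list means both required listeners are present."""
    ports = parse_http_ports(conf)
    problems = []
    # 'transparent' is the pre-3.1 spelling of 'intercept'; accept both
    is_icpt = lambda opts: "intercept" in opts or "transparent" in opts
    intercept = [p for p, o in ports if is_icpt(o)]
    plain = [p for p, o in ports if not is_icpt(o)]
    if not intercept:
        problems.append("no http_port with 'intercept': rdr'd traffic has nowhere to go")
    if not plain:
        problems.append("no plain http_port: squid needs a non-intercept listener too")
    for p in plain:
        # a bare port or 0.0.0.0 binds every interface, including WAN; bind to the LAN address
        if ":" not in p or p.startswith("0.0.0.0:"):
            problems.append(f"plain listener '{p}' is not bound to a single (LAN) address")
    return problems


# Constructed sample configs (addresses are placeholders, not from the thread)
GOOD_CONF = """# constructed sample
http_port 127.0.0.1:3129 intercept
http_port 192.168.1.1:3128
"""
BROKEN_CONF = "http_port 3128 intercept\n"  # only an intercept listener
WIDE_CONF = "http_port 127.0.0.1:3129 intercept\nhttp_port 3128\n"  # plain listener on all addresses

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF), ("wide", WIDE_CONF)):
        print(name, check_transparent(conf) or "ok")
```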
