

Messages - Derelict

General Questions / Re: Bootloop after black out
« on: Today at 06:11:22 am »
Looks like you tickled pfsync somehow. Are you sure you don't have a sync interface configured (whether it's being used or not)?

Anyway, it's known and is fixed in 2.4.3.

Traffic Shaping / Re: LAGGs + Traffic shaper HFSC + VLANs
« on: Today at 06:08:44 am »
altq is not supported directly on a laggX interface. Assign a VLAN and altq on that.

IPv6 / Re: Setup Dual Stack with NAT on v4
« on: Today at 05:45:13 am »
A /48 is the minimum allocation for such a thing. If someone in a datacenter asks for it, they should immediately get it. Maybe he's subdividing it into /56s over VPN. There are only 256 of those. There is zero reason for the ISP to care. An "X-Small" ISP allocation is a /32, or 64K /48s.

Again, if it is "here's a /64 for your VPS web server. Have fun," then it is the wrong product for the use case.

There is zero reason not to do it.

It is only 64K interfaces.

Firewalling / Re: Need multiple pptp connection passthrough 2.4.2
« on: Yesterday at 11:18:02 pm »
To the same IP address? No.

PPTP should be abandoned for a secure VPN technology. In fact it should have been abandoned years ago.

IPsec / Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« on: Yesterday at 10:16:12 pm »
Then why would your P2s be the same on multiple sites if those networks are not reachable on that tunnel?

PTP SSL/TLS with a tunnel network larger than a /30 puts the server side into server mode.

This means that you have to have remote networks on the server configuration to get the traffic into OpenVPN, then you also have to have Client-Specific Overrides with the remote networks set to tell OpenVPN which client to send the traffic to. Even if there is only one.

You might try setting the tunnel network to /30 and see if things start to make more sense. Especially if there will only ever be one client.
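The two configurations described in the post above, written out as an added example (it is not from the post and not pfSense's own generated code). In pfSense terms, the server's "Remote network(s)" field becomes the `route` line and the Client Specific Override's remote network becomes the `iroute` in the ccd file. Site B's LAN 192.168.2.0/24, its certificate CN `site-b`, the tunnel addresses and the directory layout are assumptions; certificate directives (ca/cert/key/dh/tls-auth) are left out so the routing part stays visible.

```shell
#!/bin/sh
# Added example, not from the forum post. Addresses, the CN "site-b" and the
# file layout are assumptions for illustration.

# Tunnel network larger than /30 (here /24): OpenVPN runs in server mode.
# 'route' installs a kernel route so packets for 192.168.2.0/24 enter the tun
# interface; 'iroute' in the client's ccd file tells OpenVPN which connected
# client that network lives behind. Without the iroute the packets reach
# OpenVPN and are dropped, even when only one client ever connects.
write_server_mode() {
    dir=$1
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
route 192.168.2.0 255.255.255.0
client-config-dir ccd
EOF
    # pfSense writes this file from the Client Specific Override; the file
    # name must equal the client certificate CN.
    printf 'iroute 192.168.2.0 255.255.255.0\n' > "$dir/ccd/site-b"
}

# /30 tunnel network: true point-to-point. There is exactly one peer, so the
# kernel route alone is enough and no ccd/iroute is involved.
write_p2p_mode() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/server.conf" <<'EOF'
dev tun
tls-server
ifconfig 10.8.0.1 10.8.0.2
route 192.168.2.0 255.255.255.0
EOF
}

# Lint: in server mode, print every 'route' network that has no matching
# 'iroute' in any ccd file. Prints nothing when the config is consistent,
# and nothing for a p2p config (no 'server' line), which needs no iroute.
check_iroutes() {
    dir=$1
    grep -q '^server ' "$dir/server.conf" || return 0
    awk '$1 == "route" { print $2 }' "$dir/server.conf" | while read -r net; do
        grep -qs "^iroute $net " "$dir"/ccd/* 2>/dev/null || echo "$net"
    done
}

# Usage: write_server_mode /tmp/ovpn-a && check_iroutes /tmp/ovpn-a
```

`check_iroutes` is the check worth running whenever a site-to-site tunnel with a /24-style tunnel network "connects but passes no traffic": a `route` without a matching `iroute` is exactly the silent failure the post describes.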

NAT / Re: NAT rule is not working
« on: Yesterday at 08:13:11 pm »
Exhaustive list of other things to check here.

When it works from the same subnet but not from others it is almost always either the local firewall on the target or the default gateway of the target is wrong.

NAT / Re: Cisco BT Signal Booster behind pfSense
« on: Yesterday at 03:45:51 am »
You should not have to do anything to use any cell booster behind pfSense in its default configuration. If you have messed about with the default outbound NAT static port on port 500 or something, maybe you might have to undo that.

They generally initiate an OUTBOUND IPsec connection to the cell provider. Nothing should be required on the firewall. No special rules, no special port forwards, etc.

They generally require a good GPS signal and can take a LONG TIME to sync up.

The best we can try to do if it is not working is interpret the specific instructions or guidance they provided. You would need to post that.

Port mapping rule for UDP/4500 on WAN interface ->
You do not need this for an outbound connection.

Manual outbound NAT configured - only a rule for * -> WAN address configured for the subnet
Why manual? Automatic will capture that.

Currently an additional rule for UDP/any going to WAN interface
Zero idea what that means. Post the rule.

I realize those were posted a while ago by someone else but you stated you did the same thing.

NAT / Re: Intermittent NAT failures
« on: February 15, 2018, 10:11:49 pm »
How many states? I am unsure what the behavior is if there is not an available ephemeral source port for the outbound translation. You might need a pool of outbound NAT addresses if that is the case.

If you are truly seeing something intermittent there, that would be something I would certainly look at, especially if it only occurs during periods of high-traffic. That would take tens of thousands of simultaneous connections all to the same destination protocol:host:port however and seems unlikely.

Have you done anything like setting static source ports, reducing the available ephemeral source ports or maybe something else with outbound NAT?
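A way to check the source-port exhaustion theory from the post above, as an added example that is not from the post or from pfSense: count live outbound NAT states per (protocol, translated source address, destination host:port), since that is the tuple that has to share one translation port range. The `pfctl -ss` line layout is the one FreeBSD pf prints for outbound translated states (translated source, original source in parentheses, then the destination); the sample lines are constructed, and the default pool size of 15535 ports (pf's 50001-65535 translation range) is an assumption that a static-port or narrowed range on your outbound NAT rule would change.

```shell
#!/bin/sh
# Added example, not from the forum post. Reads `pfctl -ss` output and counts
# outbound NAT states per (proto, translated source address, destination ip:port).

# Constructed sample in the pfctl -ss layout for outbound NAT states:
#   <if> <proto> <translated src> (<original src>) -> <dst> <state>
# plus one non-NAT state and one inbound state, which must be ignored.
sample_states() {
    cat <<'EOF'
all tcp 203.0.113.10:61234 (192.168.1.50:51000) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:61235 (192.168.1.51:51001) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:61236 (192.168.1.52:51002) -> 198.51.100.7:443       FIN_WAIT_2:FIN_WAIT_2
all udp 203.0.113.10:53122 (192.168.1.51:40000) -> 198.51.100.53:53       MULTIPLE:SINGLE
all tcp 192.168.1.50:51003 -> 192.168.1.1:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:22 <- 198.51.100.9:40001       ESTABLISHED:ESTABLISHED
EOF
}

# Prints "count proto src -> dst:port", largest first.
nat_port_pressure() {
    awk '
        $5 == "->" && $4 ~ /^\(/ {
            sub(/:[0-9]+$/, "", $3)   # drop the translated port; the address is what is shared
            n[$2 " " $3 " -> " $6]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Flags tuples using more than 80% of the translation port pool. The pool
# size is an assumption: pf picks from 50001-65535 unless the NAT rule says
# otherwise, and static-port or a narrowed range makes it smaller.
nat_pool_warn() {
    pool=${1:-15535}
    awk -v pool="$pool" '$1 > pool * 0.8 { print "WARN " $0 }'
}

# On the firewall (total state count is under "current entries" in pfctl -si):
#   pfctl -ss | nat_port_pressure | nat_pool_warn
```

If the top line is nowhere near the pool size during a failure window, port exhaustion is not the cause and the post's other suggestions (static source ports, a changed ephemeral range, other outbound NAT edits) are the next things to rule out.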

Then only one or none should be connected to wired I would think.

If they expect functioning STP on home networks they're in for a long, hard ride.

Why wireless and wired on the sonos? Shouldn't it be one or the other?

The easiest way to prevent layer 2 loops would be to not make the loop in the first place.

Hardware / Re: pfSense on Dell R710
« on: February 14, 2018, 02:04:56 am »
It should run like a scalded ape on an R710. Unless you are caching, hard drive speed is pretty much irrelevant. Even if you are caching it is pretty much irrelevant.

I have never had any issues with the broadcom drivers. They seem fine. In fact, a few years ago, pfSense sold some used Dells. Can't remember the model but pretty sure they had bce NICs. Have personal experience running on some old IBM 1Us with zero issues. bce NICs there too.

Nothing wrong with a drive mirror for an install such as this. Though on that hardware you would be a candidate to try leaving the controller in JBOD and running a ZFS mirror if you put 8GB+ into it.

Install it and try it. Don't cost nothin'.

Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 10:21:29 pm »
In Azure I have two virtual subnets and
Looks like that LAN interface is to me.

Hardware / Re: WAN port gets reassigned to add-on NIC
« on: February 13, 2018, 10:19:10 pm »
Good to hear.

Always nice to have more router ports.

Virtualization installations and techniques / Re: Azure Firewall Setup
« on: February 13, 2018, 09:08:26 pm »
Did you try it like I suggested with an interface on the LAN subnet + NAT instead of those publics?

Azure has zero way of knowing it needs to route those inside publics to the pfSense WAN. If it is going to be possible, that needs to happen.
