My SG-1000 only has two interfaces, so how would this work in practice? Would I have to create a VLAN for the transit network?

All working now, I needed a static route to the LAB network on the SG-1000 router. Thanks for looking everyone!!
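An added example (not from this thread or from Netgate) that models why the static route on the SG-1000 was the fix. The addresses are constructed, since the thread's real IPs are not on the page: LAN is 10.0.0.0/24 with the SG-1000 at 10.0.0.1 and pfSense at 10.0.0.2, LAB is 10.0.1.0/24 with pfSense at 10.0.1.1 and a lab host at 10.0.1.10, and 203.0.113.1 stands in for the SG-1000's upstream gateway. It does longest-prefix-match forwarding over each device's routing table and walks a ping from the lab host to the SG-1000 and the reply back, with and without the static route; it also shows why the same route is pointless on pfSense itself, where the LAB subnet is directly connected.

```python
"""Constructed two-router model: pfSense between LAN and LAB, SG-1000 upstream."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# (prefix, next hop); next hop None means the prefix is directly connected.
Route = Tuple[str, Optional[str]]

# Constructed addresses (the thread's real ones are not on the page).
SG1000_LAN = "10.0.0.1"
PFSENSE_LAN = "10.0.0.2"
PFSENSE_LAB = "10.0.1.1"
LAB_HOST = "10.0.1.10"
ISP_GW = "203.0.113.1"  # stand-in for the SG-1000's WAN-side default gateway


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match. Returns the next-hop address, or None when
    dst is on a directly connected subnet. Raises if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, Optional[str]]] = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def is_directly_connected(table: List[Route], prefix: str) -> bool:
    """True when the prefix is an attached subnet, so a static route for it
    on this device is unnecessary (and most routers will refuse it)."""
    net = ipaddress.ip_network(prefix)
    return any(ipaddress.ip_network(p) == net and gw is None for p, gw in table)


def sg1000_routes(with_static_route: bool) -> List[Route]:
    """SG-1000 table: LAN attached, everything else to the ISP, plus the
    optional static route for LAB via pfSense's LAN address."""
    table: List[Route] = [("10.0.0.0/24", None), ("0.0.0.0/0", ISP_GW)]
    if with_static_route:
        table.append(("10.0.1.0/24", PFSENSE_LAN))
    return table


PFSENSE_ROUTES: List[Route] = [
    ("10.0.0.0/24", None), ("10.0.1.0/24", None), ("0.0.0.0/0", SG1000_LAN)]
LAB_HOST_ROUTES: List[Route] = [("10.0.1.0/24", None), ("0.0.0.0/0", PFSENSE_LAB)]

Node = Tuple[Set[str], List[Route]]  # (addresses owned, routing table)


def build_nodes(with_static_route: bool) -> Dict[str, Node]:
    return {
        "lab-host": ({LAB_HOST}, LAB_HOST_ROUTES),
        "pfsense": ({PFSENSE_LAN, PFSENSE_LAB}, PFSENSE_ROUTES),
        "sg1000": ({SG1000_LAN}, sg1000_routes(with_static_route)),
    }


def owner(nodes: Dict[str, Node], ip: str) -> Optional[str]:
    for name, (addrs, _) in nodes.items():
        if ip in addrs:
            return name
    return None


def path(nodes: Dict[str, Node], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Forward a packet hop by hop until a node owning dst is reached or the
    next hop leaves the modelled network."""
    hops = [start]
    node = start
    for _ in range(max_hops):
        addrs, table = nodes[node]
        if dst in addrs:
            return hops
        gw = next_hop(table, dst)
        nxt_ip = dst if gw is None else gw
        nxt = owner(nodes, nxt_ip)
        if nxt is None:
            hops.append(f"off-net via {nxt_ip}")  # packet leaves towards the ISP
            return hops
        hops.append(nxt)
        node = nxt
    hops.append("hop limit reached")
    return hops


def ping_round_trip(with_static_route: bool) -> Tuple[List[str], List[str]]:
    """Echo request from the lab host to the SG-1000, and the echo reply back."""
    nodes = build_nodes(with_static_route)
    request = path(nodes, "lab-host", SG1000_LAN)
    reply = path(nodes, "sg1000", LAB_HOST)
    return request, reply


if __name__ == "__main__":
    for flag in (False, True):
        req, rep = ping_round_trip(flag)
        print(f"static route on SG-1000: {flag}")
        print("  request:", " -> ".join(req))
        print("  reply:  ", " -> ".join(rep))
    print("route for LAB needed on pfSense?", not is_directly_connected(PFSENSE_ROUTES, "10.0.1.0/24"))
    print("route for LAB needed on SG-1000?", not is_directly_connected(sg1000_routes(False), "10.0.1.0/24"))
```

The request always reaches the SG-1000 because pfSense's default route points at it; it is the reply that goes wrong. Without the static route the SG-1000 has no entry for 10.0.1.0/24, so its reply follows the default route out to the ISP and the lab host sees a timeout, which matches the symptom in this thread. The same check on pfSense shows the LAB prefix already directly connected, so the route belongs on the upstream router, not on pfSense.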

Draw a picture of how you have this set up and talk about your ultimate goals. 

OK. :)

Here's the network diagram.

I want pfSense on beryllium to allow traffic both ways between LAN and LAB networks unhindered. It seems that machines in LAB network can't reach some machines in LAN, but machines in LAN can reach all machines in LAB. Here are the results from a machine on each network.

Cannot ping, (timed out)
Can ping,,,,,

Can ping everywhere fine

Here are the firewall rules on beryllium.localdomain

Hi everyone, thanks for reading, I still have an issue where no servers on the LAB domain can access the internet. I can't ping the LAN interface of my Netgate WAN router from the LAB network, but I can ping it from the LAN network. Any ideas?

NO, that is NOT the correct way to do it!!! Create a route to use, not a default gateway - arrrgghhh..

OK, ok! :)

I've done this now and all good from to!

I can also now ping from to!!

I do however, have one small issue. I can't ping the netgate router ( from my LAB network. Any ideas on why?

You converted your WAN to LAB interface?

You have to disable all outbound NAT.

No I converted LAN to LAB interface and converted WAN to LAN interface. Here are my NAT outbound rules:

A-ha!! :)

I added the second gateway into my machine and I can now ping from Feel like we're making some progress!

However, I can't ping from

What is odd is that I can ping the machine from the LAN interface on pfSense:

Here are the settings for machine I do have Private Internet Access VPN client installed but it's not running. I also have the Hyper-V service on this machine but not currently using it. It is joined to domain duck.loc where machine is the domain controller so quite important it can connect to it! :)

The default gateway is my Netgate device to go to the internet (

Here's the tracert

Getting strange.

I have a VM on the Hyper-V host called neon.localdomain with IP

I can ping that from machine, but machine cannot ping the Hyper-V host interface or my desktop


Floating rules are above, none configured. Sorry yeah should have mentioned Hyper-V but it really shouldn't factor.

On machine I can ping pfSense interface fine.
On machine I cannot ping physical machine (my desktop) (Request timed out).
On machine I cannot ping pfSense interface (Request timed out).


Here's my Hyper-V switches in case it's relevant:

To add some more info as we cross-posted... :) thanks v. much BTW for your time!

Machine is a Hyper-V VM hosted by a machine called fluorine on IP 10.0.0..9. Connected to a vSwitch called Lab.
pfSense is a Hyper-V VM also hosted on fluorine with two vSwitches one is LAN and connected to the physical NIC and the other is a vSwitch connected to LAB.

Machine is a physical Windows 10 box.

The Hyper-V host and the desktop are connected via a gigabit hub.


Also add that there are no floating rules and I can ping both machines from within pfSense itself in the Diagnostics menu just fine. The devices can also ping the pfSense interface as well with no issues.

Here's some more info. Machine in network

On machine in network

Your LAB is actually your LAN interface ;) Notice the anti-lockout rule on it.

But your rules are fine - did you set the gateway on the machines correctly? Software firewall running on devices in the other network blocking ping from a different subnet, etc..

So when pfSense was first configured the LAN interface was WAN, so I renamed it and added a rule to allow traffic through. The LAB interface was the LAN interface, so I renamed that too.

There are no software firewalls on the machines in the other subnets. I tested this by pinging machines within the same subnet and they worked fine, and also checked that Windows Firewall is off on all profiles.

I tried to set up a static route but I got an error saying that the IP address was on the same subnet or something to that effect.

I have two interfaces: LAN & LAB. I want machines on LAB to connect to machines on LAN and vice versa. I do not have a WAN interface as that is provided by another router in network

LAN interface is
LAB interface is

I cannot ping a machine in network from network or vice versa. What have I done wrong?



Firewall rules

What's the netmask you get assigned by your ISP and what's the last octet from not-your-IP in the logs?

netmask is /32 (0xffffffff)
last octets that I've seen of the not-my-IP address are: 168, 170, 171, 172, 174, 175, etc. I don't see any 255s

