Messages - viragomann

Pages: [1] 2 3 4 5 ... 185
NAT / Re: NAT Reflection, SSL, and Calibre
« on: Yesterday at 02:43:13 pm »
If your SSL certificate's common name is an FQDN and you've set the DNS override correctly, so that the FQDN is resolved to the internal server IP, it should work this way.

However, "NAT reflection + proxy" should also be a solution for you.

NAT / Re: NAT works incorrectly with several OpenVPN clients
« on: Yesterday at 11:52:15 am »
All right here. You have no NAT rule for any of these source addresses.
There's only a NAT rule for the source

So if you want NAT to work for other sources add a rule for it or change the source in the existing rule to any.

In order machines from his LAN respond to my pings, I was to configure NAT. By default, Windows machines do not respond for packets, came from networks, other than LAN.
Allowing such access can be set in the Windows firewall.

If all your traffic goes through the vpn there will be set the "Redirect gateway" option in the server settings. If your brother doesn't need this for other purposes, he should remove the check and enter his LAN network in the "Local Network/s" box.

If he needs that option, you can prevent that by adding the no-pull option and a route to the remote LAN to your client config.

I don't understand your setup.

On switch
vlan 1 -
gateway -
ip route
Currently can reach the internet

What is the gateway - An upstream gateway?
However, the default route is set to, the pfSense vlan1 IP.

Is pfSense the upstream gateway or another device, now? If it is pfSense, it has to have an IP in each vlan and does not need static routes at all.

With only one hardware NIC you will need at least a VLAN-capable switch. So you can define VLANs for WAN and LAN between pfSense and the switch and the switch will separate the networks again. But I'm in doubt you have one on stock.

pfSense can only filter traffic between interfaces.

ping and traceroute maybe do well. ICMP is a stateless protocol. The problems with that come if you establish a stateful connection.

So I'd try one of the suggestions.

Another possible workaround is to set up a transit network between the pfSense and the VPN server, if you don't move the vpn server to pfSense.
Maybe you can set up the transit network as additional VLAN on the existing LAN interfaces. Then add a static route to pfSense which points to the VLAN IP of the Ubuntu server.

OpenVPN / Re: VPN Routing Not on Edge
« on: March 16, 2018, 03:29:38 pm »
The output doesn't show any route. It only shows network settings of the interfaces.

I'm not familiar with Android, so cannot give hints. However, the OpenVPN client should log the connection establishing. There you will get details if adding the routes succeeds or not.

OpenVPN / Re: VPN Routing Not on Edge
« on: March 16, 2018, 12:30:25 pm »
Can you access the LAN devices from pfSense itself? e.g. ping.

You also want to route internet traffic over the vpn? So have you checked "Redirect gateway" in the OpenVPN server settings?

What do the routes on the client look like?

If the VPN endpoint is within the LAN, a static route on the edge router cannot resolve the routing issue.
You rather need static routes on each LAN device pointing to the Ubuntu server.

Why do you not run the OpenVPN server on pfSense?

OpenVPN / Re: VPN Routing Not on Edge
« on: March 16, 2018, 12:00:36 pm »
Have you switched the outbound NAT mode to hybrid or manual?
If you haven't you can add rules though, but with no effect.

OpenVPN / Re: HELP: Firewall Settings for Remote Networks over VPN
« on: March 16, 2018, 04:30:32 am »
No, NAT has nothing to do with OpenVPN. It's just a router function. It translates the source address in outgoing packets to the router's interface address. That should simplify the inter-network communication between the devices, but it isn't desired in every environment.
In this case the interface is the virtual VPN interface. There's no way to control that on the OpenVPN server.

OpenVPN / Re: HELP: Firewall Settings for Remote Networks over VPN
« on: March 15, 2018, 04:30:22 pm »
Disable S-NAT on the clients.
I guess the clients are a sort of consumer routers. These often do S-NAT on outgoing interfaces by default.

OpenVPN / Re: VPN Routing Not on Edge
« on: March 15, 2018, 04:15:23 pm »
If the VPN is only for your own purposes add an S-NAT rule (outbound NAT), which translates the source address of outgoing packets to the interface address.

Deutsch / Re: Guaranteed Bandwidth
« on: March 15, 2018, 09:37:17 am »
I assume that the highest priority ensures that the configured bandwidth is actually made available, provided it exists.
Of course, in your case this would have to be used in combination with the Traffic Shaper.
