
Messages - whitewidow

Traffic Shaping / Re: playing with fq_codel in 2.4
« on: March 07, 2018, 10:16:21 pm »
I figured I'd share my config, as I spent some time today with little to do at work converting my pfSense setup over to fq_codel. I have a 1Gig Verizon FIOS line coming in which is rated at 940 down and 880 up. I have a pretty straightforward setup going, as I only split into 3 queues: basically I prioritize my games and VoIP to high and lower all my P2P / Plex download traffic to everything else.

I have the Shell Command to create the proper queue setup:

I have upload and download limiters with 3 buckets at 880Mb/s and 940Mb/s respectively. In those queues, I have a high, default and low with weights of 75, 25 and 5.

Source and Destination in the config gets a little squirrelly for me, as I want to make sure I have a clear break between my upload and download traffic. So I didn't select either there, since I handle that in the rules config.

I have a series of match floating rules with logging set up so I can validate. All shaping is selected on my WAN interface:

My rules examples are a bit big, so I linked them a little differently:

Default queue

Low priority rule

For floating rules and pipes, the in and out are switched, as noted in the help text. I did check that in my speed test, as I can see the speeds are exactly what I expected. I noticed much better performance when compared with the other stock schedulers in pfSense.

My speedtest results made me happy:

Edit 1: I seem to have a slight problem with matching my internal (private) IPs properly. I've got to do a little more testing to figure out why they aren't matching. My WAN rules work perfectly though, so it's a start. I just want to make sure I can get internal stuff matched as well.

From what I remember about limiters, I thought that the Mask needs to be set depending on whether the traffic is inbound or outbound.

I have my Upload mask set to "source address" and download to "destination address" for the limiter and each queue nested under.

Is this correct? It seems to work and I see traffic passing. I didn't with it set to "none".

I'm having the same issue with a USB-connected LTE modem as a WWAN interface on all my Netgate appliances. I'm thinking USB devices cannot be used for traffic shaping :'(

Routing and Multi WAN / Re: IP Monitor offline on USB LTE modem gateway
« on: November 22, 2016, 04:00:41 pm »
Can anyone please help me?

Routing and Multi WAN / Re: IP Monitor offline on USB LTE modem gateway
« on: October 24, 2016, 10:45:50 pm »
I'm still having this issue. It also seems the USB modem is not recognized as a WAN interface: there are no DNS servers for this interface under Status > Interfaces, and the USB interface does not show up in traffic shaping either.

How do I get pfSense to treat this as a WAN interface?

Routing and Multi WAN / IP Monitor offline on USB LTE modem gateway
« on: September 23, 2016, 06:12:32 pm »
I'm trying to have a multi-WAN setup that will have WAN = Comcast and WWAN = AT&T ZTE MF923 (via USB). The MF923 was assigned as interface ue0 and pulled a [IP] and gateway of [IP] from the device's DHCP server, and I have internet access. I tried to find a way to set it to bridged/IP pass-through mode to pull the external IP but have been unsuccessful. So I just put the IP in the DMZ on the device to prevent any firewalling by the MF923.

The issue I'm having configuring load balancing & failover is that the IP monitor on WAN (Comcast) works fine with Google DNS, but shows offline on the WWAN with [IP], which I can ping from the WWAN in the GUI, and from the LAN when using the MF923 exclusively for internet access, so I'm assuming the gateway can respond to pings. WWAN will show online if the monitor IP is set to [gateway IP].

Anyone have an idea how to get IP monitoring working on this interface?

I have attached some screenshots of my config. Please note that right now the WAN (Comcast) will show an internal IP, as I am configuring it behind another router; once deployed it will have a public IP.

I have also upped the payload to something greater than 0, with no luck.

Hardware / AirCard 781S Netgear 4g Modem - No usable interface shown
« on: March 03, 2016, 01:52:56 pm »
Hello all, I'm trying to set up an AirCard 781S Netgear 4G modem as a failover WAN interface. It has USB capability and works fine on Windows and Linux.

The issue is that when plugged in, it does not show up in pfSense as an interface, nor can I add it as a PPP.

It does show up as a USB device:

Code:
/root: usbconfig dump_device_desc

ugen1.2: <AirCard 781S Netgear, Incorporated> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0210
  bDeviceClass = 0x0002
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0040
  idVendor = 0x0846
  idProduct = 0x68e1
  bcdDevice = 0x0228
  iManufacturer = 0x0001  <Netgear, Incorporated>
  iProduct = 0x0002  <AirCard 781S>
  iSerialNumber = 0x0003  <013804000227124>
  bNumConfigurations = 0x0002

I know this device is not on the list of working 3G/4G modems, but is there anything I can do to try to get this assigned as an interface?

IPsec / Hub & Multi-Spoke VPN - allow communication between spokes?
« on: October 23, 2014, 10:50:53 am »
I currently have a hub and spoke IPsec VPN set up, with communication working only from each spoke to the hub, not to the other spokes. I would like to have the spokes communicate with each other without destroying the current configuration and moving to a mesh (tinc), but I'd be open to some feedback on the benefits of tinc over my current configuration, so maybe in the future I will migrate to that.

I have read that adding another Phase 2 to the spoke I wish to communicate with, then repeating that on the other spoke, will accomplish this, but I have been unsuccessful getting that to work. Do I need to add another Phase 2 for each spoke on the hub as well? I have 7 spokes, and it seems like getting them to communicate will be a lot of Phase 2 entries...

Here is my current VPN:

Let me know if what I want to accomplish with what I have set up is feasible.

VLAN tagging of SSIDs and a management VLAN.

You will also need a managed switch to do this right without bridging pfSense interfaces. Nothing fancy. Something like a D-Link DGS-1100-08 will do what you need.

For firewall rules you probably just want to add a rule on LAN rejecting connections to "OPT1 net".

On OPT1 you'll probably want to do something like:

Pass ICMP source OPT1 net dest OPT1 address
Pass TCP/UDP DNS source OPT1 net dest OPT1 address
Block any source OPT1 net dest OPT1 address
Block any source OPT1 net dest LAN net
Block any source OPT1 net dest WAN address
Pass any source OPT1 net dest any

Could I use the extra interface and bypass the switch and still accomplish this? I have an unmanaged switch in place and do not have the funding for a managed switch. I do want one VLAN to be able to communicate with the LAN interface to access network resources.

At all of our retail stores we have pfSense firewall appliances, and all locations have an IPsec tunnel to our main location.

At the newest location we are opening, we want to add a dedicated access point out in the showroom.

We want 2 SSIDs: one for private traffic that is on the same subnet as the LAN interface ([subnet]) so that laptops can communicate down the VPN and access network resources just like the wired PCs on the switch. DHCP is handed out by pfSense. This is for employees.

Then the second SSID must be completely restricted from the private traffic and on its own subnet ([subnet]) with internet access only. This will be for customers.

I've been searching how to set this up, but nothing I have read specifically states how to accomplish this. Most say not to use bridging of the LAN interface and to have the 2 SSIDs on their own separate subnets, but this will break the communication down the VPN tunnel that I need the employees to have on the private SSID.

Can anyone help me out on what is the best way to accomplish this?

Also, what features should I look for in the access point besides multiple SSIDs?

Thanks in advance!

The IPsec issue should be fixed now.

Great news! Thanks for fixing this; now I can really test this out on Hyper-V the way we need it. When do the snapshots get pushed?

I think it's posted... does the 10/7 build include the fix?

Yep, working now!!! Thanks again!

So basically site-to-site IPsec is broken now, correct? Has anyone got it to work yet?

I don't have much to add other than I too have this issue. I show connection on both ends but no traffic passes. Changing from DES to AES 128 makes no difference.

I will help test in any way if needed, just let me know.

I'm on the 10/3 snapshot on MS Hyper-V.

You'll never see more than 1 log entry for a single permitted connection, nothing on LAN in that scenario. It's getting passed, check the state, Diag>States. Probably shows "SINGLE:NO TRAFFIC", which means the target host isn't responding.

Thanks for the help everyone... I got RDP and SIP working. I needed to NAT port forward and let the filter rule auto-create to get the packets passed correctly.

Now my issue is just the IPsec VPN...

I show connected on both ends, but no traffic either way...
This post is what I'm experiencing.

I'm on the 10/2 build... Is this still a known issue?

You'll never see more than 1 log entry for a single permitted connection, nothing on LAN in that scenario. It's getting passed, check the state, Diag>States. Probably shows "SINGLE:NO TRAFFIC", which means the target host isn't responding.

Testing with MS RDP. From REMOTE_IP:18786 I see that the packet got passed to MY_WAN_IP:3389. In states I only see:
Code:
MY_WAN_IP:3389 <- REMOTE_IP:18786 CLOSED:SYN_SENT

It's not that the destination is not responding, as I was able to RDP with my standalone router. Is there something I need to assign to route the traffic to the correct subnet?

Looks like it...

I always set my rules to log. You find that option down lower on the rules page when you're building rules. That way I can see if the packet is actually making it.

What are you seeing in the firewall logs now?

After enabling logging on the WAN and LAN2 and running a few tests with RDP, I can see the packet allowed by the WAN but nothing on the LAN/destination server. Should I see that packet in the LAN rule?