
Messages - NotAnAlias

Installation and Upgrades / Re: Can't install with ZFS 2.4.2
« on: February 19, 2018, 01:37:27 am »
This appears to be a FreeBSD issue; I tried installing 11.1 and I have the same problem. I'll try and look around there.

Firewalling / Re: Networking two subnets together
« on: February 11, 2018, 11:38:18 pm »
That's messed up dude. 

If you need stuff to stay up longer you have no choice but to buy a bigger UPS, or use a more power-efficient pFsense box. People building a pFsense box for one reason or another think pFsense requires a major CPU; it does not. An i3-based pFsense will shove full-gigabit stuff while using less than 20 watts, but you have to buy one of those dedicated boxes and not a generic AT/ITX, which tend to use more electricity. Myself, I have a paltry PROTECTLI (MiniSys) Atom E3845 shoving 60 mbit (already overkill but I want AES-ready) at 10-20% CPU usage, consuming 10 watts.

In your current setup, the pFsense cannot be configured as a firewall; it must be configured as a pure router (don't ask me how, as I only know about FW). If configured as a FW, your wireless users are on the WAN, the unprotected side of your network. OK, it's protected by the wrt1200ac NAT, but why bother having an industrial-strength pFsense FW if you are not going to use it as your main FW (directly facing the ISP)? Moreover, as is, you are double-NATing, forcing the unneeded complication of 2 subnets. For example, to commonly port-forward, you would have to do it twice, once on the first NAT, then again on the second NAT, and that's just one common issue off the top of my head.

In a dedicated FW world, the correct, generic way is to look like this:

PlainModem ----> FW ----> ANY WIFI (bridge mode, not creating another subnet) and ethernet Switches.

Your plan to add a switch to fix this is not gonna work.

I would ideally like to have one router, but I do like those features I mentioned above about Openwrt. I currently just have pfsense DMZ'd inside of Openwrt to avoid having to put in two firewall rules.

I tried playing with static routes but I still can't access

Firewalling / Re: Networking two subnets together
« on: February 11, 2018, 06:00:33 pm »
Huh??? So you're not running your pfsense on a UPS because it uses too much power? What are you running pfsense on exactly? How long are these power outages?

Why not just get a better UPS? Or another one for your pfsense.. My network will stay up for about 20 minutes before stuff shuts down on loss of power.. These are my PoE APs, my switches and pfsense.. I have 3 UPS... 1 for my main PC and cable modem, pfsense, switch. Another one for my ESXi host and 2 PoE APs. And then 1 in my AV cab that runs another PoE AP and the switch in the AV cab, etc.

What hardware are you working with, what UPS.. What run time are you looking for, etc.

It's not just the UPS runtime, but I had a power outage a few months ago that was around 6 hours.
There's one feature in particular in Openwrt that I like a lot. It's Cake + Piece of Cake traffic shaping. It's noticeably better than fq_codel in my experience.

I get no throughput loss and I get a constant low ping even when maxing my connection. I do not see this coming to pfsense anytime soon.

Firewalling / Re: Networking two subnets together
« on: February 11, 2018, 06:30:53 am »

You have both sides of pfSense connected to the same network???  That will confuse it.

The only way computers on the 2 subnets can communicate is through the router. All devices use their address and the subnet mask to determine the local network. Then they compare the packet destination address to see if it's on the local network. If not, they send the packet to the router (pfSense) for forwarding towards the destination.

Yeah, I had a LAN port from the Openwrt router connected to a switch, and a LAN port from pfsense connected to the switch; all the PCs were plugged into the same unmanaged switch. I was more curious to see what would happen than actually expecting anything to work.

Which router would I configure so that the subnets can communicate to each other? I'm trying to learn as I go here, so I appreciate all advice.
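The forwarding decision described in the quoted reply (address plus subnet mask decides "local"; everything else goes to a router) can be modelled in a few lines. The following Python is an added example, not code from the thread: the hosts, masks and gateway addresses are constructed to match the two subnets the thread mentions (192.168.1.x behind pfSense, 192.168.2.x behind OpenWrt), and the gateway addresses 192.168.1.1, 192.168.2.1 and 192.168.2.2 are assumptions. It also shows why a static route on the 192.168.2.x side changes where the reply is handed to, which is the effect a longest-prefix lookup has over a plain default route.

```python
import ipaddress

# Added example (not from the thread). Models how a host picks the next hop:
# on-link destinations are sent directly, everything else goes to the gateway
# of the longest matching route. All addresses below are constructed samples.


def is_local(src_ip: str, netmask: str, dst_ip: str) -> bool:
    """True if dst_ip falls inside the subnet defined by src_ip and netmask."""
    local_net = ipaddress.IPv4Network(f"{src_ip}/{netmask}", strict=False)
    return ipaddress.IPv4Address(dst_ip) in local_net


def next_hop(src_ip: str, netmask: str, dst_ip: str, routes: dict) -> str:
    """Return the IP the host hands the packet to.

    `routes` maps prefix strings (e.g. "192.168.1.0/24") to gateway IPs;
    "0.0.0.0/0" is the default route. The most specific matching prefix wins,
    which is what a static route relies on.
    """
    if is_local(src_ip, netmask, dst_ip):
        return dst_ip  # on-link: ARP for it and deliver directly
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, gateway in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]


# Constructed sample hosts: a PC behind pfSense and a laptop behind OpenWrt.
PFSENSE_LAN_PC = ("192.168.1.50", "255.255.255.0")
OPENWRT_LAN_LAPTOP = ("192.168.2.60", "255.255.255.0")

# Assumed gateway addresses (not stated in the thread).
PC_ROUTES = {"0.0.0.0/0": "192.168.1.1"}        # pfSense LAN side
LAPTOP_ROUTES = {"0.0.0.0/0": "192.168.2.1"}    # OpenWrt LAN side
LAPTOP_ROUTES_WITH_STATIC = {
    "0.0.0.0/0": "192.168.2.1",
    "192.168.1.0/24": "192.168.2.2",            # assumed pfSense WAN address
}


def trace(host, routes, dst_ip: str) -> str:
    """Convenience wrapper: which address does `host` hand a packet for dst_ip to?"""
    src_ip, netmask = host
    return next_hop(src_ip, netmask, dst_ip, routes)


if __name__ == "__main__":
    print("PC -> same subnet   :", trace(PFSENSE_LAN_PC, PC_ROUTES, "192.168.1.20"))
    print("PC -> other subnet  :", trace(PFSENSE_LAN_PC, PC_ROUTES, "192.168.2.60"))
    print("laptop, default only:", trace(OPENWRT_LAN_LAPTOP, LAPTOP_ROUTES, "192.168.1.50"))
    print("laptop, static route:", trace(OPENWRT_LAN_LAPTOP, LAPTOP_ROUTES_WITH_STATIC, "192.168.1.50"))
```

The point for the thread: the PC on 192.168.1.x never "sees" 192.168.2.x as local, so every packet for it passes through pfSense and is subject to pfSense's firewall rules; plugging both routers into one unmanaged switch does not change that decision, it only puts two gateways on one broadcast domain.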

Firewalling / Networking two subnets together
« on: February 11, 2018, 05:48:46 am »
This is my current setup:

Modem > Openwrt(wrt1200ac) > Pfsense > Computers

Openwrt creates a subnet, and pfsense is assigned on its wan interface.

Pfsense then creates a subnet and all the computers plug here.

The setup was made because during power outages you can still connect to the openwrt router. It uses a lot less power than pfsense, so only the openwrt router is connected to the UPS.
This results in computers connected to the Openwrt router via wireless being unable to connect to pfsense, which makes sense. Pfsense will see those computers on WAN and block them.
I tried to plug pfsense's LAN port and openwrt's LAN port into the same switch along with the computers. I unchecked authorize DHCP on openwrt's LAN. Computers are still assigned 192.168.1.x IPs, so that's good.
So I tried to manually set a computer to and it can ping to the internet sometimes but constantly drops packets. It also cannot connect to the 192.168.1.x computers on pfsense either.
Is there a solution to make it so the computers on the different subnets can talk to each other?
Would buying a TP-Link 5 port managed switch be able to do this?


IPv6 / Re: Can't get IPV6 on LAN with two routers
« on: February 09, 2018, 10:37:00 pm »
These are the main ipv6 settings I see configurable in the web interface,

I'm not familiar with ipv6, so I will read up. It is very likely possible on this router as it's just a fork of openwrt.

IPv6 / Can't get IPV6 on LAN with two routers
« on: February 09, 2018, 02:43:07 am »
Hello, I have a setup with two routers.
The reason I have two routers is because the first router runs wireless, and is connected to a UPS. It is low power, so it will stay on much longer compared to a desktop with pfsense.

Comcast assigns a /60,
The first router runs LEDE. It assigns a /64 to connected devices, and all my computers can browse ipv6 sites fine. The WAN interface on LEDE is assigned a /60 as expected.
Settings for IPV6 on LAN for LEDE.

Pfsense successfully gets an IP on the WAN interface, a /64. I can ping ipv6 addresses through the web interface.
However the LAN interface gets no ipv6 address.

WAN is set to DHCP6, LAN is set to Track.
Computers connected to pfsense cannot get an ipv6 address.

I have disabled bogon blocking in the WAN interface tab but that did not help, any ideas?
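The prefix sizes in this post (a /60 from the ISP, a /64 per LAN, a /64 showing up on the second router's WAN) can be checked with plain prefix arithmetic. The Python below is an added example, not from the thread or from pfSense/LEDE. It assumes one thing the post does not state: a downstream router can only number its own LAN from a prefix the upstream router delegates to it (DHCPv6 prefix delegation), so a WAN interface that merely receives a /64 address, as opposed to a delegated prefix, leaves a "Track Interface" LAN with nothing to use. The 2001:db8::/32 documentation prefix stands in for the real ISP prefix.

```python
import ipaddress

# Added example (not from the thread). Prefix-delegation arithmetic for a
# chain of two routers. Assumption (not on the page): a downstream LAN can
# only be numbered from a prefix that was delegated, not from a WAN address.
# 2001:db8::/32 is the IPv6 documentation prefix, used here as a stand-in.


def plan(delegated: str, own_lans: int, downstream_size: int):
    """Given the prefix a router received, reserve `own_lans` /64s for its
    own LAN(s) and return the blocks of size /downstream_size that are still
    free to delegate further. Returns (own_lans, delegable_blocks)."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{delegated} is smaller than a /64; cannot host a SLAAC LAN")
    all_64s = list(net.subnets(new_prefix=64))
    if own_lans > len(all_64s):
        raise ValueError(f"{delegated} holds only {len(all_64s)} /64s, need {own_lans}")
    own = all_64s[:own_lans]
    if downstream_size < net.prefixlen:
        # Cannot hand out a bigger block than you were given (e.g. /60 from a /60
        # while also keeping a LAN, or /56 from a /60).
        return own, []
    delegable = [
        block
        for block in net.subnets(new_prefix=downstream_size)
        if not any(block.overlaps(lan) for lan in own)
    ]
    return own, delegable


def lan_prefixes_from(delegated):
    """What the downstream router's tracking LAN can use: the /64s inside its
    delegated prefix, or nothing when it only received a WAN address (None)."""
    if delegated is None:
        return []
    return list(ipaddress.IPv6Network(delegated).subnets(new_prefix=64))


if __name__ == "__main__":
    isp_pd = "2001:db8:0:fff0::/60"  # constructed stand-in for the ISP /60

    # First router (LEDE in the thread) keeps one /64 for its wireless LAN.
    own, spare_64s = plan(isp_pd, own_lans=1, downstream_size=64)
    print("first router LAN:", own[0], "| /64s left to delegate:", len(spare_64s))

    # Handing a /62 to the second router leaves it room for four LANs.
    _, spare_62s = plan(isp_pd, own_lans=1, downstream_size=62)
    print("delegable /62 blocks:", [str(b) for b in spare_62s])
    print("second router LANs from first /62:",
          [str(p) for p in lan_prefixes_from(str(spare_62s[0]))])

    # Trying to re-delegate the whole /60 from the first router is impossible.
    print("re-delegating /60 from /60:", plan(isp_pd, 1, 60)[1])

    # The symptom in the thread: WAN got an address, no delegation, so Track gets nothing.
    print("LAN prefixes with address-only WAN:", lan_prefixes_from(None))
```

Running it shows that a /60 holds sixteen /64s, that the first router can pass on fifteen of them (or three /62s, or one /61 plus spare) after keeping one for itself, and that setting the upstream LAN to hand out the full /60 cannot work because that router already uses part of it. Which of these the first router actually does is a configuration question on that router; pfSense's Track setting only reflects what arrives on its WAN.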

Installation and Upgrades / Can't install with ZFS 2.4.2
« on: February 09, 2018, 01:00:20 am »

I am using the amd64 2.4.2 pfsense version.

Motherboard: GA-B150M-D3H
Memory: 2x2gb ddr3 1066
Flash drive: Sandisk ultra usb 3.0 for installation
SSD: Silicon Power 60GB SSD S60 MLC
CPU: G4400

When I try to install with ZFS, I select stripe option and select the 60gb Silicon Power SSD.
It errors saying:

ahcich1: Timeout on slot 0 port 0
ahcich1:  is 00000000 cs 00000000 ss 00000001 rs 00000001 tfd 40 serr 00000000 cmd 0000c017
ada8:ahcich1:0:0:0): SEND_FPDMA_QUEUED DATA SET MANAGEMENT. ACB: 64 02 00 00 00 40 00 00 00 00 00

It gets stuck here, a picture may be more helpful(large):

Any ideas why this may be happening? UFS seemed to install just fine. However I do not trust UFS, it corrupts very easily. It is worth noting, this same system had issues with a nanobsd install as well on 2.3.x. It took a very very long time to boot up. Others with the same configuration have the same issue.

I have tried different SATA cables and different ports. The SSD works fine connected via a USB adapter to a different computer, it checks out with crystaldiskmark and crystaldiskinfo.

Routing and Multi WAN / Re: Double nat and ipv6
« on: July 05, 2017, 01:54:57 pm »
Hmm even disabling ipv6 on WAN on pfsense makes me lose access to it. I regain access after a reboot. There is no special configuration I am doing on pfsense's side and ipv6 worked fine before adding the openwrt router. It seems pfsense becomes quite buggy behind another router for ipv6.

I don't need v6, but it would be nice. I clearly don't have much knowledge on the subject, but it seems weird to me that ipv6 is more complicated in these scenarios compared to double NAT, when v6 was supposed to make this simpler.

Routing and Multi WAN / Double nat and ipv6
« on: July 04, 2017, 02:14:28 pm »

I made a thread here marking my setup,
The tl;dr is that I have two internet connections from the same isp, so they share the same gateway. I put a wrt1200ac with openwrt after one of the modems, which then connects to pfsense's WAN.

I am assigned a /60 ipv6 from the ISP. Openwrt I have set to assign a /60 on the LAN address, I am not sure if this is correct.
I tried having pfsense set to a /64 on the WAN and then /60, and pfsense can ping out via ipv6. But the LAN clients on pfsense cannot ping.

On a computer assigned on LAN:

   Connection-specific DNS Suffix  . : localdomain
   IPv6 Address. . . . . . . . . . . : fd0e:c91c:a166::d0b
   IPv6 Address. . . . . . . . . . . : fd0e:c91c:a166:0:d474:xxxx:xxxx:bfb
   Temporary IPv6 Address. . . . . . : fd0e:c91c:a166:0:8fc:b454:xxxx:xxxx
   Link-local IPv6 Address . . . . . : fe80::d474:14f7:2153:bfbf%20
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . : fe80::1:1%20

I can't ping out.

I don't have much experience with ipv6, I know there is no NAT with it. I thought it would work automatically because of that. I am not sure how the ipv6 delegation sizes work when there are multiple routers. Could anyone give me some insight? Thanks

EDIT: Just set the prefix delegation size on openwrt's WAN to /60; I realized it was /64. That worked fine on Openwrt, but I still can't get ipv6 out on pfsense's LAN. On pfsense I set the ipv6 interface on LAN to OPT2 (the other modem with no router) and I couldn't connect to pfsense at all (ipv4), but pfsense did not kernel panic and it wasn't frozen. I rebooted it and I could connect again, but I still didn't have ipv6 access. I tried switching the ipv6 interface back to WAN and I lost all access; a reboot fixed that again. Looks like switching the ipv6 interface on LAN causes pfsense problems.

General Questions / Re: Double nat and 1:1 nat
« on: July 03, 2017, 02:00:40 pm »
Ah, there we go, it was just the firewall rules. Didn't seem to need any special outbound rules in pfsense or anything special with openwrt.
I just used these rules below and all is well. The first one is a bit redundant, but I'll leave it since it doesn't hurt.

Thanks for the help!

EDIT: I just realized, since they can both access each other, I wonder if they will compete for DHCP... more testing to do.
EDIT2: I have multiple access points across the house (wired), and they are all connected to pfsense, so my laptop will get a 192.168.1.x IP. I move towards the area with the wrt1200ac (which has the same name/login as the other APs) and the laptop's IP changes to a 192.168.2.x IP and everything works seamlessly. I go back to the other side and the IP changes back to 192.168.1.x with pretty much no interruptions.
I'm surprised it works so well. So far I have not seen any other type of DHCP competition for the wired computers or anything like that.

General Questions / Re: Double nat and 1:1 nat
« on: July 03, 2017, 01:42:17 pm »
It is possible to make use of a WiFi device that is in front of the pfSense WAN. Not recommended for production office use; it is a bit too tricky to support because everyone needs to really understand what is going on. I found that the main hassle was when people would think "I can't reach the internet, there must be a problem with pfSense" and they would unplug the pfSense WAN cable and wonder why they still cannot get to the internet via the front-end WiFi. Well, that was because devices on the front-end WiFi are getting DHCP from pfSense WAN, and routing in and out of pfSense WAN. The thing at the remote office would be that they call the ISP. Of course the ISP kindly resets the front-end WiFi router for them to make "the internet" work. So the unusual back-routing of the front-end WiFi into pfSense WAN is unexpected by various support staff.

I posted here and it does work (read the whole thread). It will let devices on the front-end WiFi access the LAN and also "the internet", whichever you wish. But unless you really need to save every watt, I would forget about the front-end WiFi and put a separate AP back in the LAN or on an OPT1 interface.

Hey, thanks for that, that is quite informative.
My case is very similar, just a few differences. I want DHCP on the wrt1200ac router.
The reason is because the power goes out sometimes. Not that common, but it does happen and usually for a few hours. It would be nice to just have the wrt1200ac router and the modem on the UPS so I can have a few hours of wifi. Pfsense drains the UPS battery in a few minutes.

You wrote that "WAN has a rule allowing anything in with a source address in WAN subnet - lets the WiFi clients get to pfSense."

I tried creating a few similar rules, but no luck. I can access the wrt1200ac from pfsense's LAN, but the wifi clients on the wrt1200ac cannot access pfsense or any of the computers on its LAN.

EDIT: What is interesting is that I can ping and access the wrt1200ac (running openwrt) from pfsense and pfsense's LAN, but I can't ping any of the computers on the wrt1200ac. Maybe the wrt1200ac is blocking access; I'll play around.

General Questions / Double nat and 1:1 nat
« on: July 01, 2017, 08:59:35 pm »

I have two modems, and since they share the same gateway I know pfsense does not support that.
So I went ahead and put a Linksys wrt1200ac router after one of the modems.
I'd like it so the wifi connections on the Linksys can still communicate with the computers on the LAN network.

I have assigned the linksys a LAN ip of
Pfsense is assigned on WAN as

LAN on pfsense is

How can I go about doing this? From what I looked up I have to set up some rules in 1:1, but it would always be nice to get some direct feedback.

OpenVPN / Openvpn does not reconnect on disconnects
« on: May 09, 2017, 07:47:42 am »
Whenever there seems to be an Internet outage, the openvpn service seems to stop. It says "daemon not running" under Status > Services.
I have to manually start it.

Is there a way for it to automatically start up again?

I am on 2.3.3 amd64, nanobsd.

I would show the log, but I started the service again and it made too many new log messages to see the old ones.

Seems like a similar issue here,

I am using a domain name to connect to, not an ip address directly. I'll go ahead and try using an ip address instead, but I'm not sure why that would make a difference.

Neorouter is exactly that, a P2P solution.. Why would you want/need to install this on pfsense? You install neorouter on the actual client devices.. Not the router/firewall of your whole network.. Why would you not just install the neorouter "server" on one of your clients that is going to be in your network? This is the way it's designed to be done..

Neorouter requires a server that all the other clients still connect to. pfsense has fantastic uptime, so it's a great place to put it on. There is one computer I tend to access the most, but I may make changes to it, and it just isn't as reliable. If I am doing something to it and I have to go, I can't access some of the other machines.

I currently have it installed on a netbook, but it's been on for around 6+ years straight according to the hard drive's SMART results. Not sure how long it will continue to last; an SSD would fix that, but the CPU inside is very slow. One less device to worry about anyway.
