

Messages - yellowbrick

Routing and Multi WAN / Re: Multi Wan DNS issue
« on: Yesterday at 02:19:08 am »
What you are trying to do has nothing to do with the firewall as such. You will want to implement split DNS for your clients. Probably the easiest way to do this would be via the clients' resolv.conf files, or equivalent.

Routing and Multi WAN / Re: WAN being recognised as internal IP address.
« on: February 16, 2018, 12:38:24 pm »
Disable NAT
Turn off WiFi
Reboot the D-Link, cross fingers :)

Routing and Multi WAN / Re: Multi Wan DNS issue
« on: February 16, 2018, 12:26:58 pm »
You are probably using the pfSense box's Unbound as your one and only resolver. So naturally, per your rules, since it is the .1 address it goes out over WAN. Your clients are simply querying the pfSense box.

For the clients in the .200-.254 range, set the DNS to be either that provided by your OpenVPN provider or simply Google DNS. That will force the clients to query something other than the .1 and make it go out your VPN connection.

Routing and Multi WAN / Re: WAN being recognised as internal IP address.
« on: February 16, 2018, 08:49:11 am »
This and at least some of your previous posts stem from the fact that you are using the ISP provided router in router mode, as opposed to bridge mode.

1. In router mode, your ISP's router does the NAT. So of course your pfSense gets an RFC1918 address.
2. It appears from your previous posts you did try to disable router mode and put your ISP router in bridge mode...almost there.
3. Just remember these points about router mode on most ISP routers:
   - Your ISP only allows a single computer. So you cannot plug the LAN side of the ISP router into a switch. Only a single computer, or in your case the pfSense WAN, must be plugged in to the ISP router's Ethernet switch (if built in).
   - Any time you change the computer / pfSense connected to your ISP router, you need to make it forget the single computer that was connected to it before. You do this by turning off the router, leaving it off for a few minutes, plugging in the new computer, and turning the router back on. Simply connecting another computer will likely not work.

Try this: set things up as you want them to be with your pfSense box, etc. Then turn off your ISP router for a few minutes and turn it back on.

Should do it.

...and the drive tools in Diagnostics don't work either. Of course, smartctl does not work in the command line either.

Is there another command to try or is SMART status in the SG-3100?

(The SSD I manually installed does support SMART and it is enabled, as shown in camcontrol.)

Code:
camcontrol identify ada0

pass0: <TS32GMTS800 P1225CE> ACS-2 ATA SATA 3.x device
pass0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 1024bytes)

protocol              ATA/ATAPI-9 SATA 3.x
device model          TS32GMTS800
firmware revision     P1225CE
serial number         E0XXXXXXXX
cylinders             16383
heads                 16
sectors/track         63
sector size           logical 512, physical 512, offset 0
LBA supported         62533296 sectors
LBA48 supported       62533296 sectors
PIO supported         PIO4
DMA supported         WDMA2 UDMA6
media RPM             non-rotating

Feature                      Support  Enabled   Value           Vendor
read ahead                     yes yes
write cache                    yes yes
flush cache                    yes yes
overlap                        no
Tagged Command Queuing (TCQ)   no no
Native Command Queuing (NCQ)   yes 32 tags
NCQ Queue Management           no
NCQ Streaming                  no
Receive & Send FPDMA Queued    no
SMART                          yes yes
microcode download             yes yes
security                       yes no
power management               yes yes
advanced power management      no no
automatic acoustic management  yes no 0/0x00 0/0x00
media status notification      no no
power-up in Standby            no no
write-read-verify              no no
unload                         no no
general purpose logging        yes yes
free-fall                      no no
Data Set Management (DSM/TRIM) yes
DSM - max 512byte blocks       yes              8
DSM - deterministic read       yes              zeroed
Host Protected Area (HPA)      yes      no      62533296/62533296
HPA - Security                 no
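
Checking the SMART row in that feature table can be scripted. The following is an added example, not code from the original post or from pfSense/FreeBSD: it parses the Feature/Support/Enabled table printed by camcontrol identify into a dictionary and reports whether SMART is supported and enabled. The embedded sample input is a trimmed copy of the output quoted above (the real output has more rows and a redacted serial).

```python
import re
from typing import Dict, NamedTuple, Optional

# Constructed sample: trimmed copy of the `camcontrol identify ada0` output above.
SAMPLE_OUTPUT = """\
media RPM             non-rotating
Feature                      Support  Enabled   Value           Vendor
read ahead                     yes yes
overlap                        no
Tagged Command Queuing (TCQ)   no no
Native Command Queuing (NCQ)   yes 32 tags
SMART                          yes yes
security                       yes no
automatic acoustic management  yes no 0/0x00 0/0x00
DSM - max 512byte blocks       yes              8
Host Protected Area (HPA)      yes      no      62533296/62533296
"""

class Feature(NamedTuple):
    supported: bool
    enabled: Optional[bool]  # None when the row has no enable column
    value: str               # trailing detail (tag count, HPA sizes, ...)

# Row shape: "<name>  <yes|no> [yes|no] [value...]"; names contain single
# spaces only, so the name ends at the first run of 2+ spaces.
_ROW = re.compile(r"^(.+?)\s{2,}(yes|no)\b\s*(.*)$")

def parse_feature_table(output: str) -> Dict[str, Feature]:
    # Map feature name -> Feature for the rows after the 'Feature' header line.
    features: Dict[str, Feature] = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("Feature"):
            in_table = True
            continue
        m = _ROW.match(line) if in_table else None
        if not m:
            continue
        name, rest = m.group(1).strip(), m.group(3).strip()
        enabled: Optional[bool] = None
        head, _, tail = rest.partition(" ")
        if head in ("yes", "no"):  # second (Enabled) column is present
            enabled, rest = head == "yes", tail.strip()
        features[name] = Feature(m.group(2) == "yes", enabled, rest)
    return features

def smart_status(output: str) -> str:
    # 'enabled', 'disabled', 'unsupported', or 'unknown' when no SMART row exists
    f = parse_feature_table(output).get("SMART")
    if f is None or not f.supported:
        return "unknown" if f is None else "unsupported"
    return "enabled" if f.enabled else "disabled"
```

Feed it the real output with something like `camcontrol identify ada0 | python3 -c 'import sys; ...'`, or import the module; a status other than "enabled" is the reason smartctl has nothing to report.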

General Questions / Re: Openvpn gateway monitor always reads 100% loss
« on: February 07, 2018, 02:05:03 am »
The OpenVPN client (at least with PIA) typically does not show the real gateway automatically. If your client / interface got assigned a (e.g.), it may show as the "gateway", which will typically not be pingable. You can manually change the monitor IP to something like or something else on the internet that you know will respond to pings. Global DNS providers (Google, OpenDNS) are an example.


2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 06, 2018, 10:47:13 am »
What I wish you could do was set the native VLAN for the WPA-PSK SSID to something other than the native untagged VLAN - once they allow for a management VLAN this will be somewhat moot. Which I also hear is coming.. But currently you cannot set up, say, VLAN 100 for your WPA-PSK SSID that you're going to dynamically assign via MAC, and then if MAC 123 gets VLAN 200 and if MAC 456 gets VLAN 300, etc.

Sounds like you are trying to get to 1 SSID :-) with everything being assigned dynamically. I do get your point about the Unifi gear not being able to dynamically assign a VLAN that is also static for another SSID on the same AP, but for IoT gear I don't see that as an issue. For gear that you don't have RADIUS MAC auth for, being sinkholed into a VLAN to nowhere is not such a bad thing. I do see the need for it in other use cases though.

2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 06, 2018, 08:46:54 am »
Thanks johnpoz...this is pretty cool to try it now as it fixes my silly SONOS auth issues...

2.4 Development Snapshots / Re: WiFi accesspoint bridged to a vlan
« on: February 06, 2018, 03:53:28 am »
What I'm doing is separating some devices from the regular network. Devices like fire alarms... I don't want things like that in the same network as laptops or mobile phones; for me those should also be in a different network.

Not sure if you are using Unifi gear already, but you can create multiple SSIDs (don't remember the max per AP off the top of my head) and have each SSID on a separate VLAN, which can then be handled by a separate VLAN/interface on your main pfSense box. This will give you the desired effect. (Assumes you have a VLAN-capable switch, etc.)

If you need more than the allowed SSIDs for VLANs, you can go the dynamic VLAN route with the Unifis using the FreeRADIUS package in pfSense for authentication, or some other.


Wireless / Re: How to connect pfsense WAN to a wireless access point
« on: January 31, 2018, 12:46:12 am »
You could use two Apple AirPort Express APs (heresy, I know), one to connect as a Wi-Fi client and then Ethernet to the pfSense WAN, and one to provide in-room Wi-Fi connected to the pfSense LAN port. I have had generally good experience with the Apple AirPort Express as a Wi-Fi client. Travel with your choice of pfSense...SG-1000, SG-3100, or roll your own.
Not sure this will work with hotel captive portal, though.

Official pfSense Hardware / SG-2440 random shutdown
« on: January 18, 2018, 03:54:47 pm »

Over the last 2-3 months my SG-2440 has been shutting down randomly with increasing frequency to where it now happens approx once a week. Here are the symptoms:

- No lights on the SG-2440 whatsoever
- Power cables still plugged in
- No power loss
- No other equipment on the UPS having any issues (have moved to another port on the UPS already)
- Need to remove the power cable and re-insert it to reboot the unit
- **The time on the unit is > months old at startup, syncs after the device boots each time**
- I have also replaced the power brick with another unit and still see the same symptoms

What else can I check? Any ideas to proceed?


Official pfSense Hardware / ZFS on SG-3100 (internal M.2 SSD)
« on: January 14, 2018, 11:15:33 am »

I bought my SG-3100 when Netgate did not offer an SSD option, but I was able to add an M.2 2280 32GB SSD and re-install pfSense 2.4.2_p1 to it.

However, I never got an option to choose the filesystem, like the amd64 installer offers. Once I enter
Code:
run recovery
the only option I can recall is whether to install to mmcsd0 (the inbuilt eMMC) or the ada0 drive I added.

Is it possible and advisable to install pfSense using ZFS? How do I go about doing it?

Many Thanks!


I am considering getting the new SG-3100, but since it is currently not being offered with a SATA, I will look to add one myself and install the factory image onto it.

Question, which width (or length) is supported in the SG-3100? I didn't see it listed in the specs.

Thank you.


I am getting an error with the acme package and Cloudflare dns validation. The validation is able to create the correct TXT record, but the certificate is not generated as it fails with the above error. Details of the error are:

Code:
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[CF_Key] => [ … ]
[CF_Email] => [ … ]
[Thu May 11 21:36:03 BST 2017] Registering account
[Thu May 11 21:36:06 BST 2017] Already registered
[Thu May 11 21:36:08 BST 2017] Update success.
[Thu May 11 21:36:08 BST 2017] ACCOUNT_THUMBPRINT=‘…’
[Thu May 11 21:36:08 BST 2017] Single domain=‘'
[Thu May 11 21:36:08 BST 2017] Getting domain auth token for each domain
[Thu May 11 21:36:08 BST 2017] Getting webroot for domain=‘'
[Thu May 11 21:36:08 BST 2017] Getting new-authz for domain=‘'
[Thu May 11 21:36:10 BST 2017] The new-authz request is ok.
[Thu May 11 21:36:10 BST 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/
[Thu May 11 21:36:14 BST 2017] Adding record
[Thu May 11 21:36:14 BST 2017] Added, OK
[Thu May 11 21:36:14 BST 2017] Sleep 120 seconds for the txt records to take effect
[Thu May 11 21:36:44 BST 2017]
[Thu May 11 21:36:48 BST 2017] Success
[Thu May 11 21:36:48 BST 2017] Found domain http api file: /usr/local/pkg/acme/dnsapi/
[Thu May 11 21:36:50 BST 2017] Don't need to remove.
[Thu May 11 21:36:53 BST 2017] Verify finished, start to sign.
[Thu May 11 21:36:54 BST 2017] Sign failed: "detail":"Invalid key in certificate request :: ECDSA curve P-521 not allowed"
[Thu May 11 21:36:54 BST 2017] Please check log file for more details: /tmp/acme/
Actual host/domain name changed above.

This occurs no matter what certificate type I choose (RSA 2048, 4096, P-256, etc.).

I am running 2.3.4 on an SG-2440.

What is causing this?


Hardware / Re: Where is physical reset button on SG-1000?
« on: January 03, 2017, 06:10:45 am »
OK...I know this is not possible, but I have somehow fudged up my brand new SG-1000. I think I did not pay attention to the DHCP server range and LAN addresses...and may have configured them to be on separate ranges. Ugh, I know.

Now I cannot get a DHCP address to a computer on the LAN and a static address doesn't seem to work.

How can I reset the device to factory defaults?

