
Messages - jason0

DHCP and DNS / Re: using rfc2136 clients for >1 hostname
« on: January 19, 2018, 10:57:27 am »
Remember : do not edit the zone file without using the "rndc freeze / reload / thaw", or you will be struck by the DNS gods.

Boy Howdy that's the truth!

That's perfect, I appreciate it!


DHCP and DNS / Re: using rfc2136 clients for >1 hostname
« on: January 18, 2018, 12:59:38 pm »
A further question: do you use the same keyname in the setup, or do you have two separate albeit identical keys defined in BIND?

I ask because the howto seems to imply the keyname must match the hostname, but if the keyname refers to the keyname defined on the bind server, then this would not be the case: hence I might have some documentation suggestions.

Also, do you know what changes if zone or user key is selected?


DHCP and DNS / Re: using rfc2136 clients for >1 hostname
« on: January 18, 2018, 12:54:01 pm »
Wow, that's great!  I will play with it soon.

Here's a potentially related question: Are the dns keys stored in pfsense somewhere so that the acme package could access them?


DHCP and DNS / using rfc2136 clients for >1 hostname
« on: January 18, 2018, 01:46:06 am »

I am presently using pfsense 2.3.5 with an older alix board.  I do have a new sg1000 on its way so will be running 2.4.x shortly...

I have several internal web servers behind a nat ipv4 address, and haproxy working the inbound web requests to the servers. 

I found the RFC 2136 clients part of dynamic dns and since I control the dns server (bind9), this makes me very happy.

So I have a configuration based on the howto example working.  YAY!

Since I have 8 different web servers in my domain, it looks like I need 8 rfc 2136 clients: one per name needed. 

Can I use the same key, or do I need to generate a separate key for each name?  The BIND9 Administrator Reference Manual seems to imply yes, so I thought I would check. 

Alternately, might there be a need to be able to have >1 name in an rfc 2136 client?  This way, the rfc 2136 client "granularity" is at the domain level...

If I can use the same key, I probably have some edit suggestions for the rfc 2136 howto...

Thank you in advance for your time...


IPv6 / Re: comcast business head-scratcher...
« on: January 04, 2018, 04:57:16 pm »
Oh, I agree, but why were they issued as /63's in the first place?  I told it to track the wan, not set them up as /63's. 

even still: apparently the prefix numbers default to /64 even if the network's a /63...

Given all of that, how do I force the lans to be /64?

BTW: this is 2.4.2-RELEASE-p1 (amd64).


IPv6 / comcast business head-scratcher...
« on: January 04, 2018, 04:35:07 pm »

I am running
I have enabled ipv6 on my comcast connection at work.  (this is a completely different setup from my residence).

I requested a 60, because it's the only setting that would get a response from comcast.

On my wan, I received a /64. However, on my lan and opt1, which are set to track the wan (0 and 1 prefixes respectively), I received /63 networks.

Here's more:

According to my comcast business login, the range is xxxx:yyyy::38:f600::/56.

The wan settings:

The lan settings:
   track wan
   prefix 0

The opt1 settings:
   track wan
   prefix 1

The astute observer would see that both the lan and opt1 ipv6 addresses are in the same subnet.  If I change opt1's prefix to 2, the ip address assigned to opt1 is the same.
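Added example (not the poster's code, and not pfSense's own implementation): a small model of how "track interface" prefix IDs carve /64s out of a delegated prefix, and why interfaces with prefix ID 0 and 1 land in the same network once their mask is /63. The delegated prefix is a constructed documentation prefix standing in for the redacted one above; the model (ID selects the N-th /64 slot, mask applied afterwards) is an assumption chosen to match the symptom described, not a reading of the pfSense source.

```python
"""Model of pfSense-style prefix IDs on a delegated IPv6 prefix (added
example; the slot-then-mask model is an assumption matching the post's
symptom, not pfSense's code)."""
import ipaddress

# Constructed documentation prefix standing in for the post's redacted /56.
DELEGATED = ipaddress.ip_network("2001:db8:0:f600::/56")


def tracked_network(delegated, prefix_id, mask=64):
    """Return the network an interface with `prefix_id` ends up in.

    The ID is written into the /64 slot (bits 56..63 for a /56), then the
    result is masked to `mask` bits, so a /63 mask folds slots 0 and 1
    together, slots 2 and 3 together, and so on.
    """
    slots = 2 ** (64 - delegated.prefixlen)
    if not 0 <= prefix_id < slots:
        raise ValueError(
            f"prefix ID {prefix_id} outside 0..{slots - 1} for /{delegated.prefixlen}"
        )
    if not delegated.prefixlen <= mask <= 64:
        raise ValueError("interface mask must lie between the delegation length and /64")
    slot_address = int(delegated.network_address) + prefix_id * 2 ** 64
    # strict=False lets host bits set by the ID be masked off (the /63 case).
    return ipaddress.ip_network((slot_address, mask), strict=False)


def overlapping_interfaces(delegated, prefix_ids, mask=64):
    """Return (name, name) pairs of interfaces whose tracked networks overlap."""
    nets = {name: tracked_network(delegated, pid, mask) for name, pid in prefix_ids.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


if __name__ == "__main__":
    for mask in (64, 63):
        print(f"mask /{mask}:")
        for name, pid in {"lan": 0, "opt1": 1, "opt1-as-2": 2}.items():
            print(f"  {name:10s} id {pid}: {tracked_network(DELEGATED, pid, mask)}")
        print("  overlaps:", overlapping_interfaces(DELEGATED, {"lan": 0, "opt1": 1}, mask))
```

With a /64 mask, IDs 0 and 1 give two distinct networks; with a /63 mask, the ID-1 slot is masked back onto the ID-0 network, which is exactly the "same subnet" observation above, while ID 2 lands in the next /63.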


IPv6 / comcast xfinity (residential) non-responsive
« on: January 02, 2018, 11:18:57 pm »

I have been beating my head against comcast for a while now.  I would really like to go native ipv6.

1) my cablemodem is in bridged mode
2) my wan port is set to dhcpv6 (and dhcp for ipv4)
2.5) I am requesting via ipv4 connectivity
2.6) i am requesting prefix size 60
2.7) I am sending a prefix hint
3) ipv4 works fine.

I see the link-local addresses for both wan and upstream, but no global ipv6 at all.

I haven't configured my lan as I am using hurricane electric at the moment. 

When I filter the dhcp logs for dhcp6c, all I see is:

Jan 2 20:47:39   dhcp6c   85061   extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:21:df:12:d0:00:0d:b9:21:55:e4
Jan 2 20:47:39   dhcp6c   85061   failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jan 2 20:47:39   dhcp6c   85061   <3>["/var/etc/"] (31)
Jan 2 20:47:39   dhcp6c   85061   /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined

What do I do?

CARP/VIPs / Re: CARP and ( GIF tunnel
« on: December 21, 2017, 06:45:10 pm »

I am having similar problems.  IPV4 failover works beautifully.  But not ipv6.

fw1 and fw2 both have the same tunnel broker settings, both firewall GIF connections are tied to the wan carp ip.  when fw2 is master, ipv6 stops.  when fw1 is master again, ipv6 connectivity returns.

I have compared the output of netstat -rn and ifconfig -a to each other.  The only real difference appears to be how ipv4 is mapped to carp whereas ipv6 is NOT. 

What I theorize is this: until re-pings the ipv4 client address, connectivity is lost. 

Do I need to create a virtual ip address on the tunnel interface and assign the assigned client ipv6 address to it?
is there a way to convince to allow me to use more than one client ipv6 address, ie one for fw1, one for fw2 and one for carp?  the server and client ipv6 addresses both are /64...

is there a mechanism to bump if a carp changeover has occurred?

Thank you in advance for your time...


General Discussion / Re: old/retiring pfsense hardware sought...
« on: December 21, 2017, 01:11:08 pm »
Well, it's funny how the prices on ebay et al can't really compete with the price of netgate's sg-1000.

So I am going to close this thread out.

Thanks for your time!

General Discussion / old/retiring pfsense hardware sought...
« on: December 20, 2017, 12:13:51 pm »

I am building a business but we don't have a solid enough income stream to use something like aws.  I would very much like to find some hardware capable of running pfsense.  For instance: my day job we have two lanner fw-7541 devices.  I love these things. 

My thought is to ping you guys and see if anyone is retiring/replacing older pfsense hardware that I can acquire before they go to the scrap heap.

So here's my requested criteria:

1) 64-bit capable (assuming x64 hardware)
2) at least 2 gig ram
3) at least 4 gig storage
4) at least 2 ethernet ports (capable of 100mbps; would be very happy with gigabit ethernet)

Would like to have:
a) small form-factor, embedded preferred (no fans, solid state, etc...)
b) a sata port and enough power to drive a 2.5 inch hard drive.
c) upgradable ram...
d) aes-ni cpu crypto
e) capable of running pfsense 2.4+

Please contact me

I don't have a budget yet. 

Traffic Monitoring / ntopng emitter
« on: December 11, 2017, 01:26:25 pm »

The version of ntopng showing in the package manager is 0.8.11, whereas the ntopng's version on their site is 3.x.

Does the 0.8.11 version mean the freebsd ports version, or the actual version of ntopng?

Also, as I am running pfsense on embedded systems, is there a configuration that will send probed info to another ntopng server to be processed and stored there, or should I try to configure nprobe?


DHCP and DNS / Re: Bug affecting dhcpd failover state
« on: November 13, 2017, 04:47:05 pm »
So yes, what Jim said is correct: my carp ip address was in a different subnet as the network it was supposed to be on.

I am happy to be wrong!


DHCP and DNS / Re: Bug affecting dhcpd failover state
« on: November 13, 2017, 04:13:10 pm »
Wow!  Good eye on that one!  Thanks!

DHCP and DNS / Fixed: Not-a-bug: Bug affecting dhcpd failover state
« on: November 08, 2017, 01:37:44 pm »

I believe I found a bug.

I am running pfsense 2.4.1-release (amd64) on two fw-7541c lanner firewalls. ( not supported by the pfsense team...I know).

I have verified the config.xml files are nearly identical (enclosed). 

The bug is in the dhcpd.conf files on either system.  I have also enclosed both files.

Primary dhcpd.conf excerpt:
   failover peer "dhcp_lan" { primary; ... split 128; mclt 600; }
   failover peer "dhcp_opt2" { secondary; ... }

Secondary dhcpd.conf excerpt:
   failover peer "dhcp_lan" { secondary; ... }
   failover peer "dhcp_opt2" { secondary; ... }

Note that "secondary" appears in the failover description from the primary system, and also does not include split, or mclt. 

With this configuration, no dhcp addresses are handed out by either server on the "dhcp_opt2" aka em4.1002.

In the dhcpd logs on either primary or backup, I see the messages (for the correct interface):
DHCPDISCOVER from xx:yy:zz:aa:bb:cc via em4.1002: peer holds all free leases
DHCPREQUEST for from xx:yy:zz:aa:bb:cc  via em4.1002: not responding (recovering)

Otherwise: carp seems to operate correctly.

The symptoms are that no ip addresses are handed out on the guestwifi, and the following appears on the dhcpd.leases status page:

Pool Status

   Failover Group         My State   Since                Peer State     Since
   dhcp_lan (LAN)         normal     2017/11/08 18:05:08  normal         2017/11/08 18:05:13
   dhcp_opt2 (GUESTWIFI)  recover    2017/11/08 17:53:22  unknown-state  2017/11/08 17:53:22

I followed the instructions on, and no change occurs.

My work-around is I have removed "dhcp server settings" from the sync-options, removed the peer address from the primary dhcp config for the guest wifi, and disabled the guestwifi dhcp server on the secondary system.
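Added example (not the poster's code, and not part of pfSense): a small checker for the failover misconfiguration described above, where both hosts declare themselves "secondary" for one peer so neither side ever hands out leases. The two dhcpd.conf excerpts are constructed stand-ins for the enclosed files: the "..." in the originals is filled with placeholder statements and RFC 5737 documentation addresses, and the peer names and roles follow the post.

```python
"""Checker for ISC dhcpd failover peer stanzas (added example, not from
the post). Flags peers where the two hosts do not agree on exactly one
primary, and primaries missing the split/mclt statements that only the
primary may carry."""
import re

# Constructed excerpt modelled on the post's primary dhcpd.conf.
PRIMARY_CONF = """
failover peer "dhcp_lan" {
  primary;
  address 192.0.2.2;
  port 519;
  peer address 192.0.2.3;
  peer port 520;
  max-response-delay 10;
  max-unacked-updates 10;
  split 128;
  mclt 600;
  load balance max seconds 3;
}
failover peer "dhcp_opt2" {
  secondary;
  address 192.0.2.2;
  port 519;
  peer address 192.0.2.3;
  peer port 520;
  max-response-delay 10;
  max-unacked-updates 10;
  load balance max seconds 3;
}
"""

# Constructed excerpt modelled on the post's secondary dhcpd.conf.
SECONDARY_CONF = """
failover peer "dhcp_lan" {
  secondary;
  address 192.0.2.3;
  port 520;
  peer address 192.0.2.2;
  peer port 519;
  max-response-delay 10;
  max-unacked-updates 10;
  load balance max seconds 3;
}
failover peer "dhcp_opt2" {
  secondary;
  address 192.0.2.3;
  port 520;
  peer address 192.0.2.2;
  peer port 519;
  max-response-delay 10;
  max-unacked-updates 10;
  load balance max seconds 3;
}
"""

STANZA_RE = re.compile(r'failover\s+peer\s+"([^"]+)"\s*\{([^}]*)\}', re.S)


def parse_failover_peers(conf):
    """Map peer name -> {"role": primary|secondary|unset, "keys": keywords}."""
    peers = {}
    for name, body in STANZA_RE.findall(conf):
        stmts = [s.strip() for s in body.split(";") if s.strip()]
        keys = {s.split()[0] for s in stmts}
        role = "primary" if "primary" in keys else "secondary" if "secondary" in keys else "unset"
        peers[name] = {"role": role, "keys": keys}
    return peers


def check_failover(primary_conf, secondary_conf):
    """Return a list of finding strings; an empty list means the pair looks sane."""
    findings = []
    a = parse_failover_peers(primary_conf)
    b = parse_failover_peers(secondary_conf)
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            findings.append(f"{name}: failover peer defined on only one host")
            continue
        ra, rb = a[name]["role"], b[name]["role"]
        if [ra, rb].count("primary") != 1:
            findings.append(f"{name}: expected exactly one primary, got {ra}/{rb}")
            continue
        prim = a[name] if ra == "primary" else b[name]
        # split (or hba) and mclt are primary-only statements in ISC dhcpd.
        for required in ("split", "mclt"):
            if required not in prim["keys"]:
                findings.append(f"{name}: primary side lacks '{required}'")
    return findings


if __name__ == "__main__":
    for line in check_failover(PRIMARY_CONF, SECONDARY_CONF) or ["no findings"]:
        print(line)
```

Run against the two constructed excerpts it reports only dhcp_opt2, which matches the symptom above: dhcp_lan has one primary carrying split and mclt, while dhcp_opt2 is "secondary" on both hosts.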


General Questions / Phantom rules remain after interface deletion
« on: October 10, 2017, 12:44:28 pm »

I am planning to upgrade from 2.1.5 to the latest release.  In the process I have been significantly reducing my network's complexity here: I removed three vlans, openvpn, ipsec, etc.

I can't delete an alias though: I get the error "cannot delete alias.  currently in use by 'block openvpn from logicbox'"

I backed up my configuration and discovered the rule in question (and others) are still defined in the downloaded configuration. 

Aside from rebuilding the entire pfsense router from scratch, or rebuilding the interfaces and deleting the rules, how do I go about stripping out the cruft?

Thank you for your time!

