Netgate SG-1000 microFirewall


Messages - jason0

Packages / Re: FEATURE Request: acme "lets encrypt"
« on: February 23, 2018, 12:38:52 pm »
Sigh. :-[ Thank you for your patience, Jim.


Packages / FEATURE Request: acme "lets encrypt"
« on: February 22, 2018, 01:58:47 pm »

I have been playing with the dynamic DNS settings in pfSense under the Services menu, most specifically RFC 2136. The RFC 2136 function calls "nsupdate" underneath pfSense. Why not have the acme package GUI be able to make the same call and update DNS in the same way? It's not as if the nsupdate command represents a dependency.

Code:
/usr/local/bin/nsupdate -k /var/etc/XXXX.key /var/etc/nsupdatecmds2

Contents of nsupdatecmds2:
Code:
server <dns master server>
update delete _acme-challenge.<fqdn>. TXT
update add _acme-challenge.<fqdn>. 300 TXT samplehash-c95139f6a0149285bcbf1
local <wan ip address>
; nothing is transmitted until the batch is sent
send
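The nsupdate call above, carried through as a complete dns-01 hook, as an added example written for this thread (it is not pfSense, acme package or acme.sh code). It derives the TXT value the way RFC 8555 section 8.4 specifies (base64url of the SHA-256 of the key authorization), builds both the provisioning batch and the cleanup batch, and invokes nsupdate with a TSIG key file. The nsupdate path is the one from the post; the key file path /var/etc/acme-tsig.key, the name server, the FQDN and the token/thumbprint pair are hypothetical, constructed inputs.

```python
"""ACME dns-01 with nsupdate (RFC 2136). Added example for this thread; it is not
pfSense, acme package or acme.sh code. Assumed: the nsupdate path from the post, a
TSIG key file (here the hypothetical /var/etc/acme-tsig.key) readable only by the
process's user, and a hypothetical token/thumbprint pair as constructed input.
"""
import base64
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

NSUPDATE = "/usr/local/bin/nsupdate"  # path used in the post; assumed to exist on the firewall
CHALLENGE_LABEL = "_acme-challenge"


def key_authorization_txt(token: str, jwk_thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint)),
    unpadded. This is the only step that depends on the ACME account key."""
    key_auth = f"{token}.{jwk_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_auth).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(fqdn: str) -> str:
    """Validation name, with a trailing dot so nsupdate treats it as absolute."""
    return f"{CHALLENGE_LABEL}.{fqdn.rstrip('.')}."


def nsupdate_batch(server: str, fqdn: str, txt_value: Optional[str], ttl: int = 300,
                   local_addr: Optional[str] = None) -> str:
    """Build the nsupdate command file.

    txt_value=None produces the cleanup batch (delete only), which a client should
    always run after validation so stale challenge records do not pile up. The
    trailing 'send' is what actually transmits the update; a batch without it
    does nothing useful."""
    lines: List[str] = []
    if local_addr:
        lines.append(f"local {local_addr}")
    lines.append(f"server {server}")
    name = challenge_name(fqdn)
    lines.append(f"update delete {name} TXT")
    if txt_value is not None:
        lines.append(f'update add {name} {ttl} TXT "{txt_value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(keyfile: str, batch: str, dry_run: bool = True) -> List[str]:
    """Write the batch under a private temp dir and invoke nsupdate -k <keyfile>.

    The TSIG secret lives only in keyfile (keep it mode 0600); the batch carries no
    secret. With dry_run the argv is returned without executing, which is what the
    tests use and what you run first when wiring this into a hook."""
    with tempfile.TemporaryDirectory() as tmp:  # created mode 0700
        batch_path = Path(tmp) / "nsupdatecmds"
        batch_path.write_text(batch)
        argv = [NSUPDATE, "-k", keyfile, str(batch_path)]
        if not dry_run:
            subprocess.run(argv, check=True)
        return argv


if __name__ == "__main__":
    # Constructed values, not a real challenge.
    fqdn = "host.example.com"
    txt = key_authorization_txt("constructed-token", "constructed-jwk-thumbprint")
    print(nsupdate_batch("ns1.example.com", fqdn, txt, local_addr="203.0.113.1"))
    print(nsupdate_batch("ns1.example.com", fqdn, None))
    print(run_nsupdate("/var/etc/acme-tsig.key", nsupdate_batch("ns1.example.com", fqdn, txt)))
```

Between the provisioning batch and telling the ACME server to validate, query the authoritative servers for the TXT record and wait until all of them return the new value; the ACME validator does not query your master, it follows the delegation.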


General Questions / Re: question about vlans and ethernet promiscuous mode
« on: February 02, 2018, 11:58:12 am »
I think you are correct, but I chose a random name for my example as if it were a plain ethernet port.

Thanks for your input!


General Questions / Re: question about vlans and ethernet promiscuous mode
« on: February 01, 2018, 11:29:33 pm »
I got my answer:

the parent interface goes into promiscuous mode, the other vlans do not.


General Questions / question about vlans and ethernet promiscuous mode
« on: February 01, 2018, 11:26:39 pm »

Given the following example, if I set br0.200 to promiscuous mode, does that set the parent interface AND br0.100 to promiscuous mode?

Thank you for your time...


br0 = parent interface
br0.100 = lan
br0.200 = dmz

Hardware / Re: questions about the built-in cpsw switch on the SG1000
« on: February 01, 2018, 12:06:59 pm »
Ok, Thank you!


Hardware / Re: questions about the built-in cpsw switch on the SG1000
« on: January 30, 2018, 06:33:52 pm »
Sweet!  Thanks!

Is there any significance to VLANs 4071 and 4072, or are they just placeholders?


Hardware / questions about the built-in cpsw switch on the SG1000
« on: January 30, 2018, 06:08:11 pm »

When configuring my SG-1000, I noticed there are already two VLANs assigned:
VLAN 4071 to cpsw0 (aka WAN)
VLAN 4072 to cpsw1 (aka LAN)

What sort of traffic is on these two VLANs?

Also, when digging into the switch configuration via Interfaces / Switch / System, it shows:

TI Common Platform Ethernet Switch (CPSW)
3 ports
128 vlan groups
DOT1Q (vlan mode)
DOT1Q (capabilities)

Interfaces / Switch / VLANs shows:

VLAN group   VLAN tag   Members   Description
0            4072       0,2       Default System VLAN
1            1001       0t,2t
2            1002       0t,2t
3            100        0t,2t
4            4071       0,1       Default System VLAN

So by inference I can see that member 1 is probably cpsw0 (the WAN port) and that member 2 is probably cpsw1 (the LAN port).

So what is member 0? Is it /dev/etherswitch0?
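The VLAN table in the post, read by a small model of an 802.1Q port-based switch, as an added example written for this thread (not pfSense, FreeBSD or cpsw driver code). It assumes the usual etherswitchcfg notation: "2t" is a tagged member (frames leave port 2 with the tag), a bare "2" is an untagged member (tag stripped on egress; untagged frames entering port 2 are classified into that VLAN, i.e. it acts as the port's PVID). What the table itself shows is that ports 1 and 2 each share an untagged VLAN (4071 and 4072) only with port 0, which is what keeps their untagged traffic apart on that shared port; port 0 is an untagged member of both, so the PVID rule cannot be applied to it from the table alone, and the model says so rather than guessing.

```python
"""Reading a DOT1Q switch VLAN table such as the one the pfSense Interfaces / Switch /
VLANs page (and FreeBSD's etherswitchcfg) prints. Added example written for this thread;
it is not pfSense, FreeBSD or cpsw driver code. Notation assumed: "2t" = port 2 tagged
member, "2" = port 2 untagged member (and PVID for untagged ingress on port 2). The
table text is the one from the post; which physical port is 0, 1 or 2 is left open
there, so the model uses only the numbers.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TABLE = """\
VLAN group   VLAN tag   Members   Description
0            4072       0,2       Default System VLAN
1            1001       0t,2t
2            1002       0t,2t
3            100        0t,2t
4            4071       0,1       Default System VLAN
"""


@dataclass
class Vlan:
    group: int
    tag: int
    tagged: Set[int] = field(default_factory=set)
    untagged: Set[int] = field(default_factory=set)

    def members(self) -> Set[int]:
        return self.tagged | self.untagged


def parse_table(text: str) -> Dict[int, Vlan]:
    """Parse the table into {vlan_tag: Vlan}; the header line is skipped."""
    vlans: Dict[int, Vlan] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue
        vlan = Vlan(group=int(parts[0]), tag=int(parts[1]))
        for member in parts[2].split(","):
            if member.endswith("t"):
                vlan.tagged.add(int(member[:-1]))
            else:
                vlan.untagged.add(int(member))
        vlans[vlan.tag] = vlan
    return vlans


def pvid(vlans: Dict[int, Vlan], port: int) -> int:
    """VLAN that untagged ingress on `port` is classified into. The model requires
    exactly one untagged membership per port; port 0 in the post's table has two
    (4071 and 4072), so the table alone does not say how the switch classifies it."""
    hits = [v.tag for v in vlans.values() if port in v.untagged]
    if len(hits) != 1:
        raise ValueError(f"port {port} has {len(hits)} untagged memberships: {hits}")
    return hits[0]


def forward(vlans: Dict[int, Vlan], ingress_port: int,
            tag: Optional[int] = None) -> Dict[int, bool]:
    """Egress ports for a frame entering ingress_port, as {port: leaves_tagged}.
    tag=None is an untagged frame. The result is empty (frame dropped) when the
    ingress port is not a member of the VLAN the frame is classified into, e.g. a
    frame tagged 4071 arriving on port 2 (ingress filtering)."""
    vid = pvid(vlans, ingress_port) if tag is None else tag
    vlan = vlans.get(vid)
    if vlan is None or ingress_port not in vlan.members():
        return {}
    out = {p: True for p in vlan.tagged if p != ingress_port}
    out.update({p: False for p in vlan.untagged if p != ingress_port})
    return out


if __name__ == "__main__":
    vlans = parse_table(TABLE)
    for port, tag in [(2, None), (2, 100), (2, 4071), (1, None)]:
        print(f"port {port}, tag {tag}: {forward(vlans, port, tag)}")
```

The ingress-filtering case is the one worth keeping in mind when you start adding your own VLAN groups on a switch like this: a tag that a port is not a member of is dropped at the port, so a host on the LAN port cannot inject frames tagged with the WAN port's system VLAN.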


General Questions / Re: Migrate VLAN to a dedicated network port
« on: January 30, 2018, 05:56:54 pm »
To my mind, solution number one ought to work, but test it.

Build another VLAN on em4, enable it, add some rules, and connect a laptop to it: verify it works. Then change the parent interface from em4 to em5 and see if a) the settings remain intact and b) the traffic has actually moved to the new interface with the laptop.

If it works, you should be able to do the same to VLAN 2001.


General Questions / unsure where to put this
« on: January 30, 2018, 05:51:30 pm »

I have a newly installed SG-1000 with a restored configuration from an older ALIX board running 2.3. In a nutshell: my Linux clients can get an IPv4 address from DHCP, but cannot get an IPv6 address from DHCPv6... UNLESS the Ethernet port is in promiscuous mode.

It makes no sense why the Ethernet port needs to be in promiscuous mode for just DHCPv6. If there was a problem binding to a port, then it would also affect DHCP for IPv4, right?

Short of starting over entirely (factory reset, rebuilding from scratch)... what can I do to make it work?


SG-1000 purchased in January 2018: 2.4.2-RELEASE-p1 (arm)

cpsw0 == wan: IPv4 via DHCP via Comcast
gif0 == hurricane: IPv6 via tunnel broker. (Comcast IPv6 broken...)
lan == cpsw1
dmz == cpsw1.100 aka VLAN 100
child1 == cpsw1.1001 aka VLAN 1001
child2 == cpsw1.1002 aka VLAN 1002

LAN is our network for the adults in the house. child1 and child2 are VLANs with restrictive settings such as OpenDNS.
dmz is where a Linux server and a few Linux virtual servers are running.

So, the LAN is configured as a hybrid port, using untagged VLAN 1, and the dmz and two child networks are using tags.

I can try changing the configuration such that the parent interface, cpsw1, is not in use: the pfSense book seems to indicate mine is not a good configuration...

IPv6 / Re: pfsense won't issue
« on: January 29, 2018, 12:22:51 pm »
Would there be any issues due to the built-in Ethernet switch?


IPv6 / Re: pfsense won't issue
« on: January 29, 2018, 12:19:01 pm »
You are correct: the firewall is an SG-1000 I purchased less than a month ago. My servers are on VLAN 100, my home network is on VLAN 1 (aka no VLAN at all).

Oh, I restored the configuration from pfSense 2.3 running on a nanobsd ALIX: I didn't find any warnings about transitioning 32-bit to 64-bit nor between 2.3 and 2.4.


IPv6 / Re: pfsense won't issue
« on: January 28, 2018, 10:54:40 pm »
Running "pfctl -vvsr | grep cpsw1.100" shows the "hidden" rules that allow DHCPv6 to operate.

I did some more research: it does not matter what pcap filter I use; the key to my Linux clients getting IPv6 addresses is that the listening Ethernet interface be in promiscuous mode.

Do I need to completely rebuild my firewall? 


IPv6 / pfsense won't issue
« on: January 26, 2018, 01:29:59 am »

I had a strange thing happen to me yesterday with pfSense. I have been having trouble with my Linux servers acquiring a DHCPv6-assigned address: there was no sign in pfSense's logs that the Linux systems even tried to acquire an address. However, DHCP for IPv4 runs properly.

Then a strange thing happened: I shut down the Linux system and cranked up tcpdump on pfSense's command line, searching for "ether host " with the MAC address of the Linux system. I was trying to see what packets arrived from the Linux host. Lo and behold: the Linux system acquired the IPv6 address. I tested this with four different Linux systems, rebooting each system several times, but only when I was running tcpdump on pfSense did the Linux systems get an IPv6 address.

Once the Linux system had the IPv6 address, access to the IPv6 internet worked properly.

Two hours later, the IPv6 address lease expired, but since tcpdump wasn't running, apparently the request didn't get through to pfSense.

Tonight I ran a slightly different test: I ran the same tcpdump command looking for only the one MAC address of the first Linux system. I left it running, and when I restarted the networking of all of the other Linux systems, each of them was able to acquire its IPv6 address.

Why would it appear that putting the interface into promiscuous mode caused packets to get through to the DHCPv6 daemon?

Also, wouldn't configuration of the DHCPv6 server create a "hidden" set of firewall rules to allow access to pfSense via its link-local IP address?

The details:

1) pfSense 2.4.2-RELEASE
2) IPv6 available via tunnel broker.
3) The network is set to static IPv6 routing, working properly.

Linux systems:
    Ubuntu 16.04 LTS server
    Each /etc/network/interfaces has the following lines:
        auto ens33
        iface ens33 inet dhcp
        iface ens33 inet6 dhcp
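The question of why DHCPv4 works while DHCPv6 only works with tcpdump running comes down to the link-layer destinations the two protocols use, and that difference is worth seeing concretely. The following is an added example written for this thread; it is not pfSense, FreeBSD or cpsw driver code and does not establish what went wrong on this SG-1000. It computes the Ethernet destinations from the protocol constants (DHCPDISCOVER goes to the broadcast MAC; a DHCPv6 SOLICIT goes to ff02::1:2, RFC 8415, which RFC 2464 maps to 33:33:00:01:00:02) and runs them through a minimal model of a NIC receive filter: broadcast and the port's own unicast MAC always pass, a multicast MAC passes only if the driver programmed that group into the filter or the interface is promiscuous. The MAC addresses and filter contents are constructed.

```python
"""Link-layer destinations of DHCPv4 vs DHCPv6 client messages, and a model of a NIC
receive filter. Added example written for this thread; it is not pfSense, FreeBSD or
cpsw driver code, and it does not diagnose the SG-1000. It shows the check a
practitioner makes when IPv4 DHCP works but DHCPv6 only works while tcpdump
(promiscuous mode) is running on the server side.
"""
import ipaddress
from typing import Dict, Iterable

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"                 # DHCPDISCOVER destination
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"     # DHCPv6 SOLICIT destination, UDP 547 (RFC 8415)
ALL_NODES = "ff02::1"                                # Router Advertisements


def ipv6_multicast_mac(addr: str) -> str:
    """RFC 2464 section 7: 33:33 followed by the low 32 bits of the group address."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    low32 = ip.packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def solicited_node_mac(unicast: str) -> str:
    """Solicited-node group ff02::1:ffXX:XXXX (RFC 4291) for a unicast address; a NIC
    must accept this one too, or neighbor discovery and hence IPv6 unicast break."""
    ip = ipaddress.IPv6Address(unicast)
    prefix = bytes.fromhex("ff02") + bytes(9) + bytes.fromhex("01ff")  # 13 bytes
    group = ipaddress.IPv6Address(prefix + ip.packed[-3:])
    return ipv6_multicast_mac(str(group))


class RxFilter:
    """Minimal model of what a driver programs into the hardware receive filter."""

    def __init__(self, own_mac: str, multicast_groups: Iterable[str] = (),
                 promiscuous: bool = False):
        self.own_mac = own_mac.lower()
        self.groups = {m.lower() for m in multicast_groups}
        self.promiscuous = promiscuous

    def accepts(self, dst_mac: str) -> bool:
        dst = dst_mac.lower()
        if self.promiscuous or dst == BROADCAST_MAC or dst == self.own_mac:
            return True
        return dst in self.groups


def dhcp_reachability(nic: RxFilter) -> Dict[str, bool]:
    """Which DHCP flavour's first client message this filter would hand to the stack."""
    return {
        "dhcpv4_discover": nic.accepts(BROADCAST_MAC),
        "dhcpv6_solicit": nic.accepts(ipv6_multicast_mac(ALL_DHCP_RELAY_AGENTS_AND_SERVERS)),
    }


if __name__ == "__main__":
    mac = "02:00:00:00:00:01"  # constructed, locally administered
    cases = {
        "no multicast groups programmed": RxFilter(mac),
        "ff02::1:2 group programmed": RxFilter(mac, [ipv6_multicast_mac(ALL_DHCP_RELAY_AGENTS_AND_SERVERS)]),
        "promiscuous (tcpdump running)": RxFilter(mac, promiscuous=True),
    }
    for label, nic in cases.items():
        print(f"{label}: {dhcp_reachability(nic)}")
```

The useful property of the model is the asymmetry it reproduces: a filter with nothing but the unicast MAC still delivers DHCPDISCOVER, because broadcast always passes, while SOLICIT is delivered only with the 33:33:00:01:00:02 group present or with promiscuous mode on. On a real system the corresponding check is whether the server-side interface lists that group among its multicast memberships (ifmcstat on FreeBSD) while dhcpd6 is running.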

DHCP and DNS / Re: using rfc2136 clients for >1 hostname
« on: January 19, 2018, 10:57:27 am »
Remember: do not edit the zone file without using "rndc freeze / reload / thaw", or you will be struck by the DNS gods.

Boy Howdy that's the truth!

That's perfect, I appreciate it!

