
Messages - ashima


That is possible if you have a site-to-site OpenVPN connection. Then all the systems on the Client A side can access the 192.168.20.x range and vice versa. As far as I can understand from your post, you are running Windows-based OpenVPN client software on individual systems at Client A. If that is the case then I guess you will not be able to access systems on the Client A side from 192.168.20.x.

I suggest putting up a device (maybe another pfSense device) at Client A; then the two devices can make an OpenVPN connection. Then all the devices from either side should be able to talk to each other.




Yes, we can take 2 connections from the same ISP. My doubt:

Since it is a broadband connection at 150 Mbps down and up both ways, the contention ratio is expected to be 1:16, and it has the same gateway, unlike a leased line connection with a contention ratio of 1:1 or 1:2.

Are there any issues that you perceive or foresee cropping up?




Well, there will be an upload and download speed restriction through captive portal / FreeRADIUS for every user.

I guess this would prevent any one of them from eating up the entire bandwidth. Is there anything else I need to take care of?

I am not load balancing, as ISP A is at 150 Mbps up/down, ISP B is at 30 Mbps up/down and ISP C is at 15 Mbps/40 Mbps up/down.

So I thought IP-based routing would be better. Am I right on this concept?



Thank you all for replying. So a big NO to TP-Link.

@NogBadTheBad, all the three ISPs will be connected to pfSense. All the APs will be connected to this box.

The first 200 DHCP clients will use ISP A and the next 50 clients will use ISP B. So depending upon the IP address, the ISP will be decided by pfSense.

Will be using the same SSID across.

Is there anything else I need to take care of?



Thank you Derelict for replying; I would need a suggestion.

For the discussed location, what are your thoughts about:

    1. Ubiquiti UniFi AP AC Lite vs TP-Link EAP 245.

    2. Ubiquiti UniFi AP AC Pro vs TP-Link EAP 330.


General Questions / Can WiFi APs get overwhelmed by torrent connections?
« on: February 04, 2018, 11:47:46 pm »
Greetings to all,

Wish to discuss an upcoming scenario with high-density / high-population WiFi devices in a small area.

The scenario is for a hostel accommodation; wireless APs need to be installed in the coming week.
Each floor has too many 4-inch brick walls (5-6), hence planning several APs on each floor.

ISPs available are: ISP-A Broadband 150 Mbps, ISP-B Broadband 80 Mbps, ISP-C Broadband 40 Mbps.
                    (Upload & download speeds are the same for all 3 ISPs)

Wi-Fi Access Points: Considering using the Ubiquiti UniFi AP AC Lite x 21 units spread across 4 floors.
                     Open to suggestions if the Ubiquiti UniFi AP AC Pro would be more appropriate.
                     What would your comments be on the EnGenius EAP1200h?

WiFi Coverage: No coverage issues, -55 dB to -45 dB. On a laptop the WiFi signal shows 4/5 or 5/5 bars.

Networking: CAT6, Gigabit switches.
            ISP-A (150 Mbps) segmented for 3 floors.
            ISP-B (80 Mbps) segmented for 1 floor.
            ISP-C (40 Mbps) as a failover for either ISP-A or ISP-B.

Firewall: pfSense configured with Captive Portal, 190 user logins with bandwidth capped at 4 Mbps per user login,
          with a limit of 2 devices per user login.
          Configured to run Captive Portal. (Squid is not required)

Each access point is expected to receive a max of 30-40 concurrent device connections (laptops & mobiles).

Doubt 1: Will this desktop hardware be sufficient for the job of the pfSense box?
         AMD A-Series APU A4-6300 3.x GHz - dual core, or
         AMD A-Series APU A8-7600 3.x GHz - quad core (open for suggestions)
         8GB DDR3 RAM, 160GB SATA HDD x 2 (RAID 0 - ZFS mirror)
         5 GbE LAN ports

Doubt 2: In a particular area of the property,

We have a doubt about several users connected to the same WiFi AP simultaneously in a particular area who may use file torrenting on their laptops. From what we have seen in the past, a simple torrent file usually opens 40-50 connections & about 1000 half-open connections.
Will this become an issue, with other users within the same WiFi AP experiencing disruptive internet performance?
Can several users using torrents (within the same AP) overwhelm the WiFi AP's capacity to handle per-client connections?

Also, we do not wish to block torrents in the network.

Essentially, even though the signals are strong and the head count of users is just 20 at a given time,
several users using torrents can spoil the user experience in that area, overwhelming the particular WiFi AP.
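A way to put numbers on the "40-50 connections and about 1000 half-open connections" concern is to count firewall states per LAN client, since every torrent peer attempt that crosses the pfSense box is a state entry. The script below is an added example, not code from the post or from pfSense: it parses lines in the shape `pfctl -ss` prints on FreeBSD/pfSense (interface, protocol, source, optional NAT address in parentheses, destination, state pair), attributes each state to the LAN host that opened it, and separates fully established states from half-open ones (any `SYN_SENT` side). The LAN subnet, interface names and state lines are all constructed for the example.

```python
"""Per-client firewall state counts from pfctl-style state lines.

Added example, not code from the forum post or from pfSense. It assumes
the 'pfctl -ss' line layout 'iface proto src:port [(nat-addr:port)] -> dst:port
state:state' as printed on FreeBSD/pfSense; the sample lines below are
constructed, not a real capture.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed LAN subnet behind the access points (constructed).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample in the shape 'pfctl -ss' prints. 192.168.10.21 looks
# like a torrent client: a few ESTABLISHED peers plus SYN_SENT attempts;
# the other hosts are ordinary browsing and DNS.
SAMPLE_STATES = """\
igb1 tcp 192.168.10.21:51001 -> 203.0.113.7:6881       ESTABLISHED:ESTABLISHED
igb1 tcp 192.168.10.21:51002 -> 203.0.113.8:6881       ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.2:51006 (192.168.10.21:51006) -> 198.51.100.13:6881   ESTABLISHED:ESTABLISHED
igb1 tcp 192.168.10.21:51003 -> 198.51.100.9:51413     SYN_SENT:CLOSED
igb1 tcp 192.168.10.21:51004 -> 198.51.100.10:51413    SYN_SENT:CLOSED
igb1 tcp 192.168.10.21:51005 -> 198.51.100.11:51413    SYN_SENT:CLOSED
igb1 udp 192.168.10.21:6881 -> 198.51.100.12:6881      MULTIPLE:MULTIPLE
igb1 tcp 192.168.10.34:44010 -> 93.184.216.34:443      ESTABLISHED:ESTABLISHED
igb1 tcp 192.168.10.34:44011 -> 93.184.216.34:443      ESTABLISHED:ESTABLISHED
igb1 udp 192.168.10.40:53111 -> 192.168.10.1:53        SINGLE:NO_TRAFFIC
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):\d+"
    r"(?:\s+\((?P<alt>[\d.]+):\d+\))?"   # NAT'd states carry a second address in ()
    r"\s+->\s+(?P<dst>[\d.]+):\d+"
    r"\s+(?P<state>\S+)\s*$"
)


def lan_client(match, lan_net=LAN_NET):
    """Pick whichever source-side address of a state belongs to the LAN."""
    for addr in (match.group("src"), match.group("alt")):
        if addr and ipaddress.ip_address(addr) in lan_net:
            return addr
    return None


def count_states(text, lan_net=LAN_NET):
    """Return {client_ip: {"total", "established", "half_open"}} for LAN clients."""
    counts = defaultdict(lambda: {"total": 0, "established": 0, "half_open": 0})
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue                      # skip anything not in the expected shape
        client = lan_client(m, lan_net)
        if client is None:
            continue                      # state not originated by a LAN host
        c = counts[client]
        c["total"] += 1
        state = m.group("state")
        if state == "ESTABLISHED:ESTABLISHED":
            c["established"] += 1
        elif "SYN_SENT" in state:
            c["half_open"] += 1           # handshake never completed: the 'half-open' case
    return dict(counts)


def flag_heavy_clients(counts, max_states=200, max_half_open=50):
    """Clients whose total or half-open state count exceeds the thresholds."""
    return sorted(ip for ip, c in counts.items()
                  if c["total"] > max_states or c["half_open"] > max_half_open)


if __name__ == "__main__":
    # On a real box the input would be the output of: pfctl -ss
    summary = count_states(SAMPLE_STATES)
    for ip, c in sorted(summary.items()):
        print(f"{ip:16} total={c['total']:4} established={c['established']:4} "
              f"half_open={c['half_open']:4}")
    print("over threshold:", flag_heavy_clients(summary, max_states=5, max_half_open=2))
```

Run against a real `pfctl -ss` dump this shows which clients are holding hundreds of states, which is the firewall-side symptom of the behaviour the post describes; the AP's own per-client table is a separate limit that only the AP vendor's tooling can report. If the numbers turn out to be a problem without blocking torrents outright, pf's per-rule `max-src-states` limit (exposed in pfSense rule advanced options as "Max. src. states") caps how many states any single source may hold on a LAN rule.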




You will have to install Squid and SquidGuard.

Also, to block HTTPS sites you have to enable SSL filtering. Choose the option "Splice whitelist and bump otherwise". Create a whitelist of the HTTPS sites which you want to pass. All the rest will be bumped.

Hope this helps you.

General Questions / Re: VIP setting
« on: January 28, 2018, 05:54:12 pm »
Thank you viragomann.

I am using MAC-IP binding in Box 1 so Box 2 always gets the same IP.

I can of course make Box 2 have a static IP if that serves the purpose.
My question is about assigning another IP (virtual IP) to Box 2 so that I can access Server 2 with the same port as Server 1.


General Questions / Re: Route specific hosts over VPN
« on: January 27, 2018, 12:29:35 pm »
This link might help you.



You can have two DHCP pools, but you cannot tell this client to select from pool A and that client to select from pool B. So give all the clients you want in pool B a fixed IP. But remember, if any other client which was supposed to get a DHCP address from pool A fixes his IP to pool B, then he'll be allowed.

So to avoid this you should either use a managed switch or go for VLANs.

If you have all wireless devices, then setting up VLANs is quite simple. The only thing then required will be a device which can tag the clients. Most of the APs nowadays come with a VLAN tagging facility.

If you have desktops then you have to invest in a managed switch.

I can help you set up VLANs, in case you decide to do so.
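The reply above makes a point worth checking on a live network: reservations decide what the DHCP server hands out, but nothing stops a host from statically configuring itself into pool B. The script below is an added example, not code from the post or from pfSense. It assumes one LAN with two pools, a MAC-to-IP reservation list for pool B, and ARP entries in the `arp -an` shape printed on FreeBSD/pfSense, and it flags two things: a host sitting in pool B whose MAC has no matching reservation (the case the reply warns about), and a reserved MAC showing up at some other address. The subnet, MACs and ARP lines are constructed.

```python
"""Audit whether hosts in the 'fixed IP' DHCP pool actually hold a reservation.

Added example, not code from the forum post or from pfSense. It assumes one
LAN with two pools, a MAC-to-IP reservation list for pool B, and ARP entries
in the 'arp -an' shape printed on FreeBSD/pfSense; all data is constructed.
"""
import ipaddress
import re

# Pool B: the range meant to be reached only by reservation (constructed).
POOL_B = ipaddress.ip_network("192.168.1.192/26")

# Constructed reservation table: MAC -> IP the DHCP server would assign.
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.1.200",
    "00:11:22:33:44:02": "192.168.1.201",
    "00:11:22:33:44:03": "192.168.1.202",
}

# Constructed 'arp -an' style lines. .210 has no reservation at all, and the
# MAC reserved for .202 shows up at .60 instead.
SAMPLE_ARP = """\
? (192.168.1.50) at 00:11:22:33:44:50 on igb1 expires in 1000 seconds [ethernet]
? (192.168.1.60) at 00:11:22:33:44:03 on igb1 expires in 700 seconds [ethernet]
? (192.168.1.200) at 00:11:22:33:44:01 on igb1 expires in 1180 seconds [ethernet]
? (192.168.1.201) at 00:11:22:33:44:02 on igb1 expires in 1150 seconds [ethernet]
? (192.168.1.210) at de:ad:be:ef:00:99 on igb1 expires in 900 seconds [ethernet]
"""

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp(text):
    """Return {ip: mac} from arp -an style lines; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def audit_pool(arp_table, reservations, pool):
    """Return (ip, mac, reason) for hosts that contradict the reservation list."""
    mac_to_ip = {mac.lower(): ip for mac, ip in reservations.items()}
    findings = []
    for ip in sorted(arp_table, key=ipaddress.ip_address):
        mac = arp_table[ip]
        reserved_ip = mac_to_ip.get(mac)
        if ipaddress.ip_address(ip) in pool and reserved_ip != ip:
            # In pool B without being the MAC the reservation names: the
            # 'fix his IP to pool B' case the reply warns about.
            findings.append((ip, mac, "address in pool B without a matching reservation"))
        elif reserved_ip is not None and reserved_ip != ip:
            # A reserved MAC seen elsewhere: stale reservation or a cloned MAC.
            findings.append((ip, mac, f"reserved MAC seen at {ip} instead of {reserved_ip}"))
    return findings


if __name__ == "__main__":
    # On a real box the input would be the output of: arp -an
    for ip, mac, reason in audit_pool(parse_arp(SAMPLE_ARP), RESERVATIONS, POOL_B):
        print(f"{ip:16} {mac}  {reason}")
```

This is detection only; it tells you the bypass happened after the fact. As the reply says, the enforcement belongs in the switch or the VLAN layout: the DHCP server's "Deny unknown clients" option withholds leases from unlisted MACs, but a self-assigned static address never asks the DHCP server at all.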

General Questions / Re: VIP setting
« on: January 27, 2018, 07:42:18 am »

I haven't received any response. I just want to confirm: if I use a virtual IP with IP Alias and do a port forward to the second server, will it work? Since the pfSense box is at the remote location (at the head office where all branches connect) I don't want to take any chance.

Also, do I have to make any change in Box 1 (the load balancer), as it is the DHCP server for Box 2?

As I am going to make these changes remotely I just want to confirm my steps.

Any help?


You can sort of achieve this by IP-MAC binding, but the best way to do this is to either use a managed switch or VLANs.


General Questions / VIP setting
« on: January 26, 2018, 10:38:56 am »
Here's the setup:

           First pfSense box (Box 1) acting as load balancer, OpenVPN server for branches and DHCP server for Box 2.

           Second pfSense box (Box 2) acting as firewall and content filter.
           Two servers, Server 1 and Server 2, are behind the firewall.

All the branches connect to Box 1 through OpenVPN and RDP to Server 1. (RDP port 3389 is opened in Box 2 and port forwarded to Server 1)

Now I want to assign another IP to Box 2 (VIP) which should port forward to Server 2, so that when users use this IP for RDP they are forwarded to Server 2.

My plan:

        My plan is to have a virtual IP in Box 2 with IP Alias, then port forward this IP to Server 2.

I am not sure about these settings so I don't want to take any chance.

Also, are there any changes I need to make in Box 1 (as it is the DHCP server for Box 2)?

Any help?



   Thank you  @viragomann

" In the client config on A enter the head office and the site B LAN subnets  at "IPv4 Remote network(s)" "

This is what made it work. I was trying to do so since morning.


General Questions / Inter-Site Communication Between Two VPN Client Sites
« on: January 24, 2018, 05:04:02 am »
Hello everyone,

My scenario:

                 pfSense working as OpenVPN server at head office

Site A and Site B are connecting to the OpenVPN server at head office through an OpenVPN tunnel.

Communication is happening between Site A and head office and vice versa,
similarly between Site B and head office.

I would like to access the server at Site A from the server at Site B (inter-site communication).

Unfortunately the option "Inter-client communication" is not available for the OpenVPN server (site-to-site).

I tried putting the Site A LAN subnet in the CSO of Site B's local network in the OpenVPN server. This pushed the route to Site B. I was able to ping the server at Site A from the firewall but not from any other device at Site B.

What am I missing? Any help?

