

Messages - Puma

General Questions / Re: Need help to configure VLAN in HA environment
« on: March 06, 2018, 02:36:42 am »
Thank you!
I'll try to set this up.

General Questions / Re: Need help to configure VLAN in HA environment
« on: March 01, 2018, 04:47:36 am »

Thanks for your help.

You can't have the same subnet on more than one interface. So you can't use it on both LAN and VLAN10.
That is interesting. So I can keep the LAN interface with the current configuration (192.168.9.X) and just create one extra VLAN (with a different subnet, of course)?
The idea in my first post was to migrate the LAN interface to VLAN10, but if it is possible to keep the current interface running and create VLAN20 for another subnet, that is what I want. So can you confirm that this is possible without problems?

Which of the ports on your switch is connected to pfSense?
The pfSenses are connected to ports 1 and 2 on the switch.
Port 3 is a device on the LAN.
Port 4 is a device on the extra subnet (VLAN20).

Can you help me with the VLAN configuration on the switch please? It is abstract to me.

General Questions / Need help to configure VLAN in HA environment
« on: February 27, 2018, 04:49:49 am »

I tried to configure VLANs in an HA environment without success and I need help to do this.

Here is the current environment and what I want:

I have two pfSenses in HA mode. I have an existing interface on each firewall with a CARP IP:

Master, LAN interface, IP:
Backup, LAN interface, IP:

I have created two VLANs (in Interfaces -> VLAN):
VLAN 10 and VLAN 20

VLAN: I want to assign the existing IP of the LAN interface:

- What should I do next for the existing LAN interface? Disable the LAN interface? Keep it enabled but set to any IP? This parent interface will host the VLAN.

In my attempt, I enabled my VLAN interface and set it with a 192.168.9.X IP. I changed the interface on the CARP VIP from LAN to VLAN10.

My layer 2 switch is configured like this, but I'm not sure of the configuration (see picture).
Ports 3 and 4 are PC clients for this example.

Can you help me make the VLAN work, and guide me through the process please?
Thank you in advance.

Routing and Multi WAN / Multi WAN on same interface
« on: January 30, 2018, 05:24:25 am »

Before I start, I should specify that I have no NIC available and no possibility to do VLANs.

So, we have one interface "VPN" connected to a switch where we already have several ISP routers for our clients. We have set up the routers' gateways, virtual IPs, static routes and NAT to access some DMZ machines, and we can communicate with them without problem.

Now, I want to add another router connected to this switch and have access to the DMZ machines. I configured the gateway address and a virtual IP. I don't want to set static routes. For example, all requests coming in on public IP 90.80.x.2 are redirected to the DMZ machine : and reply with the same IP as the entry.

How can I do this please?

I tried NAT, 1:1 NAT, and outbound NAT specifying the public IP 90.80.x.2.
On this router, I have a direct public IP subnet (90.80.x.1/29) on a port that I would like to use.

Currently, I want to display a web page (https); I see the request come in (establishing the secure connection) but the page isn't displayed. I think the reply can't be completed (SYN-ACK) and this is the default gateway of the DMZ interface.

I hope you can give me some advice on doing that.

Thank you.

Hardware / Create raid gmirror after install
« on: October 04, 2017, 03:04:58 am »

Is it possible to create a RAID 1 after the install please?
If yes, can you guide me on how to do it please?

At install time, the firewall had 2 HDDs; I did a quick install.


Installation and Upgrades / GMIRROR - SYNCHRONIZING 100% stuck
« on: August 29, 2017, 02:48:31 am »

We have a pfSense with 2 disks configured in RAID 1 with GEOM mirror.

One disk was bad; we replaced it with a new disk. The sync is stuck at 100%:

gmirror status
                Name    Status  Components
mirror/pfSenseMirror  DEGRADED  ada0 (ACTIVE)
                                ada1 (SYNCHRONIZING, 100%)

With SMART, I see that on the first disk we have errors from when the firewall was rebooted to replace the failed second disk.

SMART Error Log Version: 1
ATA Error Count: 5
        CR = Command Register [HEX]
        FR = Features Register [HEX]
        SC = Sector Count Register [HEX]
        SN = Sector Number Register [HEX]
        CL = Cylinder Low Register [HEX]
        CH = Cylinder High Register [HEX]
        DH = Device/Head Register [HEX]
        DC = Device Command Register [HEX]
        ER = Error register [HEX]
        ST = Status register [HEX]
Powered_Up_Time is measured from power on, and printed as
DDd+hh:mm:SS.sss where DD=days, hh=hours, mm=minutes,
SS=sec, and sss=millisec. It "wraps" after 49.710 days.

Error 5 occurred at disk power-on lifetime: 20844 hours (868 days + 12 hours)
  When the command that caused the error occurred, the device was active or idle.

  After command completion occurred, registers were:
  -- -- -- -- -- -- --
  40 51 00 00 8c a1 40  Error: UNC at LBA = 0x00a18c00 = 10587136

  Commands leading to the command that caused the error were:
  CR FR SC SN CL CH DH DC   Powered_Up_Time  Command/Feature_Name
  -- -- -- -- -- -- -- --  ----------------  --------------------
  25 00 00 00 8c a1 12 00      00:51:12.327  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:10.264  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:08.200  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:06.001  READ DMA EXT
  25 00 00 00 8c a1 12 00      00:51:03.954  READ DMA EXT

So, we will reinstall pfSense soon, but we aren't on site.

Is there a way to unlock this situation please?
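Added here as an illustration, not code from the thread or from pfSense: a small check that parses `gmirror status` output and the smartctl error log of the kind shown above, reports a degraded mirror and any member still rebuilding, and correlates it with UNC (uncorrectable read) errors on the ACTIVE member, which are worth checking when a rebuild stalls because the new disk is copied from that member. The sample texts are constructed to match the post's output, and `active_dev="ada0"` is an assumption about which disk is the source.

```python
import re
# Constructed sample, shaped like the "gmirror status" output in the post above.
GMIRROR_STATUS = """\
                Name    Status  Components
mirror/pfSenseMirror  DEGRADED  ada0 (ACTIVE)
                                ada1 (SYNCHRONIZING, 100%)
"""
# Constructed sample, shaped like the smartctl error-log excerpt for ada0 above.
SMART_ADA0 = """\
ATA Error Count: 5
Error 5 occurred at disk power-on lifetime: 20844 hours (868 days + 12 hours)
  40 51 00 00 8c a1 40  Error: UNC at LBA = 0x00a18c00 = 10587136
"""

MIRROR_RE = re.compile(r"\s*(mirror/\S+)\s+([A-Z]+)\s+(.*)")
COMPONENT_RE = re.compile(r"(\w+)\s+\(([A-Z]+)(?:,\s*(\d+)%)?\)")

def parse_gmirror_status(text):
    """Map each mirror to its status and {device: (state, sync_percent or None)}."""
    mirrors, current = {}, None
    for line in text.splitlines()[1:]:          # first line is the column header
        m = MIRROR_RE.match(line)
        if m:                                   # row that starts a new mirror
            current = m.group(1)
            mirrors[current] = {"status": m.group(2), "components": {}}
            rest = m.group(3)
        else:                                   # continuation row: more components
            rest = line
        if current:
            for dev, state, pct in COMPONENT_RE.findall(rest):
                mirrors[current]["components"][dev] = (state, int(pct) if pct else None)
    return mirrors

def unc_lbas(smart_text):
    """Decimal LBAs of uncorrectable-read (UNC) errors listed in a smartctl error log."""
    return [int(x) for x in re.findall(r"UNC at LBA = 0x[0-9a-fA-F]+ = (\d+)", smart_text)]

def assess_mirror(gmirror_text, smart_text, active_dev="ada0"):
    """Report a non-COMPLETE mirror, rebuilding members, and UNC errors on the source disk."""
    findings = []
    for name, info in parse_gmirror_status(gmirror_text).items():
        if info["status"] != "COMPLETE":
            findings.append(f"{name}: {info['status']}")
        for dev, (state, pct) in info["components"].items():
            if state == "SYNCHRONIZING":
                findings.append(f"{name}: {dev} rebuilding at {pct}%")
        src_state = info["components"].get(active_dev, ("", None))[0]
        if src_state == "ACTIVE" and unc_lbas(smart_text):
            findings.append(f"{name}: source {active_dev} has UNC read errors at LBA {unc_lbas(smart_text)}")
    return findings
```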


IPsec / Phase 2 has no uniqid tag
« on: March 14, 2017, 09:55:07 am »

I upgraded from pfSense 2.1.5 to 2.3.2, and when I want to edit a phase 2, it is empty. The p2index= value in the URL is empty: https://xx.xx.xx.xx/vpn_ipsec_phase2.php?p2index=

In the config file, I have no uniqid (or reqid) tags.

1. How can I set this uniqid easily? What about the reqid tag?

2. If I manually add uniqid with a random value, will it work?

3. Can I restore the IPsec part without rebooting the firewall or the IPsec tunnels?

Thank you.

Installation and Upgrades / Upgrade - Lost outbound NAT
« on: January 03, 2017, 09:45:14 am »

I have upgraded from 2.3.2 to 2.3.2-p1. After the reboot, the "Outbound NAT" section was lost.

Before, the mode was manual; after the upgrade, the mode was automatic with no values.

To fix it, I restored the NAT section in the config file, and now I have all my outbound NAT values.

Have you heard about this issue? Do you know what might have caused this?


General Questions / Re: HA - Crash report - Need help to understand why
« on: October 04, 2016, 10:47:50 am »
Sorry, I don't really understand your answer (and English isn't my native language). Is there a problem with the hard drive? Must I check it?

General Questions / HA - Crash report - Need help to understand why
« on: October 04, 2016, 04:53:27 am »

I would like to know if you can analyse the crash report and help us understand why the slave pfSense crashed and why we had downtime on our first pfSense and instability during a 30-minute period.

Let me explain: we have two pfSenses configured in HA on version 2.1.5 (I know this is an old version; we have a project to upgrade). Last week, we had a production outage, so our internet lines were down (fiber, VPN, VDSL): the first pfSense had a high load average (~13) and the secondary pfSense crashed with this crash report. We shut down the secondary and disabled the SYNC (HA - pfsync) interface to bring the first pfSense back to life.

Currently, these pfSenses are virtualized with Proxmox and Intel e1000 network cards (we would like to move to physical hardware with the newest version, but I have tested it and we have a problem with IPsec and FTP).

So, can you help us? Do you need more information?


For rules, I have this (for now it is general, I will refine it later):

Protocol: TCP
Source IP (of the FTP server): to IP: ALL and port: ALL

IPSEC: I set ALL for now

I just tested the FTP connection via IPsec without NAT IP, and it works.

Indeed, the previous configuration, and the one I would like, would be NAT at the IPsec configuration level (: IPsec client -> client NAT -> FTP access); but it blocks at the LIST.

I would like to move all clients to our SFTP server, but 2 clients remain who want to stay in this configuration of doing FTP via IPsec...

In summary, I have my IPsec tunnel with one phase 1 and one phase 2, the vsftpd server with the configuration described in the pfSense documentation for passive mode, and the 2 rules quoted above.

The FTP server's IP:
The client knows the following NATed IP to reach this FTP server via IPsec:

In the IPsec tunnel P2 configuration:

I confirm that FTP works on the LAN or via the WAN, but not via IPsec. I tried with and without these NAT rules, and I agree that they are useless.

IPsec tunnel configuration:

Local IP of the vsftpd FTP server:

In the vsftpd server configuration, I added this:
# Do not allow the client to use PORT
# Use the hostname in the PASV response (DNS must be setup and match!)
# Enable Passive Mode
# Set the passive port range (1000 ports)

In "PORT FORWARD", I added this:

Interface: IPSEC
Protocol: TCP
Source: any
Destination:
Destination port range: 21
Redirect target IP:
Redirect target port: 21
Associated rule

Interface: IPSEC
Protocol: TCP
Source: any
Destination:
Destination port range: 50000-51000
Redirect target IP:
Redirect target port: 50000(-51000)
Associated rule

Later on, we have a second FTP server running FileZilla Server, but if we already solve this problem with vsftpd, it will be a big step forward.


I was on version 2.1.5, where 2 IPsec tunnels are up with two clients to do (passive) FTP.
I migrated to the latest 2.3 version and since then, it is impossible to do FTP transfers via IPsec. The client manages to log in but not to list, and of course not to transfer.
I have an IPsec rule allowing port 21 and the range 50000 to 51000 to the FTP server.

Connecting to this FTP works on the LAN and on the WAN, tested with FileZilla Server and vsftpd.
I also followed this guide:

I tried enabling ftpdebug, and I changed the IPsec encryption to 3DES.

I notice that in active mode I manage to list, but I would like to stay in passive mode.

Do you have a tip to get passive FTP via IPsec working again please?

Thanks in advance for your help.
