Messages - DanC

General Questions / Re: Rules between lan and vlan
« on: October 12, 2017, 08:43:04 am »
If you have that rule in place, then your settings on the switch are probably not correct.  I can say for certain, your switch setup is less than ideal.  There's probably a reason for your setup, but I'd try to simplify the mess of Internet on port 8 passing through both switches for starters.

Might be a setting on your switch that's causing your lack of interconnectivity.  Do you have any port isolation enabled?

Can you ping pfSense from your VLANs?  Do you have connectivity from VLAN to VLAN?

General Questions / Re: Rules between lan and vlan
« on: October 11, 2017, 08:46:14 am »
So long as everything on L1 is correct, make a rule on your PC's interface that has the following:

Action:  Pass
Interface:  Whatever Interface has
Address Family:  IPv4
Protocol:  Any

Source:  Single Host or Alias -
Destination:  Single Host or Alias -
Dest Port Range:  Any/Any

That will pass all traffic from your PC to your Server.  Make sure this is above any "Block" rules, if you add any to that interface.

General Questions / Re: Rules between lan and vlan
« on: October 10, 2017, 03:41:19 pm »
Your first rule, as you probably understand since you said it was "only test," isn't necessary.  The rule below it also passes all that traffic.

Your traffic might be using a protocol that is not TCP or UDP.  If you're trying to ping from that subnet, either add another rule that allows ICMP (under protocol) or change the protocol of your bottom rule to "Any."

I could ask a million questions about what traffic you want to go where, but you really need to spell it out.  Changing the protocol to Any will definitely allow all traffic to leave that interface, but it might not get you where you want to go security-wise.

General Questions / Re: Rules between lan and vlan
« on: October 09, 2017, 01:09:36 pm »
Can you post your firewall rules for these interfaces?

Traffic is evaluated as it enters an interface. 

If you want your PC on 10.0.10/24 subnet to access pfSense on 10.10.10/24 subnet, then you need to add a firewall rule to allow that traffic.  So add a rule on's interface to allow traffic to destination  (I'm assuming you're using /24 subnets)

OPT interfaces (VLANs or other physical interfaces) by default have no rules, so all traffic is blocked.  Traffic will not pass between segments unless you allow it to happen.

Are all affected PCs on the same switch?  Could be a dead/unplugged switch and not pfSense at all...  Need more details!
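The replies above make three points that are easy to get wrong in practice: rules are evaluated on the interface the traffic enters, first match wins (so a pass rule must sit above a broader block), and a rule limited to TCP/UDP will never pass a ping. The following is an added example, not code from the original posts or from pfSense itself: a small Python model of that per-interface, first-match evaluation with an assumed Rule/Packet shape and constructed addresses (a PC at 10.0.10.50 on a VLAN10 interface, a server at 10.10.10.20 on VLAN20). It only models the ingress match; pfSense is stateful, so return traffic for a passed connection is allowed by state and needs no rule on the other interface.

```python
"""Model of pfSense-style per-interface, first-match firewall rule evaluation.

Added example, not pfSense code. Assumed simplifications: each GUI rule
carries 'quick' (first match wins), an interface with no matching rule
blocks the packet, and state tracking is out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    proto: str                        # "tcp", "udp", "tcp/udp", "icmp" or "any"
    src: str                          # CIDR (host = /32) or "any"
    dst: str                          # CIDR (host = /32) or "any"
    dport: Optional[tuple[int, int]] = None  # (low, high); None = any port


@dataclass
class Packet:
    ingress_if: str                   # interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None       # None for protocols without ports


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    # "tcp/udp" matches either; "any" matches everything, including icmp.
    return rule_proto == ANY or pkt_proto in rule_proto.split("/")


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(rng: Optional[tuple[int, int]], port: Optional[int]) -> bool:
    if rng is None:
        return True
    if port is None:              # a port range can never match ICMP
        return False
    return rng[0] <= port <= rng[1]


def evaluate(rulesets: dict[str, list[Rule]], pkt: Packet) -> str:
    """Return 'pass' or 'block'. Only the ingress interface's rules are
    consulted, top to bottom; the first matching rule decides."""
    for rule in rulesets.get(pkt.ingress_if, []):
        if (_proto_matches(rule.proto, pkt.proto)
                and _addr_matches(rule.src, pkt.src)
                and _addr_matches(rule.dst, pkt.dst)
                and _port_matches(rule.dport, pkt.dport)):
            return rule.action
    return "block"  # default deny: the state of a fresh OPT/VLAN interface


# Constructed topology (assumed addresses, not from the original thread).
PC = "10.0.10.50"       # VLAN10, 10.0.10.0/24
SERVER = "10.10.10.20"  # VLAN20, 10.10.10.0/24


def demo() -> dict[str, str]:
    results = {}

    # 1. A new OPT interface has no rules, so everything entering it is blocked.
    results["opt_no_rules"] = evaluate({}, Packet("VLAN10", "tcp", PC, SERVER, 443))

    # 2. A TCP/UDP-only pass rule lets SSH through but never passes a ping (ICMP).
    tcpudp_only = {"VLAN10": [Rule("pass", "tcp/udp", "10.0.10.0/24", ANY)]}
    results["ssh_tcpudp_only"] = evaluate(tcpudp_only, Packet("VLAN10", "tcp", PC, SERVER, 22))
    results["ping_tcpudp_only"] = evaluate(tcpudp_only, Packet("VLAN10", "icmp", PC, SERVER))

    # 3. Protocol "any" (or an extra ICMP rule above it) fixes the ping.
    with_icmp = {"VLAN10": [Rule("pass", "icmp", "10.0.10.0/24", ANY),
                            Rule("pass", "tcp/udp", "10.0.10.0/24", ANY)]}
    results["ping_with_icmp_rule"] = evaluate(with_icmp, Packet("VLAN10", "icmp", PC, SERVER))

    # 4. Ordering: the host-to-host pass rule must sit above a broader block rule.
    host_pass = Rule("pass", ANY, PC + "/32", SERVER + "/32")
    vlan_block = Rule("block", ANY, "10.0.10.0/24", "10.10.10.0/24")
    results["pass_above_block"] = evaluate({"VLAN10": [host_pass, vlan_block]},
                                           Packet("VLAN10", "tcp", PC, SERVER, 443))
    results["pass_below_block"] = evaluate({"VLAN10": [vlan_block, host_pass]},
                                           Packet("VLAN10", "tcp", PC, SERVER, 443))

    # 5. Rules live on the ingress interface: putting the pass rule on VLAN20
    #    does nothing for traffic that enters on VLAN10.
    results["rule_on_wrong_interface"] = evaluate({"VLAN20": [host_pass]},
                                                  Packet("VLAN10", "tcp", PC, SERVER, 443))

    # 6. A destination port range narrows the match: HTTP allowed, HTTPS not.
    web_only = {"VLAN10": [Rule("pass", "tcp", "10.0.10.0/24", SERVER + "/32", (80, 80))]}
    results["https_with_http_only_rule"] = evaluate(web_only, Packet("VLAN10", "tcp", PC, SERVER, 443))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

Case 2 is the "I can ping but nothing else works" situation in reverse: a rule built from TCP/UDP alone silently drops ICMP, which is why the reply suggests either a dedicated ICMP rule or protocol "Any". Case 5 is the most common mistake when people first add a VLAN: the rule goes on the server's interface rather than the interface the client's traffic arrives on.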

For now I ordered the unifi usg since everything I read says it can push gig if you don't use qos, etc.  And it was only a 100 bucks so such purchases can sneak by the committee without any grief...

You're going to return that in a week.  The USG is a total pile of hot garbage (or at least it was a year ago when I tried it last).  If you wanted to do anything useful, you have to edit config files and reprovision.  I'll admit it has probably gotten better with newer firmware/controller features, but when you have pfSense at your disposal, stick with pfSense man!

I have 1000/250 at home, and if you're adamant about it, I'll test it for you and let you know what overall throughput is with no QoS.  But really, return it  ;D

I think you might have a misconception of what ESXi is.  As John said, it's a Type 1 hypervisor, closed source developed by vmware.  As such, it allows you to run Linux and Windows VMs (and more), but it's not reliant on any other OS underneath it.  The hypervisor is usually installed on a SD card or a USB drive attached directly to the motherboard.

Normally I'd be all for suggesting that you test out something before you put it into production (even if 'production' is your own home), but rest assured that pfSense doesn't need to have its hand held.  I've also used my fair share of Ubiquiti equipment, but I'm not a huge fan of their routers.  APs and Switches are great and good choice on yours.

My suggestion would be to dive in on pfSense.  If you're already planning on building a server for ESXi, you might as well run pfSense in a VM and be done with it.  I'd return that edge router while you're at it!  I'd also suggest getting a Gold subscription which includes an OVF of pfSense pre-provisioned for vmware among a million other things.

I have two other suggestions while you're in the market:

1.  Buy a managed Switch.  You're already in the UniFi line, so picking up a US-8-60 is a good start.  It'll power your UniFi AP, but most importantly it will allow you to start segmenting your network with VLANs.  If you need more than 8 ports, size up accordingly.

2.  Buy a good network interface card for your server.  Friends don't let friends buy motherboards with Realtek NICs.  Intel -1gbe or Chelsio - 10gbe.

Good luck!


Feedback / Re: Error 500
« on: September 20, 2017, 08:29:53 am »
Must have exceeded the forum's upload capacity.  Even two images reproduced the error.  I was able to upload each individually.


...I built a smart mirror in his bathroom with a bunch of widgets on a monitor behind interrogation glass.  (I'll get some pictures if requested)...

Yes please..

I acquired a 30"x30" sheet of one-way interrogation glass from our company's glass supplier.  I bought a 27" asus monitor and ripped the front bezel off.  I applied a liberal amount of liquid nails between the bezel-less chassis and the screen to make sure it wasn't going anywhere.  I did this to get the screen as close to the glass as possible.

I needed a way to mask ambient light from bleeding through the back of the glass, so I used 3M vinyl wrap that's used for car decaling.  I smoothed it across the glass, making sure to be careful of air bubbles.

I measured the space where the monitor was going to go in relation to the standoff locations, then mounted a small flat wall mount for the monitor.  I put the mirror on the mount and glass on the wall, then marked the wrap where the top of the monitor hit the glass.

Using that as reference point, I traced the outline of the monitor on the vinyl, and then marked a second set of lines 1/2" inside of the first.  Using a straight edge and a razor blade, I gently cut the vinyl and peeled away the inside.

After that, I just had to put the monitor back on the mount, and the glass back on the standoffs, and we're ready to roll.

The video source is a Chromebit in kiosk mode.  It points to a local ubuntu wordpress VM.  I made a custom theme and added a bunch of generic widgets.

I've made three of these mirrors now, the largest having a 43" 4k tv behind it.  If anyone has any interest in more details, feel free to PM me.  It was fun figuring out how to do this, and after three, I've got the process down.

Feedback / Re: Error 500
« on: September 20, 2017, 08:15:56 am »
Yea, I was surprised to run into an issue.  They were jpgs from an iPhone and I guess file size might have had something to do with it.  3.4 MB, 2.4 MB, 1.7 MB, and 1.6 MB.

I'll try to edit and attach 1 at a time.

Feedback / Error 500
« on: September 18, 2017, 02:07:17 pm »
I was attempting to post on the Official Hardware forum, and I received this error.  I attempted the post this morning, and then again this afternoon.  The error happened both times.  I was attempting to attach four images to the post.

General Questions / Re: Send an email when the gateway falls
« on: September 06, 2017, 03:46:41 pm »
I use UptimeRobot for this.  It's free.

Your fears about IoT devices potentially being compromised are well founded.  Many on these forums, including me, will tell you to segment your network in a manner similar to how you're designing yours.

That said, opening ports or forwarding ports for IoT devices is a disaster waiting to happen.  I'm sure you can already see the implications of doing so.  A VPN really is the only way that you should remotely manage them.  I will say, using self signed certificates for your VPN is the ideal way to do this, but PSK options are available. 

It's really not too bad. I'm confident that if you're already planning on segmenting your network and you've thought that through, you can make a VPN work.

If you're trying to use services from your local private network remotely, I'd recommend using a VPN.  Forwarding ports and restricting access to specific public IP addresses can be used in some cases where both ends of the connection are known, but this doesn't seem to be the case for you.

Create a VPN, give access to the local subnet that your servers are on, done.  There are tons of tutorials online for pfSense.  I highly recommend getting the official pfSense book, or better yet, pfSense gold subscription.  That will walk you through step by step for creating a Road Warrior IPSec VPN using EAP-MSCHAPv2.

There's also a Hangout from a few months back with a video tutorial on how to do this.

Good luck!


General Questions / Re: DNS, DHCP, or both?
« on: July 25, 2017, 08:46:26 am »
In DNS Forwarder and DNS Resolver, there's an option called "DHCP Registration"

DHCP Registration

Register DHCP leases in the DNS Resolver

If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered in the DNS Resolver, so that their name can be resolved. The domain in System > General Setup should also be set to the proper value.

You only need to set host names in your DHCP reservations.
