
Messages - JKnott

One other thing, the purpose of that UPS cable is to trigger an orderly shutdown.  If you don't use it, the computer will experience a sudden power failure and not be able to shut down properly.  This might cause disk corruption.

So if the PC is shut down properly due to the low UPS battery signalling a true shutdown, the power supply would continue to monitor the AC line?  It would watch for a power loss and power return event?

When a computer is shut down, it's not fully off.  Part of it is still running, watching the power switch, wake on LAN etc.  So, when the power is restored, that small part powers up and can check the configuration, to see whether to power up or not.  A computer is only fully powered off when unplugged.

Also, it doesn't have to be a UPS that sends that magic packet.  It can be any device, such as another computer.  In data centres, there are entire systems to control & manage the computers.

Amusing thing for me is... my pfSense box boots faster than my cable modem, so when power comes back and powers all, pfSense readies first and asks the modem for an IP, which it ain't yet ready for, and then just sits there with a  I wasn't patient enough to wait and after 10 minutes, having seen the cable modem's green lights, went ahead and manually rebooted pfSense a second time to get the WAN IP.  If I had some critical stuff running requiring full auto restore I may not be so happy. This is 2.4.2.

That must be one slow modem.  Regardless, it shouldn't be too hard to write a script that checks the IP address for and then restarts the DHCP client.  Perhaps it could run a minute after the client starts and then loops until a valid address is obtained.

When setting up a laptop plugged into one of the Hitron LAN ports to test connectivity, they suggested an IP address of 62.x.x.178, a netmask of and a Default GW of 62.x.x.177

That fits in with them providing a /29 to you.  You can use any address between .178 and .183, which means pfSense only had to filter and not route or use NAT.


They state that once in modem mode only 1 network port will work at a time.

I have a Hitron GCN3ACSMR, which is in bridge mode.  I can plug a 2nd device into it and get another IPv4 address, as is the norm with my ISP.  However, this has nothing to do with the issue, that is how the subnet is provided.

The target IP address is, I think, 62.x.x.176 (at the far end of the tunnel), with the Hitron sat on .177.

What address do they give you for your default route?

I quote what he wrote in his first message:

My assigned address block is 62.x.x.176-183. The Hitron router is sat on .177, leaving .178-183 as my usable address space

That's the "LAN" side of his Hitron router and that alone tells me that his ISP is not forwarding the /29 any further and the block is in fact terminated at the Hitron.

Just because you're given a subnet doesn't mean that your ISP is doing the right thing and forwarding the block to your own router; they will more often than not just give you their own router configured exactly as this Hitron here.

What the OP could do is check the MAC address for that .177 address.  If it doesn't match the sticker on the modem, it's the ISP's router.

The piece of information missing here is where is this IP block terminated, in other words what is the target IP address for this /29 block. It looks very much like it's terminated at the ISP router but it's not completely clear. If it was routed to his pfSense he could just use that block on his LAN/OPTx network. If not and his ISP can't/doesn't want to change the arrangement then there is no other option than to use VIPs and NAT.

The OP says:
I've just had installed a Hitron router, currently operating in bridge mode, for my Virgin Media Business connection. My assigned address block is 62.x.x.176-183. The Hitron router is sat on .177, leaving .178-183 as my usable address space.

I suspect the .177 is not the router, but the ISP's gateway address.

How is this any different from what I do on IPv6?  I get a /56 prefix from my ISP.  pfSense filters it according to the rules and can even split that /56 into multiple /64s on various interfaces.  This is exactly the same thing, other than the much smaller address space.  His ISP delivers 62.x.x.176 /29 to him.  pfSense then passes those addresses onto the LAN, without NAT and without even routing.  All it has to do is filter the traffic.  Just imagine him directly connecting his network to the ISP, without pfSense.  Those addresses would be available to use as is.  pfSense, as a firewall, simply protects his network, without having to do any NAT or even routing.  As he mentioned, his modem is in bridge mode, with the /29 provided to him.

While I don't know the specific capabilities pfSense has in this regard, pass-through firewalls that do not do NAT or route are common in businesses, in exactly the same situation as the OP has.  That is, filter the traffic and do nothing else.

You'll need to NAT.

Why??  If he has enough addresses in his subnet, there's absolutely no reason to use NAT and reasons why not to use it.  He has 6 addresses available and no more than 5 devices.

The address space he wants to use is sat on the WAN side of pfSense, the WAN interface has a /29 subnet mask.

If you NAT the public IP address to a private one you can control what services can hit the end device.

He said:
My assigned address block is 62.x.x.176-183

That means he has a block of 8 addresses, 6 usable.  A /29 mask means 8 addresses.  The ISP will route traffic for his addresses to his WAN interface and pfSense will filter appropriately.  This is basic networking.  Bottom line, addresses in this 62.x.x.176 /29 subnet are what pfSense has to deal with.  This is not the same as where someone has a single IPv4 address that has to be shared via NAT.

It amazes me how much people's thinking has been poisoned by NAT being used so much, to the point they fail to understand how things really work.  NAT is a hack to get around the IPv4 address shortage and nothing more.

In Linux, there are hooks for running scripts on various events, such as a network connection coming up.  I expect the same would be available in FreeBSD, which pfSense runs on.  However, I'm not that familiar with FreeBSD and haven't bothered looking.  Look for the script that starts the DHCP client and you should be able to modify it to do a release/renew.
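For the "check the WAN address and restart the DHCP client" idea raised in the two posts above, here is an added example (not from this thread or from the pfSense project) of what such a watchdog could look like. It assumes FreeBSD-style `ifconfig <if>` output and a plain `dhclient <if>` invocation, both of which exist on stock FreeBSD; it does not reproduce how pfSense itself launches its DHCP client, which is the script the post suggests hooking. The interface name `em0` and the 192.0.2.x addresses are placeholders, and the ifconfig output is constructed so the loop can be exercised without a real interface.

```python
# Added example: WAN lease watchdog. Not from the forum thread or pfSense.
# Assumptions: FreeBSD-style "ifconfig <if>" output and a "dhclient <if>"
# command; interface name and addresses below are placeholders.
import ipaddress
import re
import subprocess
import time

# First "inet a.b.c.d" line in ifconfig output (FreeBSD prints one per address).
INET_RE = re.compile(r"^\s*inet\s+(\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE)


def wan_address(ifconfig_text):
    """Return the first IPv4 address shown for the interface, or None if there is none."""
    m = INET_RE.search(ifconfig_text)
    return m.group(1) if m else None


def needs_renew(addr):
    """No address, 0.0.0.0, a link-local 169.254/16 address or garbage all mean 'no lease'."""
    if addr is None:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_unspecified or ip.is_link_local


def wait_for_wan(ifname, attempts=10, delay=5.0, run=subprocess.run, sleep=time.sleep):
    """Poll the interface; when it has no usable lease, kick the DHCP client and retry.

    Returns (address_or_None, number_of_dhclient_restarts). `run` and `sleep`
    are injectable so the logic can be tested without touching the system.
    """
    renews = 0
    for _ in range(attempts):
        out = run(["ifconfig", ifname], capture_output=True, text=True).stdout
        addr = wan_address(out)
        if not needs_renew(addr):
            return addr, renews
        run(["dhclient", ifname])  # assumption: stock FreeBSD dhclient invocation
        renews += 1
        sleep(delay)
    return None, renews


# Constructed ifconfig output in FreeBSD format (placeholder addresses).
SAMPLE_NO_LEASE = (
    "em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tether 02:00:00:00:00:02\n"
    "\tstatus: active\n"
)
SAMPLE_LEASE = SAMPLE_NO_LEASE + "\tinet 192.0.2.178 netmask 0xfffffff8 broadcast 192.0.2.183\n"


class ScriptedRunner:
    """Stand-in for subprocess.run that replays constructed ifconfig output in order."""

    def __init__(self, ifconfig_outputs):
        self.outputs = list(ifconfig_outputs)
        self.calls = []

    def __call__(self, cmd, **kwargs):
        self.calls.append(list(cmd))
        stdout = ""
        if cmd[0] == "ifconfig" and self.outputs:
            stdout = self.outputs.pop(0)
        return subprocess.CompletedProcess(cmd, 0, stdout=stdout, stderr="")


if __name__ == "__main__":
    # Modem not ready on the first two polls, lease appears on the third.
    runner = ScriptedRunner([SAMPLE_NO_LEASE, SAMPLE_NO_LEASE, SAMPLE_LEASE])
    print(wait_for_wan("em0", attempts=5, delay=0, run=runner, sleep=lambda s: None))
    print(runner.calls)
```

Run against the real system, `wait_for_wan("em0")` with the defaults would poll every five seconds for up to ten tries; the scripted runner is only there to show the control flow on constructed input.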

Some computers can be configured for what happens when power is restored.  For example, the computer I use for pfSense can be set to a) stay off, b) resume previous state or c) power up.  Another option is "Wake on LAN", where something sends a magic packet that wakes up the computer.

How many devices do you have on the LAN?  If no more than 6, you don't need NAT, which means you don't port forward.  You just route.  BTW, .183 is not usable.  It's the local broadcast address.  On IPv4, the number of usable addresses is the block size - 2, to allow for network and broadcast.  In your case it's 8 - 2 = 6.
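The /29 arithmetic that runs through this thread (8 addresses, network and broadcast not usable, the ISP gateway on the first host address) can be checked with Python's standard library. The following is an added example, not code from this thread; since the forum redacts the middle octets of the real block, it uses 192.0.2.176/29 as a placeholder for the 62.x.x.176-183 range.

```python
# Added example: what a /29 block actually contains. Not from the forum thread.
# 192.0.2.176/29 is a placeholder for the redacted 62.x.x.176-183 block.
import ipaddress

PLACEHOLDER_BLOCK = "192.0.2.176/29"


def block_from_range(first, last):
    """Turn a 'first-last' range as quoted in the thread into a CIDR block.

    Raises ValueError if the range is not a single aligned block (e.g. 177-183).
    """
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not a single aligned CIDR block")
    return str(nets[0])


def describe_block(cidr, gateway_offset=1):
    """Break a block into network, broadcast, hosts, gateway and assignable addresses.

    hosts() already drops the network and broadcast addresses on IPv4; the
    gateway (the ISP's .177 in the thread) is the first host by default.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    gateway = hosts[gateway_offset - 1]
    usable = [h for h in hosts if h != gateway]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "size": net.num_addresses,        # block size: 8 for a /29
        "host_count": len(hosts),         # size - 2
        "gateway": str(gateway),
        "usable": [str(h) for h in usable],
        "usable_count": len(usable),      # what is left for LAN devices
    }


def is_assignable(cidr, addr, gateway_offset=1):
    """True only for addresses that can be given to a LAN host."""
    info = describe_block(cidr, gateway_offset)
    return str(ipaddress.ip_address(addr)) in info["usable"]


if __name__ == "__main__":
    print(block_from_range("192.0.2.176", "192.0.2.183"))
    for k, v in describe_block(PLACEHOLDER_BLOCK).items():
        print(f"{k}: {v}")
    for a in ("192.0.2.176", "192.0.2.177", "192.0.2.180", "192.0.2.183"):
        print(a, "assignable" if is_assignable(PLACEHOLDER_BLOCK, a) else "not assignable")
```

`strict=True` makes `ip_network` reject a misaligned block such as 192.0.2.178/29, which is a quick way to catch a range that was copied from the wrong line of an ISP's paperwork.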

DHCP and DNS / Re: VoiP LAN device stuck on DHCP renewal
« on: February 14, 2018, 01:59:52 pm »
Option 50, in the request, shows the address is being requested.  The ack shows the correct client address, but for some reason is being sent to the broadcast address.  I have no idea why it would do that.  On my own system, the ack is sent to the correct client address.  The problem with sending to the broadcast address is the client has no idea the ack is for it.  When the broadcast IP address is used, the broadcast MAC address is also used.  A proper ack is sent to the assigned IP address, using the client's MAC address.

So, the question now becomes, why is the ack going to the broadcast address?
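To make the DHCP ACK question above concrete, here is an added example (not from this thread) that decodes a DHCP message, pulls out option 50 from the request and yiaddr/chaddr from the ACK, and classifies how the ACK was delivered. The rule it checks is the one from RFC 2131 section 4.1: the server unicasts the ACK to ciaddr when the client is renewing, otherwise to yiaddr and the client's hardware address, and broadcasts only when the client set the BROADCAST flag in a request with ciaddr zero. The packets and addresses below are constructed placeholders, not the capture discussed in the post.

```python
# Added example: decode DHCP messages and check ACK delivery. Not from the thread.
# Sample packets and the 192.0.2.x / 02:00:... addresses are constructed.
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
DHCPREQUEST, DHCPACK = 3, 5
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 53, 54


def build_dhcp(op, xid, flags, ciaddr, yiaddr, chaddr, options):
    """Assemble a minimal BOOTP/DHCP message (used only to construct test data)."""
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, flags,
                      ipaddress.ip_address(ciaddr).packed,
                      ipaddress.ip_address(yiaddr).packed,
                      b"\0" * 4, b"\0" * 4,            # siaddr, giaddr
                      chaddr + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(pkt):
    """Decode the fixed header and the TLV option list into a dict."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    msg = {
        "op": f[0],
        "xid": f[4],
        "broadcast_flag": bool(f[6] & 0x8000),   # bit 15 of the flags field
        "ciaddr": str(ipaddress.ip_address(f[7])),
        "yiaddr": str(ipaddress.ip_address(f[8])),
        "chaddr": f[11][:f[2]].hex(":"),          # hlen bytes of the 16-byte field
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad
            i += 1
            continue
        length = pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def requested_address(msg):
    """Option 50: the address the client is asking for, or None."""
    raw = msg["options"].get(OPT_REQUESTED_IP)
    return str(ipaddress.ip_address(raw)) if raw else None


def classify_ack(msg, dst_ip, dst_mac):
    """Compare where an ACK went with where RFC 2131 says it should have gone."""
    if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return "not-an-ack"
    renewing = msg["ciaddr"] != "0.0.0.0"
    expected_ip = msg["ciaddr"] if renewing else msg["yiaddr"]
    if dst_ip == expected_ip and dst_mac.lower() == msg["chaddr"]:
        return "unicast-ok"
    if dst_ip == "255.255.255.255" and dst_mac.lower() == "ff:ff:ff:ff:ff:ff":
        if not renewing and msg["broadcast_flag"]:
            return "broadcast-requested"     # client asked for it: legitimate
        return "broadcast-unexpected"        # the case described in the thread
    return "misdirected"


# Constructed sample exchange: REQUEST carrying option 50, ACK with matching yiaddr.
CLIENT_MAC = bytes.fromhex("020000000001")
SAMPLE_REQUEST = build_dhcp(1, 0x1234, 0, "0.0.0.0", "0.0.0.0", CLIENT_MAC, [
    (OPT_MSG_TYPE, bytes([DHCPREQUEST])),
    (OPT_REQUESTED_IP, ipaddress.ip_address("192.0.2.50").packed),
    (OPT_SERVER_ID, ipaddress.ip_address("192.0.2.1").packed),
])
SAMPLE_ACK = build_dhcp(2, 0x1234, 0, "0.0.0.0", "192.0.2.50", CLIENT_MAC, [
    (OPT_MSG_TYPE, bytes([DHCPACK])),
    (OPT_SERVER_ID, ipaddress.ip_address("192.0.2.1").packed),
    (51, struct.pack("!I", 86400)),          # lease time
])

if __name__ == "__main__":
    req, ack = parse_dhcp(SAMPLE_REQUEST), parse_dhcp(SAMPLE_ACK)
    print("requested (option 50):", requested_address(req))
    print("ack yiaddr/chaddr:", ack["yiaddr"], ack["chaddr"])
    print(classify_ack(ack, "192.0.2.50", "02:00:00:00:00:01"))
    print(classify_ack(ack, "255.255.255.255", "ff:ff:ff:ff:ff:ff"))
```

Feeding the destination IP and MAC from a capture's IP and Ethernet headers into `classify_ack` separates the two cases the post distinguishes: an ACK broadcast because the client asked for it, and one broadcast for no reason the client can make sense of.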
